forked from TrueCloudLab/frostfs-api
246 lines
7.8 KiB
Protocol Buffer
246 lines
7.8 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package frost.fs.acl;
|
|
|
|
import "refs/types.proto";
|
|
import "ape/types.proto";
|
|
|
|
// Target role of the access control rule in access control list.
|
|
enum Role {
|
|
// Unspecified role, default value
|
|
ROLE_UNSPECIFIED = 0;
|
|
|
|
// User target rule is applied if sender is the owner of the container
|
|
USER = 1;
|
|
|
|
// System target rule is applied if sender is a storage node within the
|
|
// container or an inner ring node
|
|
SYSTEM = 2;
|
|
|
|
// Others target rule is applied if sender is neither a user nor a system
|
|
// target
|
|
OTHERS = 3;
|
|
}
|
|
|
|
// MatchType is an enumeration of match types.
|
|
enum MatchType {
|
|
// Unspecified match type, default value.
|
|
MATCH_TYPE_UNSPECIFIED = 0;
|
|
|
|
// Return true if strings are equal
|
|
STRING_EQUAL = 1;
|
|
|
|
// Return true if strings are different
|
|
STRING_NOT_EQUAL = 2;
|
|
}
|
|
|
|
// Request's operation type to match if the rule is applicable to a particular
|
|
// request.
|
|
enum Operation {
|
|
// Unspecified operation, default value
|
|
OPERATION_UNSPECIFIED = 0;
|
|
|
|
// Get
|
|
GET = 1;
|
|
|
|
// Head
|
|
HEAD = 2;
|
|
|
|
// Put
|
|
PUT = 3;
|
|
|
|
// Delete
|
|
DELETE = 4;
|
|
|
|
// Search
|
|
SEARCH = 5;
|
|
|
|
// GetRange
|
|
GETRANGE = 6;
|
|
|
|
// GetRangeHash
|
|
GETRANGEHASH = 7;
|
|
}
|
|
|
|
// Rule execution result action. Either allows or denies access if the rule's
|
|
// filters match.
|
|
enum Action {
|
|
// Unspecified action, default value
|
|
ACTION_UNSPECIFIED = 0;
|
|
|
|
// Allow action
|
|
ALLOW = 1;
|
|
|
|
// Deny action
|
|
DENY = 2;
|
|
}
|
|
|
|
// Enumeration of possible sources of Headers to apply filters.
|
|
enum HeaderType {
|
|
// Unspecified header, default value.
|
|
HEADER_UNSPECIFIED = 0;
|
|
|
|
// Filter request headers
|
|
REQUEST = 1;
|
|
|
|
// Filter object headers
|
|
OBJECT = 2;
|
|
|
|
// Filter service headers. These are not processed by FrostFS nodes and
|
|
// exist for service use only.
|
|
SERVICE = 3;
|
|
}
|
|
|
|
// Describes a single eACL rule.
|
|
message EACLRecord {
|
|
// FrostFS request Verb to match
|
|
Operation operation = 1 [ json_name = "operation" ];
|
|
|
|
// Rule execution result. Either allows or denies access if filters match.
|
|
Action action = 2 [ json_name = "action" ];
|
|
|
|
// Filter to check particular properties of the request or the object.
|
|
//
|
|
// By default `key` field refers to the corresponding object's `Attribute`.
|
|
// Some Object's header fields can also be accessed by adding `$Object:`
|
|
// prefix to the name. Here is the list of fields available via this prefix:
|
|
//
|
|
// * $Object:version \
|
|
// version
|
|
// * $Object:objectID \
|
|
// object_id
|
|
// * $Object:containerID \
|
|
// container_id
|
|
// * $Object:ownerID \
|
|
// owner_id
|
|
// * $Object:creationEpoch \
|
|
// creation_epoch
|
|
// * $Object:payloadLength \
|
|
// payload_length
|
|
// * $Object:payloadHash \
|
|
// payload_hash
|
|
// * $Object:objectType \
|
|
// object_type
|
|
// * $Object:homomorphicHash \
|
|
// homomorphic_hash
|
|
//
|
|
// Please note, that if request or response does not have object's headers of
|
|
// full object (Range, RangeHash, Search, Delete), it will not be possible to
|
|
// filter by object header fields or user attributes. From the well-known list
|
|
// only `$Object:objectID` and `$Object:containerID` will be available, as
|
|
// it's possible to take that information from the requested address.
|
|
message Filter {
|
|
// Define if Object or Request header will be used
|
|
HeaderType header_type = 1 [ json_name = "headerType" ];
|
|
|
|
// Match operation type
|
|
MatchType match_type = 2 [ json_name = "matchType" ];
|
|
|
|
// Name of the Header to use
|
|
string key = 3 [ json_name = "key" ];
|
|
|
|
// Expected Header Value or pattern to match
|
|
string value = 4 [ json_name = "value" ];
|
|
}
|
|
|
|
// List of filters to match and see if rule is applicable
|
|
repeated Filter filters = 3 [ json_name = "filters" ];
|
|
|
|
// Target to apply ACL rule. Can be a subject's role class or a list of public
|
|
// keys to match.
|
|
message Target {
|
|
// Target subject's role class
|
|
Role role = 1 [ json_name = "role" ];
|
|
|
|
// List of public keys to identify target subject
|
|
repeated bytes keys = 2 [ json_name = "keys" ];
|
|
}
|
|
// List of target subjects to apply ACL rule to
|
|
repeated Target targets = 4 [ json_name = "targets" ];
|
|
}
|
|
|
|
// Extended ACL rules table. A list of ACL rules defined additionally to Basic
|
|
// ACL. Extended ACL rules can be attached to a container and can be updated
|
|
// or may be defined in `BearerToken` structure. Please see the corresponding
|
|
// FrostFS Technical Specification section for detailed description.
|
|
message EACLTable {
|
|
// eACL format version. Effectively, the version of API library used to create
|
|
// eACL Table.
|
|
frost.fs.refs.Version version = 1 [ json_name = "version" ];
|
|
|
|
// Identifier of the container that should use given access control rules
|
|
frost.fs.refs.ContainerID container_id = 2 [ json_name = "containerID" ];
|
|
|
|
// List of Extended ACL rules
|
|
repeated EACLRecord records = 3 [ json_name = "records" ];
|
|
}
|
|
|
|
// BearerToken allows to attach signed Extended ACL rules to the request in
|
|
// `RequestMetaHeader`. If container's Basic ACL rules allow, the attached rule
|
|
// set will be checked instead of one attached to the container itself. Just
|
|
// like [JWT](https://jwt.io), it has a limited lifetime and scope, hence can be
|
|
// used in the similar use cases, like providing authorisation to externally
|
|
// authenticated party.
|
|
//
|
|
// BearerToken can be issued only by the container's owner and must be signed
|
|
// using the key associated with the container's `OwnerID`.
|
|
message BearerToken {
|
|
// Bearer Token body structure contains Extended ACL table issued by the
|
|
// container owner with additional information preventing token abuse.
|
|
message Body {
|
|
// Table of Extended ACL rules to use instead of the ones attached to the
|
|
// container. If it contains `container_id` field, bearer token is only
|
|
// valid for this specific container. Otherwise, any container of the same
|
|
// owner is allowed.
|
|
//
|
|
// Deprecated: eACL tables are no longer relevant - `APEOverrides` should be
|
|
// used instead.
|
|
EACLTable eacl_table = 1 [ json_name = "eaclTable" ];
|
|
|
|
// `OwnerID` defines to whom the token was issued. It must match the request
|
|
// originator's `OwnerID`. If empty, any token bearer will be accepted.
|
|
frost.fs.refs.OwnerID owner_id = 2 [ json_name = "ownerID" ];
|
|
|
|
// Lifetime parameters of the token. Field names taken from
|
|
// [rfc7519](https://tools.ietf.org/html/rfc7519).
|
|
message TokenLifetime {
|
|
// Expiration Epoch
|
|
uint64 exp = 1 [ json_name = "exp" ];
|
|
|
|
// Not valid before Epoch
|
|
uint64 nbf = 2 [ json_name = "nbf" ];
|
|
|
|
// Issued at Epoch
|
|
uint64 iat = 3 [ json_name = "iat" ];
|
|
}
|
|
// Token expiration and valid time period parameters
|
|
TokenLifetime lifetime = 3 [ json_name = "lifetime" ];
|
|
|
|
// AllowImpersonate flag to consider token signer as request owner.
|
|
// If this field is true extended ACL table in token body isn't processed.
|
|
bool allow_impersonate = 4 [ json_name = "allowImpersonate" ];
|
|
|
|
// APEOverride is the list of APE chains defined for a target.
|
|
// These chains are meant to serve as overrides to the already defined (or
|
|
// even undefined) APE chains for the target (see contract `Policy`).
|
|
//
|
|
// The server-side processing of the bearer token with set APE overrides
|
|
// must verify if a client is permitted to override chains for the target,
|
|
// preventing unauthorized access through the APE mechanism.
|
|
message APEOverride {
|
|
// Target for which chains are applied.
|
|
frost.fs.ape.ChainTarget target = 1 [ json_name = "target" ];
|
|
|
|
// The list of APE chains.
|
|
repeated frost.fs.ape.Chain chains = 2 [ json_name = "chains" ];
|
|
}
|
|
|
|
// APE override for the target.
|
|
APEOverride ape_override = 5 [ json_name = "apeOverride" ];
|
|
}
|
|
// Bearer Token body
|
|
Body body = 1 [ json_name = "body" ];
|
|
|
|
// Signature of BearerToken body
|
|
frost.fs.refs.Signature signature = 2 [ json_name = "signature" ];
|
|
}
|