go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/auth_service/api/rpcpb/groups.proto

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/auth_service/api/rpcpb/groups.proto (about)

     1  // Copyright 2021 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  syntax = "proto3";
    16  
    17  package auth.service;
    18  
    19  option go_package = "go.chromium.org/luci/auth_service/api/rpcpb";
    20  
    21  import "google/api/field_behavior.proto";
    22  import "google/protobuf/empty.proto";
    23  import "google/protobuf/field_mask.proto";
    24  import "google/protobuf/timestamp.proto";
    25  
    26  // Groups service contains methods to examine groups.
    27  service Groups {
    28    // ListGroups returns all the groups currently stored in LUCI Auth service
    29    // datastore. The groups will be returned in alphabetical order based on their
    30    // ID.
    31    rpc ListGroups(google.protobuf.Empty) returns (ListGroupsResponse);
    32  
    33    // GetGroup returns information about an individual group, given the name.
    34    rpc GetGroup(GetGroupRequest) returns (AuthGroup);
    35  
    36    // CreateGroup creates a new group.
    37    rpc CreateGroup(CreateGroupRequest) returns (AuthGroup);
    38  
    39    // UpdateGroup updates an existing group.
    40    rpc UpdateGroup(UpdateGroupRequest) returns (AuthGroup);
    41  
    42    // DeleteGroup deletes a group.
    43    rpc DeleteGroup(DeleteGroupRequest) returns (google.protobuf.Empty);
    44  
    45    // GetSubgraph returns a Subgraph without information about groups that
    46    // include a principal (perhaps indirectly or via globs). Here a principal is
    47    // either an identity, a group or a glob (see PrincipalKind enum).
    48    rpc GetSubgraph(GetSubgraphRequest) returns (Subgraph);
    49  }
    50  
    51  // ListGroupsResponse is all the groups listed in LUCI Auth Service.
    52  message ListGroupsResponse {
    53    // List of all groups. In order to keep the response lightweight, each
    54    // AuthGroup will contain only metadata, i.e. the membership list fields will
    55    // be left empty.
    56    repeated AuthGroup groups = 1;
    57  }
    58  
    59  // GetGroupRequest is to specify an individual group.
    60  message GetGroupRequest {
    61    string name = 1;  // e.g: "administrators"
    62  }
    63  
    64  // CreateGroupRequest requests the creation of a new group.
    65  message CreateGroupRequest {
    66    // Details of the group to create. Not all fields will be written to the new
    67    // group: if the request specifies fields that should be automatically
    68    // generated (e.g. created/modified timestamps), these will be ignored.
    69    AuthGroup group = 1 [ (google.api.field_behavior) = REQUIRED ];
    70  }
    71  
    72  // UpdateGroupRequest requests an update to an existing group.
    73  message UpdateGroupRequest {
    74    // Details of the group to update. The group's 'name' field is used to
    75    // identify the group to update.
    76    AuthGroup group = 1 [ (google.api.field_behavior) = REQUIRED ];
    77  
    78    // The list of fields to be updated.
    79    google.protobuf.FieldMask update_mask = 2;
    80  }
    81  
    82  // DeleteGroupRequest requests the deletion of a group.
    83  message DeleteGroupRequest {
    84    // Name of the group to delete.
    85    string name = 1 [ (google.api.field_behavior) = REQUIRED ];
    86  
    87    // The current etag of the group.
    88    // If an etag is provided and does not match the current etag of the group,
    89    // deletion will be blocked and an ABORTED error will be returned.
    90    string etag = 2;
    91  }
    92  
    93  // AuthGroup defines an individual group.
    94  message AuthGroup {
    95    string name = 1;              // e.g: "auth-service-access"
    96    repeated string members = 2;  // e.g: ["user:t@example.com"]
    97    repeated string globs = 3;    // e.g: ["user:*@example.com"
    98    repeated string nested = 4;   // e.g: ["another-group-0", "another-group-1"]
    99    string description = 5;       // e.g: "This group is used for ..."
   100    string owners = 6;            // e.g: "administrators"
   101    google.protobuf.Timestamp created_ts = 7;  // e.g: "1972-01-01T10:00:20.021Z"
   102    string created_by = 8;                     // e.g: "user:test@example.com"
   103  
   104    // Output only. Whether the caller can modify this group.
   105    bool caller_can_modify = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
   106  
   107    // An opaque string that indicates the version of the group being edited.
   108    // This will be sent to the client in responses, and should be sent back
   109    // to the server for update and delete requests in order to protect against
   110    // concurrent modification errors. See https://google.aip.dev/154.
   111    // Technically this is a "weak etag", meaning that if two AuthGroups have the
   112    // same etag, they are not guaranteed to be byte-for-byte identical. This is
   113    // because under the hood we generate it based on the last-modified time
   114    // (though this should not be relied on as it may change in future).
   115    string etag = 99;
   116  }
   117  
   118  // GetSubgraphRequest contains the Principal that is the basis of the search
   119  // for inclusion and is the root of the output subgraph.
   120  message GetSubgraphRequest {
   121    Principal principal = 1;
   122  }
   123  
   124  // The Subgraph returned by GetSubgraph RPC.
   125  //
   126  // The node representing a principal passed to GetSubgraph is always the
   127  // first in the list.
   128  message Subgraph {
   129    repeated Node nodes = 1;
   130  }
   131  
   132  // PrincipalKind denotes the type of principal of a specific entity.
   133  enum PrincipalKind {
   134    PRINCIPAL_KIND_UNSPECIFIED = 0;
   135    // A single individual identity, e.g. "user:someone@example.com".
   136    IDENTITY = 1;
   137    // A group name, e.g. "some-group".
   138    GROUP = 2;
   139    // An identity glob, e.g. "user*@example.com".
   140    GLOB = 3;
   141  }
   142  
   143  // Principal is an entity that can be found in the Subgraph. A Principal can
   144  // represent a group, identity, or glob. See PrincipalKind for clarification on
   145  // how each Principal kind is represented.
   146  message Principal {
   147    PrincipalKind kind = 1;  // e.g. IDENTITY, GROUP, GLOB
   148    string name = 2;  // e.g. "user*@example.com", "some-group", "user:m0@example.com"
   149  }
   150  
   151  // Each Node is a representation of a Principal.
   152  // Each subgraph will only contain one Node per principal; in other words,
   153  // a principal uniquely identifies a Node.
   154  message Node {
   155    // The principal represented by this node.
   156    Principal principal = 1;
   157    // Nodes that directly include this principal.
   158    //
   159    // Each item is an index of a Node in Subgraph's `nodes` list.
   160    repeated int32 included_by = 2;
   161  }