mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-29 09:42:25 +00:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
265 lines
9.4 KiB
Protocol Buffer
265 lines
9.4 KiB
Protocol Buffer
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
syntax = "proto3";
|
|
|
|
package identity;
|
|
|
|
import "google/protobuf/timestamp.proto";
|
|
import "helper/identity/mfa/types.proto";
|
|
|
|
option go_package = "github.com/hashicorp/vault/helper/identity";
|
|
|
|
// Group represents an identity group.
|
|
message Group {
|
|
// ID is the unique identifier for this group
|
|
// @inject_tag: sentinel:"-"
|
|
string id = 1;
|
|
|
|
// Name is the unique name for this group
|
|
// @inject_tag: sentinel:"-"
|
|
string name = 2;
|
|
|
|
// Policies are the vault policies to be granted to members of this group
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string policies = 3;
|
|
|
|
// ParentGroupIDs are the identifiers of those groups to which this group is a
|
|
// member of. These will serve as references to the parent group in the
|
|
// hierarchy.
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string parent_group_ids = 4;
|
|
|
|
// MemberEntityIDs are the identifiers of entities which are members of this
|
|
// group
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string member_entity_ids = 5;
|
|
|
|
// Metadata represents the custom data tied with this group
|
|
// @inject_tag: sentinel:"-"
|
|
map<string, string> metadata = 6;
|
|
|
|
// CreationTime is the time at which this group was created
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp creation_time = 7;
|
|
|
|
// LastUpdateTime is the time at which this group was last modified
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp last_update_time = 8;
|
|
|
|
// ModifyIndex tracks the number of updates to the group. It is useful to detect
|
|
// updates to the groups.
|
|
// @inject_tag: sentinel:"-"
|
|
uint64 modify_index = 9;
|
|
|
|
// BucketKey is the path of the storage packer key into which this group is
|
|
// stored.
|
|
// @inject_tag: sentinel:"-"
|
|
string bucket_key = 10;
|
|
|
|
// Alias is used to mark this group as an internal mapping of a group that
|
|
// is external to the identity store. Alias can only be set if the 'type'
|
|
// is set to 'external'.
|
|
// @inject_tag: sentinel:"-"
|
|
Alias alias = 11;
|
|
|
|
// Type indicates if this group is an internal group or an external group.
|
|
// Memberships of the internal groups can be managed over the API whereas
|
|
// the memberships on the external group --for which a corresponding alias
|
|
// will be set-- will be managed automatically.
|
|
// @inject_tag: sentinel:"-"
|
|
string type = 12;
|
|
|
|
// NamespaceID is the identifier of the namespace to which this group
|
|
// belongs to. Do not return this value over the API when reading the
|
|
// group.
|
|
// @inject_tag: sentinel:"-"
|
|
string namespace_id = 13;
|
|
}
|
|
|
|
// LocalAliases holds the aliases belonging to an entity that are local to the
|
|
// cluster.
|
|
message LocalAliases {
|
|
repeated Alias aliases = 1;
|
|
}
|
|
|
|
// Entity represents an entity that gets persisted and indexed.
|
|
// Entity is fundamentally composed of zero or many aliases.
|
|
message Entity {
|
|
// Aliases are the identities that this entity is made of. This can be
|
|
// empty as well to favor being able to create the entity first and then
|
|
// incrementally adding aliases.
|
|
// @inject_tag: sentinel:"-"
|
|
repeated Alias aliases = 1;
|
|
|
|
// ID is the unique identifier of the entity which always be a UUID. This
|
|
// should never be allowed to be updated.
|
|
// @inject_tag: sentinel:"-"
|
|
string id = 2;
|
|
|
|
// Name is a unique identifier of the entity which is intended to be
|
|
// human-friendly. The default name might not be human friendly since it
|
|
// gets suffixed by a UUID, but it can optionally be updated, unlike the ID
|
|
// field.
|
|
// @inject_tag: sentinel:"-"
|
|
string name = 3;
|
|
|
|
// Metadata represents the explicit metadata which is set by the
|
|
// clients. This is useful to tie any information pertaining to the
|
|
// aliases. This is a non-unique field of entity, meaning multiple
|
|
// entities can have the same metadata set. Entities will be indexed based
|
|
// on this explicit metadata. This enables virtual groupings of entities
|
|
// based on its metadata.
|
|
// @inject_tag: sentinel:"-"
|
|
map<string, string> metadata = 4;
|
|
|
|
// CreationTime is the time at which this entity is first created.
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp creation_time = 5;
|
|
|
|
// LastUpdateTime is the most recent time at which the properties of this
|
|
// entity got modified. This is helpful in filtering out entities based on
|
|
// its age and to take action on them, if desired.
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp last_update_time = 6;
|
|
|
|
// MergedEntityIDs are the entities which got merged to this one. Entities
|
|
// will be indexed based on all the entities that got merged into it. This
|
|
// helps to apply the actions on this entity on the tokens that are merged
|
|
// to the merged entities. Merged entities will be deleted entirely and
|
|
// this is the only trackable trail of its earlier presence.
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string merged_entity_ids = 7;
|
|
|
|
// Policies the entity is entitled to
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string policies = 8;
|
|
|
|
// BucketKey is the path of the storage packer key into which this entity is
|
|
// stored.
|
|
// @inject_tag: sentinel:"-"
|
|
string bucket_key = 9;
|
|
|
|
// MFASecrets holds the MFA secrets indexed by the identifier of the MFA
|
|
// method configuration.
|
|
// @inject_tag: sentinel:"-"
|
|
map<string, mfa.Secret> mfa_secrets = 10;
|
|
|
|
// Disabled indicates whether tokens associated with the account should not
|
|
// be able to be used
|
|
// @inject_tag: sentinel:"-"
|
|
bool disabled = 11;
|
|
|
|
// NamespaceID is the identifier of the namespace to which this entity
|
|
// belongs to. Do not return this value over the API when reading the
|
|
// entity.
|
|
// @inject_tag: sentinel:"-"
|
|
string namespace_id = 12;
|
|
}
|
|
|
|
// Alias represents the alias that gets stored inside of the
|
|
// entity object in storage and also represents in an in-memory index of an
|
|
// alias object.
|
|
message Alias {
|
|
// ID is the unique identifier that represents this alias
|
|
// @inject_tag: sentinel:"-"
|
|
string id = 1;
|
|
|
|
// CanonicalID is the entity identifier to which this alias belongs to
|
|
// @inject_tag: sentinel:"-"
|
|
string canonical_id = 2;
|
|
|
|
// MountType is the backend mount's type to which this alias belongs to.
|
|
// This enables categorically querying aliases of specific backend types.
|
|
// @inject_tag: sentinel:"-"
|
|
string mount_type = 3;
|
|
|
|
// MountAccessor is the backend mount's accessor to which this alias
|
|
// belongs to.
|
|
// @inject_tag: sentinel:"-"
|
|
string mount_accessor = 4;
|
|
|
|
// MountPath is the backend mount's path to which the Maccessor belongs to. This
|
|
// field is not used for any operational purposes. This is only returned when
|
|
// alias is read, only as a nicety.
|
|
// @inject_tag: sentinel:"-"
|
|
string mount_path = 5;
|
|
|
|
// Metadata is the explicit metadata that clients set against an entity
|
|
// which enables virtual grouping of aliases. Aliases will be indexed
|
|
// against their metadata.
|
|
// @inject_tag: sentinel:"-"
|
|
map<string, string> metadata = 6;
|
|
|
|
// Name is the identifier of this alias in its authentication source.
|
|
// This does not uniquely identify an alias in Vault. This in conjunction
|
|
// with MountAccessor form to be the factors that represent an alias in a
|
|
// unique way. Aliases will be indexed based on this combined uniqueness
|
|
// factor.
|
|
// @inject_tag: sentinel:"-"
|
|
string name = 7;
|
|
|
|
// CreationTime is the time at which this alias was first created
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp creation_time = 8;
|
|
|
|
// LastUpdateTime is the most recent time at which the properties of this
|
|
// alias got modified. This is helpful in filtering out aliases based
|
|
// on its age and to take action on them, if desired.
|
|
// @inject_tag: sentinel:"-"
|
|
google.protobuf.Timestamp last_update_time = 9;
|
|
|
|
// MergedFromCanonicalIDs is the FIFO history of merging activity
|
|
// @inject_tag: sentinel:"-"
|
|
repeated string merged_from_canonical_ids = 10;
|
|
|
|
// NamespaceID is the identifier of the namespace to which this alias
|
|
// belongs.
|
|
// @inject_tag: sentinel:"-"
|
|
string namespace_id = 11;
|
|
|
|
// Custom Metadata represents the custom data tied to this alias
|
|
// @inject_tag: sentinel:"-"
|
|
map<string, string> custom_metadata = 12;
|
|
|
|
// Local indicates if the alias only belongs to the cluster where it was
|
|
// created. If true, the alias will be stored in a location that is ignored by
|
|
// the performance replication subsystem.
|
|
// @inject_tag: sentinel:"-"
|
|
bool local = 13;
|
|
|
|
// LocalBucketKey is the identifying element of the location where this alias
|
|
// is stored in the storage packer. This helps in querying local aliases
|
|
// during invalidation of local aliases in performance standbys.
|
|
// @inject_tag: sentinel:"-"
|
|
string local_bucket_key = 14;
|
|
}
|
|
|
|
// Deprecated. Retained for backwards compatibility.
|
|
message EntityStorageEntry {
|
|
repeated PersonaIndexEntry personas = 1;
|
|
string id = 2;
|
|
string name = 3;
|
|
map<string, string> metadata = 4;
|
|
google.protobuf.Timestamp creation_time = 5;
|
|
google.protobuf.Timestamp last_update_time = 6;
|
|
repeated string merged_entity_ids = 7;
|
|
repeated string policies = 8;
|
|
string bucket_key_hash = 9;
|
|
map<string, mfa.Secret> mfa_secrets = 10;
|
|
}
|
|
|
|
// Deprecated. Retained for backwards compatibility.
|
|
message PersonaIndexEntry {
|
|
string id = 1;
|
|
string entity_id = 2;
|
|
string mount_type = 3;
|
|
string mount_accessor = 4;
|
|
string mount_path = 5;
|
|
map<string, string> metadata = 6;
|
|
string name = 7;
|
|
google.protobuf.Timestamp creation_time = 8;
|
|
google.protobuf.Timestamp last_update_time = 9;
|
|
repeated string merged_from_entity_ids = 10;
|
|
}
|