Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 9ffa1f9577003ab70a6b483475874f3552d1ccc3^! / . / metropolis / proto / ext / authorization.proto
commit9ffa1f9577003ab70a6b483475874f3552d1ccc3[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Wed Sep 01 15:42:23 2021 +0200
committerSergiusz Bazanski <serge@monogon.tech>Thu Sep 02 10:38:15 2021 +0000
treea688d02424e8601ed830d12021b5867688d31438
parent6bd415920b84bd695038caeb386f1e97184f0c51 [diff] [blame]
m/n/core/curator: authenticated RPC

This adds authentication middleware (server interceptors) for gRPC
services running on the public curator listener.

Most of this code is testing harnesses to start up just the curator
listener with enough of a PKI infrastructure copy from a real Metropolis
cluster to be able to start running tests against GetRegisterTicket.

Change-Id: I429ff29e3c1233d74e8da619ddb543d56bc051b9
Reviewed-on: https://review.monogon.dev/c/monogon/+/311
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/proto/ext/authorization.proto b/metropolis/proto/ext/authorization.proto
new file mode 100644
index 0000000..cc9082f
--- /dev/null
+++ b/metropolis/proto/ext/authorization.proto

@@ -0,0 +1,36 @@
+syntax = "proto3";
+package metropolis.proto.ext;
+option go_package = "source.monogon.dev/metropolis/proto/ext";
+
+import "google/protobuf/descriptor.proto";
+
+extend google.protobuf.MethodOptions {
+    // Set authorization policy for this RPC. If not set but the service is
+    // configured to use authorization, the default/zero value of the
+    // Authorization message will be used (effectively allowing all
+    // authenticated users).
+    Authorization authorization = 1000;
+}
+
+
+// Permission is a combined activity/object that an identity can perform in the
+// cluster.
+//
+// MVP: this might get replaced with a full activity/object split later on.
+enum Permission {
+    PERMISSION_UNSPECIFIED = 0;
+    PERMISSION_GET_REGISTER_TICKET = 1;
+}
+
+// Authorization policy for an RPC method. This message/API does not have the
+// same stability guarantees as the rest of Metropolis APIs - it is internal,
+// might change in wire and text incompatible ways and should not be used by
+// consumers of the API.
+message Authorization {
+    // Set of permissions required from the caller.
+    repeated Permission need = 1;
+    // If set, this API can be called unauthorized and unauthenticated, thereby
+    // allowing full access to anyone, including public access by anyone with
+    // network connectivity to the cluster.. Ignored if `need` is non-empty.
+    bool allow_unauthenticated = 2;
+}