// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

// Go import path for the code generated from this file.
option go_package = "github.com/kubeflow/pipelines/backend/api/go_client";

package api;

// Supplies the google.api.http option used on the Authorize RPC.
import "google/api/annotations.proto";
// Supplies google.protobuf.Empty, the response type of the Authorize RPC.
import "google/protobuf/empty.proto";
// NOTE(review): presumably declares the api.Status message that the default
// response schema in the swagger option refers to -- confirm.
import "backend/api/error.proto";
// Supplies the openapiv2_swagger file option set in this file.
import "protoc-gen-swagger/options/annotations.proto";
// File-level OpenAPI 2.0 (Swagger) metadata read by protoc-gen-swagger.
// This option only shapes the generated API description. It adds no
// authentication or authorization check to the gRPC server or the gateway.
option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
  // Default response: any status not documented per operation is described
  // with the schema referenced as ".api.Status".
  responses: {
    key: "default";
    value: {
      schema: {
        json_schema: {
          ref: ".api.Status";
        }
      }
    }
  }
  // Use a bearer token to authorize access to the job service.
  // The Kubernetes client libraries
  // (https://kubernetes.io/docs/reference/using-api/client-libraries/)
  // use a bearer token by default for authorization. The section below
  // ensures that a security definition object is generated in the swagger
  // definition. For more details see
  // https://github.com/OAI/OpenAPI-Specification/blob/3.0.0/versions/2.0.md#securityDefinitionsObject
  //
  // OpenAPI 2.0 has no dedicated bearer scheme, so the token is declared as
  // an API key carried in the "authorization" request header. With an API-key
  // scheme the client supplies the whole header value itself.
  // NOTE(review): the code that validates this header is not visible in this
  // file -- confirm that it runs on every route the generated document marks
  // as secured, and that the header value is kept out of request logs.
  security_definitions: {
    security: {
      key: "Bearer";
      value: {
        type: TYPE_API_KEY;
        in: IN_HEADER;
        name: "authorization";
      }
    }
  }
  // Document-wide default: every operation is described as requiring the
  // "Bearer" definition above. The empty value means no scopes are listed.
  security: {
    security_requirement: {
      key: "Bearer";
      value: {};
    }
  }
};
// Service that answers whether an access described by an AuthorizeRequest
// is authorized.
service AuthService {
  // Asks for authorization of the access described by the request.
  rpc Authorize(AuthorizeRequest) returns (google.protobuf.Empty) {
    // Bound to HTTP GET with no path parameters and no body, so the request
    // fields (namespace, resources, verb) are sent as URL query parameters.
    //
    // The response type is google.protobuf.Empty, so the decision is not
    // carried in the response payload.
    // NOTE(review): presumably a non-error response means "allowed" and a
    // denial is reported through the error status -- confirm, and confirm
    // that callers treat every error (including transport failures) as deny.
    option (google.api.http) = {
      get: "/apis/v1beta1/auth"
    };
  }
}
// Asks for authorization of an access by providing the resource's namespace,
// type and verb. The user's identity is not part of the message, because it
// is expected to be parsed from the request headers. A caller acting on
// behalf of a user should forward that user's request headers.
message AuthorizeRequest {
  // NOTE(review): because identity comes from headers rather than from this
  // message, the decision is only as trustworthy as those headers. Confirm
  // which header the server reads and that an untrusted client cannot set it
  // directly (for example, that the fronting proxy overwrites or strips it).
  //
  // NOTE(review): all three fields have implicit presence in proto3, so an
  // omitted field arrives as "" or as the zero enum value. Confirm that the
  // server rejects an empty namespace, UNASSIGNED_RESOURCES, UNASSIGNED_VERB
  // and enum numbers it does not recognise, rather than treating any of them
  // as a wildcard.

  // Type of resources in pipelines system.
  enum Resources {
    UNASSIGNED_RESOURCES = 0; // Zero value; what an omitted field decodes to.
    VIEWERS = 1;
  }
  // Type of verbs that act on the resources.
  enum Verb {
    UNASSIGNED_VERB = 0; // Zero value; what an omitted field decodes to.
    CREATE = 1;
    GET = 2;
    DELETE = 3;
  }
  string namespace = 1; // Namespace the resource belongs to.
  Resources resources = 2; // Resource type asking for authorization.
  Verb verb = 3; // Verb on the resource asking for authorization.
}