diff --git a/doc/index.html b/doc/index.html
index 130c3ac5..f6be1481 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -12474,7 +12474,11 @@
string |
|
Subject maybe either the project or the tenant
-for which the methods should be allowed |
+for which the methods should be allowed
+
+asterisk (*) can be specified to match any subject
+empty string ("") can be specified for requests that do not require a subject, e.g. partition list
+otherwise either a projectid or a tenant login should be specified
@@ -12492,7 +12496,7 @@
- Token is a jwt authentication token to access the api
+ Token generates a jwt authentication token to access the api
There are two different types of tokens, api- and user- tokens
A user token is used to authenticate end user requests for example from a cli.
The configured roles in a user token are expanded in the api server
based on the memberships in other projects and tenants based on the role granted there.
User tokens will never contain permissions.
Permissions are always derived from the tenant and project roles and memberships.
The api token should be used to authenticate services.
In contrast to a user token, the api token permissions and roles apply as configured during the token create process.
@@ -12578,6 +12582,13 @@
AdminRole defines the admin role of the token owner |
+
+ | infra_role |
+ InfraRole |
+ optional |
+ InfraRole defines the infrastructure role of the token owner |
+
+
@@ -12699,6 +12710,13 @@
+
+ | infra_role |
+ InfraRole |
+ optional |
+ InfraRole defines the infrastructure role of the token owner |
+
+
| labels |
Labels |
@@ -13014,6 +13032,13 @@
+
+ | infra_role |
+ InfraRole |
+ optional |
+ InfraRole defines the infrastructure role of the token owner |
+
+
| labels |
UpdateLabels |
@@ -13168,7 +13193,7 @@
Create |
TokenServiceCreateRequest |
TokenServiceCreateResponse |
- Create a token to authenticate against the platform, the secret will be only visible in the response |
+ Create a token to authenticate against the platform, the secret will be only visible in the response. |
@@ -13391,7 +13416,8 @@
| Create |
TokenServiceCreateRequest |
TokenServiceCreateResponse |
- Create a token to authenticate against the platform, the secret will be only visible in the response |
+ Create a token to authenticate against the platform, the secret will be only visible in the response.
+This service is suitable to create tokens for other users instead of deriving users from tokens directly. |
diff --git a/generate/Makefile b/generate/Makefile
index 2ff141a4..f44cac0a 100644
--- a/generate/Makefile
+++ b/generate/Makefile
@@ -4,7 +4,6 @@ generate: go-mocks
rm -f ../go/permissions/servicepermissions.go
rm -f ../go/client/client.go
rm -f ../go/tests/mock_clients.go
- rm -f ../js/permissions/servicepermissions.json
go run ./generate.go
diff --git a/generate/generate.go b/generate/generate.go
index da4186bd..29e4970d 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -100,7 +100,11 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
Tenant: permissions.Tenant{},
Project: permissions.Project{},
}
- methods = permissions.Methods{}
+ methods = permissions.Methods{
+ // Allow service reflection to list available methods
+ serverReflectionInfov1alpha1: true,
+ serverReflectionInfo: true,
+ }
visibility = permissions.Visibility{
Public: map[string]bool{
// Allow service reflection to list available methods
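Review bot: The comment on the new `methods` entries does not say why reflection is seeded by hand or what that exposes. The same two names are also listed under `visibility.Public` in the context lines just below, so as far as this hunk shows the reflection endpoints are callable without a token and let any caller enumerate service and method names. I would say so on the literal, e.g. `// Reflection is seeded by hand and is also Public below: the method list is readable without a token.`, and confirm that this exposure is intended for production and not only for tooling. The two names must now be kept in sync across two literals; one shared slice iterated into both maps would remove that risk. The body of servicePermissions starts and ends outside this hunk.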
@@ -177,10 +181,10 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
// noop
// Infra
case v1.InfraRole_INFRA_ROLE_EDITOR.String():
- roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()] = append(roles.Admin[v1.InfraRole_INFRA_ROLE_EDITOR.String()], methodName)
+ roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()] = append(roles.Infra[v1.InfraRole_INFRA_ROLE_EDITOR.String()], methodName)
visibility.Infra[methodName] = true
case v1.InfraRole_INFRA_ROLE_VIEWER.String():
- roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()] = append(roles.Admin[v1.InfraRole_INFRA_ROLE_VIEWER.String()], methodName)
+ roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()] = append(roles.Infra[v1.InfraRole_INFRA_ROLE_VIEWER.String()], methodName)
visibility.Infra[methodName] = true
case v1.InfraRole_INFRA_ROLE_UNSPECIFIED.String():
// noop
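Review bot: The corrected lines still spell `v1.InfraRole_INFRA_ROLE_EDITOR.String()` twice per statement, which is the shape that let the `roles.Admin` slip go unnoticed. Binding the key once, `key := v1.InfraRole_INFRA_ROLE_EDITOR.String()` followed by `roles.Infra[key] = append(roles.Infra[key], methodName)`, leaves nothing to mismatch; the same applies to the VIEWER case. With the old right-hand side each infra role presumably kept only the last method assigned to it, an under-grant that nothing failed on. A generator test asserting that an infra role accumulates more than one method would guard against a repeat. The switch and servicePermissions itself begin and end outside the hunk.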
diff --git a/generate/go_servicepermissions.tpl b/generate/go_servicepermissions.tpl
index 1f3914f9..9245cb2b 100644
--- a/generate/go_servicepermissions.tpl
+++ b/generate/go_servicepermissions.tpl
@@ -1,4 +1,4 @@
-// Code generated discover.go. DO NOT EDIT.
+// Code generated generate.go. DO NOT EDIT.
package permissions
import (
diff --git a/go.mod b/go.mod
index 24bb4f2d..671e84c6 100644
--- a/go.mod
+++ b/go.mod
@@ -10,25 +10,26 @@ require (
github.com/go-task/slim-sprig/v3 v3.0.0
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/google/go-cmp v0.7.0
- github.com/klauspost/connect-compress/v2 v2.0.0
+ github.com/klauspost/connect-compress/v2 v2.1.0
github.com/stretchr/testify v1.11.1
google.golang.org/protobuf v1.36.10
)
require (
- cel.dev/expr v0.24.0 // indirect
+ cel.dev/expr v0.25.1 // indirect
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/google/cel-go v0.26.1 // indirect
- github.com/klauspost/compress v1.18.0 // indirect
+ github.com/klauspost/compress v1.18.1 // indirect
github.com/kr/pretty v0.3.1 // indirect
+ github.com/minio/minlz v1.0.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stoewer/go-strcase v1.3.1 // indirect
github.com/stretchr/objx v0.5.3 // indirect
- golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b // indirect
- golang.org/x/text v0.30.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff // indirect
+ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+ golang.org/x/text v0.31.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
diff --git a/go.sum b/go.sum
index 0d816771..550d1a5d 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-202509121410
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1/go.mod h1:fUl8CEN/6ZAMk6bP8ahBJPUJw7rbp+j4x+wCcYi2IG4=
buf.build/go/protovalidate v1.0.0 h1:IAG1etULddAy93fiBsFVhpj7es5zL53AfB/79CVGtyY=
buf.build/go/protovalidate v1.0.0/go.mod h1:KQmEUrcQuC99hAw+juzOEAmILScQiKBP1Oc36vvCLW8=
-cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
-cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
@@ -22,10 +22,10 @@ github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/connect-compress/v2 v2.0.0 h1:L7TVsLa6Oo9Hkkb6r3DwSrhBbcWlXjneqBj7fCRXviU=
-github.com/klauspost/connect-compress/v2 v2.0.0/go.mod h1:604CD9JSAjGqtVzCM4SRgM/9TFTkWBcp+2wlQfGyJ6c=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/klauspost/connect-compress/v2 v2.1.0 h1:8fM8QrVeHT69e5VVSh4yjDaQASYIvOp2uMZq7nVLj2U=
+github.com/klauspost/connect-compress/v2 v2.1.0/go.mod h1:Ayurh2wscMMx3AwdGGVL+ylSR5316WfApREDgsqHyH8=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -33,6 +33,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/minio/minlz v1.0.1 h1:OUZUzXcib8diiX+JYxyRLIdomyZYzHct6EShOKtQY2A=
+github.com/minio/minlz v1.0.1/go.mod h1:qT0aEB35q79LLornSzeDH75LBf3aH1MV+jB5w9Wasec=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -50,14 +52,14 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b h1:18qgiDvlvH7kk8Ioa8Ov+K6xCi0GMvmGfGW0sgd/SYA=
-golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
-google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff h1:8Zg5TdmcbU8A7CXGjGXF1Slqu/nIFCRaR3S5gT2plIA=
-google.golang.org/genproto/googleapis/api v0.0.0-20251007200510-49b9836ed3ff/go.mod h1:dbWfpVPvW/RqafStmRWBUpMN14puDezDMHxNYiRfQu0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff h1:A90eA31Wq6HOMIQlLfzFwzqGKBTuaVztYu/g8sn+8Zc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba h1:B14OtaXuMaCQsl2deSvNkyPKIzq3BjfxQp8d00QyWx4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:G5IanEx8/PgI9w6CFcYQf7jMtHQhZruvfM1i3qOqk5U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/go/metalstack/admin/v2/adminv2connect/token.connect.go b/go/metalstack/admin/v2/adminv2connect/token.connect.go
index 6c906c60..1b5a7753 100644
--- a/go/metalstack/admin/v2/adminv2connect/token.connect.go
+++ b/go/metalstack/admin/v2/adminv2connect/token.connect.go
@@ -47,7 +47,8 @@ type TokenServiceClient interface {
List(context.Context, *v2.TokenServiceListRequest) (*v2.TokenServiceListResponse, error)
// Revoke a token
Revoke(context.Context, *v2.TokenServiceRevokeRequest) (*v2.TokenServiceRevokeResponse, error)
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
+ // This service is suitable to create tokens for other users instead of deriving users from tokens directly.
Create(context.Context, *v2.TokenServiceCreateRequest) (*v2.TokenServiceCreateResponse, error)
}
@@ -123,7 +124,8 @@ type TokenServiceHandler interface {
List(context.Context, *v2.TokenServiceListRequest) (*v2.TokenServiceListResponse, error)
// Revoke a token
Revoke(context.Context, *v2.TokenServiceRevokeRequest) (*v2.TokenServiceRevokeResponse, error)
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
+ // This service is suitable to create tokens for other users instead of deriving users from tokens directly.
Create(context.Context, *v2.TokenServiceCreateRequest) (*v2.TokenServiceCreateResponse, error)
}
diff --git a/go/metalstack/api/v2/apiv2connect/token.connect.go b/go/metalstack/api/v2/apiv2connect/token.connect.go
index c1009496..1488f2e1 100644
--- a/go/metalstack/api/v2/apiv2connect/token.connect.go
+++ b/go/metalstack/api/v2/apiv2connect/token.connect.go
@@ -51,7 +51,7 @@ const (
type TokenServiceClient interface {
// Get a token
Get(context.Context, *v2.TokenServiceGetRequest) (*v2.TokenServiceGetResponse, error)
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
Create(context.Context, *v2.TokenServiceCreateRequest) (*v2.TokenServiceCreateResponse, error)
// Update a token
Update(context.Context, *v2.TokenServiceUpdateRequest) (*v2.TokenServiceUpdateResponse, error)
@@ -181,7 +181,7 @@ func (c *tokenServiceClient) Refresh(ctx context.Context, req *v2.TokenServiceRe
type TokenServiceHandler interface {
// Get a token
Get(context.Context, *v2.TokenServiceGetRequest) (*v2.TokenServiceGetResponse, error)
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
Create(context.Context, *v2.TokenServiceCreateRequest) (*v2.TokenServiceCreateResponse, error)
// Update a token
Update(context.Context, *v2.TokenServiceUpdateRequest) (*v2.TokenServiceUpdateResponse, error)
diff --git a/go/metalstack/api/v2/token.pb.go b/go/metalstack/api/v2/token.pb.go
index aec596c4..7d2cc683 100644
--- a/go/metalstack/api/v2/token.pb.go
+++ b/go/metalstack/api/v2/token.pb.go
@@ -77,7 +77,18 @@ func (TokenType) EnumDescriptor() ([]byte, []int) {
return file_metalstack_api_v2_token_proto_rawDescGZIP(), []int{0}
}
-// Token is a jwt authentication token to access the api
+// Token generates a jwt authentication token to access the api
+//
+// # There are two different types of tokens, api- and user- tokens
+//
+// A user token is used to authenticate end user requests for example from a cli.
+// The configured roles in a user token are expanded in the api server
+// based on the memberships in other projects and tenants based on the role granted there.
+// User tokens will never contain permissions.
+// Permissions are always derived from the tenant and project roles and memberships.
+//
+// The api token should be used to authenticate services.
+// In contrast to a user token, the api token permissions and roles apply as configured during the token create process.
type Token struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Uuid of the jwt token, used to reference it by revoke
@@ -101,7 +112,9 @@ type Token struct {
// TenantRoles associates a tenant id with the corresponding role of the token owner
TenantRoles map[string]TenantRole `protobuf:"bytes,10,rep,name=tenant_roles,json=tenantRoles,proto3" json:"tenant_roles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"varint,2,opt,name=value,enum=metalstack.api.v2.TenantRole"`
// AdminRole defines the admin role of the token owner
- AdminRole *AdminRole `protobuf:"varint,11,opt,name=admin_role,json=adminRole,proto3,enum=metalstack.api.v2.AdminRole,oneof" json:"admin_role,omitempty"`
+ AdminRole *AdminRole `protobuf:"varint,11,opt,name=admin_role,json=adminRole,proto3,enum=metalstack.api.v2.AdminRole,oneof" json:"admin_role,omitempty"`
+ // InfraRole defines the infrastructure role of the token owner
+ InfraRole *InfraRole `protobuf:"varint,12,opt,name=infra_role,json=infraRole,proto3,enum=metalstack.api.v2.InfraRole,oneof" json:"infra_role,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -213,6 +226,13 @@ func (x *Token) GetAdminRole() AdminRole {
return AdminRole_ADMIN_ROLE_UNSPECIFIED
}
+func (x *Token) GetInfraRole() InfraRole {
+ if x != nil && x.InfraRole != nil {
+ return *x.InfraRole
+ }
+ return InfraRole_INFRA_ROLE_UNSPECIFIED
+}
+
// TokenServiceCreateRequest is the request payload to create a token
type TokenServiceCreateRequest struct {
state protoimpl.MessageState `protogen:"open.v1"`
@@ -228,8 +248,10 @@ type TokenServiceCreateRequest struct {
TenantRoles map[string]TenantRole `protobuf:"bytes,6,rep,name=tenant_roles,json=tenantRoles,proto3" json:"tenant_roles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"varint,2,opt,name=value,enum=metalstack.api.v2.TenantRole"`
// AdminRole defines the admin role of the token owner
AdminRole *AdminRole `protobuf:"varint,7,opt,name=admin_role,json=adminRole,proto3,enum=metalstack.api.v2.AdminRole,oneof" json:"admin_role,omitempty"`
+ // InfraRole defines the infrastructure role of the token owner
+ InfraRole *InfraRole `protobuf:"varint,8,opt,name=infra_role,json=infraRole,proto3,enum=metalstack.api.v2.InfraRole,oneof" json:"infra_role,omitempty"`
// Labels on this token
- Labels *Labels `protobuf:"bytes,8,opt,name=labels,proto3" json:"labels,omitempty"`
+ Labels *Labels `protobuf:"bytes,9,opt,name=labels,proto3" json:"labels,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -306,6 +328,13 @@ func (x *TokenServiceCreateRequest) GetAdminRole() AdminRole {
return AdminRole_ADMIN_ROLE_UNSPECIFIED
}
+func (x *TokenServiceCreateRequest) GetInfraRole() InfraRole {
+ if x != nil && x.InfraRole != nil {
+ return *x.InfraRole
+ }
+ return InfraRole_INFRA_ROLE_UNSPECIFIED
+}
+
func (x *TokenServiceCreateRequest) GetLabels() *Labels {
if x != nil {
return x.Labels
@@ -318,6 +347,10 @@ type MethodPermission struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Subject maybe either the project or the tenant
// for which the methods should be allowed
+ //
+ // asterisk (*) can be specified to match any subject
+ // empty string ("") can be specified for requests that do not require a subject, e.g. partition list
+ // otherwise either a projectid or a tenant login should be specified
Subject string `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"`
// Methods which should be accessible
Methods []string `protobuf:"bytes,2,rep,name=methods,proto3" json:"methods,omitempty"`
@@ -608,8 +641,10 @@ type TokenServiceUpdateRequest struct {
TenantRoles map[string]TenantRole `protobuf:"bytes,6,rep,name=tenant_roles,json=tenantRoles,proto3" json:"tenant_roles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"varint,2,opt,name=value,enum=metalstack.api.v2.TenantRole"`
// AdminRole defines the admin role of the token owner
AdminRole *AdminRole `protobuf:"varint,7,opt,name=admin_role,json=adminRole,proto3,enum=metalstack.api.v2.AdminRole,oneof" json:"admin_role,omitempty"`
+ // InfraRole defines the infrastructure role of the token owner
+ InfraRole *InfraRole `protobuf:"varint,8,opt,name=infra_role,json=infraRole,proto3,enum=metalstack.api.v2.InfraRole,oneof" json:"infra_role,omitempty"`
// Labels on this token
- Labels *UpdateLabels `protobuf:"bytes,8,opt,name=labels,proto3" json:"labels,omitempty"`
+ Labels *UpdateLabels `protobuf:"bytes,9,opt,name=labels,proto3" json:"labels,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -693,6 +728,13 @@ func (x *TokenServiceUpdateRequest) GetAdminRole() AdminRole {
return AdminRole_ADMIN_ROLE_UNSPECIFIED
}
+func (x *TokenServiceUpdateRequest) GetInfraRole() InfraRole {
+ if x != nil && x.InfraRole != nil {
+ return *x.InfraRole
+ }
+ return InfraRole_INFRA_ROLE_UNSPECIFIED
+}
+
func (x *TokenServiceUpdateRequest) GetLabels() *UpdateLabels {
if x != nil {
return x.Labels
@@ -936,7 +978,7 @@ var File_metalstack_api_v2_token_proto protoreflect.FileDescriptor
const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\n" +
- "\x1dmetalstack/api/v2/token.proto\x12\x11metalstack.api.v2\x1a\x1bbuf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\"\xe3\x06\n" +
+ "\x1dmetalstack/api/v2/token.proto\x12\x11metalstack.api.v2\x1a\x1bbuf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\"\xe0\b\n" +
"\x05Token\x12\x1c\n" +
"\x04uuid\x18\x01 \x01(\tB\b\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12\x1e\n" +
"\x04user\x18\x02 \x01(\tB\n" +
@@ -952,14 +994,18 @@ const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\ftenant_roles\x18\n" +
" \x03(\v2).metalstack.api.v2.Token.TenantRolesEntryR\vtenantRoles\x12J\n" +
"\n" +
- "admin_role\x18\v \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x1a_\n" +
+ "admin_role\x18\v \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x12J\n" +
+ "\n" +
+ "infra_role\x18\f \x01(\x0e2\x1c.metalstack.api.v2.InfraRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tinfraRole\x88\x01\x01\x1a_\n" +
"\x11ProjectRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x124\n" +
"\x05value\x18\x02 \x01(\x0e2\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x028\x01\x1a]\n" +
"\x10TenantRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x123\n" +
- "\x05value\x18\x02 \x01(\x0e2\x1d.metalstack.api.v2.TenantRoleR\x05value:\x028\x01B\r\n" +
- "\v_admin_role\"\xa7\x06\n" +
+ "\x05value\x18\x02 \x01(\x0e2\x1d.metalstack.api.v2.TenantRoleR\x05value:\x028\x01:\x9f\x01\xbaH\x9b\x01\x1a\x98\x01\n" +
+ "\x1btoken.permissions.usertoken\x12)token type user must not have permissions\x1aN(this.token_type == 2 && this.permissions.size() == 0) || this.token_type != 2B\r\n" +
+ "\v_admin_roleB\r\n" +
+ "\v_infra_role\"\x82\a\n" +
"\x19TokenServiceCreateRequest\x12-\n" +
"\vdescription\x18\x01 \x01(\tB\v\xbaH\br\x06ȳ\xae\xb1\x02\x01R\vdescription\x12O\n" +
"\vpermissions\x18\x02 \x03(\v2#.metalstack.api.v2.MethodPermissionB\b\xbaH\x05\x92\x01\x02\x10dR\vpermissions\x12G\n" +
@@ -967,18 +1013,20 @@ const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\rproject_roles\x18\x05 \x03(\v2>.metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\fprojectRoles\x12x\n" +
"\ftenant_roles\x18\x06 \x03(\v2=.metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\ar\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\vtenantRoles\x12J\n" +
"\n" +
- "admin_role\x18\a \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x121\n" +
- "\x06labels\x18\b \x01(\v2\x19.metalstack.api.v2.LabelsR\x06labels\x1a_\n" +
+ "admin_role\x18\a \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x12J\n" +
+ "\n" +
+ "infra_role\x18\b \x01(\x0e2\x1c.metalstack.api.v2.InfraRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tinfraRole\x88\x01\x01\x121\n" +
+ "\x06labels\x18\t \x01(\v2\x19.metalstack.api.v2.LabelsR\x06labels\x1a_\n" +
"\x11ProjectRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x124\n" +
"\x05value\x18\x02 \x01(\x0e2\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x028\x01\x1a]\n" +
"\x10TenantRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x123\n" +
"\x05value\x18\x02 \x01(\x0e2\x1d.metalstack.api.v2.TenantRoleR\x05value:\x028\x01B\r\n" +
- "\v_admin_role\"]\n" +
- "\x10MethodPermission\x12$\n" +
- "\asubject\x18\x01 \x01(\tB\n" +
- "\xbaH\ar\x05\x10\x02\x18\x80\x02R\asubject\x12#\n" +
+ "\v_admin_roleB\r\n" +
+ "\v_infra_role\"[\n" +
+ "\x10MethodPermission\x12\"\n" +
+ "\asubject\x18\x01 \x01(\tB\b\xbaH\x05r\x03\x18\x80\x02R\asubject\x12#\n" +
"\amethods\x18\x02 \x03(\tB\t\xbaH\x06\x92\x01\x03\x10\xf4\x03R\amethods\"d\n" +
"\x1aTokenServiceCreateResponse\x12.\n" +
"\x05token\x18\x01 \x01(\v2\x18.metalstack.api.v2.TokenR\x05token\x12\x16\n" +
@@ -988,7 +1036,7 @@ const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\x06tokens\x18\x01 \x03(\v2\x18.metalstack.api.v2.TokenR\x06tokens\"9\n" +
"\x19TokenServiceRevokeRequest\x12\x1c\n" +
"\x04uuid\x18\x01 \x01(\tB\b\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\"\x1c\n" +
- "\x1aTokenServiceRevokeResponse\"\xd5\x06\n" +
+ "\x1aTokenServiceRevokeResponse\"\xb0\a\n" +
"\x19TokenServiceUpdateRequest\x12\x1c\n" +
"\x04uuid\x18\x01 \x01(\tB\b\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12F\n" +
"\vupdate_meta\x18\x02 \x01(\v2\x1d.metalstack.api.v2.UpdateMetaB\x06\xbaH\x03\xc8\x01\x00R\n" +
@@ -998,8 +1046,10 @@ const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\rproject_roles\x18\x05 \x03(\v2>.metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\fprojectRoles\x12x\n" +
"\ftenant_roles\x18\x06 \x03(\v2=.metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\ar\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\vtenantRoles\x12J\n" +
"\n" +
- "admin_role\x18\a \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tadminRole\x88\x01\x01\x127\n" +
- "\x06labels\x18\b \x01(\v2\x1f.metalstack.api.v2.UpdateLabelsR\x06labels\x1a_\n" +
+ "admin_role\x18\a \x01(\x0e2\x1c.metalstack.api.v2.AdminRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tadminRole\x88\x01\x01\x12J\n" +
+ "\n" +
+ "infra_role\x18\b \x01(\x0e2\x1c.metalstack.api.v2.InfraRoleB\b\xbaH\x05\x82\x01\x02\x10\x01H\x02R\tinfraRole\x88\x01\x01\x127\n" +
+ "\x06labels\x18\t \x01(\v2\x1f.metalstack.api.v2.UpdateLabelsR\x06labels\x1a_\n" +
"\x11ProjectRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x124\n" +
"\x05value\x18\x02 \x01(\x0e2\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x028\x01\x1a]\n" +
@@ -1007,7 +1057,8 @@ const file_metalstack_api_v2_token_proto_rawDesc = "" +
"\x03key\x18\x01 \x01(\tR\x03key\x123\n" +
"\x05value\x18\x02 \x01(\x0e2\x1d.metalstack.api.v2.TenantRoleR\x05value:\x028\x01B\x0e\n" +
"\f_descriptionB\r\n" +
- "\v_admin_role\"L\n" +
+ "\v_admin_roleB\r\n" +
+ "\v_infra_role\"L\n" +
"\x1aTokenServiceUpdateResponse\x12.\n" +
"\x05token\x18\x01 \x01(\v2\x18.metalstack.api.v2.TokenR\x05token\"6\n" +
"\x16TokenServiceGetRequest\x12\x1c\n" +
@@ -1071,12 +1122,13 @@ var file_metalstack_api_v2_token_proto_goTypes = []any{
(*Meta)(nil), // 21: metalstack.api.v2.Meta
(*timestamppb.Timestamp)(nil), // 22: google.protobuf.Timestamp
(AdminRole)(0), // 23: metalstack.api.v2.AdminRole
- (*durationpb.Duration)(nil), // 24: google.protobuf.Duration
- (*Labels)(nil), // 25: metalstack.api.v2.Labels
- (*UpdateMeta)(nil), // 26: metalstack.api.v2.UpdateMeta
- (*UpdateLabels)(nil), // 27: metalstack.api.v2.UpdateLabels
- (ProjectRole)(0), // 28: metalstack.api.v2.ProjectRole
- (TenantRole)(0), // 29: metalstack.api.v2.TenantRole
+ (InfraRole)(0), // 24: metalstack.api.v2.InfraRole
+ (*durationpb.Duration)(nil), // 25: google.protobuf.Duration
+ (*Labels)(nil), // 26: metalstack.api.v2.Labels
+ (*UpdateMeta)(nil), // 27: metalstack.api.v2.UpdateMeta
+ (*UpdateLabels)(nil), // 28: metalstack.api.v2.UpdateLabels
+ (ProjectRole)(0), // 29: metalstack.api.v2.ProjectRole
+ (TenantRole)(0), // 30: metalstack.api.v2.TenantRole
}
var file_metalstack_api_v2_token_proto_depIdxs = []int32{
21, // 0: metalstack.api.v2.Token.meta:type_name -> metalstack.api.v2.Meta
@@ -1087,46 +1139,49 @@ var file_metalstack_api_v2_token_proto_depIdxs = []int32{
15, // 5: metalstack.api.v2.Token.project_roles:type_name -> metalstack.api.v2.Token.ProjectRolesEntry
16, // 6: metalstack.api.v2.Token.tenant_roles:type_name -> metalstack.api.v2.Token.TenantRolesEntry
23, // 7: metalstack.api.v2.Token.admin_role:type_name -> metalstack.api.v2.AdminRole
- 3, // 8: metalstack.api.v2.TokenServiceCreateRequest.permissions:type_name -> metalstack.api.v2.MethodPermission
- 24, // 9: metalstack.api.v2.TokenServiceCreateRequest.expires:type_name -> google.protobuf.Duration
- 17, // 10: metalstack.api.v2.TokenServiceCreateRequest.project_roles:type_name -> metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntry
- 18, // 11: metalstack.api.v2.TokenServiceCreateRequest.tenant_roles:type_name -> metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntry
- 23, // 12: metalstack.api.v2.TokenServiceCreateRequest.admin_role:type_name -> metalstack.api.v2.AdminRole
- 25, // 13: metalstack.api.v2.TokenServiceCreateRequest.labels:type_name -> metalstack.api.v2.Labels
- 1, // 14: metalstack.api.v2.TokenServiceCreateResponse.token:type_name -> metalstack.api.v2.Token
- 1, // 15: metalstack.api.v2.TokenServiceListResponse.tokens:type_name -> metalstack.api.v2.Token
- 26, // 16: metalstack.api.v2.TokenServiceUpdateRequest.update_meta:type_name -> metalstack.api.v2.UpdateMeta
- 3, // 17: metalstack.api.v2.TokenServiceUpdateRequest.permissions:type_name -> metalstack.api.v2.MethodPermission
- 19, // 18: metalstack.api.v2.TokenServiceUpdateRequest.project_roles:type_name -> metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntry
- 20, // 19: metalstack.api.v2.TokenServiceUpdateRequest.tenant_roles:type_name -> metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntry
- 23, // 20: metalstack.api.v2.TokenServiceUpdateRequest.admin_role:type_name -> metalstack.api.v2.AdminRole
- 27, // 21: metalstack.api.v2.TokenServiceUpdateRequest.labels:type_name -> metalstack.api.v2.UpdateLabels
- 1, // 22: metalstack.api.v2.TokenServiceUpdateResponse.token:type_name -> metalstack.api.v2.Token
- 1, // 23: metalstack.api.v2.TokenServiceGetResponse.token:type_name -> metalstack.api.v2.Token
- 1, // 24: metalstack.api.v2.TokenServiceRefreshResponse.token:type_name -> metalstack.api.v2.Token
- 28, // 25: metalstack.api.v2.Token.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
- 29, // 26: metalstack.api.v2.Token.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
- 28, // 27: metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
- 29, // 28: metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
- 28, // 29: metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
- 29, // 30: metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
- 11, // 31: metalstack.api.v2.TokenService.Get:input_type -> metalstack.api.v2.TokenServiceGetRequest
- 2, // 32: metalstack.api.v2.TokenService.Create:input_type -> metalstack.api.v2.TokenServiceCreateRequest
- 9, // 33: metalstack.api.v2.TokenService.Update:input_type -> metalstack.api.v2.TokenServiceUpdateRequest
- 5, // 34: metalstack.api.v2.TokenService.List:input_type -> metalstack.api.v2.TokenServiceListRequest
- 7, // 35: metalstack.api.v2.TokenService.Revoke:input_type -> metalstack.api.v2.TokenServiceRevokeRequest
- 13, // 36: metalstack.api.v2.TokenService.Refresh:input_type -> metalstack.api.v2.TokenServiceRefreshRequest
- 12, // 37: metalstack.api.v2.TokenService.Get:output_type -> metalstack.api.v2.TokenServiceGetResponse
- 4, // 38: metalstack.api.v2.TokenService.Create:output_type -> metalstack.api.v2.TokenServiceCreateResponse
- 10, // 39: metalstack.api.v2.TokenService.Update:output_type -> metalstack.api.v2.TokenServiceUpdateResponse
- 6, // 40: metalstack.api.v2.TokenService.List:output_type -> metalstack.api.v2.TokenServiceListResponse
- 8, // 41: metalstack.api.v2.TokenService.Revoke:output_type -> metalstack.api.v2.TokenServiceRevokeResponse
- 14, // 42: metalstack.api.v2.TokenService.Refresh:output_type -> metalstack.api.v2.TokenServiceRefreshResponse
- 37, // [37:43] is the sub-list for method output_type
- 31, // [31:37] is the sub-list for method input_type
- 31, // [31:31] is the sub-list for extension type_name
- 31, // [31:31] is the sub-list for extension extendee
- 0, // [0:31] is the sub-list for field type_name
+ 24, // 8: metalstack.api.v2.Token.infra_role:type_name -> metalstack.api.v2.InfraRole
+ 3, // 9: metalstack.api.v2.TokenServiceCreateRequest.permissions:type_name -> metalstack.api.v2.MethodPermission
+ 25, // 10: metalstack.api.v2.TokenServiceCreateRequest.expires:type_name -> google.protobuf.Duration
+ 17, // 11: metalstack.api.v2.TokenServiceCreateRequest.project_roles:type_name -> metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntry
+ 18, // 12: metalstack.api.v2.TokenServiceCreateRequest.tenant_roles:type_name -> metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntry
+ 23, // 13: metalstack.api.v2.TokenServiceCreateRequest.admin_role:type_name -> metalstack.api.v2.AdminRole
+ 24, // 14: metalstack.api.v2.TokenServiceCreateRequest.infra_role:type_name -> metalstack.api.v2.InfraRole
+ 26, // 15: metalstack.api.v2.TokenServiceCreateRequest.labels:type_name -> metalstack.api.v2.Labels
+ 1, // 16: metalstack.api.v2.TokenServiceCreateResponse.token:type_name -> metalstack.api.v2.Token
+ 1, // 17: metalstack.api.v2.TokenServiceListResponse.tokens:type_name -> metalstack.api.v2.Token
+ 27, // 18: metalstack.api.v2.TokenServiceUpdateRequest.update_meta:type_name -> metalstack.api.v2.UpdateMeta
+ 3, // 19: metalstack.api.v2.TokenServiceUpdateRequest.permissions:type_name -> metalstack.api.v2.MethodPermission
+ 19, // 20: metalstack.api.v2.TokenServiceUpdateRequest.project_roles:type_name -> metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntry
+ 20, // 21: metalstack.api.v2.TokenServiceUpdateRequest.tenant_roles:type_name -> metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntry
+ 23, // 22: metalstack.api.v2.TokenServiceUpdateRequest.admin_role:type_name -> metalstack.api.v2.AdminRole
+ 24, // 23: metalstack.api.v2.TokenServiceUpdateRequest.infra_role:type_name -> metalstack.api.v2.InfraRole
+ 28, // 24: metalstack.api.v2.TokenServiceUpdateRequest.labels:type_name -> metalstack.api.v2.UpdateLabels
+ 1, // 25: metalstack.api.v2.TokenServiceUpdateResponse.token:type_name -> metalstack.api.v2.Token
+ 1, // 26: metalstack.api.v2.TokenServiceGetResponse.token:type_name -> metalstack.api.v2.Token
+ 1, // 27: metalstack.api.v2.TokenServiceRefreshResponse.token:type_name -> metalstack.api.v2.Token
+ 29, // 28: metalstack.api.v2.Token.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
+ 30, // 29: metalstack.api.v2.Token.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
+ 29, // 30: metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
+ 30, // 31: metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
+ 29, // 32: metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntry.value:type_name -> metalstack.api.v2.ProjectRole
+ 30, // 33: metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntry.value:type_name -> metalstack.api.v2.TenantRole
+ 11, // 34: metalstack.api.v2.TokenService.Get:input_type -> metalstack.api.v2.TokenServiceGetRequest
+ 2, // 35: metalstack.api.v2.TokenService.Create:input_type -> metalstack.api.v2.TokenServiceCreateRequest
+ 9, // 36: metalstack.api.v2.TokenService.Update:input_type -> metalstack.api.v2.TokenServiceUpdateRequest
+ 5, // 37: metalstack.api.v2.TokenService.List:input_type -> metalstack.api.v2.TokenServiceListRequest
+ 7, // 38: metalstack.api.v2.TokenService.Revoke:input_type -> metalstack.api.v2.TokenServiceRevokeRequest
+ 13, // 39: metalstack.api.v2.TokenService.Refresh:input_type -> metalstack.api.v2.TokenServiceRefreshRequest
+ 12, // 40: metalstack.api.v2.TokenService.Get:output_type -> metalstack.api.v2.TokenServiceGetResponse
+ 4, // 41: metalstack.api.v2.TokenService.Create:output_type -> metalstack.api.v2.TokenServiceCreateResponse
+ 10, // 42: metalstack.api.v2.TokenService.Update:output_type -> metalstack.api.v2.TokenServiceUpdateResponse
+ 6, // 43: metalstack.api.v2.TokenService.List:output_type -> metalstack.api.v2.TokenServiceListResponse
+ 8, // 44: metalstack.api.v2.TokenService.Revoke:output_type -> metalstack.api.v2.TokenServiceRevokeResponse
+ 14, // 45: metalstack.api.v2.TokenService.Refresh:output_type -> metalstack.api.v2.TokenServiceRefreshResponse
+ 40, // [40:46] is the sub-list for method output_type
+ 34, // [34:40] is the sub-list for method input_type
+ 34, // [34:34] is the sub-list for extension type_name
+ 34, // [34:34] is the sub-list for extension extendee
+ 0, // [0:34] is the sub-list for field type_name
}
func init() { file_metalstack_api_v2_token_proto_init() }
diff --git a/go/metalstack/infra/v2/bmc.pb.go b/go/metalstack/infra/v2/bmc.pb.go
index 198c93e3..a9842bb5 100644
--- a/go/metalstack/infra/v2/bmc.pb.go
+++ b/go/metalstack/infra/v2/bmc.pb.go
@@ -102,11 +102,10 @@ const file_metalstack_infra_v2_bmc_proto_rawDesc = "" +
"\n" +
"\x1dmetalstack/infra/v2/bmc.proto\x12\x13metalstack.infra.v2\x1a\x1emetalstack/api/v2/common.proto\"\x16\n" +
"\x14UpdateBMCInfoRequest\"\x17\n" +
- "\x15UpdateBMCInfoResponse2\x80\x01\n" +
+ "\x15UpdateBMCInfoResponse2\x7f\n" +
"\n" +
- "BMCService\x12r\n" +
- "\rUpdateBMCInfo\x12).metalstack.infra.v2.UpdateBMCInfoRequest\x1a*.metalstack.infra.v2.UpdateBMCInfoResponse\"\n" +
- "\xe0\xf3\x18\x02\xea\xf3\x18\x02\x01\x02B\xcc\x01\n" +
+ "BMCService\x12q\n" +
+ "\rUpdateBMCInfo\x12).metalstack.infra.v2.UpdateBMCInfoRequest\x1a*.metalstack.infra.v2.UpdateBMCInfoResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01B\xcc\x01\n" +
"\x17com.metalstack.infra.v2B\bBmcProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3"
var (
diff --git a/go/metalstack/infra/v2/switch.pb.go b/go/metalstack/infra/v2/switch.pb.go
index abd7e949..1fd9342a 100644
--- a/go/metalstack/infra/v2/switch.pb.go
+++ b/go/metalstack/infra/v2/switch.pb.go
@@ -457,9 +457,10 @@ const file_metalstack_infra_v2_switch_proto_rawDesc = "" +
"\x04time\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\x04time\x125\n" +
"\bduration\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\bduration\x12\x19\n" +
"\x05error\x18\x03 \x01(\tH\x00R\x05error\x88\x01\x01B\b\n" +
- "\x06_error2\xfd\x02\n" +
- "\rSwitchService\x12m\n" +
- "\x03Get\x12,.metalstack.infra.v2.SwitchServiceGetRequest\x1a-.metalstack.infra.v2.SwitchServiceGetResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x12|\n" +
+ "\x06_error2\xfe\x02\n" +
+ "\rSwitchService\x12n\n" +
+ "\x03Get\x12,.metalstack.infra.v2.SwitchServiceGetRequest\x1a-.metalstack.infra.v2.SwitchServiceGetResponse\"\n" +
+ "\xe0\xf3\x18\x02\xea\xf3\x18\x02\x01\x02\x12|\n" +
"\bRegister\x121.metalstack.infra.v2.SwitchServiceRegisterRequest\x1a2.metalstack.infra.v2.SwitchServiceRegisterResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x12\x7f\n" +
"\tHeartbeat\x122.metalstack.infra.v2.SwitchServiceHeartbeatRequest\x1a3.metalstack.infra.v2.SwitchServiceHeartbeatResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01B\xcf\x01\n" +
"\x17com.metalstack.infra.v2B\vSwitchProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3"
diff --git a/go/permissions/permissions.go b/go/permissions/permissions.go
index c12d57b5..40bb83e8 100644
--- a/go/permissions/permissions.go
+++ b/go/permissions/permissions.go
@@ -4,14 +4,15 @@ import (
_ "embed"
)
-type ServicePermissions struct {
- Roles Roles `json:"roles"`
- Methods Methods `json:"methods"`
- Visibility Visibility `json:"visibility"`
- Auditable Auditable `json:"auditable,omitempty"`
- Services []string `json:"services,omitempty"`
-}
type (
+ ServicePermissions struct {
+ Roles Roles `json:"roles"`
+ Methods Methods `json:"methods"`
+ Visibility Visibility `json:"visibility"`
+ Auditable Auditable `json:"auditable,omitempty"`
+ Services []string `json:"services,omitempty"`
+ }
+
Methods map[string]bool
Chargeable map[string]bool
@@ -21,21 +22,21 @@ type (
Infra map[string][]string
Tenant map[string][]string
Project map[string][]string
-)
-// Roles
-type Roles struct {
- Admin Admin `json:"admin,omitempty"`
- Infra Infra `json:"infra,omitempty"`
- Tenant Tenant `json:"tenant,omitempty"`
- Project Project `json:"project,omitempty"`
-}
+ // Roles
+ Roles struct {
+ Admin Admin `json:"admin,omitempty"`
+ Infra Infra `json:"infra,omitempty"`
+ Tenant Tenant `json:"tenant,omitempty"`
+ Project Project `json:"project,omitempty"`
+ }
-type Visibility struct {
- Public map[string]bool `json:"public,omitempty"`
- Self map[string]bool `json:"self,omitempty"`
- Admin map[string]bool `json:"admin,omitempty"`
- Infra map[string]bool `json:"infra,omitempty"`
- Tenant map[string]bool `json:"tenant,omitempty"`
- Project map[string]bool `json:"project,omitempty"`
-}
+ Visibility struct {
+ Public map[string]bool `json:"public,omitempty"`
+ Self map[string]bool `json:"self,omitempty"`
+ Admin map[string]bool `json:"admin,omitempty"`
+ Infra map[string]bool `json:"infra,omitempty"`
+ Tenant map[string]bool `json:"tenant,omitempty"`
+ Project map[string]bool `json:"project,omitempty"`
+ }
+)
diff --git a/go/permissions/servicepermissions.go b/go/permissions/servicepermissions.go
index 2d98df84..fe43b278 100755
--- a/go/permissions/servicepermissions.go
+++ b/go/permissions/servicepermissions.go
@@ -1,4 +1,4 @@
-// Code generated discover.go. DO NOT EDIT.
+// Code generated generate.go. DO NOT EDIT.
package permissions
import (
@@ -91,10 +91,13 @@ func GetServicePermissions() *ServicePermissions {
},
Infra: Infra{
"INFRA_ROLE_EDITOR": []string{
+ "/metalstack.infra.v2.BMCService/UpdateBMCInfo",
+ "/metalstack.infra.v2.SwitchService/Get",
+ "/metalstack.infra.v2.SwitchService/Register",
"/metalstack.infra.v2.SwitchService/Heartbeat",
},
"INFRA_ROLE_VIEWER": []string{
- "/metalstack.infra.v2.BMCService/UpdateBMCInfo",
+ "/metalstack.infra.v2.SwitchService/Get",
},
},
Tenant: Tenant{
@@ -184,106 +187,108 @@ func GetServicePermissions() *ServicePermissions {
},
},
Methods: map[string]bool{
- "/metalstack.admin.v2.FilesystemService/Create": true,
- "/metalstack.admin.v2.FilesystemService/Delete": true,
- "/metalstack.admin.v2.FilesystemService/Update": true,
- "/metalstack.admin.v2.IPService/List": true,
- "/metalstack.admin.v2.ImageService/Create": true,
- "/metalstack.admin.v2.ImageService/Delete": true,
- "/metalstack.admin.v2.ImageService/Update": true,
- "/metalstack.admin.v2.ImageService/Usage": true,
- "/metalstack.admin.v2.MachineService/Get": true,
- "/metalstack.admin.v2.MachineService/List": true,
- "/metalstack.admin.v2.NetworkService/Create": true,
- "/metalstack.admin.v2.NetworkService/Delete": true,
- "/metalstack.admin.v2.NetworkService/Get": true,
- "/metalstack.admin.v2.NetworkService/List": true,
- "/metalstack.admin.v2.NetworkService/Update": true,
- "/metalstack.admin.v2.PartitionService/Capacity": true,
- "/metalstack.admin.v2.PartitionService/Create": true,
- "/metalstack.admin.v2.PartitionService/Delete": true,
- "/metalstack.admin.v2.PartitionService/Update": true,
- "/metalstack.admin.v2.SizeService/Create": true,
- "/metalstack.admin.v2.SizeService/Delete": true,
- "/metalstack.admin.v2.SizeService/Update": true,
- "/metalstack.admin.v2.SwitchService/Delete": true,
- "/metalstack.admin.v2.SwitchService/Get": true,
- "/metalstack.admin.v2.SwitchService/List": true,
- "/metalstack.admin.v2.SwitchService/Migrate": true,
- "/metalstack.admin.v2.SwitchService/Port": true,
- "/metalstack.admin.v2.SwitchService/Update": true,
- "/metalstack.admin.v2.TenantService/Create": true,
- "/metalstack.admin.v2.TenantService/List": true,
- "/metalstack.admin.v2.TokenService/Create": true,
- "/metalstack.admin.v2.TokenService/List": true,
- "/metalstack.admin.v2.TokenService/Revoke": true,
- "/metalstack.api.v2.FilesystemService/Get": true,
- "/metalstack.api.v2.FilesystemService/List": true,
- "/metalstack.api.v2.FilesystemService/Match": true,
- "/metalstack.api.v2.HealthService/Get": true,
- "/metalstack.api.v2.IPService/Create": true,
- "/metalstack.api.v2.IPService/Delete": true,
- "/metalstack.api.v2.IPService/Get": true,
- "/metalstack.api.v2.IPService/List": true,
- "/metalstack.api.v2.IPService/Update": true,
- "/metalstack.api.v2.ImageService/Get": true,
- "/metalstack.api.v2.ImageService/Latest": true,
- "/metalstack.api.v2.ImageService/List": true,
- "/metalstack.api.v2.MachineService/Create": true,
- "/metalstack.api.v2.MachineService/Delete": true,
- "/metalstack.api.v2.MachineService/Get": true,
- "/metalstack.api.v2.MachineService/List": true,
- "/metalstack.api.v2.MachineService/Update": true,
- "/metalstack.api.v2.MethodService/List": true,
- "/metalstack.api.v2.MethodService/TokenScopedList": true,
- "/metalstack.api.v2.NetworkService/Create": true,
- "/metalstack.api.v2.NetworkService/Delete": true,
- "/metalstack.api.v2.NetworkService/Get": true,
- "/metalstack.api.v2.NetworkService/List": true,
- "/metalstack.api.v2.NetworkService/ListBaseNetworks": true,
- "/metalstack.api.v2.NetworkService/Update": true,
- "/metalstack.api.v2.PartitionService/Get": true,
- "/metalstack.api.v2.PartitionService/List": true,
- "/metalstack.api.v2.ProjectService/Create": true,
- "/metalstack.api.v2.ProjectService/Delete": true,
- "/metalstack.api.v2.ProjectService/Get": true,
- "/metalstack.api.v2.ProjectService/Invite": true,
- "/metalstack.api.v2.ProjectService/InviteAccept": true,
- "/metalstack.api.v2.ProjectService/InviteDelete": true,
- "/metalstack.api.v2.ProjectService/InviteGet": true,
- "/metalstack.api.v2.ProjectService/InvitesList": true,
- "/metalstack.api.v2.ProjectService/Leave": true,
- "/metalstack.api.v2.ProjectService/List": true,
- "/metalstack.api.v2.ProjectService/RemoveMember": true,
- "/metalstack.api.v2.ProjectService/Update": true,
- "/metalstack.api.v2.ProjectService/UpdateMember": true,
- "/metalstack.api.v2.SizeService/Get": true,
- "/metalstack.api.v2.SizeService/List": true,
- "/metalstack.api.v2.TenantService/Create": true,
- "/metalstack.api.v2.TenantService/Delete": true,
- "/metalstack.api.v2.TenantService/Get": true,
- "/metalstack.api.v2.TenantService/Invite": true,
- "/metalstack.api.v2.TenantService/InviteAccept": true,
- "/metalstack.api.v2.TenantService/InviteDelete": true,
- "/metalstack.api.v2.TenantService/InviteGet": true,
- "/metalstack.api.v2.TenantService/InvitesList": true,
- "/metalstack.api.v2.TenantService/Leave": true,
- "/metalstack.api.v2.TenantService/List": true,
- "/metalstack.api.v2.TenantService/RemoveMember": true,
- "/metalstack.api.v2.TenantService/Update": true,
- "/metalstack.api.v2.TenantService/UpdateMember": true,
- "/metalstack.api.v2.TokenService/Create": true,
- "/metalstack.api.v2.TokenService/Get": true,
- "/metalstack.api.v2.TokenService/List": true,
- "/metalstack.api.v2.TokenService/Refresh": true,
- "/metalstack.api.v2.TokenService/Revoke": true,
- "/metalstack.api.v2.TokenService/Update": true,
- "/metalstack.api.v2.UserService/Get": true,
- "/metalstack.api.v2.VersionService/Get": true,
- "/metalstack.infra.v2.BMCService/UpdateBMCInfo": true,
- "/metalstack.infra.v2.SwitchService/Get": true,
- "/metalstack.infra.v2.SwitchService/Heartbeat": true,
- "/metalstack.infra.v2.SwitchService/Register": true,
+ "/grpc.reflection.v1.ServerReflection/ServerReflectionInfo": true,
+ "/grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo": true,
+ "/metalstack.admin.v2.FilesystemService/Create": true,
+ "/metalstack.admin.v2.FilesystemService/Delete": true,
+ "/metalstack.admin.v2.FilesystemService/Update": true,
+ "/metalstack.admin.v2.IPService/List": true,
+ "/metalstack.admin.v2.ImageService/Create": true,
+ "/metalstack.admin.v2.ImageService/Delete": true,
+ "/metalstack.admin.v2.ImageService/Update": true,
+ "/metalstack.admin.v2.ImageService/Usage": true,
+ "/metalstack.admin.v2.MachineService/Get": true,
+ "/metalstack.admin.v2.MachineService/List": true,
+ "/metalstack.admin.v2.NetworkService/Create": true,
+ "/metalstack.admin.v2.NetworkService/Delete": true,
+ "/metalstack.admin.v2.NetworkService/Get": true,
+ "/metalstack.admin.v2.NetworkService/List": true,
+ "/metalstack.admin.v2.NetworkService/Update": true,
+ "/metalstack.admin.v2.PartitionService/Capacity": true,
+ "/metalstack.admin.v2.PartitionService/Create": true,
+ "/metalstack.admin.v2.PartitionService/Delete": true,
+ "/metalstack.admin.v2.PartitionService/Update": true,
+ "/metalstack.admin.v2.SizeService/Create": true,
+ "/metalstack.admin.v2.SizeService/Delete": true,
+ "/metalstack.admin.v2.SizeService/Update": true,
+ "/metalstack.admin.v2.SwitchService/Delete": true,
+ "/metalstack.admin.v2.SwitchService/Get": true,
+ "/metalstack.admin.v2.SwitchService/List": true,
+ "/metalstack.admin.v2.SwitchService/Migrate": true,
+ "/metalstack.admin.v2.SwitchService/Port": true,
+ "/metalstack.admin.v2.SwitchService/Update": true,
+ "/metalstack.admin.v2.TenantService/Create": true,
+ "/metalstack.admin.v2.TenantService/List": true,
+ "/metalstack.admin.v2.TokenService/Create": true,
+ "/metalstack.admin.v2.TokenService/List": true,
+ "/metalstack.admin.v2.TokenService/Revoke": true,
+ "/metalstack.api.v2.FilesystemService/Get": true,
+ "/metalstack.api.v2.FilesystemService/List": true,
+ "/metalstack.api.v2.FilesystemService/Match": true,
+ "/metalstack.api.v2.HealthService/Get": true,
+ "/metalstack.api.v2.IPService/Create": true,
+ "/metalstack.api.v2.IPService/Delete": true,
+ "/metalstack.api.v2.IPService/Get": true,
+ "/metalstack.api.v2.IPService/List": true,
+ "/metalstack.api.v2.IPService/Update": true,
+ "/metalstack.api.v2.ImageService/Get": true,
+ "/metalstack.api.v2.ImageService/Latest": true,
+ "/metalstack.api.v2.ImageService/List": true,
+ "/metalstack.api.v2.MachineService/Create": true,
+ "/metalstack.api.v2.MachineService/Delete": true,
+ "/metalstack.api.v2.MachineService/Get": true,
+ "/metalstack.api.v2.MachineService/List": true,
+ "/metalstack.api.v2.MachineService/Update": true,
+ "/metalstack.api.v2.MethodService/List": true,
+ "/metalstack.api.v2.MethodService/TokenScopedList": true,
+ "/metalstack.api.v2.NetworkService/Create": true,
+ "/metalstack.api.v2.NetworkService/Delete": true,
+ "/metalstack.api.v2.NetworkService/Get": true,
+ "/metalstack.api.v2.NetworkService/List": true,
+ "/metalstack.api.v2.NetworkService/ListBaseNetworks": true,
+ "/metalstack.api.v2.NetworkService/Update": true,
+ "/metalstack.api.v2.PartitionService/Get": true,
+ "/metalstack.api.v2.PartitionService/List": true,
+ "/metalstack.api.v2.ProjectService/Create": true,
+ "/metalstack.api.v2.ProjectService/Delete": true,
+ "/metalstack.api.v2.ProjectService/Get": true,
+ "/metalstack.api.v2.ProjectService/Invite": true,
+ "/metalstack.api.v2.ProjectService/InviteAccept": true,
+ "/metalstack.api.v2.ProjectService/InviteDelete": true,
+ "/metalstack.api.v2.ProjectService/InviteGet": true,
+ "/metalstack.api.v2.ProjectService/InvitesList": true,
+ "/metalstack.api.v2.ProjectService/Leave": true,
+ "/metalstack.api.v2.ProjectService/List": true,
+ "/metalstack.api.v2.ProjectService/RemoveMember": true,
+ "/metalstack.api.v2.ProjectService/Update": true,
+ "/metalstack.api.v2.ProjectService/UpdateMember": true,
+ "/metalstack.api.v2.SizeService/Get": true,
+ "/metalstack.api.v2.SizeService/List": true,
+ "/metalstack.api.v2.TenantService/Create": true,
+ "/metalstack.api.v2.TenantService/Delete": true,
+ "/metalstack.api.v2.TenantService/Get": true,
+ "/metalstack.api.v2.TenantService/Invite": true,
+ "/metalstack.api.v2.TenantService/InviteAccept": true,
+ "/metalstack.api.v2.TenantService/InviteDelete": true,
+ "/metalstack.api.v2.TenantService/InviteGet": true,
+ "/metalstack.api.v2.TenantService/InvitesList": true,
+ "/metalstack.api.v2.TenantService/Leave": true,
+ "/metalstack.api.v2.TenantService/List": true,
+ "/metalstack.api.v2.TenantService/RemoveMember": true,
+ "/metalstack.api.v2.TenantService/Update": true,
+ "/metalstack.api.v2.TenantService/UpdateMember": true,
+ "/metalstack.api.v2.TokenService/Create": true,
+ "/metalstack.api.v2.TokenService/Get": true,
+ "/metalstack.api.v2.TokenService/List": true,
+ "/metalstack.api.v2.TokenService/Refresh": true,
+ "/metalstack.api.v2.TokenService/Revoke": true,
+ "/metalstack.api.v2.TokenService/Update": true,
+ "/metalstack.api.v2.UserService/Get": true,
+ "/metalstack.api.v2.VersionService/Get": true,
+ "/metalstack.infra.v2.BMCService/UpdateBMCInfo": true,
+ "/metalstack.infra.v2.SwitchService/Get": true,
+ "/metalstack.infra.v2.SwitchService/Heartbeat": true,
+ "/metalstack.infra.v2.SwitchService/Register": true,
},
Visibility: Visibility{
Public: map[string]bool{
diff --git a/go/tests/validation/token_test.go b/go/tests/validation/token_test.go
index c5a8228a..f4dd5032 100644
--- a/go/tests/validation/token_test.go
+++ b/go/tests/validation/token_test.go
@@ -48,6 +48,40 @@ func TestValidateToken(t *testing.T) {
wantErrorMessage: `validation error:
- project_roles["00000000-0000-0000-0000-000000000000"]: value must be one of the defined enum values [enum.defined_only]`,
},
+ {
+ name: "InValid Token, user token with permissions",
+ msg: &apiv2.Token{
+ Uuid: "00000000-0000-0000-0000-000000000000",
+ User: "user-a",
+ Description: "B Token",
+ Permissions: []*apiv2.MethodPermission{
+ {
+ Subject: "project-a",
+ Methods: []string{"/metalstack.admin.v2.IPService/List"},
+ },
+ },
+ TokenType: apiv2.TokenType_TOKEN_TYPE_USER,
+ },
+ wantErr: true,
+ wantErrorMessage: `validation error:
+ - token type user must not have permissions [token.permissions.usertoken]`,
+ },
+ {
+ name: "Valid Token, api token with permissions",
+ msg: &apiv2.Token{
+ Uuid: "00000000-0000-0000-0000-000000000000",
+ User: "user-a",
+ Description: "B Token",
+ Permissions: []*apiv2.MethodPermission{
+ {
+ Subject: "project-a",
+ Methods: []string{"/metalstack.admin.v2.IPService/List"},
+ },
+ },
+ TokenType: apiv2.TokenType_TOKEN_TYPE_API,
+ },
+ wantErr: false,
+ },
}
validateProtos(t, tests)
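Review bot: The two new cases cover the user-token rule, but nothing exercises the `subject` relaxation made in the same commit, where `min_len: 2` is dropped and `*` and `""` become documented values. A case per special value pins that behaviour, so that a later tightening or loosening of the constraint shows up as a test failure rather than as a silent change in what a token may carry. The sketch below assumes an api token with `Subject: "*"` validates under the new rules; an equivalent case with `Subject: ""` would complete it. The naming `InValid Token` in the first added case would also read better as `Invalid Token`. TestValidateToken starts outside the hunk.

```go
// … unchanged: existing cases through "Valid Token, api token with permissions" …
{
	name: "Valid Token, api token with wildcard subject",
	msg: &apiv2.Token{
		Uuid:        "00000000-0000-0000-0000-000000000000",
		User:        "user-a",
		Description: "B Token",
		Permissions: []*apiv2.MethodPermission{
			{
				Subject: "*",
				Methods: []string{"/metalstack.admin.v2.IPService/List"},
			},
		},
		TokenType: apiv2.TokenType_TOKEN_TYPE_API,
	},
	wantErr: false,
},
```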
diff --git a/proto/metalstack/admin/v2/token.proto b/proto/metalstack/admin/v2/token.proto
index b79a04d4..aa2d61de 100644
--- a/proto/metalstack/admin/v2/token.proto
+++ b/proto/metalstack/admin/v2/token.proto
@@ -17,7 +17,8 @@ service TokenService {
rpc Revoke(TokenServiceRevokeRequest) returns (TokenServiceRevokeResponse) {
option (metalstack.api.v2.admin_roles) = ADMIN_ROLE_EDITOR;
}
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
+ // This service is suitable to create tokens for other users instead of deriving users from tokens directly.
rpc Create(TokenServiceCreateRequest) returns (TokenServiceCreateResponse) {
option (metalstack.api.v2.admin_roles) = ADMIN_ROLE_EDITOR;
}
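Review bot: The added comment line says Create can issue tokens for other users, but "instead of deriving users from tokens directly" is hard to parse, and the comment does not mention the guard visible on the rpc, `ADMIN_ROLE_EDITOR`. Since this is the call that lets one principal mint credentials for another, I would state that plainly, e.g. `// Admins with ADMIN_ROLE_EDITOR can use this call to create a token on behalf of another user.` No auditing option is set on the rpc in this hunk, so it is worth confirming that token creation for another user ends up in the audit trail. The service body starts and ends outside the hunk.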
diff --git a/proto/metalstack/api/v2/token.proto b/proto/metalstack/api/v2/token.proto
index 64c51786..539e9ef6 100644
--- a/proto/metalstack/api/v2/token.proto
+++ b/proto/metalstack/api/v2/token.proto
@@ -14,7 +14,7 @@ service TokenService {
rpc Get(TokenServiceGetRequest) returns (TokenServiceGetResponse) {
option (visibility) = VISIBILITY_SELF;
}
- // Create a token to authenticate against the platform, the secret will be only visible in the response
+ // Create a token to authenticate against the platform, the secret will be only visible in the response.
rpc Create(TokenServiceCreateRequest) returns (TokenServiceCreateResponse) {
option (visibility) = VISIBILITY_SELF;
}
@@ -36,8 +36,25 @@ service TokenService {
}
}
-// Token is a jwt authentication token to access the api
+// Token generates a jwt authentication token to access the api
+//
+// There are two different types of tokens, api- and user- tokens
+//
+// A user token is used to authenticate end user requests for example from a cli.
+// The configured roles in a user token are expanded in the api server
+// based on the memberships in other projects and tenants based on the role granted there.
+// User tokens will never contain permissions.
+// Permissions are always derived from the tenant and project roles and memberships.
+//
+// The api token should be used to authenticate services.
+// In contrast to a user token, the api token permissions and roles apply as configured during the token create process.
message Token {
+ // Message level validation, can be developed using https://protovalidate.com/playground
+ option (buf.validate.message).cel = {
+ id: "token.permissions.usertoken"
+ message: "token type user must not have permissions"
+ expression: "(this.token_type == 2 && this.permissions.size() == 0) || this.token_type != 2"
+ };
// Uuid of the jwt token, used to reference it by revoke
string uuid = 1 [(buf.validate.field).string.uuid = true];
// User who created this token
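Review bot: The CEL rule compares `this.token_type` with the bare number `2`, so it enforces the intended restriction only while that number remains the user token type in the TokenType enum. The test added in token_test.go implies 2 is TOKEN_TYPE_USER, but the rule itself does not say so. A line next to the existing `// Message level validation` comment, such as `// 2 == TOKEN_TYPE_USER, keep in sync with enum TokenType`, makes the coupling visible, and the expression can be shortened to `this.token_type != 2 || this.permissions.size() == 0`. The rule is attached to `Token` only; whether the create request rejects permissions for user tokens cannot be seen from this hunk and is worth confirming, since that is where the values enter. The body of `message Token` continues outside the hunk.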
@@ -63,6 +80,8 @@ message Token {
map tenant_roles = 10;
// AdminRole defines the admin role of the token owner
optional AdminRole admin_role = 11 [(buf.validate.field).enum.defined_only = true];
+ // InfraRole defines the infrastructure role of the token owner
+ optional InfraRole infra_role = 12 [(buf.validate.field).enum.defined_only = true];
}
// TokenType specifies different use cases of tokens
@@ -109,18 +128,21 @@ message TokenServiceCreateRequest {
}];
// AdminRole defines the admin role of the token owner
optional AdminRole admin_role = 7 [(buf.validate.field).enum.defined_only = true];
+ // InfraRole defines the infrastructure role of the token owner
+ optional InfraRole infra_role = 8 [(buf.validate.field).enum.defined_only = true];
// Labels on this token
- Labels labels = 8;
+ Labels labels = 9;
}
// MethodPermission is a mapping from a subject/project to a service method
message MethodPermission {
// Subject maybe either the project or the tenant
// for which the methods should be allowed
- string subject = 1 [(buf.validate.field).string = {
- min_len: 2
- max_len: 256
- }];
+ //
+ // asterisk (*) can be specified to match any subject
+ // empty string ("") can be specified for requests that do not require a subject, e.g. partition list
+ // otherwise either a projectid or a tenant login should be specified
+ string subject = 1 [(buf.validate.field).string = {max_len: 256}];
// Methods which should be accessible
repeated string methods = 2 [(buf.validate.field).repeated.max_items = 500];
}
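Review bot: `infra_role = 8` takes over the field number that `labels` used and `labels` moves to 9, which changes the wire format of TokenServiceCreateRequest; the TokenServiceUpdateRequest hunk below does the same. A client built against the old schema still sends labels on field 8, and a server on the new schema will not read them as labels. Keeping `Labels labels = 8;` (and `UpdateLabels labels = 8;`) and giving the new field the next free number, `optional InfraRole infra_role = 9 [...]`, avoids that. Separately, dropping `min_len: 2` on `subject` means validation now accepts every string up to 256 characters, including `*`. Since a wildcard subject widens an api token to any project or tenant, the comment should say who may request it; the check that enforces this is presumably server-side and not visible here. TokenServiceCreateRequest starts outside the hunk.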
@@ -185,8 +207,10 @@ message TokenServiceUpdateRequest {
}];
// AdminRole defines the admin role of the token owner
optional AdminRole admin_role = 7 [(buf.validate.field).enum.defined_only = true];
+ // InfraRole defines the infrastructure role of the token owner
+ optional InfraRole infra_role = 8 [(buf.validate.field).enum.defined_only = true];
// Labels on this token
- UpdateLabels labels = 8;
+ UpdateLabels labels = 9;
}
// TokenServiceUpdateResponse is the response payload of a token update request
diff --git a/proto/metalstack/infra/v2/bmc.proto b/proto/metalstack/infra/v2/bmc.proto
index 8aa98c12..06de6530 100644
--- a/proto/metalstack/infra/v2/bmc.proto
+++ b/proto/metalstack/infra/v2/bmc.proto
@@ -9,7 +9,6 @@ service BMCService {
// UpdateBMCInfo
rpc UpdateBMCInfo(UpdateBMCInfoRequest) returns (UpdateBMCInfoResponse) {
option (metalstack.api.v2.infra_roles) = INFRA_ROLE_EDITOR;
- option (metalstack.api.v2.infra_roles) = INFRA_ROLE_VIEWER;
option (metalstack.api.v2.auditing) = AUDITING_EXCLUDED;
}
}
diff --git a/proto/metalstack/infra/v2/switch.proto b/proto/metalstack/infra/v2/switch.proto
index 04d9f58b..d89dc204 100644
--- a/proto/metalstack/infra/v2/switch.proto
+++ b/proto/metalstack/infra/v2/switch.proto
@@ -14,6 +14,7 @@ service SwitchService {
// Get a switch by ID.
rpc Get(SwitchServiceGetRequest) returns (SwitchServiceGetResponse) {
option (metalstack.api.v2.infra_roles) = INFRA_ROLE_EDITOR;
+ option (metalstack.api.v2.infra_roles) = INFRA_ROLE_VIEWER;
option (metalstack.api.v2.auditing) = AUDITING_EXCLUDED;
}
// Register a switch.
diff --git a/python/metalstack/api/v2/token_pb2.py b/python/metalstack/api/v2/token_pb2.py
index 159d9e29..5a600d7e 100644
--- a/python/metalstack/api/v2/token_pb2.py
+++ b/python/metalstack/api/v2/token_pb2.py
@@ -29,7 +29,7 @@
from metalstack.api.v2 import predefined_rules_pb2 as metalstack_dot_api_dot_v2_dot_predefined__rules__pb2
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1dmetalstack/api/v2/token.proto\x12\x11metalstack.api.v2\x1a\x1b\x62uf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\"\xe3\x06\n\x05Token\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12\x1e\n\x04user\x18\x02 \x01(\tB\n\xbaH\x07r\x05\x10\x02\x18\x80\x04R\x04user\x12+\n\x04meta\x18\x03 \x01(\x0b\x32\x17.metalstack.api.v2.MetaR\x04meta\x12-\n\x0b\x64\x65scription\x18\x04 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01R\x0b\x64\x65scription\x12P\n\x0bpermissions\x18\x05 \x03(\x0b\x32#.metalstack.api.v2.MethodPermissionB\t\xbaH\x06\x92\x01\x03\x10\xf4\x03R\x0bpermissions\x12\x34\n\x07\x65xpires\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x07\x65xpires\x12\x37\n\tissued_at\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x08issuedAt\x12\x45\n\ntoken_type\x18\x08 \x01(\x0e\x32\x1c.metalstack.api.v2.TokenTypeB\x08\xbaH\x05\x82\x01\x02\x10\x01R\ttokenType\x12O\n\rproject_roles\x18\t \x03(\x0b\x32*.metalstack.api.v2.Token.ProjectRolesEntryR\x0cprojectRoles\x12L\n\x0ctenant_roles\x18\n \x03(\x0b\x32).metalstack.api.v2.Token.TenantRolesEntryR\x0btenantRoles\x12J\n\nadmin_role\x18\x0b \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 \x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01\x42\r\n\x0b_admin_role\"\xa7\x06\n\x19TokenServiceCreateRequest\x12-\n\x0b\x64\x65scription\x18\x01 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01R\x0b\x64\x65scription\x12O\n\x0bpermissions\x18\x02 
\x03(\x0b\x32#.metalstack.api.v2.MethodPermissionB\x08\xbaH\x05\x92\x01\x02\x10\x64R\x0bpermissions\x12G\n\x07\x65xpires\x18\x04 \x01(\x0b\x32\x19.google.protobuf.DurationB\x12\xbaH\x0f\xaa\x01\x0c\x1a\x05\x08\x81\xe7\x84\x0f\x32\x03\x08\xd8\x04R\x07\x65xpires\x12y\n\rproject_roles\x18\x05 \x03(\x0b\x32>.metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\x0cprojectRoles\x12x\n\x0ctenant_roles\x18\x06 \x03(\x0b\x32=.metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\x07r\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\x0btenantRoles\x12J\n\nadmin_role\x18\x07 \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x12\x31\n\x06labels\x18\x08 \x01(\x0b\x32\x19.metalstack.api.v2.LabelsR\x06labels\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 \x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01\x42\r\n\x0b_admin_role\"]\n\x10MethodPermission\x12$\n\x07subject\x18\x01 \x01(\tB\n\xbaH\x07r\x05\x10\x02\x18\x80\x02R\x07subject\x12#\n\x07methods\x18\x02 \x03(\tB\t\xbaH\x06\x92\x01\x03\x10\xf4\x03R\x07methods\"d\n\x1aTokenServiceCreateResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\x12\x16\n\x06secret\x18\x02 \x01(\tR\x06secret\"\x19\n\x17TokenServiceListRequest\"L\n\x18TokenServiceListResponse\x12\x30\n\x06tokens\x18\x01 \x03(\x0b\x32\x18.metalstack.api.v2.TokenR\x06tokens\"9\n\x19TokenServiceRevokeRequest\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\"\x1c\n\x1aTokenServiceRevokeResponse\"\xd5\x06\n\x19TokenServiceUpdateRequest\x12\x1c\n\x04uuid\x18\x01 
\x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12\x46\n\x0bupdate_meta\x18\x02 \x01(\x0b\x32\x1d.metalstack.api.v2.UpdateMetaB\x06\xbaH\x03\xc8\x01\x00R\nupdateMeta\x12\x32\n\x0b\x64\x65scription\x18\x03 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01H\x00R\x0b\x64\x65scription\x88\x01\x01\x12\x45\n\x0bpermissions\x18\x04 \x03(\x0b\x32#.metalstack.api.v2.MethodPermissionR\x0bpermissions\x12y\n\rproject_roles\x18\x05 \x03(\x0b\x32>.metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\x0cprojectRoles\x12x\n\x0ctenant_roles\x18\x06 \x03(\x0b\x32=.metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\x07r\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\x0btenantRoles\x12J\n\nadmin_role\x18\x07 \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tadminRole\x88\x01\x01\x12\x37\n\x06labels\x18\x08 \x01(\x0b\x32\x1f.metalstack.api.v2.UpdateLabelsR\x06labels\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 \x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01\x42\x0e\n\x0c_descriptionB\r\n\x0b_admin_role\"L\n\x1aTokenServiceUpdateResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\"6\n\x16TokenServiceGetRequest\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\"I\n\x17TokenServiceGetResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\"\x1c\n\x1aTokenServiceRefreshRequest\"e\n\x1bTokenServiceRefreshResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\x12\x16\n\x06secret\x18\x02 
\x01(\tR\x06secret*P\n\tTokenType\x12\x1a\n\x16TOKEN_TYPE_UNSPECIFIED\x10\x00\x12\x12\n\x0eTOKEN_TYPE_API\x10\x01\x12\x13\n\x0fTOKEN_TYPE_USER\x10\x02\x32\x90\x05\n\x0cTokenService\x12\x62\n\x03Get\x12).metalstack.api.v2.TokenServiceGetRequest\x1a*.metalstack.api.v2.TokenServiceGetResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06\x43reate\x12,.metalstack.api.v2.TokenServiceCreateRequest\x1a-.metalstack.api.v2.TokenServiceCreateResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06Update\x12,.metalstack.api.v2.TokenServiceUpdateRequest\x1a-.metalstack.api.v2.TokenServiceUpdateResponse\"\x04\xd8\xf3\x18\x03\x12\x65\n\x04List\x12*.metalstack.api.v2.TokenServiceListRequest\x1a+.metalstack.api.v2.TokenServiceListResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06Revoke\x12,.metalstack.api.v2.TokenServiceRevokeRequest\x1a-.metalstack.api.v2.TokenServiceRevokeResponse\"\x04\xd8\xf3\x18\x03\x12n\n\x07Refresh\x12-.metalstack.api.v2.TokenServiceRefreshRequest\x1a..metalstack.api.v2.TokenServiceRefreshResponse\"\x04\xd8\xf3\x18\x03\x42\xc0\x01\n\x15\x63om.metalstack.api.v2B\nTokenProtoP\x01Z5github.com/metal-stack/api/go/metalstack/api/v2;apiv2\xa2\x02\x03MAX\xaa\x02\x11Metalstack.Api.V2\xca\x02\x11Metalstack\\Api\\V2\xe2\x02\x1dMetalstack\\Api\\V2\\GPBMetadata\xea\x02\x13Metalstack::Api::V2b\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1dmetalstack/api/v2/token.proto\x12\x11metalstack.api.v2\x1a\x1b\x62uf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\"\xe0\x08\n\x05Token\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12\x1e\n\x04user\x18\x02 \x01(\tB\n\xbaH\x07r\x05\x10\x02\x18\x80\x04R\x04user\x12+\n\x04meta\x18\x03 \x01(\x0b\x32\x17.metalstack.api.v2.MetaR\x04meta\x12-\n\x0b\x64\x65scription\x18\x04 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01R\x0b\x64\x65scription\x12P\n\x0bpermissions\x18\x05 \x03(\x0b\x32#.metalstack.api.v2.MethodPermissionB\t\xbaH\x06\x92\x01\x03\x10\xf4\x03R\x0bpermissions\x12\x34\n\x07\x65xpires\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x07\x65xpires\x12\x37\n\tissued_at\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x08issuedAt\x12\x45\n\ntoken_type\x18\x08 \x01(\x0e\x32\x1c.metalstack.api.v2.TokenTypeB\x08\xbaH\x05\x82\x01\x02\x10\x01R\ttokenType\x12O\n\rproject_roles\x18\t \x03(\x0b\x32*.metalstack.api.v2.Token.ProjectRolesEntryR\x0cprojectRoles\x12L\n\x0ctenant_roles\x18\n \x03(\x0b\x32).metalstack.api.v2.Token.TenantRolesEntryR\x0btenantRoles\x12J\n\nadmin_role\x18\x0b \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x12J\n\ninfra_role\x18\x0c \x01(\x0e\x32\x1c.metalstack.api.v2.InfraRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tinfraRole\x88\x01\x01\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 \x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01:\x9f\x01\xbaH\x9b\x01\x1a\x98\x01\n\x1btoken.permissions.usertoken\x12)token type 
user must not have permissions\x1aN(this.token_type == 2 && this.permissions.size() == 0) || this.token_type != 2B\r\n\x0b_admin_roleB\r\n\x0b_infra_role\"\x82\x07\n\x19TokenServiceCreateRequest\x12-\n\x0b\x64\x65scription\x18\x01 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01R\x0b\x64\x65scription\x12O\n\x0bpermissions\x18\x02 \x03(\x0b\x32#.metalstack.api.v2.MethodPermissionB\x08\xbaH\x05\x92\x01\x02\x10\x64R\x0bpermissions\x12G\n\x07\x65xpires\x18\x04 \x01(\x0b\x32\x19.google.protobuf.DurationB\x12\xbaH\x0f\xaa\x01\x0c\x1a\x05\x08\x81\xe7\x84\x0f\x32\x03\x08\xd8\x04R\x07\x65xpires\x12y\n\rproject_roles\x18\x05 \x03(\x0b\x32>.metalstack.api.v2.TokenServiceCreateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\x0cprojectRoles\x12x\n\x0ctenant_roles\x18\x06 \x03(\x0b\x32=.metalstack.api.v2.TokenServiceCreateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\x07r\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\x0btenantRoles\x12J\n\nadmin_role\x18\x07 \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x00R\tadminRole\x88\x01\x01\x12J\n\ninfra_role\x18\x08 \x01(\x0e\x32\x1c.metalstack.api.v2.InfraRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tinfraRole\x88\x01\x01\x12\x31\n\x06labels\x18\t \x01(\x0b\x32\x19.metalstack.api.v2.LabelsR\x06labels\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 \x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01\x42\r\n\x0b_admin_roleB\r\n\x0b_infra_role\"[\n\x10MethodPermission\x12\"\n\x07subject\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\x18\x80\x02R\x07subject\x12#\n\x07methods\x18\x02 \x03(\tB\t\xbaH\x06\x92\x01\x03\x10\xf4\x03R\x07methods\"d\n\x1aTokenServiceCreateResponse\x12.\n\x05token\x18\x01 
\x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\x12\x16\n\x06secret\x18\x02 \x01(\tR\x06secret\"\x19\n\x17TokenServiceListRequest\"L\n\x18TokenServiceListResponse\x12\x30\n\x06tokens\x18\x01 \x03(\x0b\x32\x18.metalstack.api.v2.TokenR\x06tokens\"9\n\x19TokenServiceRevokeRequest\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\"\x1c\n\x1aTokenServiceRevokeResponse\"\xb0\x07\n\x19TokenServiceUpdateRequest\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\x12\x46\n\x0bupdate_meta\x18\x02 \x01(\x0b\x32\x1d.metalstack.api.v2.UpdateMetaB\x06\xbaH\x03\xc8\x01\x00R\nupdateMeta\x12\x32\n\x0b\x64\x65scription\x18\x03 \x01(\tB\x0b\xbaH\x08r\x06\xc8\xb3\xae\xb1\x02\x01H\x00R\x0b\x64\x65scription\x88\x01\x01\x12\x45\n\x0bpermissions\x18\x04 \x03(\x0b\x32#.metalstack.api.v2.MethodPermissionR\x0bpermissions\x12y\n\rproject_roles\x18\x05 \x03(\x0b\x32>.metalstack.api.v2.TokenServiceUpdateRequest.ProjectRolesEntryB\x14\xbaH\x11\x9a\x01\x0e\"\x05r\x03\xb0\x01\x01*\x05\x82\x01\x02\x10\x01R\x0cprojectRoles\x12x\n\x0ctenant_roles\x18\x06 \x03(\x0b\x32=.metalstack.api.v2.TokenServiceUpdateRequest.TenantRolesEntryB\x16\xbaH\x13\x9a\x01\x10\"\x07r\x05\x10\x03\x18\x80\x01*\x05\x82\x01\x02\x10\x01R\x0btenantRoles\x12J\n\nadmin_role\x18\x07 \x01(\x0e\x32\x1c.metalstack.api.v2.AdminRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x01R\tadminRole\x88\x01\x01\x12J\n\ninfra_role\x18\x08 \x01(\x0e\x32\x1c.metalstack.api.v2.InfraRoleB\x08\xbaH\x05\x82\x01\x02\x10\x01H\x02R\tinfraRole\x88\x01\x01\x12\x37\n\x06labels\x18\t \x01(\x0b\x32\x1f.metalstack.api.v2.UpdateLabelsR\x06labels\x1a_\n\x11ProjectRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x34\n\x05value\x18\x02 \x01(\x0e\x32\x1e.metalstack.api.v2.ProjectRoleR\x05value:\x02\x38\x01\x1a]\n\x10TenantRolesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x33\n\x05value\x18\x02 
\x01(\x0e\x32\x1d.metalstack.api.v2.TenantRoleR\x05value:\x02\x38\x01\x42\x0e\n\x0c_descriptionB\r\n\x0b_admin_roleB\r\n\x0b_infra_role\"L\n\x1aTokenServiceUpdateResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\"6\n\x16TokenServiceGetRequest\x12\x1c\n\x04uuid\x18\x01 \x01(\tB\x08\xbaH\x05r\x03\xb0\x01\x01R\x04uuid\"I\n\x17TokenServiceGetResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\"\x1c\n\x1aTokenServiceRefreshRequest\"e\n\x1bTokenServiceRefreshResponse\x12.\n\x05token\x18\x01 \x01(\x0b\x32\x18.metalstack.api.v2.TokenR\x05token\x12\x16\n\x06secret\x18\x02 \x01(\tR\x06secret*P\n\tTokenType\x12\x1a\n\x16TOKEN_TYPE_UNSPECIFIED\x10\x00\x12\x12\n\x0eTOKEN_TYPE_API\x10\x01\x12\x13\n\x0fTOKEN_TYPE_USER\x10\x02\x32\x90\x05\n\x0cTokenService\x12\x62\n\x03Get\x12).metalstack.api.v2.TokenServiceGetRequest\x1a*.metalstack.api.v2.TokenServiceGetResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06\x43reate\x12,.metalstack.api.v2.TokenServiceCreateRequest\x1a-.metalstack.api.v2.TokenServiceCreateResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06Update\x12,.metalstack.api.v2.TokenServiceUpdateRequest\x1a-.metalstack.api.v2.TokenServiceUpdateResponse\"\x04\xd8\xf3\x18\x03\x12\x65\n\x04List\x12*.metalstack.api.v2.TokenServiceListRequest\x1a+.metalstack.api.v2.TokenServiceListResponse\"\x04\xd8\xf3\x18\x03\x12k\n\x06Revoke\x12,.metalstack.api.v2.TokenServiceRevokeRequest\x1a-.metalstack.api.v2.TokenServiceRevokeResponse\"\x04\xd8\xf3\x18\x03\x12n\n\x07Refresh\x12-.metalstack.api.v2.TokenServiceRefreshRequest\x1a..metalstack.api.v2.TokenServiceRefreshResponse\"\x04\xd8\xf3\x18\x03\x42\xc0\x01\n\x15\x63om.metalstack.api.v2B\nTokenProtoP\x01Z5github.com/metal-stack/api/go/metalstack/api/v2;apiv2\xa2\x02\x03MAX\xaa\x02\x11Metalstack.Api.V2\xca\x02\x11Metalstack\\Api\\V2\xe2\x02\x1dMetalstack\\Api\\V2\\GPBMetadata\xea\x02\x13Metalstack::Api::V2b\x06proto3')
_globals = globals()
_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -53,6 +53,10 @@
_globals['_TOKEN'].fields_by_name['token_type']._serialized_options = b'\272H\005\202\001\002\020\001'
_globals['_TOKEN'].fields_by_name['admin_role']._loaded_options = None
_globals['_TOKEN'].fields_by_name['admin_role']._serialized_options = b'\272H\005\202\001\002\020\001'
+ _globals['_TOKEN'].fields_by_name['infra_role']._loaded_options = None
+ _globals['_TOKEN'].fields_by_name['infra_role']._serialized_options = b'\272H\005\202\001\002\020\001'
+ _globals['_TOKEN']._loaded_options = None
+ _globals['_TOKEN']._serialized_options = b'\272H\233\001\032\230\001\n\033token.permissions.usertoken\022)token type user must not have permissions\032N(this.token_type == 2 && this.permissions.size() == 0) || this.token_type != 2'
_globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._loaded_options = None
_globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._serialized_options = b'8\001'
_globals['_TOKENSERVICECREATEREQUEST_TENANTROLESENTRY']._loaded_options = None
@@ -69,8 +73,10 @@
_globals['_TOKENSERVICECREATEREQUEST'].fields_by_name['tenant_roles']._serialized_options = b'\272H\023\232\001\020\"\007r\005\020\003\030\200\001*\005\202\001\002\020\001'
_globals['_TOKENSERVICECREATEREQUEST'].fields_by_name['admin_role']._loaded_options = None
_globals['_TOKENSERVICECREATEREQUEST'].fields_by_name['admin_role']._serialized_options = b'\272H\005\202\001\002\020\001'
+ _globals['_TOKENSERVICECREATEREQUEST'].fields_by_name['infra_role']._loaded_options = None
+ _globals['_TOKENSERVICECREATEREQUEST'].fields_by_name['infra_role']._serialized_options = b'\272H\005\202\001\002\020\001'
_globals['_METHODPERMISSION'].fields_by_name['subject']._loaded_options = None
- _globals['_METHODPERMISSION'].fields_by_name['subject']._serialized_options = b'\272H\007r\005\020\002\030\200\002'
+ _globals['_METHODPERMISSION'].fields_by_name['subject']._serialized_options = b'\272H\005r\003\030\200\002'
_globals['_METHODPERMISSION'].fields_by_name['methods']._loaded_options = None
_globals['_METHODPERMISSION'].fields_by_name['methods']._serialized_options = b'\272H\006\222\001\003\020\364\003'
_globals['_TOKENSERVICEREVOKEREQUEST'].fields_by_name['uuid']._loaded_options = None
@@ -91,6 +97,8 @@
_globals['_TOKENSERVICEUPDATEREQUEST'].fields_by_name['tenant_roles']._serialized_options = b'\272H\023\232\001\020\"\007r\005\020\003\030\200\001*\005\202\001\002\020\001'
_globals['_TOKENSERVICEUPDATEREQUEST'].fields_by_name['admin_role']._loaded_options = None
_globals['_TOKENSERVICEUPDATEREQUEST'].fields_by_name['admin_role']._serialized_options = b'\272H\005\202\001\002\020\001'
+ _globals['_TOKENSERVICEUPDATEREQUEST'].fields_by_name['infra_role']._loaded_options = None
+ _globals['_TOKENSERVICEUPDATEREQUEST'].fields_by_name['infra_role']._serialized_options = b'\272H\005\202\001\002\020\001'
_globals['_TOKENSERVICEGETREQUEST'].fields_by_name['uuid']._loaded_options = None
_globals['_TOKENSERVICEGETREQUEST'].fields_by_name['uuid']._serialized_options = b'\272H\005r\003\260\001\001'
_globals['_TOKENSERVICE'].methods_by_name['Get']._loaded_options = None
@@ -105,48 +113,48 @@
_globals['_TOKENSERVICE'].methods_by_name['Revoke']._serialized_options = b'\330\363\030\003'
_globals['_TOKENSERVICE'].methods_by_name['Refresh']._loaded_options = None
_globals['_TOKENSERVICE'].methods_by_name['Refresh']._serialized_options = b'\330\363\030\003'
- _globals['_TOKENTYPE']._serialized_start=3489
- _globals['_TOKENTYPE']._serialized_end=3569
+ _globals['_TOKENTYPE']._serialized_start=3922
+ _globals['_TOKENTYPE']._serialized_end=4002
_globals['_TOKEN']._serialized_start=221
- _globals['_TOKEN']._serialized_end=1088
- _globals['_TOKEN_PROJECTROLESENTRY']._serialized_start=883
- _globals['_TOKEN_PROJECTROLESENTRY']._serialized_end=978
- _globals['_TOKEN_TENANTROLESENTRY']._serialized_start=980
- _globals['_TOKEN_TENANTROLESENTRY']._serialized_end=1073
- _globals['_TOKENSERVICECREATEREQUEST']._serialized_start=1091
- _globals['_TOKENSERVICECREATEREQUEST']._serialized_end=1898
- _globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._serialized_start=883
- _globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._serialized_end=978
- _globals['_TOKENSERVICECREATEREQUEST_TENANTROLESENTRY']._serialized_start=980
- _globals['_TOKENSERVICECREATEREQUEST_TENANTROLESENTRY']._serialized_end=1073
- _globals['_METHODPERMISSION']._serialized_start=1900
- _globals['_METHODPERMISSION']._serialized_end=1993
- _globals['_TOKENSERVICECREATERESPONSE']._serialized_start=1995
- _globals['_TOKENSERVICECREATERESPONSE']._serialized_end=2095
- _globals['_TOKENSERVICELISTREQUEST']._serialized_start=2097
- _globals['_TOKENSERVICELISTREQUEST']._serialized_end=2122
- _globals['_TOKENSERVICELISTRESPONSE']._serialized_start=2124
- _globals['_TOKENSERVICELISTRESPONSE']._serialized_end=2200
- _globals['_TOKENSERVICEREVOKEREQUEST']._serialized_start=2202
- _globals['_TOKENSERVICEREVOKEREQUEST']._serialized_end=2259
- _globals['_TOKENSERVICEREVOKERESPONSE']._serialized_start=2261
- _globals['_TOKENSERVICEREVOKERESPONSE']._serialized_end=2289
- _globals['_TOKENSERVICEUPDATEREQUEST']._serialized_start=2292
- _globals['_TOKENSERVICEUPDATEREQUEST']._serialized_end=3145
- _globals['_TOKENSERVICEUPDATEREQUEST_PROJECTROLESENTRY']._serialized_start=883
- _globals['_TOKENSERVICEUPDATEREQUEST_PROJECTROLESENTRY']._serialized_end=978
- _globals['_TOKENSERVICEUPDATEREQUEST_TENANTROLESENTRY']._serialized_start=980
- _globals['_TOKENSERVICEUPDATEREQUEST_TENANTROLESENTRY']._serialized_end=1073
- _globals['_TOKENSERVICEUPDATERESPONSE']._serialized_start=3147
- _globals['_TOKENSERVICEUPDATERESPONSE']._serialized_end=3223
- _globals['_TOKENSERVICEGETREQUEST']._serialized_start=3225
- _globals['_TOKENSERVICEGETREQUEST']._serialized_end=3279
- _globals['_TOKENSERVICEGETRESPONSE']._serialized_start=3281
- _globals['_TOKENSERVICEGETRESPONSE']._serialized_end=3354
- _globals['_TOKENSERVICEREFRESHREQUEST']._serialized_start=3356
- _globals['_TOKENSERVICEREFRESHREQUEST']._serialized_end=3384
- _globals['_TOKENSERVICEREFRESHRESPONSE']._serialized_start=3386
- _globals['_TOKENSERVICEREFRESHRESPONSE']._serialized_end=3487
- _globals['_TOKENSERVICE']._serialized_start=3572
- _globals['_TOKENSERVICE']._serialized_end=4228
+ _globals['_TOKEN']._serialized_end=1341
+ _globals['_TOKEN_PROJECTROLESENTRY']._serialized_start=959
+ _globals['_TOKEN_PROJECTROLESENTRY']._serialized_end=1054
+ _globals['_TOKEN_TENANTROLESENTRY']._serialized_start=1056
+ _globals['_TOKEN_TENANTROLESENTRY']._serialized_end=1149
+ _globals['_TOKENSERVICECREATEREQUEST']._serialized_start=1344
+ _globals['_TOKENSERVICECREATEREQUEST']._serialized_end=2242
+ _globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._serialized_start=959
+ _globals['_TOKENSERVICECREATEREQUEST_PROJECTROLESENTRY']._serialized_end=1054
+ _globals['_TOKENSERVICECREATEREQUEST_TENANTROLESENTRY']._serialized_start=1056
+ _globals['_TOKENSERVICECREATEREQUEST_TENANTROLESENTRY']._serialized_end=1149
+ _globals['_METHODPERMISSION']._serialized_start=2244
+ _globals['_METHODPERMISSION']._serialized_end=2335
+ _globals['_TOKENSERVICECREATERESPONSE']._serialized_start=2337
+ _globals['_TOKENSERVICECREATERESPONSE']._serialized_end=2437
+ _globals['_TOKENSERVICELISTREQUEST']._serialized_start=2439
+ _globals['_TOKENSERVICELISTREQUEST']._serialized_end=2464
+ _globals['_TOKENSERVICELISTRESPONSE']._serialized_start=2466
+ _globals['_TOKENSERVICELISTRESPONSE']._serialized_end=2542
+ _globals['_TOKENSERVICEREVOKEREQUEST']._serialized_start=2544
+ _globals['_TOKENSERVICEREVOKEREQUEST']._serialized_end=2601
+ _globals['_TOKENSERVICEREVOKERESPONSE']._serialized_start=2603
+ _globals['_TOKENSERVICEREVOKERESPONSE']._serialized_end=2631
+ _globals['_TOKENSERVICEUPDATEREQUEST']._serialized_start=2634
+ _globals['_TOKENSERVICEUPDATEREQUEST']._serialized_end=3578
+ _globals['_TOKENSERVICEUPDATEREQUEST_PROJECTROLESENTRY']._serialized_start=959
+ _globals['_TOKENSERVICEUPDATEREQUEST_PROJECTROLESENTRY']._serialized_end=1054
+ _globals['_TOKENSERVICEUPDATEREQUEST_TENANTROLESENTRY']._serialized_start=1056
+ _globals['_TOKENSERVICEUPDATEREQUEST_TENANTROLESENTRY']._serialized_end=1149
+ _globals['_TOKENSERVICEUPDATERESPONSE']._serialized_start=3580
+ _globals['_TOKENSERVICEUPDATERESPONSE']._serialized_end=3656
+ _globals['_TOKENSERVICEGETREQUEST']._serialized_start=3658
+ _globals['_TOKENSERVICEGETREQUEST']._serialized_end=3712
+ _globals['_TOKENSERVICEGETRESPONSE']._serialized_start=3714
+ _globals['_TOKENSERVICEGETRESPONSE']._serialized_end=3787
+ _globals['_TOKENSERVICEREFRESHREQUEST']._serialized_start=3789
+ _globals['_TOKENSERVICEREFRESHREQUEST']._serialized_end=3817
+ _globals['_TOKENSERVICEREFRESHRESPONSE']._serialized_start=3819
+ _globals['_TOKENSERVICEREFRESHRESPONSE']._serialized_end=3920
+ _globals['_TOKENSERVICE']._serialized_start=4005
+ _globals['_TOKENSERVICE']._serialized_end=4661
# @@protoc_insertion_point(module_scope)
diff --git a/python/metalstack/api/v2/token_pb2.pyi b/python/metalstack/api/v2/token_pb2.pyi
index 21df89c2..99bc3db7 100644
--- a/python/metalstack/api/v2/token_pb2.pyi
+++ b/python/metalstack/api/v2/token_pb2.pyi
@@ -24,7 +24,7 @@ TOKEN_TYPE_API: TokenType
TOKEN_TYPE_USER: TokenType
class Token(_message.Message):
- __slots__ = ("uuid", "user", "meta", "description", "permissions", "expires", "issued_at", "token_type", "project_roles", "tenant_roles", "admin_role")
+ __slots__ = ("uuid", "user", "meta", "description", "permissions", "expires", "issued_at", "token_type", "project_roles", "tenant_roles", "admin_role", "infra_role")
class ProjectRolesEntry(_message.Message):
__slots__ = ("key", "value")
KEY_FIELD_NUMBER: _ClassVar[int]
@@ -50,6 +50,7 @@ class Token(_message.Message):
PROJECT_ROLES_FIELD_NUMBER: _ClassVar[int]
TENANT_ROLES_FIELD_NUMBER: _ClassVar[int]
ADMIN_ROLE_FIELD_NUMBER: _ClassVar[int]
+ INFRA_ROLE_FIELD_NUMBER: _ClassVar[int]
uuid: str
user: str
meta: _common_pb2.Meta
@@ -61,10 +62,11 @@ class Token(_message.Message):
project_roles: _containers.ScalarMap[str, _common_pb2.ProjectRole]
tenant_roles: _containers.ScalarMap[str, _common_pb2.TenantRole]
admin_role: _common_pb2.AdminRole
- def __init__(self, uuid: _Optional[str] = ..., user: _Optional[str] = ..., meta: _Optional[_Union[_common_pb2.Meta, _Mapping]] = ..., description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., expires: _Optional[_Union[datetime.datetime, _timestamp_pb2.Timestamp, _Mapping]] = ..., issued_at: _Optional[_Union[datetime.datetime, _timestamp_pb2.Timestamp, _Mapping]] = ..., token_type: _Optional[_Union[TokenType, str]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ...) -> None: ...
+ infra_role: _common_pb2.InfraRole
+ def __init__(self, uuid: _Optional[str] = ..., user: _Optional[str] = ..., meta: _Optional[_Union[_common_pb2.Meta, _Mapping]] = ..., description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., expires: _Optional[_Union[datetime.datetime, _timestamp_pb2.Timestamp, _Mapping]] = ..., issued_at: _Optional[_Union[datetime.datetime, _timestamp_pb2.Timestamp, _Mapping]] = ..., token_type: _Optional[_Union[TokenType, str]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ..., infra_role: _Optional[_Union[_common_pb2.InfraRole, str]] = ...) -> None: ...
class TokenServiceCreateRequest(_message.Message):
- __slots__ = ("description", "permissions", "expires", "project_roles", "tenant_roles", "admin_role", "labels")
+ __slots__ = ("description", "permissions", "expires", "project_roles", "tenant_roles", "admin_role", "infra_role", "labels")
class ProjectRolesEntry(_message.Message):
__slots__ = ("key", "value")
KEY_FIELD_NUMBER: _ClassVar[int]
@@ -85,6 +87,7 @@ class TokenServiceCreateRequest(_message.Message):
PROJECT_ROLES_FIELD_NUMBER: _ClassVar[int]
TENANT_ROLES_FIELD_NUMBER: _ClassVar[int]
ADMIN_ROLE_FIELD_NUMBER: _ClassVar[int]
+ INFRA_ROLE_FIELD_NUMBER: _ClassVar[int]
LABELS_FIELD_NUMBER: _ClassVar[int]
description: str
permissions: _containers.RepeatedCompositeFieldContainer[MethodPermission]
@@ -92,8 +95,9 @@ class TokenServiceCreateRequest(_message.Message):
project_roles: _containers.ScalarMap[str, _common_pb2.ProjectRole]
tenant_roles: _containers.ScalarMap[str, _common_pb2.TenantRole]
admin_role: _common_pb2.AdminRole
+ infra_role: _common_pb2.InfraRole
labels: _common_pb2.Labels
- def __init__(self, description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., expires: _Optional[_Union[datetime.timedelta, _duration_pb2.Duration, _Mapping]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ..., labels: _Optional[_Union[_common_pb2.Labels, _Mapping]] = ...) -> None: ...
+ def __init__(self, description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., expires: _Optional[_Union[datetime.timedelta, _duration_pb2.Duration, _Mapping]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ..., infra_role: _Optional[_Union[_common_pb2.InfraRole, str]] = ..., labels: _Optional[_Union[_common_pb2.Labels, _Mapping]] = ...) -> None: ...
class MethodPermission(_message.Message):
__slots__ = ("subject", "methods")
@@ -132,7 +136,7 @@ class TokenServiceRevokeResponse(_message.Message):
def __init__(self) -> None: ...
class TokenServiceUpdateRequest(_message.Message):
- __slots__ = ("uuid", "update_meta", "description", "permissions", "project_roles", "tenant_roles", "admin_role", "labels")
+ __slots__ = ("uuid", "update_meta", "description", "permissions", "project_roles", "tenant_roles", "admin_role", "infra_role", "labels")
class ProjectRolesEntry(_message.Message):
__slots__ = ("key", "value")
KEY_FIELD_NUMBER: _ClassVar[int]
@@ -154,6 +158,7 @@ class TokenServiceUpdateRequest(_message.Message):
PROJECT_ROLES_FIELD_NUMBER: _ClassVar[int]
TENANT_ROLES_FIELD_NUMBER: _ClassVar[int]
ADMIN_ROLE_FIELD_NUMBER: _ClassVar[int]
+ INFRA_ROLE_FIELD_NUMBER: _ClassVar[int]
LABELS_FIELD_NUMBER: _ClassVar[int]
uuid: str
update_meta: _common_pb2.UpdateMeta
@@ -162,8 +167,9 @@ class TokenServiceUpdateRequest(_message.Message):
project_roles: _containers.ScalarMap[str, _common_pb2.ProjectRole]
tenant_roles: _containers.ScalarMap[str, _common_pb2.TenantRole]
admin_role: _common_pb2.AdminRole
+ infra_role: _common_pb2.InfraRole
labels: _common_pb2.UpdateLabels
- def __init__(self, uuid: _Optional[str] = ..., update_meta: _Optional[_Union[_common_pb2.UpdateMeta, _Mapping]] = ..., description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ..., labels: _Optional[_Union[_common_pb2.UpdateLabels, _Mapping]] = ...) -> None: ...
+ def __init__(self, uuid: _Optional[str] = ..., update_meta: _Optional[_Union[_common_pb2.UpdateMeta, _Mapping]] = ..., description: _Optional[str] = ..., permissions: _Optional[_Iterable[_Union[MethodPermission, _Mapping]]] = ..., project_roles: _Optional[_Mapping[str, _common_pb2.ProjectRole]] = ..., tenant_roles: _Optional[_Mapping[str, _common_pb2.TenantRole]] = ..., admin_role: _Optional[_Union[_common_pb2.AdminRole, str]] = ..., infra_role: _Optional[_Union[_common_pb2.InfraRole, str]] = ..., labels: _Optional[_Union[_common_pb2.UpdateLabels, _Mapping]] = ...) -> None: ...
class TokenServiceUpdateResponse(_message.Message):
__slots__ = ("token",)
diff --git a/python/metalstack/infra/v2/bmc_pb2.py b/python/metalstack/infra/v2/bmc_pb2.py
index 3fe8a1de..6a849b24 100644
--- a/python/metalstack/infra/v2/bmc_pb2.py
+++ b/python/metalstack/infra/v2/bmc_pb2.py
@@ -25,7 +25,7 @@
from metalstack.api.v2 import common_pb2 as metalstack_dot_api_dot_v2_dot_common__pb2
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1dmetalstack/infra/v2/bmc.proto\x12\x13metalstack.infra.v2\x1a\x1emetalstack/api/v2/common.proto\"\x16\n\x14UpdateBMCInfoRequest\"\x17\n\x15UpdateBMCInfoResponse2\x80\x01\n\nBMCService\x12r\n\rUpdateBMCInfo\x12).metalstack.infra.v2.UpdateBMCInfoRequest\x1a*.metalstack.infra.v2.UpdateBMCInfoResponse\"\n\xe0\xf3\x18\x02\xea\xf3\x18\x02\x01\x02\x42\xcc\x01\n\x17\x63om.metalstack.infra.v2B\x08\x42mcProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1dmetalstack/infra/v2/bmc.proto\x12\x13metalstack.infra.v2\x1a\x1emetalstack/api/v2/common.proto\"\x16\n\x14UpdateBMCInfoRequest\"\x17\n\x15UpdateBMCInfoResponse2\x7f\n\nBMCService\x12q\n\rUpdateBMCInfo\x12).metalstack.infra.v2.UpdateBMCInfoRequest\x1a*.metalstack.infra.v2.UpdateBMCInfoResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x42\xcc\x01\n\x17\x63om.metalstack.infra.v2B\x08\x42mcProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3')
_globals = globals()
_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -34,11 +34,11 @@
_globals['DESCRIPTOR']._loaded_options = None
_globals['DESCRIPTOR']._serialized_options = b'\n\027com.metalstack.infra.v2B\010BmcProtoP\001Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\242\002\003MIX\252\002\023Metalstack.Infra.V2\312\002\023Metalstack\\Infra\\V2\342\002\037Metalstack\\Infra\\V2\\GPBMetadata\352\002\025Metalstack::Infra::V2'
_globals['_BMCSERVICE'].methods_by_name['UpdateBMCInfo']._loaded_options = None
- _globals['_BMCSERVICE'].methods_by_name['UpdateBMCInfo']._serialized_options = b'\340\363\030\002\352\363\030\002\001\002'
+ _globals['_BMCSERVICE'].methods_by_name['UpdateBMCInfo']._serialized_options = b'\340\363\030\002\352\363\030\001\001'
_globals['_UPDATEBMCINFOREQUEST']._serialized_start=86
_globals['_UPDATEBMCINFOREQUEST']._serialized_end=108
_globals['_UPDATEBMCINFORESPONSE']._serialized_start=110
_globals['_UPDATEBMCINFORESPONSE']._serialized_end=133
- _globals['_BMCSERVICE']._serialized_start=136
- _globals['_BMCSERVICE']._serialized_end=264
+ _globals['_BMCSERVICE']._serialized_start=135
+ _globals['_BMCSERVICE']._serialized_end=262
# @@protoc_insertion_point(module_scope)
diff --git a/python/metalstack/infra/v2/switch_pb2.py b/python/metalstack/infra/v2/switch_pb2.py
index 5053009b..1eaecea0 100644
--- a/python/metalstack/infra/v2/switch_pb2.py
+++ b/python/metalstack/infra/v2/switch_pb2.py
@@ -30,7 +30,7 @@
from metalstack.api.v2 import switch_pb2 as metalstack_dot_api_dot_v2_dot_switch__pb2
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n metalstack/infra/v2/switch.proto\x12\x13metalstack.infra.v2\x1a\x1b\x62uf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\x1a\x1emetalstack/api/v2/switch.proto\"8\n\x17SwitchServiceGetRequest\x12\x1d\n\x02id\x18\x01 \x01(\tB\r\xbaH\nr\x08h\x01\xc0\xb3\xae\xb1\x02\x01R\x02id\"M\n\x18SwitchServiceGetResponse\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"Q\n\x1cSwitchServiceRegisterRequest\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"R\n\x1dSwitchServiceRegisterResponse\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"\xbb\x04\n\x1dSwitchServiceHeartbeatRequest\x12\x1d\n\x02id\x18\x01 \x01(\tB\r\xbaH\nr\x08h\x01\xc0\xb3\xae\xb1\x02\x01R\x02id\x12\x35\n\x08\x64uration\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x08\x64uration\x12\x19\n\x05\x65rror\x18\x03 \x01(\tH\x00R\x05\x65rror\x88\x01\x01\x12\x63\n\x0bport_states\x18\x04 \x03(\x0b\x32\x42.metalstack.infra.v2.SwitchServiceHeartbeatRequest.PortStatesEntryR\nportStates\x12m\n\x0f\x62gp_port_states\x18\x05 \x03(\x0b\x32\x45.metalstack.infra.v2.SwitchServiceHeartbeatRequest.BgpPortStatesEntryR\rbgpPortStates\x1a\x62\n\x0fPortStatesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x39\n\x05value\x18\x02 \x01(\x0e\x32#.metalstack.api.v2.SwitchPortStatusR\x05value:\x02\x38\x01\x1ag\n\x12\x42gpPortStatesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12;\n\x05value\x18\x02 \x01(\x0b\x32%.metalstack.api.v2.SwitchBGPPortStateR\x05value:\x02\x38\x01\x42\x08\n\x06_error\"\xb7\x01\n\x1eSwitchServiceHeartbeatResponse\x12\x0e\n\x02id\x18\x01 \x01(\tR\x02id\x12<\n\tlast_sync\x18\x02 \x01(\x0b\x32\x1f.metalstack.infra.v2.SwitchSyncR\x08lastSync\x12G\n\x0flast_sync_error\x18\x03 
\x01(\x0b\x32\x1f.metalstack.infra.v2.SwitchSyncR\rlastSyncError\"\x98\x01\n\nSwitchSync\x12.\n\x04time\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x04time\x12\x35\n\x08\x64uration\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x08\x64uration\x12\x19\n\x05\x65rror\x18\x03 \x01(\tH\x00R\x05\x65rror\x88\x01\x01\x42\x08\n\x06_error2\xfd\x02\n\rSwitchService\x12m\n\x03Get\x12,.metalstack.infra.v2.SwitchServiceGetRequest\x1a-.metalstack.infra.v2.SwitchServiceGetResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x12|\n\x08Register\x12\x31.metalstack.infra.v2.SwitchServiceRegisterRequest\x1a\x32.metalstack.infra.v2.SwitchServiceRegisterResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x12\x7f\n\tHeartbeat\x12\x32.metalstack.infra.v2.SwitchServiceHeartbeatRequest\x1a\x33.metalstack.infra.v2.SwitchServiceHeartbeatResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x42\xcf\x01\n\x17\x63om.metalstack.infra.v2B\x0bSwitchProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n metalstack/infra/v2/switch.proto\x12\x13metalstack.infra.v2\x1a\x1b\x62uf/validate/validate.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1emetalstack/api/v2/common.proto\x1a(metalstack/api/v2/predefined_rules.proto\x1a\x1emetalstack/api/v2/switch.proto\"8\n\x17SwitchServiceGetRequest\x12\x1d\n\x02id\x18\x01 \x01(\tB\r\xbaH\nr\x08h\x01\xc0\xb3\xae\xb1\x02\x01R\x02id\"M\n\x18SwitchServiceGetResponse\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"Q\n\x1cSwitchServiceRegisterRequest\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"R\n\x1dSwitchServiceRegisterResponse\x12\x31\n\x06switch\x18\x01 \x01(\x0b\x32\x19.metalstack.api.v2.SwitchR\x06switch\"\xbb\x04\n\x1dSwitchServiceHeartbeatRequest\x12\x1d\n\x02id\x18\x01 \x01(\tB\r\xbaH\nr\x08h\x01\xc0\xb3\xae\xb1\x02\x01R\x02id\x12\x35\n\x08\x64uration\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x08\x64uration\x12\x19\n\x05\x65rror\x18\x03 \x01(\tH\x00R\x05\x65rror\x88\x01\x01\x12\x63\n\x0bport_states\x18\x04 \x03(\x0b\x32\x42.metalstack.infra.v2.SwitchServiceHeartbeatRequest.PortStatesEntryR\nportStates\x12m\n\x0f\x62gp_port_states\x18\x05 \x03(\x0b\x32\x45.metalstack.infra.v2.SwitchServiceHeartbeatRequest.BgpPortStatesEntryR\rbgpPortStates\x1a\x62\n\x0fPortStatesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x39\n\x05value\x18\x02 \x01(\x0e\x32#.metalstack.api.v2.SwitchPortStatusR\x05value:\x02\x38\x01\x1ag\n\x12\x42gpPortStatesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12;\n\x05value\x18\x02 \x01(\x0b\x32%.metalstack.api.v2.SwitchBGPPortStateR\x05value:\x02\x38\x01\x42\x08\n\x06_error\"\xb7\x01\n\x1eSwitchServiceHeartbeatResponse\x12\x0e\n\x02id\x18\x01 \x01(\tR\x02id\x12<\n\tlast_sync\x18\x02 \x01(\x0b\x32\x1f.metalstack.infra.v2.SwitchSyncR\x08lastSync\x12G\n\x0flast_sync_error\x18\x03 
\x01(\x0b\x32\x1f.metalstack.infra.v2.SwitchSyncR\rlastSyncError\"\x98\x01\n\nSwitchSync\x12.\n\x04time\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.TimestampR\x04time\x12\x35\n\x08\x64uration\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x08\x64uration\x12\x19\n\x05\x65rror\x18\x03 \x01(\tH\x00R\x05\x65rror\x88\x01\x01\x42\x08\n\x06_error2\xfe\x02\n\rSwitchService\x12n\n\x03Get\x12,.metalstack.infra.v2.SwitchServiceGetRequest\x1a-.metalstack.infra.v2.SwitchServiceGetResponse\"\n\xe0\xf3\x18\x02\xea\xf3\x18\x02\x01\x02\x12|\n\x08Register\x12\x31.metalstack.infra.v2.SwitchServiceRegisterRequest\x1a\x32.metalstack.infra.v2.SwitchServiceRegisterResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x12\x7f\n\tHeartbeat\x12\x32.metalstack.infra.v2.SwitchServiceHeartbeatRequest\x1a\x33.metalstack.infra.v2.SwitchServiceHeartbeatResponse\"\t\xe0\xf3\x18\x02\xea\xf3\x18\x01\x01\x42\xcf\x01\n\x17\x63om.metalstack.infra.v2B\x0bSwitchProtoP\x01Z9github.com/metal-stack/api/go/metalstack/infra/v2;infrav2\xa2\x02\x03MIX\xaa\x02\x13Metalstack.Infra.V2\xca\x02\x13Metalstack\\Infra\\V2\xe2\x02\x1fMetalstack\\Infra\\V2\\GPBMetadata\xea\x02\x15Metalstack::Infra::V2b\x06proto3')
_globals = globals()
_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -47,7 +47,7 @@
_globals['_SWITCHSERVICEHEARTBEATREQUEST'].fields_by_name['id']._loaded_options = None
_globals['_SWITCHSERVICEHEARTBEATREQUEST'].fields_by_name['id']._serialized_options = b'\272H\nr\010h\001\300\263\256\261\002\001'
_globals['_SWITCHSERVICE'].methods_by_name['Get']._loaded_options = None
- _globals['_SWITCHSERVICE'].methods_by_name['Get']._serialized_options = b'\340\363\030\002\352\363\030\001\001'
+ _globals['_SWITCHSERVICE'].methods_by_name['Get']._serialized_options = b'\340\363\030\002\352\363\030\002\001\002'
_globals['_SWITCHSERVICE'].methods_by_name['Register']._loaded_options = None
_globals['_SWITCHSERVICE'].methods_by_name['Register']._serialized_options = b'\340\363\030\002\352\363\030\001\001'
_globals['_SWITCHSERVICE'].methods_by_name['Heartbeat']._loaded_options = None
@@ -71,5 +71,5 @@
_globals['_SWITCHSYNC']._serialized_start=1322
_globals['_SWITCHSYNC']._serialized_end=1474
_globals['_SWITCHSERVICE']._serialized_start=1477
- _globals['_SWITCHSERVICE']._serialized_end=1858
+ _globals['_SWITCHSERVICE']._serialized_end=1859
# @@protoc_insertion_point(module_scope)