Add initial Decision (aka PDP) protos #49875

Merged
merged 20 commits into from
Dec 16, 2024
Merged
Split identity protos into separate files
codingllama committed Dec 6, 2024

Verified

This commit was signed with the committer’s verified signature.
codingllama Alan Parra
commit a8559459d71a21c6835cbeea97c90d054fc7cf9a
4 changes: 2 additions & 2 deletions api/proto/teleport/decision/v1alpha1/database_access.proto
@@ -16,8 +16,8 @@ syntax = "proto3";

package teleport.decision.v1alpha1;

import "teleport/decision/v1alpha1/identity.proto";
import "teleport/decision/v1alpha1/metadata.proto";
import "teleport/decision/v1alpha1/tls_identity.proto";

option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";

@@ -26,7 +26,7 @@ option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport
message EvaluateDatabaseAccessRequest {
RequestMetadata metadata = 1;

Identity identity = 2;
TLSIdentity identity = 2;

// TODO
}
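Review bot: The retyped field keeps the name `identity` while the parallel field in ssh_access.proto in this same commit becomes `ssh_identity`, so the two request messages now follow different conventions; `TLSIdentity tls_identity = 2;` would mirror the SSH message (or keep plain `identity` in both). Neither `metadata` nor `identity` carries a leading comment, and the identity is the subject the access decision is evaluated for, so a comment stating what it represents and where it is expected to originate would help API readers — presumably the caller populates it from a verified TLS certificate rather than from client-asserted data, but that is not visible here and should be confirmed. The `// TODO` left in the message body gives no hint which fields are still missing; naming them there would make the placeholder actionable.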
4 changes: 2 additions & 2 deletions api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -17,9 +17,9 @@ syntax = "proto3";
package teleport.decision.v1alpha1;

import "google/protobuf/duration.proto";
import "teleport/decision/v1alpha1/identity.proto";
import "teleport/decision/v1alpha1/metadata.proto";
import "teleport/decision/v1alpha1/resource.proto";
import "teleport/decision/v1alpha1/ssh_identity.proto";

option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";

@@ -30,7 +30,7 @@ message EvaluateSSHAccessRequest {
RequestMetadata metadata = 1;

// User describes the teleport user requesting access.
SSHIdentity user = 2;
SSHIdentity ssh_identity = 2;

// Node references the target node the user is attempting to access.
Resource node = 3;
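Review bot: The leading comment above the renamed field still says "User describes the teleport user requesting access." and refers to the old field name `user`, so after the rename to `ssh_identity` the comment and the generated accessor no longer match; `// SSHIdentity describes the SSH identity of the teleport user requesting access.` keeps the file's PascalCase-name convention. Note that `SSHIdentity` is introduced in this commit as an empty message, so until it gains fields this request carries no identity data beyond presence. `EvaluateSSHAccessRequest` closes outside the hunk.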
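--- a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -0,0 +1,22 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// SSHIdentity is the identity used for SSH connections.
+message SSHIdentity {}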
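Review bot: `message SSHIdentity {}` is documented as "the identity used for SSH connections" but declares no fields, and nothing marks it as a placeholder, so a reader of the generated code cannot tell whether an empty SSH identity is the intended shape. A body comment such as `// TODO: populate with the SSH identity fields.` (the pre-change identity.proto used the same `// TODO` style) would make the status explicit. Once fields land, the same comment is where the source of the identity (a verified SSH certificate, presumably) should be stated so evaluators know what they are trusting.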
@@ -20,136 +20,38 @@ import "google/protobuf/timestamp.proto";

option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";

// Trait encodes a single key-values pair from a user's traits.
message Trait {
// name is the "key" of the trait.
string name = 1;
// values is the list of values the trait name maps to.
repeated string values = 2;
}

// RouteToApp holds routing information for applications.
message RouteToApp {
// SessionID is an ID used to identify application sessions created by
// this certificate.
string session_id = 1;

// PublicAddr (and ClusterName) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
string public_addr = 2;

// ClusterName (and PublicAddr) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
string cluster_name = 3;

// Name is the app name.
string name = 4;

// AWSRoleARN is the AWS role to assume when accessing AWS console.
string aws_role_arn = 5;

// AzureIdentity is the Azure identity to assume when accessing Azure API.
string azure_identity = 6;

// GCPServiceAccount is the GCP service account to assume when accessing GCP API.
string gcp_service_account = 7;

// URI is the URI of the app. This is the internal endpoint where the application is running and isn't user-facing.
string uri = 8;
}

// RouteToDatabase contains routing information for databases.
message RouteToDatabase {
// ServiceName is the name of the Teleport database proxy service
// to route requests to.
string service_name = 1;

// Protocol is the database protocol.
//
// It is embedded in identity so clients can understand what type
// of database this is without contacting server.
string protocol = 2;

// Username is an optional database username to serve as a default
// username to connect as.
string username = 3;

// Database is an optional database name to serve as a default
// database to connect to.
string database = 4;

// Roles is an optional list of database roles to use for a database
// session.
// This list should be a subset of allowed database roles. If not
// specified, Database Service will use all allowed database roles for this
// database.
repeated string roles = 5;
}

// ResourceID is a unique identifier for a teleport resource.
message ResourceID {
// ClusterName is the name of the cluster the resource is in.
string cluster_name = 1;

// Kind is the resource kind.
string kind = 2;

// Name is the name of the specific resource.
string name = 3;

// SubResourceName is the resource belonging to resource identified by "Name"
// that the user is allowed to access to.
// When granting access to a subresource, access to other resources is limited.
// Currently it just supports resources of Kind=pod and the format is the following
// "<kube_namespace>/<kube_pod>".
string sub_resource_name = 4;
}

// DeviceExtensions holds device-aware extensions for the identity.
message DeviceExtensions {
// DeviceID is the trusted device identifier.
string device_id = 1;

// AssetTag is the device inventory identifier.
string asset_tag = 2;

// CredentialID is the identifier for the credential used by the device to
// authenticate itself.
string credential_id = 3;
}

// Identity is an identity of the user or service, e.g. Proxy or Node
message Identity {
// Username is a username or name of the node connection
// TLSIdentity is the identity used for TLS connections.
message TLSIdentity {
// Username is a username or name of the node connection.
string username = 1;

// Impersonator is a username of a user impersonating this user
// Impersonator is a username of a user impersonating this user.
string impersonator = 2;

// Groups is a list of groups (Teleport roles) encoded in the identity
// Groups is a list of groups (Teleport roles) encoded in the identity.
repeated string groups = 3;

// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
// in "multi-role" certificates. Single-role certificates encode the system role
// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in
// "multi-role" certificates. Single-role certificates encode the system role
// in `Groups` for back-compat reasons.
repeated string system_roles = 4;

// Usage is a list of usage restrictions encoded in the identity
// Usage is a list of usage restrictions encoded in the identity.
repeated string usage = 5;

// Principals is a list of Unix logins allowed.
repeated string principals = 6;

// KubernetesGroups is a list of Kubernetes groups allowed
// KubernetesGroups is a list of Kubernetes groups allowed.
repeated string kubernetes_groups = 7;

// KubernetesUsers is a list of Kubernetes users allowed
// KubernetesUsers is a list of Kubernetes users allowed.
repeated string kubernetes_users = 8;

// Expires specifies whenever the session will expire
// Expires specifies whenever the session will expire.
google.protobuf.Timestamp expires = 9;

// RouteToCluster specifies the target cluster
// RouteToCluster specifies the target cluster.
string route_to_cluster = 10;

// KubernetesCluster specifies the target kubernetes cluster for TLS
@@ -160,13 +62,13 @@ message Identity {
repeated Trait traits = 12;

// RouteToApp holds routing information for applications. Routing metadata
// allows Teleport web proxy to route HTTP requests to the appropriate
// cluster and Teleport application proxy within the cluster.
// allows Teleport web proxy to route HTTP requests to the appropriate cluster
// and Teleport application proxy within the cluster.
RouteToApp route_to_app = 13;

// TeleportCluster is the name of the teleport cluster that this identity
// originated from. For TLS certs this may not be the same as cert issuer,
// in case of multi-hop requests that originate from a remote cluster.
// originated from. For TLS certs this may not be the same as cert issuer, in
// case of multi-hop requests that originate from a remote cluster.
string teleport_cluster = 14;

// RouteToDatabase contains routing information for databases.
@@ -184,8 +86,9 @@ message Identity {

// PreviousIdentityExpires is the expiry time of the identity/cert that this
// identity/cert was derived from. It is used to determine a session's hard
// deadline in cases where both require_session_mfa and disconnect_expired_cert
// are enabled. See https://github.com/gravitational/teleport/issues/18544.
// deadline in cases where both require_session_mfa and
// disconnect_expired_cert are enabled.
// See https://github.com/gravitational/teleport/issues/18544.
google.protobuf.Timestamp previous_identity_expires = 19;

// LoginIP is an observed IP of the client that this Identity represents.
@@ -200,19 +103,20 @@ message Identity {
// AzureIdentities is a list of allowed Azure identities user can assume.
repeated string azure_identities = 23;

// GCPServiceAccounts is a list of allowed GCP service accounts that the user can assume.
// GCPServiceAccounts is a list of allowed GCP service accounts that the user
// can assume.
repeated string gcp_service_accounts = 24;

// ActiveRequests is a list of UUIDs of active requests for this Identity.
repeated string active_requests = 25;

// DisallowReissue is a flag that, if set, instructs the auth server to
// deny any attempts to reissue new certificates while authenticated with
// this certificate.
// DisallowReissue is a flag that, if set, instructs the auth server to deny
// any attempts to reissue new certificates while authenticated with this
// certificate.
bool disallow_reissue = 26;

// Renewable indicates that this identity is allowed to renew it's
// own credentials. This is only enabled for certificate renewal bots.
// Renewable indicates that this identity is allowed to renew it's own
// credentials. This is only enabled for certificate renewal bots.
bool renewable = 27;

// Generation counts the number of times this certificate has been renewed.
@@ -222,8 +126,8 @@ message Identity {
// to, if any.
string bot_name = 29;

// BotInstanceID is a unique identifier for Machine ID bots that is
// persisted through renewals.
// BotInstanceID is a unique identifier for Machine ID bots that is persisted
// through renewals.
string bot_instance_id = 30;

// AllowedResourceIDs lists the resources the identity should be allowed to
@@ -233,7 +137,8 @@ message Identity {
// PrivateKeyPolicy is the private key policy supported by this identity.
string private_key_policy = 32;

// ConnectionDiagnosticID is used to add connection diagnostic messages when Testing a Connection.
// ConnectionDiagnosticID is used to add connection diagnostic messages when
// Testing a Connection.
string connection_diagnostic_id = 33;

// DeviceExtensions holds device-aware extensions for the identity.
@@ -243,7 +148,100 @@ message Identity {
string user_type = 35;
}

// SSHIdentity is the identity used for SSH connections.
message SSHIdentity {
// TODO
// Trait encodes a single key-values pair from a user's traits.
message Trait {
// name is the "key" of the trait.
string name = 1;
// values is the list of values the trait name maps to.
repeated string values = 2;
}

// RouteToApp holds routing information for applications.
message RouteToApp {
// SessionID is an ID used to identify application sessions created by this
// certificate.
string session_id = 1;

// PublicAddr (and ClusterName) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
string public_addr = 2;

// ClusterName (and PublicAddr) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
string cluster_name = 3;

// Name is the app name.
string name = 4;

// AWSRoleARN is the AWS role to assume when accessing AWS console.
string aws_role_arn = 5;

// AzureIdentity is the Azure identity to assume when accessing Azure API.
string azure_identity = 6;

// GCPServiceAccount is the GCP service account to assume when accessing GCP
// API.
string gcp_service_account = 7;

// URI is the URI of the app. This is the internal endpoint where the
// application is running and isn't user-facing.
string uri = 8;
}

// RouteToDatabase contains routing information for databases.
message RouteToDatabase {
// ServiceName is the name of the Teleport database proxy service to route
// requests to.
string service_name = 1;

// Protocol is the database protocol.
//
// It is embedded in identity so clients can understand what type of database
// this is without contacting server.
string protocol = 2;

// Username is an optional database username to serve as a default username to
// connect as.
string username = 3;

// Database is an optional database name to serve as a default database to
// connect to.
string database = 4;

// Roles is an optional list of database roles to use for a database session.
// This list should be a subset of allowed database roles. If not specified,
// Database Service will use all allowed database roles for this database.
repeated string roles = 5;
}

// ResourceID is a unique identifier for a teleport resource.
message ResourceID {
// ClusterName is the name of the cluster the resource is in.
string cluster_name = 1;

// Kind is the resource kind.
string kind = 2;

// Name is the name of the specific resource.
string name = 3;

// SubResourceName is the resource belonging to resource identified by "Name"
// that the user is allowed to access to. When granting access to a
// subresource, access to other resources is limited. Currently it just
// supports resources of Kind=pod and the format is the following
// "<kube_namespace>/<kube_pod>".
string sub_resource_name = 4;
}

// DeviceExtensions holds device-aware extensions for the identity.
message DeviceExtensions {
// DeviceID is the trusted device identifier.
string device_id = 1;

// AssetTag is the device inventory identifier.
string asset_tag = 2;

// CredentialID is the identifier for the credential used by the device to
// authenticate itself.
string credential_id = 3;
}
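Review bot: The rewrapped comment on `renewable` (hunk `@@ -200,19 +103,20 @@`) carries the typo "renew it's own credentials" into the new text; `// Renewable indicates that this identity is allowed to renew its own` fixes it, and the moved `sub_resource_name` comment in the last hunk has the same kind of slip ("allowed to access to"), where `// that the user is allowed to access. When granting access to a` reads cleanly. Beyond wording, the body of `TLSIdentity` appears to be a verbatim move of the former `Identity` message with field numbers 1–35 unchanged (wire-compatible, only generated names change), yet fields such as `principals` ("Unix logins allowed") read as SSH-specific; if they are meant to remain on the TLS identity, one sentence in the message comment saying so would stop readers from assuming they belong in the new `SSHIdentity`. `TLSIdentity` opens in this section's first hunk and closes before the moved helper messages at the end of the file.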