syntax = "proto3"; option go_package = "github.com/hashicorp/vault/helper/identity"; package identity; import "google/protobuf/timestamp.proto"; import "helper/identity/mfa/types.proto"; // Group represents an identity group. message Group { // ID is the unique identifier for this group // @inject_tag: sentinel:"-" string id = 1; // Name is the unique name for this group // @inject_tag: sentinel:"-" string name = 2; // Policies are the vault policies to be granted to members of this group // @inject_tag: sentinel:"-" repeated string policies = 3; // ParentGroupIDs are the identifiers of those groups to which this group is a // member of. These will serve as references to the parent group in the // hierarchy. // @inject_tag: sentinel:"-" repeated string parent_group_ids = 4; // MemberEntityIDs are the identifiers of entities which are members of this // group // @inject_tag: sentinel:"-" repeated string member_entity_ids = 5; // Metadata represents the custom data tied with this group // @inject_tag: sentinel:"-" map metadata = 6; // CreationTime is the time at which this group was created // @inject_tag: sentinel:"-" google.protobuf.Timestamp creation_time = 7; // LastUpdateTime is the time at which this group was last modified // @inject_tag: sentinel:"-" google.protobuf.Timestamp last_update_time= 8; // ModifyIndex tracks the number of updates to the group. It is useful to detect // updates to the groups. // @inject_tag: sentinel:"-" uint64 modify_index = 9; // BucketKey is the path of the storage packer key into which this group is // stored. // @inject_tag: sentinel:"-" string bucket_key = 10; // Alias is used to mark this group as an internal mapping of a group that // is external to the identity store. Alias can only be set if the 'type' // is set to 'external'. // @inject_tag: sentinel:"-" Alias alias = 11; // Type indicates if this group is an internal group or an external group. // Memberships of the internal groups can be managed over the API whereas // the memberships on the external group --for which a corresponding alias // will be set-- will be managed automatically. // @inject_tag: sentinel:"-" string type = 12; // NamespaceID is the identifier of the namespace to which this group // belongs to. Do not return this value over the API when reading the // group. // @inject_tag: sentinel:"-" string namespace_id = 13; } // LocalAliases holds the aliases belonging to an entity that are local to the // cluster. message LocalAliases { repeated Alias aliases = 1; } // Entity represents an entity that gets persisted and indexed. // Entity is fundamentally composed of zero or many aliases. message Entity { // Aliases are the identities that this entity is made of. This can be // empty as well to favor being able to create the entity first and then // incrementally adding aliases. // @inject_tag: sentinel:"-" repeated Alias aliases = 1; // ID is the unique identifier of the entity which always be a UUID. This // should never be allowed to be updated. // @inject_tag: sentinel:"-" string id = 2; // Name is a unique identifier of the entity which is intended to be // human-friendly. The default name might not be human friendly since it // gets suffixed by a UUID, but it can optionally be updated, unlike the ID // field. // @inject_tag: sentinel:"-" string name = 3; // Metadata represents the explicit metadata which is set by the // clients. This is useful to tie any information pertaining to the // aliases. This is a non-unique field of entity, meaning multiple // entities can have the same metadata set. Entities will be indexed based // on this explicit metadata. This enables virtual groupings of entities // based on its metadata. // @inject_tag: sentinel:"-" map metadata = 4; // CreationTime is the time at which this entity is first created. // @inject_tag: sentinel:"-" google.protobuf.Timestamp creation_time = 5; // LastUpdateTime is the most recent time at which the properties of this // entity got modified. This is helpful in filtering out entities based on // its age and to take action on them, if desired. // @inject_tag: sentinel:"-" google.protobuf.Timestamp last_update_time= 6; // MergedEntityIDs are the entities which got merged to this one. Entities // will be indexed based on all the entities that got merged into it. This // helps to apply the actions on this entity on the tokens that are merged // to the merged entities. Merged entities will be deleted entirely and // this is the only trackable trail of its earlier presence. // @inject_tag: sentinel:"-" repeated string merged_entity_ids = 7; // Policies the entity is entitled to // @inject_tag: sentinel:"-" repeated string policies = 8; // BucketKey is the path of the storage packer key into which this entity is // stored. // @inject_tag: sentinel:"-" string bucket_key = 9; // MFASecrets holds the MFA secrets indexed by the identifier of the MFA // method configuration. // @inject_tag: sentinel:"-" map mfa_secrets = 10; // Disabled indicates whether tokens associated with the account should not // be able to be used // @inject_tag: sentinel:"-" bool disabled = 11; // NamespaceID is the identifier of the namespace to which this entity // belongs to. Do not return this value over the API when reading the // entity. // @inject_tag: sentinel:"-" string namespace_id = 12; } // Alias represents the alias that gets stored inside of the // entity object in storage and also represents in an in-memory index of an // alias object. message Alias { // ID is the unique identifier that represents this alias // @inject_tag: sentinel:"-" string id = 1; // CanonicalID is the entity identifier to which this alias belongs to // @inject_tag: sentinel:"-" string canonical_id = 2; // MountType is the backend mount's type to which this alias belongs to. // This enables categorically querying aliases of specific backend types. // @inject_tag: sentinel:"-" string mount_type = 3; // MountAccessor is the backend mount's accessor to which this alias // belongs to. // @inject_tag: sentinel:"-" string mount_accessor = 4; // MountPath is the backend mount's path to which the Maccessor belongs to. This // field is not used for any operational purposes. This is only returned when // alias is read, only as a nicety. // @inject_tag: sentinel:"-" string mount_path = 5; // Metadata is the explicit metadata that clients set against an entity // which enables virtual grouping of aliases. Aliases will be indexed // against their metadata. // @inject_tag: sentinel:"-" map metadata = 6; // Name is the identifier of this alias in its authentication source. // This does not uniquely identify an alias in Vault. This in conjunction // with MountAccessor form to be the factors that represent an alias in a // unique way. Aliases will be indexed based on this combined uniqueness // factor. // @inject_tag: sentinel:"-" string name = 7; // CreationTime is the time at which this alias was first created // @inject_tag: sentinel:"-" google.protobuf.Timestamp creation_time = 8; // LastUpdateTime is the most recent time at which the properties of this // alias got modified. This is helpful in filtering out aliases based // on its age and to take action on them, if desired. // @inject_tag: sentinel:"-" google.protobuf.Timestamp last_update_time = 9; // MergedFromCanonicalIDs is the FIFO history of merging activity // @inject_tag: sentinel:"-" repeated string merged_from_canonical_ids = 10; // NamespaceID is the identifier of the namespace to which this alias // belongs. // @inject_tag: sentinel:"-" string namespace_id = 11; // Custom Metadata represents the custom data tied to this alias // @inject_tag: sentinel:"-" map custom_metadata = 12; // Local indicates if the alias only belongs to the cluster where it was // created. If true, the alias will be stored in a location that is ignored by // the performance replication subsystem. // @inject_tag: sentinel:"-" bool local = 13; // LocalBucketKey is the identifying element of the location where this alias // is stored in the storage packer. This helps in querying local aliases // during invalidation of local aliases in performance standbys. // @inject_tag: sentinel:"-" string local_bucket_key = 14; } // Deprecated. Retained for backwards compatibility. message EntityStorageEntry { repeated PersonaIndexEntry personas = 1; string id = 2; string name = 3; map metadata = 4; google.protobuf.Timestamp creation_time = 5; google.protobuf.Timestamp last_update_time= 6; repeated string merged_entity_ids = 7; repeated string policies = 8; string bucket_key_hash = 9; map mfa_secrets = 10; } // Deprecated. Retained for backwards compatibility. message PersonaIndexEntry { string id = 1; string entity_id = 2; string mount_type = 3; string mount_accessor = 4; string mount_path = 5; map metadata = 6; string name = 7; google.protobuf.Timestamp creation_time = 8; google.protobuf.Timestamp last_update_time = 9; repeated string merged_from_entity_ids = 10; }