syntax = "proto3";

option go_package = "github.com/hashicorp/vault/helper/identity";

package identity;

import "google/protobuf/timestamp.proto";
// Provides mfa.Secret, used by Entity.mfa_secrets and
// EntityStorageEntry.mfa_secrets.
import "helper/identity/mfa/types.proto";

// Group represents an identity group.
//
// The field numbers of every message in this file are the storage/wire
// contract for persisted identity data: never renumber or reuse them, and
// reserve a number instead of deleting a field.
message Group {
  // ID is the unique identifier for this group.
  string id = 1;

  // Name is the unique name for this group.
  string name = 2;

  // Policies are the Vault policies to be granted to members of this group.
  repeated string policies = 3;

  // ParentGroupIDs are the identifiers of the groups of which this group is a
  // member. These serve as references to the parent groups in the hierarchy.
  repeated string parent_group_ids = 4;

  // MemberEntityIDs are the identifiers of entities which are members of this
  // group.
  repeated string member_entity_ids = 5;

  // Metadata represents the custom data tied to this group.
  map<string, string> metadata = 6;

  // CreationTime is the time at which this group was created.
  google.protobuf.Timestamp creation_time = 7;

  // LastUpdateTime is the time at which this group was last modified.
  google.protobuf.Timestamp last_update_time = 8;

  // ModifyIndex tracks the number of updates to the group. It is useful to
  // detect updates to the group.
  uint64 modify_index = 9;

  // BucketKey is the path of the storage packer key into which this group is
  // stored.
  string bucket_key = 10;

  // Alias is used to mark this group as an internal mapping of a group that
  // is external to the identity store. Alias can only be set if the 'type'
  // is set to 'external'.
  Alias alias = 11;

  // Type indicates if this group is an internal group or an external group.
  // Memberships of the internal groups can be managed over the API whereas
  // the memberships on the external group --for which a corresponding alias
  // will be set-- will be managed automatically.
  //
  // NOTE(review): this is a free-form string, so the schema itself does not
  // restrict it to 'internal'/'external'; that validation presumably lives in
  // the code that writes groups -- confirm.
  string type = 12;

  // NamespaceID is the identifier of the namespace to which this group
  // belongs. Do not return this value over the API when reading the
  // group.
  string namespace_id = 13;
}

// Entity represents an entity that gets persisted and indexed.
// Entity is fundamentally composed of zero or many aliases.
message Entity {
  // Aliases are the identities that this entity is made of. This can be
  // empty as well, to favor being able to create the entity first and then
  // incrementally add aliases.
  repeated Alias aliases = 1;

  // ID is the unique identifier of the entity, which will always be a UUID.
  // This should never be allowed to be updated.
  string id = 2;

  // Name is a unique identifier of the entity which is intended to be
  // human-friendly. The default name might not be human-friendly since it
  // gets suffixed by a UUID, but it can optionally be updated, unlike the ID
  // field.
  string name = 3;

  // Metadata represents the explicit metadata which is set by the
  // clients. This is useful to tie any information pertaining to the
  // aliases. This is a non-unique field of the entity, meaning multiple
  // entities can have the same metadata set. Entities will be indexed based
  // on this explicit metadata. This enables virtual groupings of entities
  // based on their metadata.
  map<string, string> metadata = 4;

  // CreationTime is the time at which this entity was first created.
  google.protobuf.Timestamp creation_time = 5;

  // LastUpdateTime is the most recent time at which the properties of this
  // entity got modified. This is helpful in filtering out entities based on
  // their age and to take action on them, if desired.
  google.protobuf.Timestamp last_update_time = 6;

  // MergedEntityIDs are the entities which got merged into this one. Entities
  // will be indexed based on all the entities that got merged into it. This
  // helps to apply the actions on this entity to the tokens that are bound
  // to the merged entities. Merged entities will be deleted entirely and
  // this is the only trackable trail of their earlier presence.
  repeated string merged_entity_ids = 7;

  // Policies the entity is entitled to.
  repeated string policies = 8;

  // BucketKey is the path of the storage packer key into which this entity is
  // stored.
  string bucket_key = 9;

  // MFASecrets holds the MFA secrets indexed by the identifier of the MFA
  // method configuration. Because this field carries secret material, a
  // serialized Entity must be treated as sensitive as a whole.
  // NOTE(review): confirm this map is stripped before an entity is returned
  // over the API or written to logs.
  map<string, mfa.Secret> mfa_secrets = 10;

  // Disabled indicates that tokens associated with the account should not be
  // usable.
  bool disabled = 11;

  // NamespaceID is the identifier of the namespace to which this entity
  // belongs. Do not return this value over the API when reading the
  // entity.
  string namespace_id = 12;
}

// Alias represents the alias that gets stored inside of the entity object in
// storage and also represents an alias object in an in-memory index.
message Alias {
  // ID is the unique identifier that represents this alias.
  string id = 1;

  // CanonicalID is the identifier of the entity to which this alias belongs.
  string canonical_id = 2;

  // MountType is the type of the backend mount to which this alias belongs.
  // This enables categorically querying aliases of specific backend types.
  string mount_type = 3;

  // MountAccessor is the accessor of the backend mount to which this alias
  // belongs.
  string mount_accessor = 4;

  // MountPath is the path of the backend mount identified by MountAccessor.
  // This field is not used for any operational purposes; it is only returned
  // when the alias is read, as a nicety.
  string mount_path = 5;

  // Metadata is the explicit metadata that clients set against an entity,
  // which enables virtual grouping of aliases. Aliases will be indexed
  // against their metadata.
  map<string, string> metadata = 6;

  // Name is the identifier of this alias in its authentication source.
  // This does not uniquely identify an alias in Vault; Name in conjunction
  // with MountAccessor forms the factors that identify an alias uniquely.
  // Aliases will be indexed based on this combined uniqueness factor.
  string name = 7;

  // CreationTime is the time at which this alias was first created.
  google.protobuf.Timestamp creation_time = 8;

  // LastUpdateTime is the most recent time at which the properties of this
  // alias got modified. This is helpful in filtering out aliases based
  // on their age and to take action on them, if desired.
  google.protobuf.Timestamp last_update_time = 9;

  // MergedFromCanonicalIDs is the FIFO history of merging activity.
  repeated string merged_from_canonical_ids = 10;

  // NamespaceID is the identifier of the namespace to which this alias
  // belongs.
  // NOTE(review): unlike Group and Entity, no "do not return over the API"
  // caveat is stated for this field -- confirm whether exposing it is
  // intentional.
  string namespace_id = 11;
}

// EntityStorageEntry is an older storage shape of an entity. It mirrors
// Entity, with personas in place of aliases and bucket_key_hash in place of
// bucket_key.
//
// Deprecated. Retained for backwards compatibility (presumably with entries
// already persisted in this shape); see Entity for the field semantics.
message EntityStorageEntry {
  repeated PersonaIndexEntry personas = 1;
  string id = 2;
  string name = 3;
  map<string, string> metadata = 4;
  google.protobuf.Timestamp creation_time = 5;
  google.protobuf.Timestamp last_update_time = 6;
  repeated string merged_entity_ids = 7;
  repeated string policies = 8;
  string bucket_key_hash = 9;
  // Carries secret material, like Entity.mfa_secrets.
  map<string, mfa.Secret> mfa_secrets = 10;
}

// PersonaIndexEntry is an older storage shape of an alias. It mirrors Alias,
// with entity_id in place of canonical_id and merged_from_entity_ids in place
// of merged_from_canonical_ids, and without a namespace_id field.
//
// Deprecated. Retained for backwards compatibility (presumably with entries
// already persisted in this shape); see Alias for the field semantics.
message PersonaIndexEntry {
  string id = 1;
  string entity_id = 2;
  string mount_type = 3;
  string mount_accessor = 4;
  string mount_path = 5;
  map<string, string> metadata = 6;
  string name = 7;
  google.protobuf.Timestamp creation_time = 8;
  google.protobuf.Timestamp last_update_time = 9;
  repeated string merged_from_entity_ids = 10;
}