// Persisted identity-store types: Group, Entity and Alias, together with the
// deprecated EntityStorageEntry and PersonaIndexEntry storage formats.
syntax = "proto3";

package identity;

import "google/protobuf/timestamp.proto";
import "helper/identity/mfa/types.proto";

option go_package = "github.com/hashicorp/vault/helper/identity";
9
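// Group represents an identity group.
message Group {
	// ID is the unique identifier for this group.
	string id = 1;

	// Name is the unique name for this group.
	string name = 2;

	// Policies are the Vault policies granted to members of this group.
	repeated string policies = 3;

	// ParentGroupIDs are the identifiers of the groups of which this group is
	// a member. They serve as references to the parent groups in the
	// hierarchy.
	repeated string parent_group_ids = 4;

	// MemberEntityIDs are the identifiers of the entities that are members of
	// this group.
	repeated string member_entity_ids = 5;

	// Metadata is the custom key/value data tied to this group.
	map<string, string> metadata = 6;

	// CreationTime is the time at which this group was created.
	google.protobuf.Timestamp creation_time = 7;

	// LastUpdateTime is the time at which this group was last modified.
	google.protobuf.Timestamp last_update_time = 8;

	// ModifyIndex counts the updates made to the group and can be used to
	// detect that the group has changed.
	uint64 modify_index = 9;

	// BucketKey is the path of the storage packer key under which this group
	// is stored.
	string bucket_key = 10;

	// Alias marks this group as an internal mapping of a group that is
	// external to the identity store. Alias may only be set when 'type' is
	// set to 'external'.
	Alias alias = 11;

	// Type indicates whether this group is an internal or an external group.
	// Memberships of internal groups are managed over the API, whereas
	// memberships of external groups -- for which a corresponding alias is
	// set -- are managed automatically.
	string type = 12;

	// NamespaceID is the identifier of the namespace to which this group
	// belongs. Do not return this value over the API when reading the group.
	string namespace_id = 13;
}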
63
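// Entity represents an entity that gets persisted and indexed.
// An Entity is fundamentally composed of zero or more aliases.
message Entity {
	// Aliases are the identities this entity is made of. This may be empty,
	// so that an entity can be created first and aliases added incrementally.
	repeated Alias aliases = 1;

	// ID is the unique identifier of the entity, which will always be a UUID.
	// It must never be allowed to change.
	string id = 2;

	// Name is a unique, human-friendly identifier of the entity. The default
	// name might not be human-friendly since it is suffixed with a UUID, but
	// unlike the ID it can be updated.
	string name = 3;

	// Metadata is the explicit metadata set by clients, used to tie
	// information to the entity's aliases. It is a non-unique field: several
	// entities may carry the same metadata. Entities are indexed on this
	// metadata, which enables virtual groupings of entities.
	map<string, string> metadata = 4;

	// CreationTime is the time at which this entity was first created.
	google.protobuf.Timestamp creation_time = 5;

	// LastUpdateTime is the most recent time at which the properties of this
	// entity were modified. Useful for filtering entities by age and acting
	// on them, if desired.
	google.protobuf.Timestamp last_update_time = 6;

	// MergedEntityIDs are the entities that were merged into this one.
	// Entities are indexed on all the entities merged into them, so actions
	// on this entity also apply to tokens bound to the merged entities.
	// Merged entities are deleted entirely; this list is the only trail of
	// their earlier presence.
	repeated string merged_entity_ids = 7;

	// Policies are the policies the entity is entitled to.
	repeated string policies = 8;

	// BucketKey is the path of the storage packer key under which this entity
	// is stored.
	string bucket_key = 9;

	// MFASecrets holds the MFA secrets, indexed by the identifier of the MFA
	// method configuration.
	// NOTE(review): this field carries secret material; confirm that API read
	// paths never return it to callers.
	map<string, mfa.Secret> mfa_secrets = 10;

	// Disabled indicates whether tokens associated with this entity should be
	// prevented from being used.
	bool disabled = 11;

	// NamespaceID is the identifier of the namespace to which this entity
	// belongs. Do not return this value over the API when reading the entity.
	string namespace_id = 12;
}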
125
// Alias represents the alias that gets stored inside of the entity object in
// storage, and is also the form held in the in-memory index of aliases.
message Alias {
	// ID is the unique identifier of this alias.
	string id = 1;

	// CanonicalID is the identifier of the entity to which this alias belongs.
	string canonical_id = 2;

	// MountType is the type of the backend mount to which this alias belongs.
	// It enables categorically querying aliases of specific backend types.
	string mount_type = 3;

	// MountAccessor is the accessor of the backend mount to which this alias
	// belongs.
	string mount_accessor = 4;

	// MountPath is the path of the backend mount to which MountAccessor
	// belongs. This field is not used for any operational purpose; it is only
	// returned when the alias is read, as a nicety.
	string mount_path = 5;

	// Metadata is the explicit metadata that clients set against an alias,
	// which enables virtual grouping of aliases. Aliases are indexed on their
	// metadata.
	map<string, string> metadata = 6;

	// Name is the identifier of this alias in its authentication source. On
	// its own it does not uniquely identify an alias in Vault; Name together
	// with MountAccessor is what identifies an alias uniquely, and aliases are
	// indexed on that combination.
	string name = 7;

	// CreationTime is the time at which this alias was first created.
	google.protobuf.Timestamp creation_time = 8;

	// LastUpdateTime is the most recent time at which the properties of this
	// alias were modified. Useful for filtering aliases by age and acting on
	// them, if desired.
	google.protobuf.Timestamp last_update_time = 9;

	// MergedFromCanonicalIDs is the FIFO history of merging activity.
	repeated string merged_from_canonical_ids = 10;

	// NamespaceID is the identifier of the namespace to which this alias
	// belongs.
	// NOTE(review): unlike Group and Entity, this field is not documented as
	// one to withhold from API reads; confirm whether that is intentional.
	string namespace_id = 11;
}
176
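// EntityStorageEntry is deprecated and retained only for backwards
// compatibility with data already in storage. Field numbers 1 to 10 line up
// with those of Entity, so this is presumably the earlier storage form of an
// entity; use Entity for new code.
message EntityStorageEntry {
	option deprecated = true;

	// Personas is the earlier form of Entity.aliases (presumably).
	repeated PersonaIndexEntry personas = 1;
	// ID is the unique identifier of the entity.
	string id = 2;
	// Name is the name of the entity.
	string name = 3;
	// Metadata is the client-set key/value data of the entity.
	map<string, string> metadata = 4;
	// CreationTime is the time at which the entity was created.
	google.protobuf.Timestamp creation_time = 5;
	// LastUpdateTime is the time at which the entity was last modified.
	google.protobuf.Timestamp last_update_time = 6;
	// MergedEntityIDs are the entities that were merged into this one.
	repeated string merged_entity_ids = 7;
	// Policies are the policies the entity is entitled to.
	repeated string policies = 8;
	// BucketKeyHash is the storage packer bucket reference; Entity carries a
	// bucket_key path at the same field number instead.
	string bucket_key_hash = 9;
	// MFASecrets holds the MFA secrets indexed by MFA method configuration.
	// NOTE(review): secret material, as for Entity.mfa_secrets.
	map<string, mfa.Secret> mfa_secrets = 10;
}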
190
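// PersonaIndexEntry is deprecated and retained only for backwards
// compatibility with data already in storage. Its field numbers 1 to 10 line
// up with those of Alias, so this is presumably the earlier storage form of an
// alias; use Alias for new code.
message PersonaIndexEntry {
	option deprecated = true;

	// ID is the unique identifier of the persona.
	string id = 1;
	// EntityID is the identifier of the owning entity (Alias.canonical_id in
	// the current form).
	string entity_id = 2;
	// MountType is the type of the backend mount the persona belongs to.
	string mount_type = 3;
	// MountAccessor is the accessor of the backend mount the persona belongs
	// to.
	string mount_accessor = 4;
	// MountPath is the path of the backend mount the persona belongs to.
	string mount_path = 5;
	// Metadata is the client-set key/value data of the persona.
	map<string, string> metadata = 6;
	// Name is the identifier of the persona in its authentication source.
	string name = 7;
	// CreationTime is the time at which the persona was created.
	google.protobuf.Timestamp creation_time = 8;
	// LastUpdateTime is the time at which the persona was last modified.
	google.protobuf.Timestamp last_update_time = 9;
	// MergedFromEntityIDs is the merge history (Alias.merged_from_canonical_ids
	// in the current form).
	repeated string merged_from_entity_ids = 10;
}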
204