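syntax = "proto3";

package identity;

import "google/protobuf/timestamp.proto";
import "helper/identity/mfa/types.proto";

// go_package is part of the published contract for this package; do not
// change it, and do not renumber any field below: field numbers, not names,
// identify fields on the wire and in persisted storage entries.
option go_package = "github.com/hashicorp/vault/helper/identity";

// Group represents an identity group.
//
// Groups carry authorization-relevant data (policies, membership), so every
// write path that mutates a Group must be access-controlled, and readers must
// strip the fields marked below as not-for-API before returning a group.
message Group {
  // ID is the unique identifier for this group.
  string id = 1;

  // Name is the unique name for this group.
  string name = 2;

  // Policies are the Vault policies granted to members of this group.
  // Authorization-relevant: adding a policy here widens what every member
  // entity can do.
  repeated string policies = 3;

  // ParentGroupIDs are the identifiers of the groups of which this group is
  // a member. They serve as references to the parent groups in the hierarchy.
  repeated string parent_group_ids = 4;

  // MemberEntityIDs are the identifiers of the entities that are members of
  // this group.
  repeated string member_entity_ids = 5;

  // Metadata is the custom key/value data tied to this group.
  map<string, string> metadata = 6;

  // CreationTime is the time at which this group was created.
  google.protobuf.Timestamp creation_time = 7;

  // LastUpdateTime is the time at which this group was last modified.
  google.protobuf.Timestamp last_update_time = 8;

  // ModifyIndex counts the number of updates made to the group. It is useful
  // for detecting that a group has changed.
  uint64 modify_index = 9;

  // BucketKeyHash is the MD5 hash of the storage bucket key under which this
  // group is stored in the underlying storage. It is used to find all the
  // groups belonging to a particular bucket when that storage key is
  // invalidated. MD5 is used here purely as a lookup key for bucket
  // membership, not as an integrity or authentication mechanism.
  string bucket_key_hash = 10;

  // Alias marks this group as an internal mapping of a group that is external
  // to the identity store. Alias can only be set if 'type' is 'external'.
  Alias alias = 11;

  // Type indicates whether this group is an internal or an external group.
  // Memberships of internal groups are managed over the API, whereas the
  // memberships of an external group -- for which a corresponding alias is
  // set -- are managed automatically. This is a free-form string; the values
  // referenced elsewhere in this file are 'internal' and 'external'.
  string type = 12;

  // NamespaceID is the identifier of the namespace to which this group
  // belongs. Do not return this value over the API when reading the group.
  string namespace_id = 13;
}

// Entity represents an entity that gets persisted and indexed.
// An entity is fundamentally composed of zero or more aliases.
//
// An Entity stores credential material (mfa_secrets) alongside its
// authorization data (policies); handle the whole message as sensitive and
// apply the per-field API exposure notes below when serving reads.
message Entity {
  // Aliases are the identities that this entity is made of. This can be empty
  // so that an entity can be created first and aliases added incrementally.
  repeated Alias aliases = 1;

  // ID is the unique identifier of the entity, which is always a UUID. This
  // must never be allowed to be updated.
  string id = 2;

  // Name is a unique identifier of the entity which is intended to be
  // human-friendly. The default name might not be human-friendly since it
  // gets suffixed with a UUID, but unlike the ID field it can optionally be
  // updated.
  string name = 3;

  // Metadata is the explicit metadata set by clients. It is useful for tying
  // any information pertaining to the aliases to the entity. This is a
  // non-unique field: multiple entities can carry the same metadata. Entities
  // are indexed on this explicit metadata, which enables virtual groupings of
  // entities based on their metadata.
  map<string, string> metadata = 4;

  // CreationTime is the time at which this entity was first created.
  google.protobuf.Timestamp creation_time = 5;

  // LastUpdateTime is the most recent time at which the properties of this
  // entity were modified. This is helpful for filtering entities by age and
  // taking action on them, if desired.
  google.protobuf.Timestamp last_update_time = 6;

  // MergedEntityIDs are the entities that were merged into this one. Entities
  // are indexed on all the entities merged into them, which lets actions on
  // this entity apply to tokens bound to the merged entities. Merged entities
  // are deleted entirely; this list is the only trackable trail of their
  // earlier presence.
  repeated string merged_entity_ids = 7;

  // Policies are the Vault policies the entity is entitled to.
  // Authorization-relevant: see Group.policies.
  repeated string policies = 8;

  // BucketKeyHash is the MD5 hash of the storage bucket key under which this
  // entity is stored in the underlying storage. It is used to find all the
  // entities belonging to a particular bucket when that storage key is
  // invalidated. MD5 is used here purely as a lookup key, not for integrity.
  string bucket_key_hash = 9;

  // MFASecrets holds the MFA secrets, keyed by the identifier of the MFA
  // method configuration. This is credential material.
  // NOTE(review): confirm that this map is never returned over the read API
  // and is only reachable through the MFA validation path.
  map<string, mfa.Secret> mfa_secrets = 10;

  // Disabled indicates that tokens associated with this entity must not be
  // usable. proto3 implicit presence applies: an absent field reads as
  // false, i.e. the entity is enabled by default.
  bool disabled = 11;

  // NamespaceID is the identifier of the namespace to which this entity
  // belongs. Do not return this value over the API when reading the entity.
  string namespace_id = 12;
}

// Alias represents the alias that is stored inside the entity object in
// storage; the same type is used for the in-memory index of an alias.
message Alias {
  // ID is the unique identifier that represents this alias.
  string id = 1;

  // CanonicalID is the identifier of the entity to which this alias belongs.
  string canonical_id = 2;

  // MountType is the type of the backend mount to which this alias belongs.
  // This enables categorically querying aliases of specific backend types.
  string mount_type = 3;

  // MountAccessor is the accessor of the backend mount to which this alias
  // belongs. Together with Name it uniquely identifies the alias.
  string mount_accessor = 4;

  // MountPath is the path of the backend mount to which the accessor belongs.
  // This field is not used for any operational purpose; it is only returned
  // when an alias is read, as a convenience. It must not be used to identify
  // the mount -- use MountAccessor for that, since paths can be remounted.
  string mount_path = 5;

  // Metadata is the explicit metadata that clients set on this alias, which
  // enables virtual grouping of aliases. Aliases are indexed against their
  // metadata.
  map<string, string> metadata = 6;

  // Name is the identifier of this alias in its authentication source. It
  // does not uniquely identify an alias in Vault on its own; Name together
  // with MountAccessor is the factor that represents an alias uniquely, and
  // aliases are indexed on that combined uniqueness factor.
  string name = 7;

  // CreationTime is the time at which this alias was first created.
  google.protobuf.Timestamp creation_time = 8;

  // LastUpdateTime is the most recent time at which the properties of this
  // alias were modified. This is helpful for filtering aliases by age and
  // taking action on them, if desired.
  google.protobuf.Timestamp last_update_time = 9;

  // MergedFromCanonicalIDs is the FIFO history of merging activity.
  repeated string merged_from_canonical_ids = 10;

  // NamespaceID is the identifier of the namespace to which this alias
  // belongs.
  string namespace_id = 11;
}

// EntityStorageEntry is the legacy storage form of an Entity.
// Deprecated: retained only for backwards compatibility with already
// persisted data; use Entity instead. Field numbers are kept identical to
// Entity's so that old entries decode.
message EntityStorageEntry {
  option deprecated = true;

  repeated PersonaIndexEntry personas = 1;
  string id = 2;
  string name = 3;
  map<string, string> metadata = 4;
  google.protobuf.Timestamp creation_time = 5;
  google.protobuf.Timestamp last_update_time = 6;
  repeated string merged_entity_ids = 7;
  repeated string policies = 8;
  string bucket_key_hash = 9;
  // Credential material, as in Entity.mfa_secrets.
  map<string, mfa.Secret> mfa_secrets = 10;
}

// PersonaIndexEntry is the legacy storage form of an Alias.
// Deprecated: retained only for backwards compatibility with already
// persisted data; use Alias instead.
message PersonaIndexEntry {
  option deprecated = true;

  string id = 1;
  string entity_id = 2;
  string mount_type = 3;
  string mount_accessor = 4;
  string mount_path = 5;
  map<string, string> metadata = 6;
  string name = 7;
  google.protobuf.Timestamp creation_time = 8;
  google.protobuf.Timestamp last_update_time = 9;
  repeated string merged_from_entity_ids = 10;
}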