blob: caf2a6a53af4c7cda613483b236a09fafa5e442b [file] [log] [blame]
Scott Bakere7144bc2019-10-01 14:16:47 -07001/*
2Copyright The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
20syntax = 'proto2';
21
22package k8s.io.api.authentication.v1beta1;
23
24import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
25import "k8s.io/apimachinery/pkg/runtime/generated.proto";
26import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
27
28// Package-wide variables from generator "generated".
29option go_package = "v1beta1";
30
31// ExtraValue masks the value so protobuf can generate
32// +protobuf.nullable=true
33// +protobuf.options.(gogoproto.goproto_stringer)=false
34message ExtraValue {
35 // items, if empty, will result in an empty slice
36
37 repeated string items = 1;
38}
39
40// TokenReview attempts to authenticate a token to a known user.
41// Note: TokenReview requests may be cached by the webhook token authenticator
42// plugin in the kube-apiserver.
43message TokenReview {
44 // +optional
45 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
46
47 // Spec holds information about the request being evaluated
48 optional TokenReviewSpec spec = 2;
49
50 // Status is filled in by the server and indicates whether the request can be authenticated.
51 // +optional
52 optional TokenReviewStatus status = 3;
53}
54
55// TokenReviewSpec is a description of the token authentication request.
56message TokenReviewSpec {
57 // Token is the opaque bearer token.
58 // +optional
59 optional string token = 1;
60
61 // Audiences is a list of the identifiers that the resource server presented
62 // with the token identifies as. Audience-aware token authenticators will
63 // verify that the token was intended for at least one of the audiences in
64 // this list. If no audiences are provided, the audience will default to the
65 // audience of the Kubernetes apiserver.
66 // +optional
67 repeated string audiences = 2;
68}
69
70// TokenReviewStatus is the result of the token authentication request.
71message TokenReviewStatus {
72 // Authenticated indicates that the token was associated with a known user.
73 // +optional
74 optional bool authenticated = 1;
75
76 // User is the UserInfo associated with the provided token.
77 // +optional
78 optional UserInfo user = 2;
79
80 // Audiences are audience identifiers chosen by the authenticator that are
81 // compatible with both the TokenReview and token. An identifier is any
82 // identifier in the intersection of the TokenReviewSpec audiences and the
83 // token's audiences. A client of the TokenReview API that sets the
84 // spec.audiences field should validate that a compatible audience identifier
85 // is returned in the status.audiences field to ensure that the TokenReview
86 // server is audience aware. If a TokenReview returns an empty
87 // status.audience field where status.authenticated is "true", the token is
88 // valid against the audience of the Kubernetes API server.
89 // +optional
90 repeated string audiences = 4;
91
92 // Error indicates that the token couldn't be checked
93 // +optional
94 optional string error = 3;
95}
96
97// UserInfo holds the information about the user needed to implement the
98// user.Info interface.
99message UserInfo {
100 // The name that uniquely identifies this user among all active users.
101 // +optional
102 optional string username = 1;
103
104 // A unique value that identifies this user across time. If this user is
105 // deleted and another user by the same name is added, they will have
106 // different UIDs.
107 // +optional
108 optional string uid = 2;
109
110 // The names of groups this user is a part of.
111 // +optional
112 repeated string groups = 3;
113
114 // Any additional information provided by the authenticator.
115 // +optional
116 map<string, ExtraValue> extra = 4;
117}
118