package kudu.security

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: TokenPB

• optional string username = 1

Used in: TokenPB

• optional string username = 1

• optional TablePrivilegePB table_privilege = 2

Used in: TablePrivilegePB

• optional bool scan_privilege = 1

  If set, the user has privileges to select and apply predicates on the column during scans.

Used in: rpc.NegotiatePB

• optional bytes token_data = 1

  The actual token data. This is a serialized TokenPB protobuf. However, we use a 'bytes' field, since protobuf doesn't guarantee that if two implementations serialize a protobuf, they'll necessary get bytewise identical results, particularly in the presence of unknown fields.

• optional bytes signature = 2

  The cryptographic signature of 'token_contents'.

• optional int64 signing_key_seq_num = 3

  The sequence number of the key which produced 'signature'.

Used in: AuthzTokenPB

• optional string table_id = 1

  The ID of the table to which the privileges apply.

• optional bool scan_privilege = 2

  If set, the user is authorized to select and apply predicates to all columns when scanning the table, and `column_privileges` is ignored. If unset, the user may only scan and apply predicates to columns with the privileges specified in `column_privileges`.

• optional bool insert_privilege = 3

  If set, the user is authorized to insert rows into the table.

• optional bool update_privilege = 4

  If set, the user is authorized to update rows in the table.

• optional bool delete_privilege = 5

  If set, the user is authorized to delete rows in the table.

• map<int32, ColumnPrivilegePB> column_privileges = 6

  Per-column privileges, indexed by column ID.

• optional int64 expire_unix_epoch_seconds = 1

  The time at which this token expires, in seconds since the unix epoch.

• repeated int32 incompatible_features = 2

  List of incompatible features used by this token. If a feature is listed in the token and a server verifying/authorizing the token sees an UNKNOWN value in this list, it should reject the token. This allows us to safely add "restrictive" content to tokens and have a "default deny" policy on servers that may not understand them. We use an int32 here but the values correspond to the 'Feature' enum above. This is to deal with protobuf's odd handling of unknown enum values (see KUDU-1850).

• oneof token

  • AuthnTokenPB authn = 3

  • AuthzTokenPB authz = 4

• UNUSED_PLACEHOLDER = 999

  Protobuf doesn't let us define a enum with no values, so we've got this placeholder in here for now. When we add the first real feature flag, we can remove this.

A private key used to sign tokens.

• optional int64 key_seq_num = 1

• optional bytes rsa_key_der = 2

  The private key material, in DER format.

• optional int64 expire_unix_epoch_seconds = 3

  The time at which signatures made by this key should no longer be valid.

A public key corresponding to the private key used to sign tokens. Only this part is necessary for token verification.

• optional int64 key_seq_num = 1

• optional bytes rsa_key_der = 2

  The public key material, in DER format.

• optional int64 expire_unix_epoch_seconds = 3

  The time at which signatures made by this key should no longer be valid.