// Code generated by make; DO NOT EDIT.
syntax = "proto3";
package cosi.v1alpha1;
import "google/protobuf/descriptor.proto";
option go_package = "sigs.k8s.io/container-object-storage-interface-spec;cosi";
// Custom enum-level option used to mark experimental enums.
extend google.protobuf.EnumOptions {
  // Indicates that this enum is OPTIONAL and part of an experimental
  // API that may be deprecated and eventually removed between minor
  // releases.
  bool alpha_enum = 1060;
}
// Custom enum-value-level option used to mark experimental enum values.
extend google.protobuf.EnumValueOptions {
  // Indicates that this enum value is OPTIONAL and part of an
  // experimental API that may be deprecated and eventually removed
  // between minor releases.
  bool alpha_enum_value = 1060;
}
// Custom field-level options: one to flag sensitive fields, one to mark
// experimental fields.
extend google.protobuf.FieldOptions {
  // Indicates that a field MAY contain information that is sensitive
  // and MUST be treated as such (e.g. not logged).
  // Set it as `[(cosi_secret) = true]` on fields that carry credentials
  // or key material so that generic logging/tracing code can redact them.
  bool cosi_secret = 1059;
  // Indicates that this field is OPTIONAL and part of an experimental
  // API that may be deprecated and eventually removed between minor
  // releases.
  bool alpha_field = 1060;
}
// Custom message-level option used to mark experimental messages.
extend google.protobuf.MessageOptions {
  // Indicates that this message is OPTIONAL and part of an experimental
  // API that may be deprecated and eventually removed between minor
  // releases.
  bool alpha_message = 1060;
}
// Custom method-level option used to mark experimental RPCs.
extend google.protobuf.MethodOptions {
  // Indicates that this method is OPTIONAL and part of an experimental
  // API that may be deprecated and eventually removed between minor
  // releases.
  bool alpha_method = 1060;
}
// Custom service-level option used to mark experimental services.
extend google.protobuf.ServiceOptions {
  // Indicates that this service is OPTIONAL and part of an experimental
  // API that may be deprecated and eventually removed between minor
  // releases.
  bool alpha_service = 1060;
}
// Identity exposes the provisioner's identity so callers can address
// the correct provisioner.
service Identity {
  // This call is meant to retrieve the unique provisioner Identity.
  // This identity will have to be set in BucketRequest.Provisioner field in order to invoke this specific provisioner.
  // The request carries no fields; the response carries the provisioner
  // name (see ProvisionerGetInfoResponse for the naming constraints).
  rpc ProvisionerGetInfo (ProvisionerGetInfoRequest) returns (ProvisionerGetInfoResponse) {}
}
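// Provisioner manages bucket lifecycle and per-account access to buckets
// in the object storage backend.
service Provisioner {
  // This call is made to create the bucket in the backend.
  // This call is idempotent
  // 1. If a bucket that matches both name and parameters already exists, then OK (success) must be returned.
  // 2. If a bucket by same name, but different parameters is provided, then the appropriate error code ALREADY_EXISTS must be returned.
  rpc ProvisionerCreateBucket (ProvisionerCreateBucketRequest) returns (ProvisionerCreateBucketResponse) {}
  // This call is made to delete the bucket in the backend.
  // If the bucket has already been deleted, then no error should be returned.
  rpc ProvisionerDeleteBucket (ProvisionerDeleteBucketRequest) returns (ProvisionerDeleteBucketResponse) {}
  // This call grants access to an account. The account_name in the request shall be used as a unique identifier to create credentials.
  // The account_id returned in the response will be used as the unique identifier for deleting this access when calling ProvisionerRevokeBucketAccess.
  // The response may carry credentials; see ProvisionerGrantBucketAccessResponse.
  rpc ProvisionerGrantBucketAccess (ProvisionerGrantBucketAccessRequest) returns (ProvisionerGrantBucketAccessResponse) {}
  // This call revokes all access to a particular bucket from a principal.
  // The principal is identified by the account_id obtained from ProvisionerGrantBucketAccess.
  rpc ProvisionerRevokeBucketAccess (ProvisionerRevokeBucketAccessRequest) returns (ProvisionerRevokeBucketAccessResponse) {}
}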
// S3SignatureVersion is the version of the signing algorithm for all s3 requests
enum S3SignatureVersion {
  // Zero value: the proto3 default when S3.signature_version is unset.
  // Receivers must treat it as "not specified" rather than as a usable
  // signature version.
  UnknownSignature = 0;
  // S3V2, Signature version v2
  S3V2 = 1;
  // S3V4, Signature version v4
  S3V4 = 2;
}
// AnonymousBucketAccessMode describes what uncredentialed callers may do
// with a bucket. No message in this file currently references this enum.
enum AnonymousBucketAccessMode {
  // Zero value: the proto3 default for an unset field. Note that this is
  // distinct from Private below — an unset field reads as
  // UnknownBucketAccessMode, not Private, so receivers must map the zero
  // value explicitly rather than assume the documented default.
  UnknownBucketAccessMode = 0;
  // Default, disallow uncredentialed access to the backend storage.
  Private = 1;
  // Read only, uncredentialed users can call ListBucket and GetObject.
  ReadOnly = 2;
  // Write only, uncredentialed users can only call PutObject.
  WriteOnly = 3;
  // Read/Write, uncredentialed users can read objects as well as PutObject.
  ReadWrite = 4;
}
// S3 carries the protocol-specific settings for an S3-compatible backend.
message S3 {
  // region denotes the geographical region where the S3 server is running
  string region = 1;
  // signature_version denotes the signature version for signing all s3 requests
  // Defaults to UnknownSignature (0) when unset.
  S3SignatureVersion signature_version = 2;
}
// AzureBlob carries the protocol-specific settings for an Azure Blob
// Storage backend.
message AzureBlob {
  // storage_account is the id of the azure storage account
  string storage_account = 1;
}
// GCS carries the protocol-specific settings for a Google Cloud Storage
// backend. All three fields are names/identifiers, not key material.
message GCS {
  // private_key_name denotes the name of the private key in the storage backend
  string private_key_name = 1;
  // project_id denotes the name of the project id in the storage backend
  string project_id = 2;
  // service_account denotes the name of the service account in the storage backend
  string service_account = 3;
}
// Protocol selects exactly one backend protocol and its settings.
message Protocol {
  // Exactly one of the members may be set; setting one clears the others.
  oneof type {
    S3 s3 = 1;
    // NOTE(review): field name is camelCase rather than lower_snake_case;
    // renaming would change generated accessors in some languages, so it
    // is left as-is here.
    AzureBlob azureBlob = 2;
    GCS gcs = 3;
  }
}
// Request for Identity.ProvisionerGetInfo.
message ProvisionerGetInfoRequest {
  // Intentionally left blank
}
// Response for Identity.ProvisionerGetInfo.
message ProvisionerGetInfoResponse {
  // This field is REQUIRED
  // The name MUST follow domain name notation format
  // (https://tools.ietf.org/html/rfc1035#section-2.3.1). It SHOULD
  // include the plugin's host company name and the plugin name,
  // to minimize the possibility of collisions. It MUST be 63
  // characters or less, beginning and ending with an alphanumeric
  // character ([a-z0-9A-Z]) with dashes (-), dots (.), and
  // alphanumerics between.
  // Callers should validate these constraints; the schema cannot enforce them.
  string name = 1;
}
// Request for Provisioner.ProvisionerCreateBucket.
message ProvisionerCreateBucketRequest {
  // This field is REQUIRED
  // name specifies the name of the bucket that should be created.
  string name = 1;
  // This field is REQUIRED
  // Protocol specific information required by the call; exactly one of
  // the Protocol oneof members (s3, azureBlob, gcs) is expected to be set.
  Protocol protocol = 2;
  // This field is OPTIONAL
  // The caller should treat the values in parameters as opaque.
  // The receiver is responsible for parsing and validating the values.
  map<string,string> parameters = 3;
}
// Response for Provisioner.ProvisionerCreateBucket.
message ProvisionerCreateBucketResponse {
  // bucket_id returned here is expected to be the globally unique
  // identifier for the bucket in the object storage provider
  // It is the handle used by the Delete/Grant/Revoke requests below.
  string bucket_id = 1;
}
// Request for Provisioner.ProvisionerDeleteBucket.
message ProvisionerDeleteBucketRequest {
  // This field is REQUIRED
  // bucket_id is a globally unique identifier for the bucket
  // in the object storage provider
  string bucket_id = 1;
}
// Response for Provisioner.ProvisionerDeleteBucket.
message ProvisionerDeleteBucketResponse {
  // Intentionally left blank
}
// Request for Provisioner.ProvisionerGrantBucketAccess.
message ProvisionerGrantBucketAccessRequest {
  // This field is REQUIRED
  // bucket_id is a globally unique identifier for the bucket
  // in the object storage provider
  string bucket_id = 1;
  // This field is REQUIRED
  // account_name is an identifier for object storage provider
  // to ensure that multiple requests for the same account
  // result in only one access token being created
  string account_name = 2;
  // This field is REQUIRED
  // Requested Access policy, ex: {"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::profilepics/*"}
  // Carried as an opaque string; the example above is illustrative and the
  // receiver is responsible for parsing and validating it.
  string access_policy = 3;
  // This field is OPTIONAL
  // The caller should treat the values in parameters as opaque.
  // The receiver is responsible for parsing and validating the values.
  map<string,string> parameters = 4;
}
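// Response for Provisioner.ProvisionerGrantBucketAccess.
message ProvisionerGrantBucketAccessResponse {
  // This field is OPTIONAL
  // This is the account_id that is being provided access. This will
  // be required later to revoke access.
  string account_id = 1;
  // This field is OPTIONAL
  // Credentials supplied for accessing the bucket ex: aws access key id and secret, etc.
  // Marked with the cosi_secret option declared in this file so that
  // consumers treat the value as sensitive (e.g. do not log it). The
  // option does not change the wire encoding.
  string credentials = 2 [(cosi_secret) = true];
}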
// Request for Provisioner.ProvisionerRevokeBucketAccess.
message ProvisionerRevokeBucketAccessRequest {
  // This field is REQUIRED
  // bucket_id is a globally unique identifier for the bucket
  // in the object storage provider.
  string bucket_id = 1;
  // This field is REQUIRED
  // This is the account_id that is having its access revoked.
  // It is the value returned in ProvisionerGrantBucketAccessResponse.account_id.
  string account_id = 2;
}
// Response for Provisioner.ProvisionerRevokeBucketAccess.
message ProvisionerRevokeBucketAccessResponse {
  // Intentionally left blank
}