Google Git
Sign in
gbmc / vbmc / refs/heads/master / . / proxy_config.proto
blob: 357d2d9f23cef39a0638931352c0443cd555c9ff [file] [log] [blame] [edit]
syntax = "proto3";
package milotic_grpc_proxy;
import "google/protobuf/any.proto";
option optimize_for = CODE_SIZE;
message RedfishV1Options {}
message VoyagerTelemetryOptions {}
message Ownership {
uint32 id = 1;
}
enum Permission {
// Default behavior is implementation dependent, but ensures that the
// specified user has read/write access. It is currently the same as
// PERM_USER_AND_GROUP. Generally, the default should only be used if we don't
// care about what permissions are set.
PERM_DEFAULT = 0;
PERM_USER_ONLY = 1; // rwx------
PERM_USER_AND_GROUP = 2; // rwxr-x---
}
message UdsConfiguration {
string path = 1;
Ownership user = 2;
Ownership group = 3;
Permission permission = 4;
}
message NetConfiguration {
string host = 1;
uint32 port = 2;
}
message ChannelArgumentsConfiguration {
uint32 keepalive_time_ms = 1;
uint32 keepalive_timeout_ms = 2;
uint32 keepalive_permit_without_calls = 3;
uint32 http2_max_pings_without_data = 4;
uint32 http2_min_recv_ping_interval_without_data_ms = 5;
uint32 http2_max_ping_strikes = 6;
}
message MtlsServerCredentialsConfiguration {
string keypair_path = 1;
string trust_bundle_path = 2;
string root_cert_name = 3;
uint32 keypair_file_check_retry_duration_sec = 4;
uint32 keypair_refresh_interval_sec = 5;
string authz_policy_path = 11;
uint32 authz_policy_refresh_interval_sec = 12;
}
// gRPC server configuration per proxy.
message GrpcConfiguration {
// Endpoints are added if the configuration is set
UdsConfiguration uds_endpoint = 1;
// The server will listen at host:port, so host should usually be the FQDN.
NetConfiguration net_endpoint = 2;
// Channel arguments to be added to the gRPC server builder.
ChannelArgumentsConfiguration channel_arguments = 3;
// If set, the server will be configured with mTLS credentials.
MtlsServerCredentialsConfiguration mtls_server_credentials = 4;
}
message RetryConfig {
int64 delay_sec = 1;
int64 max_attempts = 2;
}
enum CacheMode {
CACHE_MODE_UNSPECIFIED = 0;
CACHE_MODE_NEVER = 1;
CACHE_MODE_ONCE = 2;
}
message CredentialsFile {
repeated string path = 1;
string private_cache_path = 2;
}
// Contains multiple methods to search ReasonID from the event,
message EventReasonIdParse {
message ReasonIdMessageArgsIndex {
string message_key = 1;
int32 message_arg_index = 2;
}
oneof reason_id_parse {
// Path to the Oem json field
string oem_field_path = 1;
// Search for ReasonID in message args for a MessageKey at an index of
// MessageArgs
ReasonIdMessageArgsIndex message_args_index = 2;
// Search for ReasonID in message string using regex parsing
string message_string_regex = 3;
}
}
message EventParse {
// Path of events registry which contains mapping of reasonId to severity
// platforms/vbmc/platform/<machine>/vendor_events.proto:VendorEventRegistry
string events_registry_config = 1;
// For tests
bool skip_event_registry = 2;
// Config on which methods to use for finding reason id from the event
repeated EventReasonIdParse reason_id_parse = 3;
// List of MessageKeys for which we should ignore event severity
repeated string ignore_event_sev_message_keys = 4;
// List of MessageRegistryPrefix for which we should ignore event severity
repeated string ignore_event_sev_message_prefix = 5;
// If set true, only events with a reason id will be used to determine the
// health of the machine
bool ignore_event_sev_wo_reason_id = 6;
}
enum RequestVerb {
REQUEST_VERB_UNSPECIFIED = 0;
REQUEST_VERB_GET = 1;
REQUEST_VERB_POST = 2;
REQUEST_VERB_PUT = 3;
REQUEST_VERB_PATCH = 4;
REQUEST_VERB_DELETE = 5;
REQUEST_VERB_SUBSCRIBE = 6;
REQUEST_VERB_INTERNAL = 7;
REQUEST_VERB_BIDIRECTIONAL_STREAM = 8;
}
message AuthorizationPolicy {
message Rule {
// An empty Rule will always succeed.
// gRPC AuthContext properties. All specified AuthContext properties should
// have at least one value that matches exactly. The same name may be
// repeated multiple times to match multiple values.
reserved 1;
reserved "property_value";
oneof permission {
// This permission ID is passed to the milotic::PermissionChecker
// implementation.
string permission_id = 2;
// If true, requests from local connections (e.g. UDS) are authorized.
bool local = 3;
}
}
message Mapping {
// This name is used for logging, monitoring and error messages.
string name = 1;
// A map of rule names to rules. At least one rule should apply for the
// request to be approved.
map<string, Rule> allow = 2;
// The resource path to authorize. If omitted or empty, this matches all
// resource paths.
repeated string resource_path = 3;
// Request verb to match. If not specified, all request verbs will match.
RequestVerb request_verb = 4;
// If true, this rule will match the entire subtree at `resource_path`. This
// is also required for $expand.
bool with_subtree = 5;
}
// Mappings are tried in sequence. If a mapping matches, at least one Rule
// should pass to authorize the resource
repeated Mapping mappings = 2;
// If set to true, query parameters are preserved in the request. Otherwise,
// query parameters are stripped before authorization (they are not passed to
// the handlers either).
bool keep_query_params = 3;
}
message TargetHostConnectedCheck {
bool include_in_machine_info = 1;
oneof check_path {
string internal_session_check_path = 2;
string get_redfish_check_path = 3;
}
// string internal_session_check_path = 2;
// string get_redfish_check_path = 3;
}
message GrpcAuth {
oneof auth_type {
SecureTls secure_tls = 1;
Loas3 loas3 = 2;
TlsNotVerifyServer tls_not_verify_server = 3;
}
message SecureTls {
string tls_key_path = 1;
string tls_cert_path = 2;
string root_cert_path = 3;
string crl_dir_path = 4;
}
message Loas3 {}
message TlsNotVerifyServer {
string tls_key_path = 1;
string tls_cert_path = 2;
}
}
message Plugin {
// This is for tests only. Replaces the URI in all requests.
message Test {
string fixed_redfish_id = 1;
}
// This is for tests only. This plugin is registered, but should never be
// used.
message TestDummy {}
message EventsManager {
// Size of the event queue for storing redfish events received from BMC.
int64 events_queue_size = 1;
// Time to wait before receiving first event from BMC.
// This is to allow for the BMC to start sending events on the SSE steam.
// Once this time expires, the plugin state is set to serving.
int64 init_timer_start_wait_sec = 2;
// Time to wait for subsequent events from BMC. This updates the timer
// duration after every event is received.
int64 init_timer_restart_wait_sec = 3;
// Time to wait for the plugin to be in serving state.
// If the plugin is not in serving state for this duration, the machine
// will move to Critical health state.
int64 serving_state_timeout_sec = 4;
// API path exposed by events manager plugin to PUT processed events from
// storage manager.
string put_processed_events_path = 5;
// API path exposed by events manager plugin to subscribe to SSE stream from
// storage manager.
string subscribe_events_path = 6;
// Path to the redfish logs resource which is queried after a non-OK event.
// If the value is empty, the logs are not fetched.
string redfish_logs_path = 12;
// Json pointer to the field to find the LogsUri value in GET response
// on `redfish_logs_path`
// Similar to `health_rollup_fields`
string redfish_logs_fields = 13;
string redfish_event_service_path = 14;
string redfish_event_service_fields = 15;
RetryConfig sse_connection_retry = 16;
// Config used only for testing.
// For testing use logs as event storage instead of CNS borg collector
bool use_logger_storage = 30;
// Use vlog with verbosity level
int64 vlog_level = 31;
// SSE connection does't work on surrogate machines, used for tests
bool skip_sse_connection = 32;
// Collector request ID filter, used for selecting specific collector
// instance which connects to vBMC, required in Mtest
string collector_request_id_filter = 33;
}
message CperEvents {
EventsManager events_manager = 1;
int64 remapping_ready_timeout_sec = 2;
int64 remapping_retry_delay_ms = 3;
message CounterFile {
string path = 1;
bool path_must_exist = 2;
string filename = 3;
string temp_filename = 4;
string memory_error_field_name = 5;
string cpu_error_field_name = 6;
int64 save_retry_interval_ms = 7;
}
CounterFile counter_file = 4;
}
message RedfishSessionAuth {
string username = 1;
oneof password_management {
string password = 2;
CredentialsFile credentials_file = 3;
}
bool only_use_basic_auth = 4;
uint32 session_check_interval_sec = 5;
}
// This plugin is used to add OAuth token to redfish requests.
message RedfishOAuth {
message MintTokenRequestConfig {
// Sets time duration for token.
int64 token_valid_time_sec = 1;
}
AuthzServerSettings authz_server_settings = 1;
MintTokenRequestConfig mint_token_request_config = 2;
string redfish_role = 3;
}
message StaticResource {
string path = 1;
}
message RedfishPassthrough {
uint64 request_timeout_msec = 1;
uint64 connect_timeout_msec = 2;
int64 dns_timeout_sec = 3;
int64 max_recv_speed = 4;
uint64 sse_low_speed_limit_bytes_per_sec = 5;
uint64 sse_low_speed_time_sec = 6;
uint32 max_concurrent_requests = 7;
int64 acquire_client_timeout_sec = 8;
}
message SshActions {
message Action {
string action_path = 1;
string ssh_command = 2;
uint64 timeout_sec = 3;
uint64 args_count = 4;
}
repeated Action actions = 1;
uint64 execute_timeout_sec = 2;
uint64 execute_retry_interval_ms = 3;
}
message RedfishGrpc {
GrpcAuth grpc_auth = 1;
}
oneof plugin {
Test test = 1;
TestDummy test_do_not_use = 2;
RedfishSessionAuth redfish_session_auth = 4;
StaticResource static_resource = 5;
RedfishPassthrough redfish_passthrough = 6;
SshActions ssh_actions = 8;
RedfishGrpc redfish_grpc = 11;
CperEvents cper_events = 12;
}
string name = 99;
}
message AuthzServerSettings {
GrpcAuth grpc_auth = 1;
int32 oauth_port = 2;
string hostname = 3;
int64 rpc_timeout_sec = 4;
}
message SshOptions {
oneof credentials {
CredentialsFile credentials_file = 1;
AuthzServerSettings authz_server_settings = 6;
}
uint32 port = 2;
uint32 max_connections = 3;
uint64 connect_timeout_sec = 4;
uint64 connect_retry_interval_ms = 5;
google.protobuf.Any connector_config = 7;
}
message HiscConnectorConfig {
int32 serial_port = 1;
}
enum TargetScheme {
TARGET_SCHEME_UNSPECIFIED = 0;
TARGET_SCHEME_HTTP = 1;
TARGET_SCHEME_HTTPS = 2;
TARGET_SCHEME_GRPC = 3;
TARGET_SCHEME_SSH = 4;
}
message Target {
TargetScheme scheme = 1;
oneof host {
string hostname = 2;
NEAHost nea_host = 4;
}
uint32 port = 3;
}
message NEAHost {
string entity_tag = 1;
oneof role {
string interface_role = 2;
bool legacy_hostname = 3;
}
}
// Configuration for a single proxy.
message ProxyConfiguration {
reserved 1;
reserved "target_host";
oneof target_spec {
Target target = 7;
}
repeated Target fallback_targets = 11;
GrpcConfiguration grpc_configuration = 2;
// Services are enabled if their configuration is present
RedfishV1Options redfish_v1_options = 3;
VoyagerTelemetryOptions voyager_telemetry_options = 4;
repeated Plugin plugins = 5;
SshOptions ssh_options = 6;
AuthorizationPolicy resource_authorization_policy = 8;
// If set, the additional gRPC services will be added to the proxy. The
// services must be registered using `Proxy::RegisterService` before starting
// the server.
repeated google.protobuf.Any additional_services = 9;
string name = 10;
}
message QueueOptions {
uint32 size = 1;
uint32 quantum = 2;
uint32 max_parallel_jobs = 3;
}
// A Configuration message configures a set of proxies in a common gRPC server.
// Right now, only a single proxy is supported.
// TODO(b/279213767): Support multiple proxies
message Configuration {
repeated ProxyConfiguration proxy_configuration = 1;
QueueOptions queue_options = 2;
}