services/identity: Support email-domain based classification of
blessings.
Motivation:
We want the ability to use a single identity provider but be able to ACL
different classes of users based on their email address. For example,
all @google.com email addresses should be able to use some services
that @gmail.com addresses cannot.
There are many ways to go about doing this - from using different
identity providers, to issuing dual blessings and what not. For now, we
try this simple approach - given an email address, it can be classified
based on the domain. For example, with:
--email_classifier=google.com=internal
identityd running as say "dev.v.io" will issue the blessing:
- dev.v.io/users/alice@gmail.com to alice@gmail.com
- dev.v.io/internal/bob@google.com to bob@google.com
Thus, an ACL of the form:
{ In: "dev.v.io/internal" }
will grant access to "dev.v.io/internal/bob@google.com" but
deny access to "dev.v.io/users/alice@gmail.com".
One can argue that bob@google.com should be blessed as both:
dev.v.io/users/bob@google.com
&
dev.v.io/internal/bob@google.com
and we might do that in the future.
This is just a quick change for now.
Change-Id: If967a0ee849131634371069ddbc4ed8afc80eeaf
10 files changed
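The classification described in this commit message, as an added example that is not the project's own code: a parser for the `domain=class` flag value, the resulting blessing name (`provider/class/email`, with `users` as the fallback class), and a prefix check for an ACL entry of the form `{ In: "dev.v.io/internal" }`. Assumptions in this example: several pairs may be separated by commas, only the exact domain is matched (`mail.google.com` is not `google.com`), and emails or classes containing `/` are rejected so they cannot add extra components to the blessing name. `InPattern` is a simplified stand-in for the real blessing-pattern matching, written to show the whole-component rule that makes `dev.v.io/internal` cover `dev.v.io/internal/bob@google.com` but not `dev.v.io/users/alice@gmail.com`.

```go
package main

import (
	"fmt"
	"strings"
)

// DefaultClass is the blessing extension for email domains that no
// --email_classifier entry mentions (the "users" in dev.v.io/users/...).
const DefaultClass = "users"

// Classifier maps a lower-cased email domain to a blessing class.
type Classifier struct {
	byDomain map[string]string
}

// ParseClassifier parses "domain=class" pairs such as "google.com=internal".
// Several pairs separated by commas are accepted (the separator is an
// assumption of this example, not something the commit specifies).
func ParseClassifier(spec string) (*Classifier, error) {
	c := &Classifier{byDomain: make(map[string]string)}
	if strings.TrimSpace(spec) == "" {
		return c, nil
	}
	for _, pair := range strings.Split(spec, ",") {
		parts := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("email classifier: want domain=class, got %q", pair)
		}
		domain, class := strings.ToLower(parts[0]), parts[1]
		// A class becomes one component of the blessing name, so it must
		// not itself contain the "/" component separator.
		if strings.Contains(class, "/") {
			return nil, fmt.Errorf("email classifier: class %q must not contain '/'", class)
		}
		c.byDomain[domain] = class
	}
	return c, nil
}

// Classify returns the class for an email address. Only the exact domain is
// matched: "mail.google.com" is not "google.com". Addresses that would split
// the blessing name into extra components are rejected (added check).
func (c *Classifier) Classify(email string) (string, error) {
	if strings.Contains(email, "/") {
		return "", fmt.Errorf("email %q must not contain '/'", email)
	}
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", fmt.Errorf("email %q has no domain", email)
	}
	if class, ok := c.byDomain[strings.ToLower(email[at+1:])]; ok {
		return class, nil
	}
	return DefaultClass, nil
}

// BlessingName builds the name an identity provider running as "provider"
// (e.g. "dev.v.io") would issue: provider/class/email.
func (c *Classifier) BlessingName(provider, email string) (string, error) {
	class, err := c.Classify(email)
	if err != nil {
		return "", err
	}
	return provider + "/" + class + "/" + email, nil
}

// InPattern reports whether a blessing name is covered by an ACL entry
// { In: pattern }: the pattern must equal the blessing or be a prefix of it
// ending on a component boundary, so "dev.v.io/internal" does not cover
// "dev.v.io/internalx/...".
func InPattern(pattern, blessing string) bool {
	return blessing == pattern || strings.HasPrefix(blessing, pattern+"/")
}

func main() {
	c, err := ParseClassifier("google.com=internal")
	if err != nil {
		panic(err)
	}
	// Constructed sample addresses from the commit message.
	for _, email := range []string{"alice@gmail.com", "bob@google.com"} {
		name, err := c.BlessingName("dev.v.io", email)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s -> %-34s in dev.v.io/internal: %v\n",
			email, name, InPattern("dev.v.io/internal", name))
	}
}
```

Because the class is the first component after the provider name, a user of an unclassified domain lands under `users/` and cannot reach `internal/` by choosing a clever local part; the `/` rejection is still worth keeping so that no email address can ever lengthen the blessing chain.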