Remove roles (replaced with scope)

2020-05-21 14:56:17 +01:00 · 2020-05-21 14:56:17 +01:00 · 856c73b341
commit 856c73b341
parent 4de19805ba
13 changed files with 93 additions and 226 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -4,7 +4,6 @@ package auth
 import (
 	"context"
 	"errors"
 	"strings"
 	"time"
 )
@ -14,7 +13,7 @@ const BearerScheme = "Bearer "
 var (
 	// ErrInvalidToken is when the token provided is not valid
 	ErrInvalidToken = errors.New("invalid token provided")
-	// ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource
+	// ErrForbidden is when a user does not have the necessary scope to access a resource
 	ErrForbidden = errors.New("resource forbidden")
 )
@ -50,8 +49,6 @@ type Account struct {
 	Type string `json:"type"`
 	// Provider who issued the account
 	Provider string `json:"provider"`
 	// Roles associated with the Account
 	Roles []string `json:"roles"`
 	// Any other associated metadata
 	Metadata map[string]string `json:"metadata"`
 	// Scopes the account has access to
@ -60,36 +57,6 @@ type Account struct {
 	Secret string `json:"secret"`
 }
 // HasScope returns a boolean indicating if the account has the given scope
 func (a *Account) HasScope(scopes ...string) bool {
 	if a.Scopes == nil {
 		return false
 	}
 	for _, s := range a.Scopes {
 		if s == strings.Join(scopes, ".") {
 			return true
 		}
 	}
 	return false
 }
 // HasRole returns a boolean indicating if the account has the given role
 func (a *Account) HasRole(role string) bool {
 	if a.Roles == nil {
 		return false
 	}
 	for _, r := range a.Roles {
 		if r == role {
 			return true
 		}
 	}
 	return false
 }
 // Token can be short or long lived
 type Token struct {
 	// The token to be used for accessing resources
@ -131,9 +98,9 @@ const (
 type Rule struct {
 	// ID of the rule, e.g. "public"
 	ID string
-	// Role the rule requires, a blank role indicates open to the public and * indicates the rule
+	// Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
 	// applies to any valid account
-	Role string
+	Scope string
 	// Resource the rule applies to
 	Resource *Resource
 	// Access determines if the rule grants or denies access to the resource
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@ -1,30 +0,0 @@
 package auth
 import "testing"
 func TestHasScope(t *testing.T) {
 	if new(Account).HasScope("namespace", "foo") {
 		t.Errorf("Expected the blank account to not have a role")
 	}
 	acc := Account{Scopes: []string{"namespace.foo"}}
 	if !acc.HasScope("namespace", "foo") {
 		t.Errorf("Expected the account to have the namespace.foo role")
 	}
 	if acc.HasScope("namespace", "bar") {
 		t.Errorf("Expected the account to not have the namespace.bar role")
 	}
 }
 func TestHasRole(t *testing.T) {
 	if new(Account).HasRole("foo") {
 		t.Errorf("Expected the blank account to not have a role")
 	}
 	acc := Account{Roles: []string{"foo"}}
 	if !acc.HasRole("foo") {
 		t.Errorf("Expected the account to have the foo role")
 	}
 	if acc.HasRole("bar") {
 		t.Errorf("Expected the account to not have the bar role")
 	}
 }
--- a/auth/default.go
+++ b/auth/default.go
@ -50,7 +50,6 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 	return &Account{
 		ID:       id,
 		Roles:    options.Roles,
 		Secret:   options.Secret,
 		Metadata: options.Metadata,
 		Scopes:   options.Scopes,
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@ -17,11 +17,6 @@ func NewAuth(opts ...auth.Option) auth.Auth {
 	return j
 }
 type rule struct {
 	role     string
 	resource *auth.Resource
 }
 type jwt struct {
 	options auth.Options
 	jwt     token.Provider
@ -59,7 +54,6 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 	account := &auth.Account{
 		ID:       id,
 		Type:     options.Type,
 		Roles:    options.Roles,
 		Scopes:   options.Scopes,
 		Provider: options.Provider,
 		Metadata: options.Metadata,
--- a/auth/options.go
+++ b/auth/options.go
@ -121,8 +121,6 @@ func WithClient(c client.Client) Option {
 type GenerateOptions struct {
 	// Metadata associated with the account
 	Metadata map[string]string
 	// Roles/scopes associated with the account
 	Roles []string
 	// Scopes the account has access too
 	Scopes []string
 	// Provider of the account, e.g. oauth
@ -156,13 +154,6 @@ func WithMetadata(md map[string]string) GenerateOption {
 	}
 }
 // WithRoles for the generated account
 func WithRoles(rs ...string) GenerateOption {
 	return func(o *GenerateOptions) {
 		o.Roles = rs
 	}
 }
 // WithScopes for the generated account
 func WithScopes(s ...string) GenerateOption {
 	return func(o *GenerateOptions) {
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
@ -50,29 +50,29 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
-		// a blank role indicates the rule applies to everyone, even nil accounts
+		// a blank scope indicates the rule applies to everyone, even nil accounts
-		if rule.Role == "" && rule.Access == auth.AccessDenied {
+		if rule.Scope == "" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
-		// all further checks require an account within the current scope
+		// all further checks require an account
-		if acc == nil || !acc.HasScope("namespace", namespace) {
+		if acc == nil {
 			continue
 		}
 		// this rule applies to any account
-		if rule.Role == "*" && rule.Access == auth.AccessDenied {
+		if rule.Scope == "*" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
-		// if the account has the necessary role
+		// if the account has the necessary scope
-		if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied {
+		if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 	}
--- a/auth/service/proto/auth.pb.go
+++ b/auth/service/proto/auth.pb.go
@ -188,7 +188,6 @@ func (m *Token) GetExpiry() int64 {
 type Account struct {
 	Id                   string            `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	Type                 string            `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`
 	Roles                []string          `protobuf:"bytes,3,rep,name=roles,proto3" json:"roles,omitempty"`
 	Metadata             map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	Scopes               []string          `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"`
 	Provider             string            `protobuf:"bytes,6,opt,name=provider,proto3" json:"provider,omitempty"`
@ -237,13 +236,6 @@ func (m *Account) GetType() string {
 	return ""
 }
 func (m *Account) GetRoles() []string {
 	if m != nil {
 		return m.Roles
 	}
 	return nil
 }
 func (m *Account) GetMetadata() map[string]string {
 	if m != nil {
 		return m.Metadata
@ -329,7 +321,6 @@ func (m *Resource) GetEndpoint() string {
 type GenerateRequest struct {
 	Id                   string            `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	Roles                []string          `protobuf:"bytes,2,rep,name=roles,proto3" json:"roles,omitempty"`
 	Metadata             map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	Scopes               []string          `protobuf:"bytes,4,rep,name=scopes,proto3" json:"scopes,omitempty"`
 	Secret               string            `protobuf:"bytes,5,opt,name=secret,proto3" json:"secret,omitempty"`
@ -372,13 +363,6 @@ func (m *GenerateRequest) GetId() string {
 	return ""
 }
 func (m *GenerateRequest) GetRoles() []string {
 	if m != nil {
 		return m.Roles
 	}
 	return nil
 }
 func (m *GenerateRequest) GetMetadata() map[string]string {
 	if m != nil {
 		return m.Metadata
@ -454,7 +438,7 @@ func (m *GenerateResponse) GetAccount() *Account {
 }
 type GrantRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
+	Scope                string    `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"`
 	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
 	XXX_unrecognized     []byte    `json:"-"`
@ -486,9 +470,9 @@ func (m *GrantRequest) XXX_DiscardUnknown() {
 var xxx_messageInfo_GrantRequest proto.InternalMessageInfo
-func (m *GrantRequest) GetRole() string {
+func (m *GrantRequest) GetScope() string {
 	if m != nil {
-		return m.Role
+		return m.Scope
 	}
 	return ""
 }
@ -532,7 +516,7 @@ func (m *GrantResponse) XXX_DiscardUnknown() {
 var xxx_messageInfo_GrantResponse proto.InternalMessageInfo
 type RevokeRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
+	Scope                string    `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"`
 	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
 	XXX_unrecognized     []byte    `json:"-"`
@ -564,9 +548,9 @@ func (m *RevokeRequest) XXX_DiscardUnknown() {
 var xxx_messageInfo_RevokeRequest proto.InternalMessageInfo
-func (m *RevokeRequest) GetRole() string {
+func (m *RevokeRequest) GetScope() string {
 	if m != nil {
-		return m.Role
+		return m.Scope
 	}
 	return ""
 }
@ -791,7 +775,7 @@ func (m *TokenResponse) GetToken() *Token {
 type Rule struct {
 	Id                   string    `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
-	Role                 string    `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
+	Scope                string    `protobuf:"bytes,2,opt,name=scope,proto3" json:"scope,omitempty"`
 	Resource             *Resource `protobuf:"bytes,3,opt,name=resource,proto3" json:"resource,omitempty"`
 	Access               Access    `protobuf:"varint,4,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
 	Priority             int32     `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"`
@ -832,9 +816,9 @@ func (m *Rule) GetId() string {
 	return ""
 }
-func (m *Rule) GetRole() string {
+func (m *Rule) GetScope() string {
 	if m != nil {
-		return m.Role
+		return m.Scope
 	}
 	return ""
 }
@ -1101,63 +1085,62 @@ func init() {
 func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) }
 var fileDescriptor_21300bfacc51fc2a = []byte{
-	// 890 bytes of a gzipped FileDescriptorProto
+	// 871 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0x5f, 0x8f, 0xdb, 0x44,
-	0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x6d, 0xb7, 0x2e,
+	0x10, 0x3f, 0xe7, 0x8f, 0x93, 0x9b, 0xc4, 0x77, 0xd1, 0xf6, 0x5a, 0xac, 0x94, 0x6b, 0xaf, 0x2e,
-	0x82, 0xa5, 0x82, 0x2c, 0x4a, 0x6f, 0x0a, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15,
+	0x82, 0xa3, 0x82, 0x1c, 0x4a, 0x5f, 0x0a, 0x7d, 0xe1, 0xd4, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15,
-	0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xc3, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc,
+	0x21, 0x90, 0x50, 0x65, 0x9c, 0x81, 0xb3, 0x2e, 0x67, 0x9b, 0xdd, 0x75, 0x44, 0x5e, 0x90, 0x78,
-	0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0x68, 0xfe, 0xbc, 0xb1, 0xe3, 0x54, 0x2b,
+	0xe3, 0xc3, 0xf0, 0x91, 0x78, 0xe7, 0x2b, 0xf0, 0x88, 0xbc, 0x3b, 0xeb, 0x8b, 0x1d, 0xa7, 0x3a,
-	0xe0, 0x6e, 0xce, 0xcc, 0x77, 0xce, 0x9c, 0xef, 0x3b, 0x67, 0x8e, 0x0d, 0xc7, 0x71, 0xc1, 0x2f,
+	0x81, 0x78, 0xf3, 0xec, 0xfe, 0x76, 0x66, 0x7e, 0xbf, 0x9d, 0x99, 0x35, 0x1c, 0x07, 0x99, 0xbc,
-	0xce, 0x18, 0xd2, 0x55, 0x9a, 0xe0, 0xd9, 0x92, 0xe6, 0x3c, 0x3f, 0x13, 0x5b, 0x43, 0xb9, 0x24,
+	0x38, 0x13, 0xc8, 0x57, 0x51, 0x88, 0x67, 0x29, 0x4f, 0x64, 0x72, 0x96, 0x2f, 0x8d, 0xd4, 0x27,
-	0xfe, 0x4f, 0xf9, 0xf0, 0x2a, 0x4d, 0x68, 0x3e, 0x14, 0x9b, 0xe1, 0x6d, 0xb8, 0xf5, 0x55, 0xca,
+	0x73, 0x7e, 0x4a, 0x46, 0x57, 0x51, 0xc8, 0x93, 0x51, 0xbe, 0xe8, 0xdd, 0x86, 0x5b, 0x5f, 0x44,
-	0xf8, 0x79, 0x92, 0xe4, 0x45, 0xc6, 0x59, 0x84, 0x3f, 0x17, 0xc8, 0x78, 0xf8, 0x02, 0x8e, 0xaa,
+	0x42, 0x9e, 0x87, 0x61, 0x92, 0xc5, 0x52, 0xf8, 0xf8, 0x73, 0x86, 0x42, 0x7a, 0x2f, 0xe0, 0xa8,
-	0xdb, 0x6c, 0x99, 0x67, 0x0c, 0xc9, 0x08, 0x3a, 0xb1, 0xde, 0x0b, 0xac, 0x13, 0xe7, 0xb4, 0x3b,
+	0xbc, 0x2c, 0xd2, 0x24, 0x16, 0xc8, 0xc6, 0xd0, 0x0d, 0x68, 0xcd, 0xb5, 0x4e, 0x9a, 0xa7, 0xbd,
-	0xba, 0x33, 0xac, 0x04, 0x1c, 0x6a, 0x97, 0xa8, 0xc4, 0x85, 0xbf, 0x59, 0xd0, 0x7a, 0x95, 0x5f,
+	0xf1, 0x9d, 0x51, 0xc9, 0xe1, 0x88, 0x8e, 0xf8, 0x05, 0xce, 0xfb, 0xcd, 0x82, 0xf6, 0xab, 0xe4,
-	0x62, 0x46, 0x1e, 0x40, 0x2f, 0x4e, 0x12, 0x64, 0xec, 0x0d, 0x17, 0x76, 0x60, 0x9d, 0x58, 0xa7,
+	0x12, 0x63, 0xf6, 0x00, 0xfa, 0x41, 0x18, 0xa2, 0x10, 0xaf, 0x65, 0x6e, 0xbb, 0xd6, 0x89, 0x75,
-	0xfb, 0x51, 0x57, 0xed, 0x29, 0xc8, 0x43, 0xf0, 0x29, 0xfe, 0x48, 0x91, 0x5d, 0x68, 0x8c, 0x2d,
+	0xba, 0xef, 0xf7, 0xf4, 0x9a, 0x86, 0x3c, 0x04, 0x87, 0xe3, 0x8f, 0x1c, 0xc5, 0x05, 0x61, 0x1a,
-	0x31, 0x3d, 0xbd, 0xa9, 0x40, 0x01, 0xb4, 0x13, 0x8a, 0x31, 0xc7, 0x79, 0xe0, 0x9c, 0x58, 0xa7,
+	0x0a, 0xd3, 0xa7, 0x45, 0x0d, 0x72, 0xa1, 0x13, 0x72, 0x0c, 0x24, 0x2e, 0xdc, 0xe6, 0x89, 0x75,
-	0x4e, 0x64, 0x4c, 0x72, 0x07, 0x3c, 0xfc, 0x65, 0x99, 0xd2, 0x75, 0xe0, 0xca, 0x03, 0x6d, 0x85,
+	0xda, 0xf4, 0x8d, 0xc9, 0xee, 0x80, 0x8d, 0xbf, 0xa4, 0x11, 0x5f, 0xbb, 0x2d, 0xb5, 0x41, 0x96,
-	0xbf, 0xdb, 0xd0, 0xd6, 0x99, 0x91, 0x03, 0xb0, 0xd3, 0xb9, 0xbe, 0xdb, 0x4e, 0xe7, 0x84, 0x80,
+	0xf7, 0xb7, 0x05, 0x1d, 0xca, 0x8c, 0x1d, 0x40, 0x23, 0x5a, 0x50, 0xec, 0x46, 0xb4, 0x60, 0x0c,
-	0xcb, 0xd7, 0x4b, 0xd4, 0x37, 0xc9, 0x35, 0x39, 0x82, 0x16, 0xcd, 0x17, 0xc8, 0x02, 0xe7, 0xc4,
+	0x5a, 0x72, 0x9d, 0x22, 0x45, 0x52, 0xdf, 0xec, 0x53, 0xe8, 0x5e, 0xa1, 0x0c, 0x16, 0x81, 0x0c,
-	0x39, 0xdd, 0x8f, 0x94, 0x41, 0x3e, 0x87, 0xce, 0x15, 0xf2, 0x78, 0x1e, 0xf3, 0x38, 0x70, 0x25,
+	0xdc, 0x96, 0xe2, 0xf9, 0x4e, 0x3d, 0xcf, 0xd1, 0x4b, 0x82, 0x4d, 0x63, 0xc9, 0xd7, 0x7e, 0x71,
-	0xfb, 0xf7, 0x9a, 0xd9, 0x0f, 0x5f, 0x6a, 0xd8, 0x24, 0xe3, 0x74, 0x1d, 0x95, 0x5e, 0x22, 0x3f,
+	0x2a, 0xcf, 0x44, 0x84, 0x49, 0x8a, 0xc2, 0x6d, 0x9f, 0x34, 0x4f, 0xf7, 0x7d, 0xb2, 0xd8, 0x10,
-	0x96, 0xe4, 0x4b, 0x64, 0x41, 0x4b, 0x06, 0xd6, 0x16, 0x19, 0x40, 0x67, 0x49, 0xf3, 0x55, 0x3a,
+	0xba, 0x29, 0x4f, 0x56, 0xd1, 0x02, 0xb9, 0x6b, 0xab, 0x88, 0x85, 0xad, 0xce, 0x60, 0xc8, 0x51,
-	0x47, 0x1a, 0x78, 0x32, 0x8f, 0xd2, 0x96, 0x3e, 0x98, 0x50, 0xe4, 0x41, 0x5b, 0x9e, 0x68, 0x6b,
+	0xba, 0x1d, 0xb5, 0x43, 0xd6, 0xf0, 0x29, 0x38, 0xa5, 0x30, 0x6c, 0x00, 0xcd, 0x4b, 0x5c, 0x13,
-	0xf0, 0x14, 0xfc, 0xca, 0x35, 0xa4, 0x0f, 0xce, 0x25, 0xae, 0x35, 0x33, 0xb1, 0x14, 0x34, 0x56,
+	0x87, 0xfc, 0x93, 0x1d, 0x41, 0x7b, 0x15, 0x2c, 0x33, 0xc3, 0x42, 0x1b, 0x9f, 0x34, 0x9e, 0x58,
-	0xf1, 0xa2, 0x30, 0xdc, 0x94, 0xf1, 0x99, 0xfd, 0xc4, 0x0a, 0x67, 0xd0, 0x89, 0x90, 0xe5, 0x05,
+	0xde, 0x1c, 0xba, 0x3e, 0x8a, 0x24, 0xe3, 0x21, 0xe6, 0x54, 0xe3, 0xe0, 0x0a, 0xe9, 0xa0, 0xfa,
-	0x4d, 0x50, 0x08, 0x90, 0xc5, 0x57, 0xa8, 0x1d, 0xe5, 0xba, 0x51, 0x94, 0x01, 0x74, 0x30, 0x9b,
+	0xae, 0xa5, 0x3f, 0x84, 0x2e, 0xc6, 0x8b, 0x34, 0x89, 0x62, 0xa9, 0x14, 0xde, 0xf7, 0x0b, 0xdb,
-	0x2f, 0xf3, 0x34, 0xe3, 0x52, 0xf7, 0xfd, 0xa8, 0xb4, 0xc3, 0x3f, 0x6c, 0x38, 0x9c, 0x62, 0x86,
+	0xfb, 0xbd, 0x01, 0x87, 0x33, 0x8c, 0x91, 0x07, 0x12, 0xa9, 0x5c, 0xb6, 0x24, 0xfd, 0x6c, 0x43,
-	0x34, 0xe6, 0xa8, 0x9b, 0x68, 0x4b, 0xe8, 0x52, 0x54, 0x7b, 0x53, 0xd4, 0x2f, 0x36, 0x44, 0x75,
+	0xbe, 0xa6, 0x92, 0xef, 0x83, 0x8a, 0x7c, 0x15, 0x0f, 0x37, 0x90, 0xb1, 0x55, 0x92, 0xf1, 0x5a,
-	0xa4, 0xa8, 0x1f, 0xd5, 0x44, 0xad, 0xc5, 0xbd, 0x81, 0xb8, 0x6e, 0x45, 0xdc, 0x6b, 0x01, 0x5b,
+	0xaa, 0xf6, 0xa6, 0x54, 0x05, 0x1b, 0xbb, 0xcc, 0xa6, 0x90, 0xbc, 0x53, 0x96, 0xfc, 0xbf, 0x49,
-	0x9b, 0x02, 0x96, 0x1c, 0xbd, 0x2a, 0xc7, 0xb2, 0x10, 0xed, 0x6a, 0x21, 0xfe, 0x9b, 0xe0, 0x63,
+	0x3b, 0x81, 0xc1, 0x35, 0x0f, 0xea, 0x90, 0x8f, 0xa0, 0x43, 0x95, 0xaf, 0x7c, 0xec, 0x6e, 0x10,
-	0xe8, 0x5f, 0xf3, 0xd0, 0xaf, 0xe9, 0x13, 0x68, 0xeb, 0x57, 0x22, 0x63, 0xec, 0x7e, 0x4c, 0x06,
+	0x03, 0xf3, 0xbe, 0x85, 0xfe, 0x8c, 0x07, 0xb1, 0x34, 0x62, 0x1e, 0x41, 0x5b, 0x91, 0xa4, 0x1c,
-	0x16, 0xbe, 0x86, 0xde, 0x94, 0xc6, 0x19, 0x37, 0x12, 0x13, 0x70, 0x85, 0x8a, 0xa6, 0x74, 0x62,
+	0xb4, 0xc1, 0x1e, 0x43, 0x97, 0xd3, 0x35, 0xaa, 0x44, 0x7a, 0xe3, 0xb7, 0x2a, 0x8e, 0xcd, 0x2d,
-	0x4d, 0x1e, 0x43, 0x87, 0xea, 0xd2, 0xca, 0x34, 0xba, 0xa3, 0x77, 0x6a, 0x61, 0x4d, 0xe5, 0xa3,
+	0xfb, 0x05, 0xd0, 0x3b, 0x04, 0x87, 0x5c, 0xeb, 0xec, 0xbc, 0xef, 0xc0, 0xf1, 0x71, 0x95, 0x5c,
-	0x12, 0x18, 0x1e, 0x82, 0xaf, 0x03, 0xab, 0xdc, 0xc2, 0xef, 0xc0, 0x8f, 0x70, 0x95, 0x5f, 0xe2,
+	0xe2, 0xff, 0x10, 0x6c, 0x00, 0x07, 0xc6, 0x37, 0x45, 0x7b, 0x17, 0x0e, 0x9e, 0xc7, 0x22, 0xc5,
-	0xff, 0x7e, 0x55, 0x1f, 0x0e, 0x4c, 0x64, 0x7d, 0xd7, 0xfb, 0x70, 0xf0, 0x3c, 0x63, 0x4b, 0x4c,
+	0x70, 0x93, 0xdb, 0x66, 0xeb, 0x6b, 0xc3, 0x7b, 0x06, 0x87, 0x05, 0xee, 0x5f, 0xcb, 0xf8, 0x2b,
-	0x4a, 0x5e, 0x47, 0xd0, 0xda, 0x1c, 0x11, 0xca, 0x08, 0x9f, 0xc1, 0x61, 0x89, 0xfb, 0xd7, 0x12,
+	0xf4, 0xd5, 0x74, 0xd8, 0x55, 0x93, 0xd7, 0x15, 0xd3, 0x28, 0x55, 0xcc, 0xd6, 0xc4, 0x69, 0xd6,
-	0xfe, 0x0a, 0x3d, 0x39, 0x45, 0x76, 0x75, 0xe9, 0x75, 0xb7, 0xd8, 0x95, 0x6e, 0xd9, 0x9a, 0x4c,
+	0x4c, 0x9c, 0x07, 0xd0, 0x57, 0x9b, 0xaf, 0x4b, 0xd3, 0xa5, 0xa7, 0xd6, 0xa6, 0x7a, 0xc4, 0x3c,
-	0x4e, 0xc3, 0x64, 0x7a, 0x00, 0x3d, 0x79, 0xf8, 0xa6, 0x32, 0x85, 0xba, 0x72, 0x6f, 0xa2, 0x46,
+	0x05, 0x87, 0xe2, 0x13, 0x85, 0x47, 0x9b, 0x5c, 0x7b, 0xe3, 0xa3, 0x0a, 0x01, 0x0d, 0x26, 0x05,
-	0xd1, 0x53, 0xf0, 0xf5, 0xfd, 0x9a, 0xc2, 0xa3, 0x4d, 0xae, 0xdd, 0xd1, 0x51, 0x8d, 0x80, 0x02,
+	0xfe, 0xb0, 0xa0, 0xe5, 0x67, 0x4b, 0xdc, 0xca, 0xba, 0xb8, 0x9f, 0xc6, 0xae, 0xfb, 0x69, 0xde,
-	0x6b, 0x05, 0xfe, 0xb4, 0xc0, 0x8d, 0x8a, 0x05, 0x36, 0x0d, 0x31, 0x59, 0x1d, 0x7b, 0x47, 0x75,
+	0xf0, 0x7e, 0xd8, 0x87, 0x60, 0xeb, 0x49, 0xab, 0xb2, 0x3f, 0x18, 0xdf, 0xde, 0x56, 0x14, 0x85,
-	0x9c, 0x1b, 0x56, 0x87, 0x7c, 0x0c, 0x9e, 0x9a, 0xc7, 0x32, 0xf7, 0x83, 0xd1, 0xed, 0x6d, 0x3d,
+	0xf0, 0x09, 0xa4, 0xbb, 0x26, 0x4a, 0x78, 0x24, 0xd7, 0xaa, 0xc7, 0xda, 0x7e, 0x61, 0x7b, 0x4f,
-	0x91, 0xb1, 0x48, 0x83, 0xd4, 0x7b, 0x49, 0x73, 0x9a, 0xf2, 0xb5, 0x7c, 0x5d, 0xad, 0xa8, 0xb4,
+	0xc0, 0x79, 0xa6, 0x26, 0xae, 0x11, 0xfb, 0x3d, 0x68, 0xf1, 0x6c, 0x89, 0x44, 0xf5, 0x56, 0x35,
-	0xc3, 0x27, 0xe0, 0x3f, 0x93, 0x73, 0xd9, 0x48, 0xfd, 0x01, 0xb8, 0xb4, 0xd0, 0x2d, 0xd4, 0x1d,
+	0x99, 0x6c, 0x89, 0xbe, 0x02, 0xe4, 0x45, 0x62, 0x4e, 0x52, 0x91, 0xdc, 0x07, 0x67, 0x82, 0x4b,
-	0xdd, 0xaa, 0x27, 0x53, 0x2c, 0x30, 0x92, 0x00, 0xd1, 0x22, 0xc6, 0x53, 0xb7, 0xc8, 0x7d, 0xf0,
+	0xdc, 0x39, 0x4c, 0xf2, 0x23, 0x06, 0x40, 0x47, 0x1c, 0xe8, 0xe5, 0xaf, 0x93, 0x79, 0xac, 0x3e,
-	0xc7, 0xb8, 0xc0, 0x9d, 0xc3, 0x45, 0xb8, 0x18, 0x80, 0x76, 0xf1, 0xa1, 0x2b, 0xbe, 0x61, 0xe6,
+	0x86, 0xbe, 0x36, 0x49, 0xf8, 0xf7, 0xa1, 0x9d, 0xc7, 0x32, 0x2f, 0x54, 0x6d, 0x36, 0x1a, 0xf1,
-	0x93, 0xf6, 0x29, 0xf4, 0x94, 0xa9, 0x65, 0xff, 0x10, 0x5a, 0xe2, 0x2e, 0xf3, 0x1d, 0x6b, 0xcc,
+	0x68, 0x04, 0xb6, 0xa6, 0xcd, 0x7a, 0xd0, 0xf9, 0x7a, 0xfe, 0xf9, 0xfc, 0xcb, 0x6f, 0xe6, 0x83,
-	0x46, 0x21, 0x1e, 0x0d, 0xc1, 0x53, 0xb4, 0x49, 0x17, 0xda, 0xdf, 0xce, 0xbe, 0x9c, 0x7d, 0xfd,
+	0xbd, 0xdc, 0x98, 0xf9, 0xe7, 0xf3, 0x57, 0xd3, 0xc9, 0xc0, 0x62, 0x00, 0xf6, 0x64, 0x3a, 0x7f,
-	0x7a, 0xd6, 0xdf, 0x13, 0xc6, 0x34, 0x3a, 0x9f, 0xbd, 0x9a, 0x8c, 0xfb, 0x16, 0x01, 0xf0, 0xc6,
+	0x3e, 0x9d, 0x0c, 0x1a, 0xe3, 0xbf, 0x2c, 0x68, 0x9d, 0x67, 0xf2, 0x82, 0xbd, 0x84, 0xae, 0x69,
-	0x93, 0xd9, 0xf3, 0xc9, 0xb8, 0x6f, 0x8f, 0xfe, 0xb6, 0xc0, 0x3d, 0x2f, 0xf8, 0x05, 0x79, 0x09,
+	0x7d, 0x76, 0xef, 0xcd, 0xb3, 0x6d, 0x78, 0x7f, 0xe7, 0x3e, 0xf1, 0xd9, 0x63, 0x2f, 0xa0, 0x43,
-	0x1d, 0xf3, 0xe8, 0xc9, 0xbd, 0xb7, 0x4f, 0xb5, 0xc1, 0xfd, 0x9d, 0xe7, 0x9a, 0xcf, 0x1e, 0x79,
+	0x1d, 0xc0, 0x8e, 0x2b, 0xe8, 0x72, 0x07, 0x0d, 0xef, 0xed, 0xda, 0x2e, 0x7c, 0x4d, 0xcc, 0x73,
-	0x01, 0x6d, 0xdd, 0xff, 0xe4, 0xb8, 0x86, 0xae, 0xbe, 0x9f, 0xc1, 0xbd, 0x5d, 0xc7, 0x65, 0xac,
+	0x7b, 0xb7, 0xb6, 0xe2, 0xc8, 0xcf, 0xdb, 0xf5, 0x9b, 0xc6, 0xcb, 0xf8, 0x7b, 0xe8, 0x9a, 0xd7,
-	0xb1, 0xf9, 0x28, 0xdf, 0x6d, 0xec, 0x37, 0x1d, 0xe7, 0xdd, 0xe6, 0x43, 0x13, 0x65, 0xf4, 0x3d,
+	0x9f, 0x7d, 0x05, 0xad, 0x5c, 0x60, 0xe6, 0x55, 0xce, 0xd4, 0xfc, 0x39, 0x0c, 0x1f, 0xbe, 0x11,
-	0x74, 0xcc, 0x3f, 0x02, 0xf9, 0x06, 0x5c, 0x21, 0x30, 0x09, 0x6b, 0x3e, 0x0d, 0xff, 0x17, 0x83,
+	0x53, 0xb8, 0xff, 0xd3, 0x82, 0x76, 0x7e, 0x11, 0x82, 0xcd, 0xc0, 0xd6, 0x15, 0xc1, 0xaa, 0x29,
-	0x87, 0x6f, 0xc5, 0x94, 0xe1, 0xff, 0xb2, 0xa0, 0x25, 0x0a, 0xc1, 0xc8, 0x14, 0x3c, 0xd5, 0x11,
+	0x95, 0x4a, 0x6c, 0x78, 0xbc, 0x63, 0xb7, 0xe0, 0x3d, 0x03, 0x5b, 0xd7, 0xc9, 0x96, 0xa3, 0x52,
-	0xa4, 0x9e, 0x52, 0xa5, 0xc5, 0x06, 0xc7, 0x3b, 0x4e, 0x4b, 0xde, 0x53, 0xf0, 0x54, 0x9f, 0x6c,
+	0x7d, 0x6d, 0x39, 0xaa, 0x14, 0xd7, 0x1e, 0x3b, 0x27, 0xba, 0xc3, 0x1a, 0x2a, 0xc6, 0xc9, 0xdd,
-	0x05, 0xaa, 0xf4, 0xd7, 0x56, 0xa0, 0x5a, 0x73, 0xed, 0x91, 0x73, 0x4d, 0x77, 0xd0, 0x40, 0xc5,
+	0xda, 0x3d, 0xe3, 0xe2, 0x07, 0x5b, 0xfd, 0x6c, 0x3d, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0xda,
-	0x04, 0xb9, 0xdb, 0x78, 0x66, 0x42, 0xfc, 0xe0, 0xc9, 0x5f, 0xb2, 0xc7, 0xff, 0x04, 0x00, 0x00,
+	0xef, 0x0e, 0x5f, 0x8d, 0x09, 0x00, 0x00,
 	0xff, 0xff, 0x27, 0x7b, 0xf3, 0x60, 0xb3, 0x09, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
--- a/auth/service/proto/auth.proto
+++ b/auth/service/proto/auth.proto
@ -35,7 +35,6 @@ message Token {
 message Account {
 	string id = 1;
 	string type = 2;
 	repeated string roles = 3;
 	map<string, string> metadata = 4;
 	repeated string scopes = 5;
 	string provider = 6;
@ -50,7 +49,6 @@ message Resource{
 message GenerateRequest {
 	string id = 1;
 	repeated string roles = 2;
 	map<string, string> metadata = 3;
 	repeated string scopes = 4;
 	string secret = 5;
@ -63,14 +61,14 @@ message GenerateResponse {
 }
 message GrantRequest {
-	string role = 1;
+	string scope = 1;
 	Resource resource = 2;
 }
 message GrantResponse {}
 message RevokeRequest {
-	string role = 1;
+	string scope = 1;
 	Resource resource = 2;
 }
@ -103,7 +101,7 @@ enum Access {
 message Rule {
 	string id = 1;
-	string role = 2;
+	string scope = 2;
 	Resource resource = 3;
 	Access access = 4;
 	int32 priority = 5;
--- a/auth/service/service.go
+++ b/auth/service/service.go
@ -65,7 +65,6 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 		Id:       id,
 		Type:     options.Type,
 		Secret:   options.Secret,
 		Roles:    options.Roles,
 		Scopes:   options.Scopes,
 		Metadata: options.Metadata,
 		Provider: options.Provider,
@ -82,7 +81,7 @@ func (s *svc) Grant(rule *auth.Rule) error {
 	_, err := s.rule.Create(context.TODO(), &pb.CreateRequest{
 		Rule: &pb.Rule{
 			Id:       rule.ID,
-			Role:     rule.Role,
+			Scope:    rule.Scope,
 			Priority: rule.Priority,
 			Access:   pb.Access_GRANTED,
 			Resource: &pb.Resource{
@ -156,35 +155,6 @@ func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
 	return serializeToken(rsp.Token), nil
 }
 var ruleJoinKey = ":"
 // accessForRule returns a rule status, indicating if a rule permits access to a
 // resource for a given account
 func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Access {
 	// a blank role permits access to the public
 	if rule.Role == "" {
 		return rule.Access
 	}
 	// a * role permits access to any user
 	if rule.Role == "*" && acc != nil {
 		return rule.Access
 	}
 	for _, role := range acc.Roles {
 		if rule.Role == role {
 			return rule.Access
 		}
 		// allow user.anything if role is user.*
 		if strings.HasSuffix(rule.Role, ".*") && strings.HasPrefix(rule.Role, role+".") {
 			return rule.Access
 		}
 	}
 	return pb.Access_UNKNOWN
 }
 // loadRules retrieves the rules from the auth service. Since this implementation is used by micro
 // clients, which support muti-tenancy we may have to persist rules in multiple namespaces.
 func (s *svc) loadRules(namespace string) {
@ -206,7 +176,7 @@ func (s *svc) loadRules(namespace string) {
 		rules = append(rules, &auth.Rule{
 			ID:       r.Id,
-			Role:     r.Role,
+			Scope:    r.Scope,
 			Access:   access,
 			Priority: r.Priority,
 			Resource: &auth.Resource{
@ -244,7 +214,6 @@ func serializeToken(t *pb.Token) *auth.Token {
 func serializeAccount(a *pb.Account) *auth.Account {
 	return &auth.Account{
 		ID:       a.Id,
 		Roles:    a.Roles,
 		Secret:   a.Secret,
 		Metadata: a.Metadata,
 		Provider: a.Provider,
--- a/auth/token/basic/basic_test.go
+++ b/auth/token/basic/basic_test.go
@ -32,10 +32,10 @@ func TestInspect(t *testing.T) {
 	t.Run("Valid token", func(t *testing.T) {
 		md := map[string]string{"foo": "bar"}
-		roles := []string{"admin"}
+		scopes := []string{"admin"}
 		subject := "test"
-		tok, err := b.Generate(&auth.Account{ID: subject, Roles: roles, Metadata: md})
+		tok, err := b.Generate(&auth.Account{ID: subject, Scopes: scopes, Metadata: md})
 		if err != nil {
 			t.Fatalf("Generate returned %v error, expected nil", err)
 		}
@ -47,8 +47,8 @@ func TestInspect(t *testing.T) {
 		if tok2.ID != subject {
 			t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.ID, subject)
 		}
-		if len(tok2.Roles) != len(roles) {
+		if len(tok2.Scopes) != len(scopes) {
-			t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+			t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
 		}
 		if len(tok2.Metadata) != len(md) {
 			t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
--- a/auth/token/jwt/jwt.go
+++ b/auth/token/jwt/jwt.go
@ -12,7 +12,6 @@ import (
 // authClaims to be encoded in the JWT
 type authClaims struct {
 	Type     string            `json:"type"`
 	Roles    []string          `json:"roles"`
 	Scopes   []string          `json:"scopes"`
 	Provider string            `json:"provider"`
 	Metadata map[string]string `json:"metadata"`
@ -52,7 +51,7 @@ func (j *JWT) Generate(acc *auth.Account, opts ...token.GenerateOption) (*token.
 	// generate the JWT
 	expiry := time.Now().Add(options.Expiry)
 	t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
-		acc.Type, acc.Roles, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{
+		acc.Type, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{
 			Subject:   acc.ID,
 			ExpiresAt: expiry.Unix(),
 		},
@ -99,7 +98,6 @@ func (j *JWT) Inspect(t string) (*auth.Account, error) {
 	return &auth.Account{
 		ID:       claims.Subject,
 		Type:     claims.Type,
 		Roles:    claims.Roles,
 		Scopes:   claims.Scopes,
 		Provider: claims.Provider,
 		Metadata: claims.Metadata,
--- a/auth/token/jwt/jwt_test.go
+++ b/auth/token/jwt/jwt_test.go
@ -42,10 +42,10 @@ func TestInspect(t *testing.T) {
 	t.Run("Valid token", func(t *testing.T) {
 		md := map[string]string{"foo": "bar"}
-		roles := []string{"admin"}
+		scopes := []string{"admin"}
 		subject := "test"
-		acc := &auth.Account{ID: subject, Roles: roles, Metadata: md}
+		acc := &auth.Account{ID: subject, Scopes: scopes, Metadata: md}
 		tok, err := j.Generate(acc)
 		if err != nil {
 			t.Fatalf("Generate returned %v error, expected nil", err)
@ -58,8 +58,8 @@ func TestInspect(t *testing.T) {
 		if acc.ID != subject {
 			t.Errorf("Inspect returned %v as the token subject, expected %v", acc.ID, subject)
 		}
-		if len(tok2.Roles) != len(roles) {
+		if len(tok2.Scopes) != len(scopes) {
-			t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+			t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
 		}
 		if len(tok2.Metadata) != len(md) {
 			t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
--- a/util/auth/auth.go
+++ b/util/auth/auth.go
@ -18,12 +18,10 @@ func Generate(id string, name string, a auth.Auth) error {
 	// if no credentials were provided, generate an account
 	if len(accID) == 0 || len(accSecret) == 0 {
 		name := fmt.Sprintf("%v-%v", name, id)
 		scope := "namespace." + a.Options().Namespace
 		opts := []auth.GenerateOption{
 			auth.WithType("service"),
-			auth.WithRoles("service"),
+			auth.WithScopes("service"),
 			auth.WithScopes(scope),
 		}
 		acc, err := a.Generate(name, opts...)