Add protobuf definition of DelegationProfile resource

[boxofrad]

See: RFD 0029e

[boxofrad]

I went for the string representation here instead of types.ResourceID to make the YAML representation more easily editable.

Not sure if there's a better way to do that? Maybe at the marshal/unmarshal function level?

[strideynet]

Overriding the marshal/unmarshal for proto generated structs feels like a bit of an anti-pattern - we've definitely had some issues with that before.

[greedy52]

FYI, we are likely moving away from the old resource id to this new json format:
https://github.com/gravitational/teleport/pull/59288/files

[boxofrad]

Thanks for the heads-up, @greedy52! The JSON-based format discussed in that RFD isn't very human-writable either, but they're apparently changing tack and the old slash-delimited format will keep working (see: #59288 (comment)).

[greedy52]

thanks. mcp-tools can be set as constraints tho, similar to logins, db_users

(sorry for carrying that discussion here. i didn't know about constraints stuff when reviewing the delegation RFD).

[kiosion]

just to throw in my 2 cents, using the serialized /<cluster>/<kind>/<name> string path format here feels like a potential foot-gun w/r/t forwards-compatibility...

[boxofrad]

Hmmm, okay maybe it's worth having our own user-facing representation that "compiles down" to AllowedResourceIDs or ConstrainedResourceID?

Something like:

required_resources:
  - kind: mcp
    name: github
    tools: [merge_pull_request]

[greedy52]

i like the idea. it is more user-friendly than reusing ConstrainedResourceID but downside you have to maintain this separately. one small nit maybe mcp_tools instead of tools? like

required_resources:
  - kind: mcp
    name: github
    mcp_tools: [merge_pull_request]
  - kind: db
    name: postgres
    db_users: [teleport-admin]
    db_names: [sales]

[strideynet]

Approved pending final RFD approvals.