diff options
Diffstat (limited to '')
| -rw-r--r-- | crates/secd/proto/google/iam/v1/iam_policy.proto | 145 | ||||
| -rw-r--r-- | crates/secd/proto/google/iam/v1/logging/audit_data.proto | 34 | ||||
| -rw-r--r-- | crates/secd/proto/google/iam/v1/options.proto | 41 | ||||
| -rw-r--r-- | crates/secd/proto/google/iam/v1/policy.proto | 240 |
4 files changed, 460 insertions, 0 deletions
diff --git a/crates/secd/proto/google/iam/v1/iam_policy.proto b/crates/secd/proto/google/iam/v1/iam_policy.proto new file mode 100644 index 0000000..7072854 --- /dev/null +++ b/crates/secd/proto/google/iam/v1/iam_policy.proto @@ -0,0 +1,145 @@ +// Copyright 2019 Google LLC. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +syntax = "proto3"; + +package google.iam.v1; + +import "google/iam/v1/options.proto"; +import "google/iam/v1/policy.proto"; +import "google/api/annotations.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Iam.V1"; +option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam"; +option java_multiple_files = true; +option java_outer_classname = "IamPolicyProto"; +option java_package = "com.google.iam.v1"; +option php_namespace = "Google\\Cloud\\Iam\\V1"; + +// ## API Overview +// +// Manages Identity and Access Management (IAM) policies. +// +// Any implementation of an API that offers access control features +// implements the google.iam.v1.IAMPolicy interface. +// +// ## Data model +// +// Access control is applied when a principal (user or service account), takes +// some action on a resource exposed by a service. Resources, identified by +// URI-like names, are the unit of access control specification. Service +// implementations can choose the granularity of access control and the +// supported permissions for their resources. +// For example one database service may allow access control to be +// specified only at the Table level, whereas another might allow access control +// to also be specified at the Column level. +// +// ## Policy Structure +// +// See google.iam.v1.Policy +// +// This is intentionally not a CRUD style API because access control policies +// are created and deleted implicitly with the resources to which they are +// attached. +service IAMPolicy { + option (google.api.default_host) = "iam-meta-api.googleapis.com"; + + // Sets the access control policy on the specified resource. Replaces any + // existing policy. + rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) { + option (google.api.http) = { + post: "/v1/{resource=**}:setIamPolicy" + body: "*" + }; + } + + // Gets the access control policy for a resource. + // Returns an empty policy if the resource exists and does not have a policy + // set. + rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) { + option (google.api.http) = { + post: "/v1/{resource=**}:getIamPolicy" + body: "*" + }; + } + + // Returns permissions that a caller has on the specified resource. + // If the resource does not exist, this will return an empty set of + // permissions, not a NOT_FOUND error. + // + // Note: This operation is designed to be used for building permission-aware + // UIs and command-line tools, not for authorization checking. This operation + // may "fail open" without warning. + rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1/{resource=**}:testIamPermissions" + body: "*" + }; + } +} + +// Request message for `SetIamPolicy` method. +message SetIamPolicyRequest { + // REQUIRED: The resource for which the policy is being specified. + // See the operation documentation for the appropriate value for this field. + string resource = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference).type = "*"]; + + // REQUIRED: The complete policy to be applied to the `resource`. The size of + // the policy is limited to a few 10s of KB. An empty policy is a + // valid policy but certain Cloud Platform services (such as Projects) + // might reject them. + Policy policy = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for `GetIamPolicy` method. +message GetIamPolicyRequest { + // REQUIRED: The resource for which the policy is being requested. + // See the operation documentation for the appropriate value for this field. + string resource = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference).type = "*"]; + + // OPTIONAL: A `GetPolicyOptions` object for specifying options to + // `GetIamPolicy`. This field is only used by Cloud IAM. + GetPolicyOptions options = 2; +} + +// Request message for `TestIamPermissions` method. +message TestIamPermissionsRequest { + // REQUIRED: The resource for which the policy detail is being requested. + // See the operation documentation for the appropriate value for this field. + string resource = 1[ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference).type = "*"]; + + // The set of permissions to check for the `resource`. Permissions with + // wildcards (such as '*' or 'storage.*') are not allowed. For more + // information see + // [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). + repeated string permissions = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// Response message for `TestIamPermissions` method. +message TestIamPermissionsResponse { + // A subset of `TestPermissionsRequest.permissions` that the caller is + // allowed. + repeated string permissions = 1; +} diff --git a/crates/secd/proto/google/iam/v1/logging/audit_data.proto b/crates/secd/proto/google/iam/v1/logging/audit_data.proto new file mode 100644 index 0000000..dfe441b --- /dev/null +++ b/crates/secd/proto/google/iam/v1/logging/audit_data.proto @@ -0,0 +1,34 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.iam.v1.logging; + +import "google/api/annotations.proto"; +import "google/iam/v1/policy.proto"; + +option csharp_namespace = "Google.Cloud.Iam.V1.Logging"; +option go_package = "google.golang.org/genproto/googleapis/iam/v1/logging;logging"; +option java_multiple_files = true; +option java_outer_classname = "AuditDataProto"; +option java_package = "com.google.iam.v1.logging"; + +// Audit log information specific to Cloud IAM. This message is serialized +// as an `Any` type in the `ServiceData` message of an +// `AuditLog` message. +message AuditData { + // Policy delta between the original policy and the newly set policy. + google.iam.v1.PolicyDelta policy_delta = 2; +} diff --git a/crates/secd/proto/google/iam/v1/options.proto b/crates/secd/proto/google/iam/v1/options.proto new file mode 100644 index 0000000..a4e17e5 --- /dev/null +++ b/crates/secd/proto/google/iam/v1/options.proto @@ -0,0 +1,41 @@ +// Copyright 2019 Google LLC. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +syntax = "proto3"; + +package google.iam.v1; + +import "google/api/annotations.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Iam.V1"; +option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam"; +option java_multiple_files = true; +option java_outer_classname = "OptionsProto"; +option java_package = "com.google.iam.v1"; +option php_namespace = "Google\\Cloud\\Iam\\V1"; + +// Encapsulates settings provided to GetIamPolicy. +message GetPolicyOptions { + // Optional. The policy format version to be returned. + // + // Valid values are 0, 1, and 3. Requests specifying an invalid value will be + // rejected. + // + // Requests for policies with any conditional bindings must specify version 3. + // Policies without any conditional bindings may specify any valid value or + // leave the field unset. + int32 requested_policy_version = 1; +} diff --git a/crates/secd/proto/google/iam/v1/policy.proto b/crates/secd/proto/google/iam/v1/policy.proto new file mode 100644 index 0000000..e3aba47 --- /dev/null +++ b/crates/secd/proto/google/iam/v1/policy.proto @@ -0,0 +1,240 @@ +// Copyright 2019 Google LLC. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +syntax = "proto3"; + +package google.iam.v1; + +import "google/type/expr.proto"; +import "google/api/annotations.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Iam.V1"; +option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam"; +option java_multiple_files = true; +option java_outer_classname = "PolicyProto"; +option java_package = "com.google.iam.v1"; +option php_namespace = "Google\\Cloud\\Iam\\V1"; + +// Defines an Identity and Access Management (IAM) policy. It is used to +// specify access control policies for Cloud Platform resources. +// +// +// A `Policy` is a collection of `bindings`. A `binding` binds one or more +// `members` to a single `role`. Members can be user accounts, service accounts, +// Google groups, and domains (such as G Suite). A `role` is a named list of +// permissions (defined by IAM or configured by users). A `binding` can +// optionally specify a `condition`, which is a logic expression that further +// constrains the role binding based on attributes about the request and/or +// target resource. +// +// **JSON Example** +// +// { +// "bindings": [ +// { +// "role": "roles/resourcemanager.organizationAdmin", +// "members": [ +// "user:mike@example.com", +// "group:admins@example.com", +// "domain:google.com", +// "serviceAccount:my-project-id@appspot.gserviceaccount.com" +// ] +// }, +// { +// "role": "roles/resourcemanager.organizationViewer", +// "members": ["user:eve@example.com"], +// "condition": { +// "title": "expirable access", +// "description": "Does not grant access after Sep 2020", +// "expression": "request.time < +// timestamp('2020-10-01T00:00:00.000Z')", +// } +// } +// ] +// } +// +// **YAML Example** +// +// bindings: +// - members: +// - user:mike@example.com +// - group:admins@example.com +// - domain:google.com +// - serviceAccount:my-project-id@appspot.gserviceaccount.com +// role: roles/resourcemanager.organizationAdmin +// - members: +// - user:eve@example.com +// role: roles/resourcemanager.organizationViewer +// condition: +// title: expirable access +// description: Does not grant access after Sep 2020 +// expression: request.time < timestamp('2020-10-01T00:00:00.000Z') +// +// For a description of IAM and its features, see the +// [IAM developer's guide](https://cloud.google.com/iam/docs). +message Policy { + // Specifies the format of the policy. + // + // Valid values are 0, 1, and 3. Requests specifying an invalid value will be + // rejected. + // + // Operations affecting conditional bindings must specify version 3. This can + // be either setting a conditional policy, modifying a conditional binding, + // or removing a binding (conditional or unconditional) from the stored + // conditional policy. + // Operations on non-conditional policies may specify any valid value or + // leave the field unset. + // + // If no etag is provided in the call to `setIamPolicy`, version compliance + // checks against the stored policy is skipped. + int32 version = 1; + + // Associates a list of `members` to a `role`. Optionally may specify a + // `condition` that determines when binding is in effect. + // `bindings` with no members will result in an error. + repeated Binding bindings = 4; + + // `etag` is used for optimistic concurrency control as a way to help + // prevent simultaneous updates of a policy from overwriting each other. + // It is strongly suggested that systems make use of the `etag` in the + // read-modify-write cycle to perform policy updates in order to avoid race + // conditions: An `etag` is returned in the response to `getIamPolicy`, and + // systems are expected to put that etag in the request to `setIamPolicy` to + // ensure that their change will be applied to the same version of the policy. + // + // If no `etag` is provided in the call to `setIamPolicy`, then the existing + // policy is overwritten. Due to blind-set semantics of an etag-less policy, + // 'setIamPolicy' will not fail even if the incoming policy version does not + // meet the requirements for modifying the stored policy. + bytes etag = 3; +} + +// Associates `members` with a `role`. +message Binding { + // Role that is assigned to `members`. + // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. + string role = 1; + + // Specifies the identities requesting access for a Cloud Platform resource. + // `members` can have the following values: + // + // * `allUsers`: A special identifier that represents anyone who is + // on the internet; with or without a Google account. + // + // * `allAuthenticatedUsers`: A special identifier that represents anyone + // who is authenticated with a Google account or a service account. + // + // * `user:{emailid}`: An email address that represents a specific Google + // account. For example, `alice@example.com` . + // + // + // * `serviceAccount:{emailid}`: An email address that represents a service + // account. For example, `my-other-app@appspot.gserviceaccount.com`. + // + // * `group:{emailid}`: An email address that represents a Google group. + // For example, `admins@example.com`. + // + // + // * `domain:{domain}`: The G Suite domain (primary) that represents all the + // users of that domain. For example, `google.com` or `example.com`. + // + // + repeated string members = 2; + + // The condition that is associated with this binding. + // NOTE: An unsatisfied condition will not allow user access via current + // binding. Different bindings, including their conditions, are examined + // independently. + google.type.Expr condition = 3; +} + +// The difference delta between two policies. +message PolicyDelta { + // The delta for Bindings between two policies. + repeated BindingDelta binding_deltas = 1; + + // The delta for AuditConfigs between two policies. + repeated AuditConfigDelta audit_config_deltas = 2; +} + +// One delta entry for Binding. Each individual change (only one member in each +// entry) to a binding will be a separate entry. +message BindingDelta { + // The type of action performed on a Binding in a policy. + enum Action { + // Unspecified. + ACTION_UNSPECIFIED = 0; + + // Addition of a Binding. + ADD = 1; + + // Removal of a Binding. + REMOVE = 2; + } + + // The action that was performed on a Binding. + // Required + Action action = 1; + + // Role that is assigned to `members`. + // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. + // Required + string role = 2; + + // A single identity requesting access for a Cloud Platform resource. + // Follows the same format of Binding.members. + // Required + string member = 3; + + // The condition that is associated with this binding. + google.type.Expr condition = 4; +} + +// One delta entry for AuditConfig. Each individual change (only one +// exempted_member in each entry) to a AuditConfig will be a separate entry. +message AuditConfigDelta { + // The type of action performed on an audit configuration in a policy. + enum Action { + // Unspecified. + ACTION_UNSPECIFIED = 0; + + // Addition of an audit configuration. + ADD = 1; + + // Removal of an audit configuration. + REMOVE = 2; + } + + // The action that was performed on an audit configuration in a policy. + // Required + Action action = 1; + + // Specifies a service that was configured for Cloud Audit Logging. + // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. + // `allServices` is a special value that covers all services. + // Required + string service = 2; + + // A single identity that is exempted from "data access" audit + // logging for the `service` specified above. + // Follows the same format of Binding.members. + string exempted_member = 3; + + // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always + // enabled, and cannot be configured. + // Required + string log_type = 4; +} |