From 16fbbc6fa16b62b587c3a433fcec68ab9d9b0e44 Mon Sep 17 00:00:00 2001 From: Google APIs Date: Fri, 15 Mar 2019 14:33:33 -0700 Subject: [PATCH] Synchronize new proto/yaml changes. PiperOrigin-RevId: 238711925 --- google/iam/artman_iam_meta_api.yaml | 34 ++++++ google/iam/iam_meta_api.yaml | 61 +++++++++++ google/iam/v1/iam_meta_api_gapic.yaml | 146 ++++++++++++++++++++++++++ google/iam/v1/iam_policy.proto | 24 +++-- google/iam/v1/policy.proto | 87 +++++++++++++-- 5 files changed, 331 insertions(+), 21 deletions(-) create mode 100644 google/iam/artman_iam_meta_api.yaml create mode 100644 google/iam/iam_meta_api.yaml create mode 100644 google/iam/v1/iam_meta_api_gapic.yaml diff --git a/google/iam/artman_iam_meta_api.yaml b/google/iam/artman_iam_meta_api.yaml new file mode 100644 index 00000000..187b2294 --- /dev/null +++ b/google/iam/artman_iam_meta_api.yaml @@ -0,0 +1,34 @@ +common: + api_name: iam_meta_api + api_version: v1 + organization_name: google-cloud + proto_deps: + - name: google-common-protos + src_proto_paths: + - v1 + service_yaml: iam_meta_api.yaml + gapic_yaml: v1/iam_meta_api_gapic.yaml +artifacts: +- name: gapic_config + type: GAPIC_CONFIG +- name: java_gapic + type: GAPIC + language: JAVA +- name: python_gapic + type: GAPIC + language: PYTHON +- name: nodejs_gapic + type: GAPIC + language: NODEJS +- name: php_gapic + type: GAPIC + language: PHP +- name: go_gapic + type: GAPIC + language: GO +- name: ruby_gapic + type: GAPIC + language: RUBY +- name: csharp_gapic + type: GAPIC + language: CSHARP diff --git a/google/iam/iam_meta_api.yaml b/google/iam/iam_meta_api.yaml new file mode 100644 index 00000000..a4a29b6f --- /dev/null +++ b/google/iam/iam_meta_api.yaml 
@@ -0,0 +1,61 @@ +type: google.api.Service +config_version: 2 +name: iam-meta-api.googleapis.com +title: IAM Meta API + +apis: + - name: google.iam.v1.IAMPolicy + +types: + - name: google.iam.v1.PolicyDelta + +documentation: + summary: Manages access control for Google Cloud Platform resources. + overview: |- + # Google Identity and Access Management (IAM) API + + Documentation of the access control API that will be implemented by all 1st + party services provided by the Google Cloud Platform (like Cloud Storage, + Compute Engine, App Engine). + + Any implementation of an API that offers access control features will + implement the google.iam.v1.IAMPolicy interface. + + ## Data model + + Access control is applied when a principal (user or service account), takes + some action on a resource exposed by a service. Resources, identified by + URI-like names, are the unit of access control specification. It is up to + the service implementations to choose what granularity of access control to + support and what set of actions (permissions) to support for the resources + they provide. For example one database service may allow access control to + be specified only at the Table level, whereas another might allow access + control to also be specified at the Column level. + + This is intentionally not a CRUD style API because access control policies + are created and deleted implicitly with the resources to which they are + attached. + + ## Policy + + A `Policy` consists of a list of bindings. A `Binding` binds a set of + members to a role, where the members can include user accounts, user groups, + user domains, and service accounts. A role is a named set of permissions, + defined by the IAM system. The definition of a role is outside the policy. + + A permission check involves determining the roles that include the specified + permission, and then determining if the principal specified by the check is + a member of a binding to at least one of these roles. 
The membership check + is recursive when a group is bound to a role. + +http: + rules: + - selector: google.iam.v1.IAMPolicy.GetIamPolicy + post: '/v1/{resource=**}:getIamPolicy' + body: '*' + - selector: google.iam.v1.IAMPolicy.SetIamPolicy + post: '/v1/{resource=**}:setIamPolicy' + body: '*' + - selector: google.iam.v1.IAMPolicy.TestIamPermissions + post: '/v1/{resource=**}:testIamPermissions' + body: '*' diff --git a/google/iam/v1/iam_meta_api_gapic.yaml b/google/iam/v1/iam_meta_api_gapic.yaml new file mode 100644 index 00000000..424ccece --- /dev/null +++ b/google/iam/v1/iam_meta_api_gapic.yaml 
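Review bot: The overview's "Policy" section explains how a permission check works but never mentions that `TestIamPermissions` is not an authorization primitive, even though the same commit documents in iam_policy.proto that it may "fail open"; someone reading only this service config would reasonably build an access check on it. Add after the sentence ending "when a group is bound to a role." a line such as `TestIamPermissions is intended for building permission-aware UIs and tooling, not for enforcing access, and may fail open.` Separately, all three HTTP rules bind `{resource=**}`, which accepts any path; presumably each implementing service still validates the decoded `resource` against its own resource-name format before a policy lookup, and it is worth confirming that rather than assuming the gateway does it.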
@@ -0,0 +1,146 @@ +type: com.google.api.codegen.ConfigProto +config_schema_version: 1.0.0 +# The settings of generated code in a specific language. +language_settings: + java: + package_name: com.google.cloud.iam.v1 + python: + package_name: google.cloud.iam_v1.gapic + go: + package_name: cloud.google.com/go/iam/apiv1 + csharp: + package_name: Google.Iam.V1 + ruby: + package_name: Google::Cloud::Iam::V1 + php: + package_name: Google\Cloud\Iam\V1 + nodejs: + package_name: iam.v1 +# The configuration for the license header to put on generated files. +license_header: + # The file containing the copyright line(s). + copyright_file: copyright-google.txt + # The file containing the raw license header without any copyright line(s). + license_file: license-header-apache-2.0.txt +# A list of API interface configurations. +interfaces: + # The fully qualified name of the API interface. +- name: google.iam.v1.IAMPolicy + # A list of resource collection configurations. + # Consists of a name_pattern and an entity_name. + # The name_pattern is a pattern to describe the names of the resources of this + # collection, using the platform's conventions for URI patterns. A generator + # may use this to generate methods to compose and decompose such names. The + # pattern should use named placeholders as in `shelves/{shelf}/books/{book}`; + # those will be taken as hints for the parameter names of the generated + # methods. If empty, no name methods are generated. + # The entity_name is the name to be used as a basis for generated methods and + # classes. + collections: [] + # Definition for retryable codes. + retry_codes_def: + - name: idempotent + retry_codes: + - DEADLINE_EXCEEDED + - UNAVAILABLE + - name: non_idempotent + retry_codes: [] + # Definition for retry/backoff parameters. 
+ retry_params_def: + - name: default + initial_retry_delay_millis: 100 + retry_delay_multiplier: 1.3 + max_retry_delay_millis: 60000 + initial_rpc_timeout_millis: 20000 + rpc_timeout_multiplier: 1 + max_rpc_timeout_millis: 20000 + total_timeout_millis: 600000 + # A list of method configurations. + # Common properties: + # + # name - The simple name of the method. + # + # flattening - Specifies the configuration for parameter flattening. + # Describes the parameter groups for which a generator should produce method + # overloads which allow a client to directly pass request message fields as + # method parameters. This information may or may not be used, depending on + # the target language. + # Consists of groups, which each represent a list of parameters to be + # flattened. Each parameter listed must be a field of the request message. + # + # required_fields - Fields that are always required for a request to be + # valid. + # + # resource_name_treatment - An enum that specifies how to treat the resource + # name formats defined in the field_name_patterns and + # response_field_name_patterns fields. + # UNSET: default value + # NONE: the collection configs will not be used by the generated code. + # VALIDATE: string fields will be validated by the client against the + # specified resource name formats. + # STATIC_TYPES: the client will use generated types for resource names. + # + # page_streaming - Specifies the configuration for paging. + # Describes information for generating a method which transforms a paging + # list RPC into a stream of resources. + # Consists of a request and a response. + # The request specifies request information of the list method. It defines + # which fields match the paging pattern in the request. The request consists + # of a page_size_field and a token_field. The page_size_field is the name of + # the optional field specifying the maximum number of elements to be + # returned in the response. 
The token_field is the name of the field in the + # request containing the page token. + # The response specifies response information of the list method. It defines + # which fields match the paging pattern in the response. The response + # consists of a token_field and a resources_field. The token_field is the + # name of the field in the response containing the next page token. The + # resources_field is the name of the field in the response containing the + # list of resources belonging to the page. + # + # retry_codes_name - Specifies the configuration for retryable codes. The + # name must be defined in interfaces.retry_codes_def. + # + # retry_params_name - Specifies the configuration for retry/backoff + # parameters. The name must be defined in interfaces.retry_params_def. + # + # field_name_patterns - Maps the field name of the request type to + # entity_name of interfaces.collections. + # Specifies the string pattern that the field must follow. + # + # timeout_millis - Specifies the default timeout for a non-retrying call. If + # the call is retrying, refer to retry_params_name instead. + methods: + - name: SetIamPolicy + flattening: + groups: + - parameters: + - resource + - policy + required_fields: + - resource + - policy + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 + - name: GetIamPolicy + flattening: + groups: + - parameters: + - resource + required_fields: + - resource + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 + - name: TestIamPermissions + flattening: + groups: + - parameters: + - resource + - permissions + required_fields: + - resource + - permissions + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 diff --git a/google/iam/v1/iam_policy.proto b/google/iam/v1/iam_policy.proto index 7cd1b0b9..011db1f0 100644 --- a/google/iam/v1/iam_policy.proto +++ b/google/iam/v1/iam_policy.proto 
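Review bot: `GetIamPolicy` and `TestIamPermissions` are read-only, yet both are configured with `retry_codes_name: non_idempotent` (no retries), while the `idempotent` entry in `retry_codes_def` (DEADLINE_EXCEEDED, UNAVAILABLE) is referenced by no method at all. If transient UNAVAILABLE on reads is meant to be retried, change both read methods to `retry_codes_name: idempotent`; if not, remove the unused definition so the file does not advertise a retry policy that is never applied. Leaving `SetIamPolicy` on `non_idempotent` is the right choice: blindly retrying a whole-policy replace is only safe if the request carries a concurrency token, which this config cannot guarantee.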
@@ -1,4 +1,4 @@ -// Copyright 2016 Google Inc. +// Copyright 2019 Google LLC. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -11,13 +11,16 @@ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. +// syntax = "proto3"; package google.iam.v1; -import "google/api/annotations.proto"; +import "google/api/resource.proto"; import "google/iam/v1/policy.proto"; +import "google/protobuf/field_mask.proto"; +import "google/api/annotations.proto"; option cc_enable_arenas = true; option csharp_namespace = "Google.Cloud.Iam.V1"; @@ -27,6 +30,7 @@ option java_outer_classname = "IamPolicyProto"; option java_package = "com.google.iam.v1"; option php_namespace = "Google\\Cloud\\Iam\\V1"; + // ## API Overview // // Manages Identity and Access Management (IAM) policies. @@ -75,8 +79,11 @@ service IAMPolicy { // Returns permissions that a caller has on the specified resource. // If the resource does not exist, this will return an empty set of // permissions, not a NOT_FOUND error. - rpc TestIamPermissions(TestIamPermissionsRequest) - returns (TestIamPermissionsResponse) { + // + // Note: This operation is designed to be used for building permission-aware + // UIs and command-line tools, not for authorization checking. This operation + // may "fail open" without warning. + rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) { option (google.api.http) = { post: "/v1/{resource=**}:testIamPermissions" body: "*" 
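Review bot: The import hunk adds `google/api/resource.proto` and `google/protobuf/field_mask.proto`, but no visible hunk of this file uses a resource annotation or a `FieldMask` field, so unless a hunk outside this view needs them protoc will report both as unused imports. Either defer the imports until the field that uses them lands or add that field in the same change. The reordered block also puts `google/api/annotations.proto` last, after `google/protobuf/field_mask.proto`; the conventional sorted order is `google/api/annotations.proto`, `google/api/resource.proto`, `google/iam/v1/policy.proto`, `google/protobuf/field_mask.proto`.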
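Review bot: The new note on `TestIamPermissions` warns that the call "may fail open without warning" but does not say what that means for a caller, and "fail open" is easy to misread as "returns an error". Spell it out, presumably as `// i.e. it may report a permission as held even though an actual access attempt with that permission would be denied.` so that the reason it must not gate access is unambiguous. Minor style point: the rpc signature is now joined onto one line well past 80 columns where it was previously wrapped; keeping the wrapped form matches the rest of the service block.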
@@ -87,8 +94,7 @@ service IAMPolicy { // Request message for `SetIamPolicy` method. message SetIamPolicyRequest { // REQUIRED: The resource for which the policy is being specified. - // `resource` is usually specified as a path. For example, a Project - // resource is specified as `projects/{project}`. + // See the operation documentation for the appropriate value for this field. string resource = 1; // REQUIRED: The complete policy to be applied to the `resource`. The size of @@ -101,16 +107,14 @@ message SetIamPolicyRequest { // Request message for `GetIamPolicy` method. message GetIamPolicyRequest { // REQUIRED: The resource for which the policy is being requested. - // `resource` is usually specified as a path. For example, a Project - // resource is specified as `projects/{project}`. + // See the operation documentation for the appropriate value for this field. string resource = 1; } // Request message for `TestIamPermissions` method. message TestIamPermissionsRequest { // REQUIRED: The resource for which the policy detail is being requested. - // `resource` is usually specified as a path. For example, a Project - // resource is specified as `projects/{project}`. + // See the operation documentation for the appropriate value for this field. string resource = 1; // The set of permissions to check for the `resource`. Permissions with diff --git a/google/iam/v1/policy.proto b/google/iam/v1/policy.proto index 78aa5f33..075edb59 100644 --- a/google/iam/v1/policy.proto +++ b/google/iam/v1/policy.proto @@ -1,4 +1,4 @@ -// Copyright 2016 Google Inc. +// Copyright 2019 Google LLC. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
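Review bot: Replacing the `projects/{project}` example on all three `resource` fields with "See the operation documentation for the appropriate value for this field." removes the only format guidance in this file without saying where that documentation lives; for an interface that every service implements, the comment should at least state that the value is the full resource name in the implementing service's own format, e.g. `// REQUIRED: The full resource name of the resource whose policy is being set. The format is defined by the service that implements this interface.` The `policy` field's comment in `SetIamPolicyRequest` is cut off by the hunk; since this method replaces the whole policy, that comment is where callers should be told to round-trip whatever concurrency token `Policy` carries (an etag, if this version of policy.proto has one — not visible here), because a stale overwrite can silently re-grant access another writer had just removed.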
@@ -11,11 +11,13 @@ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. +// syntax = "proto3"; package google.iam.v1; +import public "google/type/expr.proto"; import "google/api/annotations.proto"; option cc_enable_arenas = true; @@ -26,16 +28,17 @@ option java_outer_classname = "PolicyProto"; option java_package = "com.google.iam.v1"; option php_namespace = "Google\\Cloud\\Iam\\V1"; + // Defines an Identity and Access Management (IAM) policy. It is used to // specify access control policies for Cloud Platform resources. // // -// A `Policy` consists of a list of `bindings`. A `Binding` binds a list of +// A `Policy` consists of a list of `bindings`. A `binding` binds a list of // `members` to a `role`, where the members can be user accounts, Google groups, // Google domains, and service accounts. A `role` is a named list of permissions // defined by IAM. // -// **Example** +// **JSON Example** // // { // "bindings": [ @@ -45,7 +48,7 @@ option php_namespace = "Google\\Cloud\\Iam\\V1"; // "user:mike@example.com", // "group:admins@example.com", // "domain:google.com", -// "serviceAccount:my-other-app@appspot.gserviceaccount.com", +// "serviceAccount:my-other-app@appspot.gserviceaccount.com" // ] // }, // { 
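Review bot: The doc hunk changes "A `Binding` binds a list of `members`" to "A `binding` binds", but the message is named `Binding` and `bindings` is the field; a lower-cased, back-ticked `binding` now reads as a reference to a field that does not exist. Keep the type name: `// A `Policy` consists of a list of `bindings`. A `Binding` binds a list of`. Separately, `import public "google/type/expr.proto";` re-exports `google.type.Expr` to every importer of policy.proto; that is fine if downstream code is expected to build conditions without importing expr.proto itself, but a one-line comment saying so would stop a later cleanup from turning it into a plain import and breaking those importers.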
@@ -55,14 +58,27 @@ option php_namespace = "Google\\Cloud\\Iam\\V1"; // ] // } // +// **YAML Example** +// +// bindings: +// - members: +// - user:mike@example.com +// - group:admins@example.com +// - domain:google.com +// - serviceAccount:my-other-app@appspot.gserviceaccount.com +// role: roles/owner +// - members: +// - user:sean@example.com +// role: roles/viewer +// +// // For a description of IAM and its features, see the -// [IAM developer's guide](https://cloud.google.com/iam). +// [IAM developer's guide](https://cloud.google.com/iam/docs). message Policy { - // Version of the `Policy`. The default version is 0. - int32 version = 1; + // Deprecated. + int32 version = 1 [deprecated = true]; // Associates a list of `members` to a `role`. - // Multiple `bindings` must not be specified for the same `role`. // `bindings` with no members will result in an error. repeated Binding bindings = 4; @@ -83,7 +99,6 @@ message Policy { message Binding { // Role that is assigned to `members`. // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. - // Required string role = 1; // Specifies the identities requesting access for a Cloud Platform resource. @@ -96,7 +111,7 @@ message Binding { // who is authenticated with a Google account or a service account. // // * `user:{emailid}`: An email address that represents a specific Google - // account. For example, `alice@gmail.com` or `joe@example.com`. + // account. For example, `alice@gmail.com` . // // // * `serviceAccount:{emailid}`: An email address that represents a service 
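Review bot: Dropping "Multiple `bindings` must not be specified for the same `role`" silently changes the contract without stating the new one: with `condition` added to `Binding` later in this commit, duplicate roles are presumably legal when the conditions differ, but a reader cannot tell whether two unconditional bindings for the same role are merged, rejected, or undefined, and that matters when the bindings are access grants. State it explicitly, e.g. `// Multiple bindings may name the same role (for example with different conditions).` plus one sentence on how duplicates are combined — confirm the server behaviour before fixing the wording. The deprecation of `version` is a bare "Deprecated." with no guidance; say what a client should send and whether a non-zero value is ignored or rejected. "Required" was also removed from `role` with no replacement annotation, which now reads as though an empty role were acceptable.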
@@ -105,17 +120,27 @@ message Binding { // * `group:{emailid}`: An email address that represents a Google group. // For example, `admins@example.com`. // - // * `domain:{domain}`: A Google Apps domain name that represents all the + // + // * `domain:{domain}`: The G Suite domain (primary) that represents all the // users of that domain. For example, `google.com` or `example.com`. // // repeated string members = 2; + + // Unimplemented. The condition that is associated with this binding. + // NOTE: an unsatisfied condition will not allow user access via current + // binding. Different bindings, including their conditions, are examined + // independently. + google.type.Expr condition = 3; } // The difference delta between two policies. message PolicyDelta { // The delta for Bindings between two policies. repeated BindingDelta binding_deltas = 1; + + // The delta for AuditConfigs between two policies. + repeated AuditConfigDelta audit_config_deltas = 2; } // One delta entry for Binding. Each individual change (only one member in each 
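Review bot: An "Unimplemented" `condition` on a `Binding` is a fail-open hazard: if a service that does not yet evaluate conditions accepts a `SetIamPolicy` carrying one and simply stores or ignores it, a grant the caller intended to be restricted (for example time-limited) becomes unconditional. The field comment should pin the safe behaviour: `// Services that do not support conditions must reject a policy that sets this field rather than ignore the condition, since dropping it widens the grant.` The existing NOTE that an unsatisfied condition "will not allow user access via current binding" is correct but is clearer as "a condition can only restrict a binding, never grant access on its own", so nobody reads it as an allow rule.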
@@ -146,4 +171,44 @@ message BindingDelta { // Follows the same format of Binding.members. // Required string member = 3; + + // Unimplemented. The condition that is associated with this binding. + // This field is logged only for Cloud Audit Logging. + google.type.Expr condition = 4; +} + +// One delta entry for AuditConfig. Each individual change (only one +// exempted_member in each entry) to a AuditConfig will be a separate entry. +message AuditConfigDelta { + // The type of action performed on an audit configuration in a policy. + enum Action { + // Unspecified. + ACTION_UNSPECIFIED = 0; + + // Addition of an audit configuration. + ADD = 1; + + // Removal of an audit configuration. + REMOVE = 2; + } + + // The action that was performed on an audit configuration in a policy. + // Required + Action action = 1; + + // Specifies a service that was configured for Cloud Audit Logging. + // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. + // `allServices` is a special value that covers all services. + // Required + string service = 2; + + // A single identity that is exempted from "data access" audit + // logging for the `service` specified above. + // Follows the same format of Binding.members. + string exempted_member = 3; + + // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always + // enabled, and cannot be configured. + // Required + string log_type = 4; }
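Review bot: `AuditConfigDelta` says each entry carries "only one exempted_member", yet `exempted_member` is the one field not marked Required, so it is unclear whether an entry with an empty `exempted_member` records adding or removing the service/`log_type` configuration itself or is simply malformed; since an audit-logging exemption is itself a security-relevant change, the comment should say which. If the former is the intent, add `// Empty when the entry records the addition or removal of the service/log_type configuration itself rather than of a single exemption.` — confirm against whatever produces these deltas. The `log_type` comment has a typo ("was be enabled") and the field is a free string while referencing `ADMIN_ACTIVITY`; list the accepted values or name the enum they come from. The unprefixed `ADD`/`REMOVE` values are fine here only because `Action` is nested and scoped to this message.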