cloudasset: add SearchAllResources and SearchAllIamPolicies RPCs

PiperOrigin-RevId: 311601348
Google APIs 2020-05-14 14:03:19 -07:00 committed by Copybara-Service
parent 123873dc7e
commit 2433bd5065
3 changed files with 378 additions and 21 deletions


@ -37,12 +37,14 @@ option php_namespace = "Google\\Cloud\\Asset\\V1";
// Asset service definition.
service AssetService {
option (google.api.default_host) = "cloudasset.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
option (google.api.oauth_scopes) =
"https://www.googleapis.com/auth/cloud-platform";
// Exports assets with time and resource types to a given Cloud Storage
// location. The output format is newline-delimited JSON.
// This API implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you
// to keep track of the export.
// This API implements the
// [google.longrunning.Operation][google.longrunning.Operation] API allowing
// you to keep track of the export.
rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1/{parent=*/*}:exportAssets"
@ -61,7 +63,8 @@ service AssetService {
// attached IAM POLICY both exist. This can create gaps in the output history.
// If a specified asset does not exist, this API returns an INVALID_ARGUMENT
// error.
rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest) returns (BatchGetAssetsHistoryResponse) {
rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest)
returns (BatchGetAssetsHistoryResponse) {
option (google.api.http) = {
get: "/v1/{parent=*/*}:batchGetAssetsHistory"
};
@ -109,6 +112,30 @@ service AssetService {
};
option (google.api.method_signature) = "name";
}
// Searches all the resources within the given accessible scope (e.g., a
// project, a folder or an organization). Callers should have
// cloud.assets.SearchAllResources permission upon the requested scope,
// otherwise the request will be rejected.
rpc SearchAllResources(SearchAllResourcesRequest)
returns (SearchAllResourcesResponse) {
option (google.api.http) = {
get: "/v1/{scope=*/*}:searchAllResources"
};
option (google.api.method_signature) = "scope,query,asset_types";
}
// Searches all the IAM policies within the given accessible scope (e.g., a
// project, a folder or an organization). Callers should have
// cloud.assets.SearchAllIamPolicies permission upon the requested scope,
// otherwise the request will be rejected.
rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest)
returns (SearchAllIamPoliciesResponse) {
option (google.api.http) = {
get: "/v1/{scope=*/*}:searchAllIamPolicies"
};
option (google.api.method_signature) = "scope,query";
}
}
// Export asset request.
@ -148,8 +175,10 @@ message ExportAssetsRequest {
}
// The export asset response. This message is returned by the
// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation] method in the returned
// [google.longrunning.Operation.response][google.longrunning.Operation.response] field.
// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation]
// method in the returned
// [google.longrunning.Operation.response][google.longrunning.Operation.response]
// field.
message ExportAssetsResponse {
// Time the snapshot was taken.
google.protobuf.Timestamp read_time = 1;
@ -214,9 +243,8 @@ message CreateFeedRequest {
// be unique under a specific parent project/folder/organization.
string feed_id = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The feed details. The field `name` must be empty and it will be generated
// in the format of:
// projects/project_number/feeds/feed_id
// Required. The feed details. The field `name` must be empty and it will be
// generated in the format of: projects/project_number/feeds/feed_id
// folders/folder_number/feeds/feed_id
// organizations/organization_number/feeds/feed_id
Feed feed = 3 [(google.api.field_behavior) = REQUIRED];
@ -230,9 +258,7 @@ message GetFeedRequest {
// organizations/organization_number/feeds/feed_id
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudasset.googleapis.com/Feed"
}
(google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
];
}
@ -251,8 +277,8 @@ message ListFeedsResponse {
// Update asset feed request.
message UpdateFeedRequest {
// Required. The new values of feed details. It must match an existing feed and the
// field `name` must be in the format of:
// Required. The new values of feed details. It must match an existing feed
// and the field `name` must be in the format of:
// projects/project_number/feeds/feed_id or
// folders/folder_number/feeds/feed_id or
// organizations/organization_number/feeds/feed_id.
@ -261,7 +287,8 @@ message UpdateFeedRequest {
// Required. Only updates the `feed` fields indicated by this mask.
// The field mask must not be empty, and it must not contain fields that
// are immutable or only set by the server.
google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
google.protobuf.FieldMask update_mask = 2
[(google.api.field_behavior) = REQUIRED];
}
message DeleteFeedRequest {
@ -271,9 +298,7 @@ message DeleteFeedRequest {
// organizations/organization_number/feeds/feed_id
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudasset.googleapis.com/Feed"
}
(google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
];
}
@ -401,7 +426,156 @@ message Feed {
// Required. Feed output configuration defining where the asset updates are
// published to.
FeedOutputConfig feed_output_config = 5 [(google.api.field_behavior) = REQUIRED];
FeedOutputConfig feed_output_config = 5
[(google.api.field_behavior) = REQUIRED];
}
// Search all resources request.
message SearchAllResourcesRequest {
// Required. A scope can be a project, a folder or an organization. The search
// is limited to the resources within the `scope`.
//
// The allowed values are:
//
// * projects/{PROJECT_ID}
// * projects/{PROJECT_NUMBER}
// * folders/{FOLDER_NUMBER}
// * organizations/{ORGANIZATION_NUMBER}
string scope = 1 [(google.api.field_behavior) = REQUIRED];
// Optional. The query statement. An empty query can be specified to search
// all the resources of certain `asset_types` within the given `scope`.
//
// Examples:
//
// * `name : "Important"` to find Cloud resources whose name contains
// "Important" as a word.
// * `displayName : "Impor*"` to find Cloud resources whose display name
// contains "Impor" as a word prefix.
// * `description : "*por*"` to find Cloud resources whose description
// contains "por" as a substring.
// * `location : "us-west*"` to find Cloud resources whose location is
// prefixed with "us-west".
// * `labels : "prod"` to find Cloud resources whose labels contain "prod" as
// a key or value.
// * `labels.env : "prod"` to find Cloud resources which have a label "env"
// and its value is "prod".
// * `labels.env : *` to find Cloud resources which have a label "env".
// * `"Important"` to find Cloud resources which contain "Important" as a word
// in any of the searchable fields.
// * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix
// in any of the searchable fields.
// * `"*por*"` to find Cloud resources which contain "por" as a substring in
// any of the searchable fields.
// * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud
// resources which contain "Important" as a word in any of the searchable
// fields and are also located in the "us-west1" region or the "global"
// location.
//
// See [how to construct a
// query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
// for more details.
string query = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. A list of asset types that this request searches for. If empty,
// it will search all the [searchable asset
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL];
// Optional. The page size for search result pagination. Page size is capped
// at 500 even if a larger value is given. If set to zero, server will pick an
// appropriate default. Returned results may be fewer than requested. When
// this happens, there could be more results as long as `next_page_token` is
// returned.
int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];
// Optional. If present, then retrieve the next batch of results from the
// preceding call to this method. `page_token` must be the value of
// `next_page_token` from the previous response. The values of all other
// method parameters, must be identical to those in the previous call.
string page_token = 5 [(google.api.field_behavior) = OPTIONAL];
// Optional. A comma separated list of fields specifying the sorting order of
// the results. The default order is ascending. Add " DESC" after the field
// name to indicate descending order. Redundant space characters are ignored.
// Example: "location DESC, name". See [supported resource metadata
// fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields)
// for more details.
string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}
// Search all resources response.
message SearchAllResourcesResponse {
// A list of Resources that match the search query. It contains the resource
// standard metadata information.
repeated ResourceSearchResult results = 1;
// If there are more results than those appearing in this response, then
// `next_page_token` is included. To get the next set of results, call this
// method again using the value of `next_page_token` as `page_token`.
string next_page_token = 2;
}
// Search all IAM policies request.
message SearchAllIamPoliciesRequest {
// Required. A scope can be a project, a folder or an organization. The search
// is limited to the IAM policies within the `scope`.
//
// The allowed values are:
//
// * projects/{PROJECT_ID}
// * projects/{PROJECT_NUMBER}
// * folders/{FOLDER_NUMBER}
// * organizations/{ORGANIZATION_NUMBER}
string scope = 1 [(google.api.field_behavior) = REQUIRED];
// Optional. The query statement. An empty query can be specified to search
// all the IAM policies within the given `scope`.
//
// Examples:
//
// * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that
// specify user "amy@gmail.com".
// * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that
// specify the Compute Admin role.
// * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM
// policy bindings that specify a role containing "storage.buckets.update"
// permission.
// * `resource : "organizations/123"` to find Cloud IAM policy bindings that
// are set on "organizations/123".
// * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`
// to find Cloud IAM policy bindings that are set on "organizations/123" or
// "folders/1234", and also specify user "amy".
//
// See [how to construct a
// query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
// for more details.
string query = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. The page size for search result pagination. Page size is capped
// at 500 even if a larger value is given. If set to zero, server will pick an
// appropriate default. Returned results may be fewer than requested. When
// this happens, there could be more results as long as `next_page_token` is
// returned.
int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
// Optional. If present, retrieve the next batch of results from the preceding
// call to this method. `page_token` must be the value of `next_page_token`
// from the previous response. The values of all other method parameters must
// be identical to those in the previous call.
string page_token = 4 [(google.api.field_behavior) = OPTIONAL];
}
// Search all IAM policies response.
message SearchAllIamPoliciesResponse {
// A list of IamPolicy that match the search query. Related information such
// as the associated resource is returned along with the policy.
repeated IamPolicySearchResult results = 1;
// Set if there are more results than those appearing in this response; to get
// the next set of results, call this method again, using this value as the
// `page_token`.
string next_page_token = 2;
}
// Asset content type.
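Review bot: The permission named in the two new RPC comments (`cloud.assets.SearchAllResources`, `cloud.assets.SearchAllIamPolicies`) does not look like a Cloud IAM permission string, which takes the `<service>.<resource>.<verb>` lowerCamel form, and the service host declared on this page is `cloudasset.googleapis.com`, so the `cloud.` prefix is suspect; if the real permissions are `cloudasset.assets.searchAllResources` and `cloudasset.assets.searchAllIamPolicies`, the comments should name them exactly, because readers will paste them into custom role definitions. Both comments also say an unauthorized request "will be rejected" without naming the status, whereas BatchGetAssetsHistory just above documents its INVALID_ARGUMENT case; I would add `// Callers without that permission on the scope receive a PERMISSION_DENIED error.` provided that is what the backend actually returns. The `page_token` doc on both request messages requires every other parameter to be identical to the previous call but does not say what happens when they differ; stating the error (presumably INVALID_ARGUMENT) closes that gap. Finally, `scope` in SearchAllResourcesRequest and SearchAllIamPoliciesRequest carries no `(google.api.resource_reference)` even though its allowed values are project, folder and organization names, while the Feed `name` fields in this same file do annotate theirs.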


@ -16,6 +16,7 @@ syntax = "proto3";
package google.cloud.asset.v1;
import "google/api/annotations.proto";
import "google/api/resource.proto";
import "google/cloud/orgpolicy/v1/orgpolicy.proto";
import "google/iam/v1/policy.proto";
@ -25,7 +26,6 @@ import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/api/annotations.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Asset.V1";
@ -111,7 +111,8 @@ message Asset {
google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9;
google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter =
9;
}
// The ancestry path of an asset in Google Cloud [resource
@ -169,4 +170,163 @@ message Resource {
// The content of the resource, in which some sensitive fields are removed
// and may not be present.
google.protobuf.Struct data = 6;
// The location of the resource in Google Cloud, such as its zone and region.
// For more information, see https://cloud.google.com/about/locations/.
string location = 8;
}
// A result of Resource Search, containing information of a cloud resoure.
message ResourceSearchResult {
// The full resource name of this resource. Example:
// "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1".
// See [Cloud Asset Inventory Resource Name
// Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
// for more information.
//
// To search against the `name`:
//
// * use a field query. Example: `name : "instance1"`
// * use a free text query. Example: `"instance1"`
string name = 1;
// The type of this resource. Example: "compute.googleapis.com/Disk".
//
// To search against the `asset_type`:
//
// * specify the `asset_type` field in your search request.
string asset_type = 2;
// The project that this resource belongs to, in the form of
// projects/{PROJECT_NUMBER}.
//
// To search against the `project`:
//
// * specify the `scope` field as this project in your search request.
string project = 3;
// The display name of this resource.
//
// To search against the `display_name`:
//
// * use a field query. Example: `displayName : "My Instance"`
// * use a free text query. Example: `"My Instance"`
string display_name = 4;
// One or more paragraphs of text description of this resource. Maximum length
// could be up to 1M bytes.
//
// To search against the `description`:
//
// * use a field query. Example: `description : "*important instance*"`
// * use a free text query. Example: `"*important instance*"`
string description = 5;
// Location can be "global", regional like "us-east1", or zonal like
// "us-west1-b".
//
// To search against the `location`:
//
// * use a field query. Example: `location : "us-west*"`
// * use a free text query. Example: `"us-west*"`
string location = 6;
// Labels associated with this resource. See [Labelling and grouping GCP
// resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
// for more information.
//
// To search against the `labels`:
//
// * use a field query, as following:
// - query on any label's key or value. Example: `labels : "prod"`
// - query by a given label. Example: `labels.env : "prod"`
// - query by a given label'sexistence. Example: `labels.env : *`
// * use a free text query. Example: `"prod"`
map<string, string> labels = 7;
// Network tags associated with this resource. Like labels, network tags are a
// type of annotations used to group GCP resources. See [Labelling GCP
// resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
// for more information.
//
// To search against the `network_tags`:
//
// * use a field query. Example: `networkTags : "internal"`
// * use a free text query. Example: `"internal"`
repeated string network_tags = 8;
// The additional attributes of this resource. The attributes may vary from
// one resource type to another. Examples: "projectId" for Project,
// "dnsName" for DNS ManagedZone.
//
// To search against the `additional_attributes`:
//
// * use a free text query to match the attributes values. Example: to search
// additional_attributes = { dnsName: "foobar" }, you can issue a query
// `"foobar"`.
google.protobuf.Struct additional_attributes = 9;
}
// A result of IAM Policy search, containing information of an IAM policy.
message IamPolicySearchResult {
// Explanation about the IAM policy search result.
message Explanation {
// IAM permissions
message Permissions {
// A list of permissions. A sample permission string: "compute.disk.get".
repeated string permissions = 1;
}
// The map from roles to their included permissions that match the
// permission query (i.e., a query containing `policy.role.permissions:`).
// Example: if query `policy.role.permissions : "compute.disk.get"`
// matches a policy binding that contains owner role, the
// matched_permissions will be {"roles/owner": ["compute.disk.get"]}. The
// roles can also be found in the returned `policy` bindings. Note that the
// map is populated only for requests with permission queries.
map<string, Permissions> matched_permissions = 1;
}
// The full resource name of the resource associated with this IAM policy.
// Example:
// "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1".
// See [Cloud Asset Inventory Resource Name
// Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
// for more information.
//
// To search against the `resource`:
//
// * use a field query. Example: `resource : "organizations/123"`
string resource = 1;
// The project that the associated GCP resource belongs to, in the form of
// projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM
// instance, Cloud Storage bucket), the project field will indicate the
// project that contains the resource. If an IAM policy is set on a folder or
// orgnization, the project field will be empty.
//
// To search against the `project`:
//
// * specify the `scope` field as this project in your search request.
string project = 2;
// The IAM policy directly set on the given resource. Note that the original
// IAM policy can contain multiple bindings. This only contains the bindings
// that match the given query. For queries that don't contain a constrain on
// policies (e.g., an empty query), this contains all the bindings.
//
// To search against the `policy` bindings:
//
// * use a field query, as following:
// - query by the policy contained members. Example:
// `policy : "amy@gmail.com"`
// - query by the policy contained roles. Example:
// `policy : "roles/compute.admin"`
// - query by the policy contained roles' implied permissions. Example:
// `policy.role.permissions : "compute.instances.create"`
google.iam.v1.Policy policy = 3;
// Explanation about the IAM policy search result. It contains additional
// information to explain why the search result matches the query.
Explanation explanation = 4;
}
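Review bot: `IamPolicySearchResult.policy` is documented as holding only the bindings that match the query, so it is a filtered view of the resource's policy rather than the policy itself, and a caller who reads it and writes it back through SetIamPolicy would silently drop every non-matching binding; I would add to that field comment `// This is a partial view of the policy; never use it as the input to SetIamPolicy.` `ResourceSearchResult.additional_attributes` (an untyped Struct) and `description` surface resource metadata to anyone holding the search permission on the scope, and while the `Resource.data` context line at the top of this hunk says sensitive fields are removed there, nothing says whether the same redaction applies to search results, which should be stated either way. With `description` allowed up to 1M bytes and the request side capping a page at 500 results, a single response can in principle approach 500 MB, well past the default message-size limit of most protobuf runtimes, so a note on the practical bound (or a smaller cap) would help client authors. There are also typos in the new comments: `resoure` on ResourceSearchResult, `label'sexistence` on `labels`, `orgnization` on `project`, and `constrain` on `policy` should read `constraint`.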


@ -26,6 +26,29 @@
"UNAVAILABLE"
]
}
},
{
"name": [
{
"service": "google.cloud.asset.v1.AssetService",
"method": "SearchAllResources"
},
{
"service": "google.cloud.asset.v1.AssetService",
"method": "SearchAllIamPolicies"
}
],
"timeout": "15s",
"retryPolicy": {
"maxAttempts": 5,
"initialBackoff": "0.100s",
"maxBackoff": "60s",
"backoffMultiplier": 1.3,
"retryableStatusCodes": [
"DEADLINE_EXCEEDED",
"UNAVAILABLE"
]
}
}
]
}