Synchronize new proto/yaml changes.

PiperOrigin-RevId: 238726437

google/iam/artman_iam_meta_api.yaml

@@ -1,34 +0,0 @@
-common:
-  api_name: iam_meta_api
-  api_version: v1
-  organization_name: google-cloud
-  proto_deps:
-    - name: google-common-protos
-  src_proto_paths:
-  - v1
-  service_yaml: iam_meta_api.yaml
-  gapic_yaml: v1/iam_meta_api_gapic.yaml
-artifacts:
-- name: gapic_config
-  type: GAPIC_CONFIG
-- name: java_gapic
-  type: GAPIC
-  language: JAVA
-- name: python_gapic
-  type: GAPIC
-  language: PYTHON
-- name: nodejs_gapic
-  type: GAPIC
-  language: NODEJS
-- name: php_gapic
-  type: GAPIC
-  language: PHP
-- name: go_gapic
-  type: GAPIC
-  language: GO
-- name: ruby_gapic
-  type: GAPIC
-  language: RUBY
-- name: csharp_gapic
-  type: GAPIC
-  language: CSHARP

google/iam/iam_meta_api.yaml

@@ -1,61 +0,0 @@
-type: google.api.Service
-config_version: 2
-name: iam-meta-api.googleapis.com
-title: IAM Meta API
-
-apis:
-  - name: google.iam.v1.IAMPolicy
-
-types:
-  - name: google.iam.v1.PolicyDelta
-
-documentation:
-  summary: Manages access control for Google Cloud Platform resources.
-  overview: |-
-    # Google Identity and Access Management (IAM) API
-
-    Documentation of the access control API that will be implemented by all 1st
-    party services provided by the Google Cloud Platform (like Cloud Storage,
-    Compute Engine, App Engine).
-
-    Any implementation of an API that offers access control features will
-    implement the google.iam.v1.IAMPolicy interface.
-
-    ## Data model
-
-    Access control is applied when a principal (user or service account), takes
-    some action on a resource exposed by a service. Resources, identified by
-    URI-like names, are the unit of access control specification. It is up to
-    the service implementations to choose what granularity of access control to
-    support and what set of actions (permissions) to support for the resources
-    they provide. For example one database service may allow access control to
-    be specified only at the Table level, whereas another might allow access
-    control to also be specified at the Column level.
-
-    This is intentionally not a CRUD style API because access control policies
-    are created and deleted implicitly with the resources to which they are
-    attached.
-
-    ## Policy
-
-    A `Policy` consists of a list of bindings. A `Binding` binds a set of
-    members to a role, where the members can include user accounts, user groups,
-    user domains, and service accounts. A role is a named set of permissions,
-    defined by the IAM system. The definition of a role is outside the policy.
-
-    A permission check involves determining the roles that include the specified
-    permission, and then determining if the principal specified by the check is
-    a member of a binding to at least one of these roles. The membership check
-    is recursive when a group is bound to a role.
-
-http:
-  rules:
-    - selector: google.iam.v1.IAMPolicy.GetIamPolicy
-      post: '/v1/{resource=**}:getIamPolicy'
-      body: '*'
-    - selector: google.iam.v1.IAMPolicy.SetIamPolicy
-      post: '/v1/{resource=**}:setIamPolicy'
-      body: '*'
-    - selector: google.iam.v1.IAMPolicy.TestIamPermissions
-      post: '/v1/{resource=**}:testIamPermissions'
-      body: '*'

google/iam/v1/iam_meta_api_gapic.yaml

@@ -1,146 +0,0 @@
-type: com.google.api.codegen.ConfigProto
-config_schema_version: 1.0.0
-# The settings of generated code in a specific language.
-language_settings:
-  java:
-    package_name: com.google.cloud.iam.v1
-  python:
-    package_name: google.cloud.iam_v1.gapic
-  go:
-    package_name: cloud.google.com/go/iam/apiv1
-  csharp:
-    package_name: Google.Iam.V1
-  ruby:
-    package_name: Google::Cloud::Iam::V1
-  php:
-    package_name: Google\Cloud\Iam\V1
-  nodejs:
-    package_name: iam.v1
-# The configuration for the license header to put on generated files.
-license_header:
-  # The file containing the copyright line(s).
-  copyright_file: copyright-google.txt
-  # The file containing the raw license header without any copyright line(s).
-  license_file: license-header-apache-2.0.txt
-# A list of API interface configurations.
-interfaces:
-  # The fully qualified name of the API interface.
-- name: google.iam.v1.IAMPolicy
-  # A list of resource collection configurations.
-  # Consists of a name_pattern and an entity_name.
-  # The name_pattern is a pattern to describe the names of the resources of this
-  # collection, using the platform's conventions for URI patterns. A generator
-  # may use this to generate methods to compose and decompose such names. The
-  # pattern should use named placeholders as in `shelves/{shelf}/books/{book}`;
-  # those will be taken as hints for the parameter names of the generated
-  # methods. If empty, no name methods are generated.
-  # The entity_name is the name to be used as a basis for generated methods and
-  # classes.
-  collections: []
-  # Definition for retryable codes.
-  retry_codes_def:
-  - name: idempotent
-    retry_codes:
-    - DEADLINE_EXCEEDED
-    - UNAVAILABLE
-  - name: non_idempotent
-    retry_codes: []
-  # Definition for retry/backoff parameters.
-  retry_params_def:
-  - name: default
-    initial_retry_delay_millis: 100
-    retry_delay_multiplier: 1.3
-    max_retry_delay_millis: 60000
-    initial_rpc_timeout_millis: 20000
-    rpc_timeout_multiplier: 1
-    max_rpc_timeout_millis: 20000
-    total_timeout_millis: 600000
-  # A list of method configurations.
-  # Common properties:
-  #
-  #   name - The simple name of the method.
-  #
-  #   flattening - Specifies the configuration for parameter flattening.
-  #   Describes the parameter groups for which a generator should produce method
-  #   overloads which allow a client to directly pass request message fields as
-  #   method parameters. This information may or may not be used, depending on
-  #   the target language.
-  #   Consists of groups, which each represent a list of parameters to be
-  #   flattened. Each parameter listed must be a field of the request message.
-  #
-  #   required_fields - Fields that are always required for a request to be
-  #   valid.
-  #
-  #   resource_name_treatment - An enum that specifies how to treat the resource
-  #   name formats defined in the field_name_patterns and
-  #   response_field_name_patterns fields.
-  #   UNSET: default value
-  #   NONE: the collection configs will not be used by the generated code.
-  #   VALIDATE: string fields will be validated by the client against the
-  #   specified resource name formats.
-  #   STATIC_TYPES: the client will use generated types for resource names.
-  #
-  #   page_streaming - Specifies the configuration for paging.
-  #   Describes information for generating a method which transforms a paging
-  #   list RPC into a stream of resources.
-  #   Consists of a request and a response.
-  #   The request specifies request information of the list method. It defines
-  #   which fields match the paging pattern in the request. The request consists
-  #   of a page_size_field and a token_field. The page_size_field is the name of
-  #   the optional field specifying the maximum number of elements to be
-  #   returned in the response. The token_field is the name of the field in the
-  #   request containing the page token.
-  #   The response specifies response information of the list method. It defines
-  #   which fields match the paging pattern in the response. The response
-  #   consists of a token_field and a resources_field. The token_field is the
-  #   name of the field in the response containing the next page token. The
-  #   resources_field is the name of the field in the response containing the
-  #   list of resources belonging to the page.
-  #
-  #   retry_codes_name - Specifies the configuration for retryable codes. The
-  #   name must be defined in interfaces.retry_codes_def.
-  #
-  #   retry_params_name - Specifies the configuration for retry/backoff
-  #   parameters. The name must be defined in interfaces.retry_params_def.
-  #
-  #   field_name_patterns - Maps the field name of the request type to
-  #   entity_name of interfaces.collections.
-  #   Specifies the string pattern that the field must follow.
-  #
-  #   timeout_millis - Specifies the default timeout for a non-retrying call. If
-  #   the call is retrying, refer to retry_params_name instead.
-  methods:
-  - name: SetIamPolicy
-    flattening:
-      groups:
-      - parameters:
-        - resource
-        - policy
-    required_fields:
-    - resource
-    - policy
-    retry_codes_name: non_idempotent
-    retry_params_name: default
-    timeout_millis: 60000
-  - name: GetIamPolicy
-    flattening:
-      groups:
-      - parameters:
-        - resource
-    required_fields:
-    - resource
-    retry_codes_name: non_idempotent
-    retry_params_name: default
-    timeout_millis: 60000
-  - name: TestIamPermissions
-    flattening:
-      groups:
-      - parameters:
-        - resource
-        - permissions
-    required_fields:
-    - resource
-    - permissions
-    retry_codes_name: non_idempotent
-    retry_params_name: default
-    timeout_millis: 60000

google/iam/v1/iam_policy.proto

@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2016 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,16 +11,13 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.iam.v1;
 
-import "google/api/resource.proto";
-import "google/iam/v1/policy.proto";
-import "google/protobuf/field_mask.proto";
 import "google/api/annotations.proto";
+import "google/iam/v1/policy.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Iam.V1";
@@ -30,7 +27,6 @@ option java_outer_classname = "IamPolicyProto";
 option java_package = "com.google.iam.v1";
 option php_namespace = "Google\\Cloud\\Iam\\V1";
 
-
 // ## API Overview
 //
 // Manages Identity and Access Management (IAM) policies.
@@ -79,11 +75,8 @@ service IAMPolicy {
   // Returns permissions that a caller has on the specified resource.
   // If the resource does not exist, this will return an empty set of
   // permissions, not a NOT_FOUND error.
-  //
-  // Note: This operation is designed to be used for building permission-aware
-  // UIs and command-line tools, not for authorization checking. This operation
-  // may "fail open" without warning.
-  rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) {
+  rpc TestIamPermissions(TestIamPermissionsRequest)
+      returns (TestIamPermissionsResponse) {
     option (google.api.http) = {
       post: "/v1/{resource=**}:testIamPermissions"
       body: "*"
@@ -94,7 +87,8 @@ service IAMPolicy {
 // Request message for `SetIamPolicy` method.
 message SetIamPolicyRequest {
   // REQUIRED: The resource for which the policy is being specified.
-  // See the operation documentation for the appropriate value for this field.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
   string resource = 1;
 
   // REQUIRED: The complete policy to be applied to the `resource`. The size of
@@ -107,14 +101,16 @@ message SetIamPolicyRequest {
 // Request message for `GetIamPolicy` method.
 message GetIamPolicyRequest {
   // REQUIRED: The resource for which the policy is being requested.
-  // See the operation documentation for the appropriate value for this field.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
   string resource = 1;
 }
 
 // Request message for `TestIamPermissions` method.
 message TestIamPermissionsRequest {
   // REQUIRED: The resource for which the policy detail is being requested.
-  // See the operation documentation for the appropriate value for this field.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
   string resource = 1;
 
   // The set of permissions to check for the `resource`. Permissions with

google/iam/v1/policy.proto

@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2016 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,13 +11,11 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.iam.v1;
 
-import public "google/type/expr.proto";
 import "google/api/annotations.proto";
 
 option cc_enable_arenas = true;
@@ -28,17 +26,16 @@ option java_outer_classname = "PolicyProto";
 option java_package = "com.google.iam.v1";
 option php_namespace = "Google\\Cloud\\Iam\\V1";
 
-
 // Defines an Identity and Access Management (IAM) policy. It is used to
 // specify access control policies for Cloud Platform resources.
 //
 //
-// A `Policy` consists of a list of `bindings`. A `binding` binds a list of
+// A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
 // `members` to a `role`, where the members can be user accounts, Google groups,
 // Google domains, and service accounts. A `role` is a named list of permissions
 // defined by IAM.
 //
-// **JSON Example**
+// **Example**
 //
 //     {
 //       "bindings": [
@@ -48,7 +45,7 @@ option php_namespace = "Google\\Cloud\\Iam\\V1";
 //             "user:mike@example.com",
 //             "group:admins@example.com",
 //             "domain:google.com",
-//             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
+//             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
 //           ]
 //         },
 //         {
@@ -58,27 +55,14 @@ option php_namespace = "Google\\Cloud\\Iam\\V1";
 //       ]
 //     }
 //
-// **YAML Example**
-//
-//     bindings:
-//     - members:
-//       - user:mike@example.com
-//       - group:admins@example.com
-//       - domain:google.com
-//       - serviceAccount:my-other-app@appspot.gserviceaccount.com
-//       role: roles/owner
-//     - members:
-//       - user:sean@example.com
-//       role: roles/viewer
-//
-//
 // For a description of IAM and its features, see the
-// [IAM developer's guide](https://cloud.google.com/iam/docs).
+// [IAM developer's guide](https://cloud.google.com/iam).
 message Policy {
-  // Deprecated.
-  int32 version = 1 [deprecated = true];
+  // Version of the `Policy`. The default version is 0.
+  int32 version = 1;
 
   // Associates a list of `members` to a `role`.
+  // Multiple `bindings` must not be specified for the same `role`.
   // `bindings` with no members will result in an error.
   repeated Binding bindings = 4;
 
@@ -99,6 +83,7 @@ message Policy {
 message Binding {
   // Role that is assigned to `members`.
   // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  // Required
   string role = 1;
 
   // Specifies the identities requesting access for a Cloud Platform resource.
@@ -111,7 +96,7 @@ message Binding {
   //    who is authenticated with a Google account or a service account.
   //
   // * `user:{emailid}`: An email address that represents a specific Google
-  //    account. For example, `alice@gmail.com` .
+  //    account. For example, `alice@gmail.com` or `joe@example.com`.
   //
   //
   // * `serviceAccount:{emailid}`: An email address that represents a service
@@ -120,27 +105,17 @@ message Binding {
   // * `group:{emailid}`: An email address that represents a Google group.
   //    For example, `admins@example.com`.
   //
-  //
-  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
+  // * `domain:{domain}`: A Google Apps domain name that represents all the
   //    users of that domain. For example, `google.com` or `example.com`.
   //
   //
   repeated string members = 2;
-
-  // Unimplemented. The condition that is associated with this binding.
-  // NOTE: an unsatisfied condition will not allow user access via current
-  // binding. Different bindings, including their conditions, are examined
-  // independently.
-  google.type.Expr condition = 3;
 }
 
 // The difference delta between two policies.
 message PolicyDelta {
   // The delta for Bindings between two policies.
   repeated BindingDelta binding_deltas = 1;
-
-  // The delta for AuditConfigs between two policies.
-  repeated AuditConfigDelta audit_config_deltas = 2;
 }
 
 // One delta entry for Binding. Each individual change (only one member in each
@@ -171,44 +146,4 @@ message BindingDelta {
   // Follows the same format of Binding.members.
   // Required
   string member = 3;
-
-  // Unimplemented. The condition that is associated with this binding.
-  // This field is logged only for Cloud Audit Logging.
-  google.type.Expr condition = 4;
-}
-
-// One delta entry for AuditConfig. Each individual change (only one
-// exempted_member in each entry) to a AuditConfig will be a separate entry.
-message AuditConfigDelta {
-  // The type of action performed on an audit configuration in a policy.
-  enum Action {
-    // Unspecified.
-    ACTION_UNSPECIFIED = 0;
-
-    // Addition of an audit configuration.
-    ADD = 1;
-
-    // Removal of an audit configuration.
-    REMOVE = 2;
-  }
-
-  // The action that was performed on an audit configuration in a policy.
-  // Required
-  Action action = 1;
-
-  // Specifies a service that was configured for Cloud Audit Logging.
-  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
-  // `allServices` is a special value that covers all services.
-  // Required
-  string service = 2;
-
-  // A single identity that is exempted from "data access" audit
-  // logging for the `service` specified above.
-  // Follows the same format of Binding.members.
-  string exempted_member = 3;
-
-  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
-  // enabled, and cannot be configured.
-  // Required
-  string log_type = 4;
 }