mirror of
https://github.com/musix-org/musix-oss
synced 2025-01-12 15:04:50 +00:00
241 lines
8.5 KiB
Protocol Buffer
241 lines
8.5 KiB
Protocol Buffer
|
// Copyright 2019 Google LLC.
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
//
|
||
|
|
||
|
syntax = "proto3";
|
||
|
|
||
|
package google.iam.v1;
|
||
|
|
||
|
import "google/type/expr.proto";
|
||
|
import "google/api/annotations.proto";
|
||
|
|
||
|
option cc_enable_arenas = true;
|
||
|
option csharp_namespace = "Google.Cloud.Iam.V1";
|
||
|
option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
|
||
|
option java_multiple_files = true;
|
||
|
option java_outer_classname = "PolicyProto";
|
||
|
option java_package = "com.google.iam.v1";
|
||
|
option php_namespace = "Google\\Cloud\\Iam\\V1";
|
||
|
|
||
|
// Defines an Identity and Access Management (IAM) policy. It is used to
|
||
|
// specify access control policies for Cloud Platform resources.
|
||
|
//
|
||
|
//
|
||
|
// A `Policy` is a collection of `bindings`. A `binding` binds one or more
|
||
|
// `members` to a single `role`. Members can be user accounts, service accounts,
|
||
|
// Google groups, and domains (such as G Suite). A `role` is a named list of
|
||
|
// permissions (defined by IAM or configured by users). A `binding` can
|
||
|
// optionally specify a `condition`, which is a logic expression that further
|
||
|
// constrains the role binding based on attributes about the request and/or
|
||
|
// target resource.
|
||
|
//
|
||
|
// **JSON Example**
|
||
|
//
|
||
|
// {
|
||
|
// "bindings": [
|
||
|
// {
|
||
|
// "role": "roles/resourcemanager.organizationAdmin",
|
||
|
// "members": [
|
||
|
// "user:mike@example.com",
|
||
|
// "group:admins@example.com",
|
||
|
// "domain:google.com",
|
||
|
// "serviceAccount:my-project-id@appspot.gserviceaccount.com"
|
||
|
// ]
|
||
|
// },
|
||
|
// {
|
||
|
// "role": "roles/resourcemanager.organizationViewer",
|
||
|
// "members": ["user:eve@example.com"],
|
||
|
// "condition": {
|
||
|
// "title": "expirable access",
|
||
|
// "description": "Does not grant access after Sep 2020",
|
||
|
// "expression": "request.time <
|
||
|
// timestamp('2020-10-01T00:00:00.000Z')",
|
||
|
// }
|
||
|
// }
|
||
|
// ]
|
||
|
// }
|
||
|
//
|
||
|
// **YAML Example**
|
||
|
//
|
||
|
// bindings:
|
||
|
// - members:
|
||
|
// - user:mike@example.com
|
||
|
// - group:admins@example.com
|
||
|
// - domain:google.com
|
||
|
// - serviceAccount:my-project-id@appspot.gserviceaccount.com
|
||
|
// role: roles/resourcemanager.organizationAdmin
|
||
|
// - members:
|
||
|
// - user:eve@example.com
|
||
|
// role: roles/resourcemanager.organizationViewer
|
||
|
// condition:
|
||
|
// title: expirable access
|
||
|
// description: Does not grant access after Sep 2020
|
||
|
// expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
|
||
|
//
|
||
|
// For a description of IAM and its features, see the
|
||
|
// [IAM developer's guide](https://cloud.google.com/iam/docs).
|
||
|
message Policy {
|
||
|
// Specifies the format of the policy.
|
||
|
//
|
||
|
// Valid values are 0, 1, and 3. Requests specifying an invalid value will be
|
||
|
// rejected.
|
||
|
//
|
||
|
// Operations affecting conditional bindings must specify version 3. This can
|
||
|
// be either setting a conditional policy, modifying a conditional binding,
|
||
|
// or removing a binding (conditional or unconditional) from the stored
|
||
|
// conditional policy.
|
||
|
// Operations on non-conditional policies may specify any valid value or
|
||
|
// leave the field unset.
|
||
|
//
|
||
|
// If no etag is provided in the call to `setIamPolicy`, version compliance
|
||
|
// checks against the stored policy is skipped.
|
||
|
int32 version = 1;
|
||
|
|
||
|
// Associates a list of `members` to a `role`. Optionally may specify a
|
||
|
// `condition` that determines when binding is in effect.
|
||
|
// `bindings` with no members will result in an error.
|
||
|
repeated Binding bindings = 4;
|
||
|
|
||
|
// `etag` is used for optimistic concurrency control as a way to help
|
||
|
// prevent simultaneous updates of a policy from overwriting each other.
|
||
|
// It is strongly suggested that systems make use of the `etag` in the
|
||
|
// read-modify-write cycle to perform policy updates in order to avoid race
|
||
|
// conditions: An `etag` is returned in the response to `getIamPolicy`, and
|
||
|
// systems are expected to put that etag in the request to `setIamPolicy` to
|
||
|
// ensure that their change will be applied to the same version of the policy.
|
||
|
//
|
||
|
// If no `etag` is provided in the call to `setIamPolicy`, then the existing
|
||
|
// policy is overwritten. Due to blind-set semantics of an etag-less policy,
|
||
|
// 'setIamPolicy' will not fail even if the incoming policy version does not
|
||
|
// meet the requirements for modifying the stored policy.
|
||
|
bytes etag = 3;
|
||
|
}
|
||
|
|
||
|
// Associates `members` with a `role`.
|
||
|
message Binding {
|
||
|
// Role that is assigned to `members`.
|
||
|
// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
||
|
string role = 1;
|
||
|
|
||
|
// Specifies the identities requesting access for a Cloud Platform resource.
|
||
|
// `members` can have the following values:
|
||
|
//
|
||
|
// * `allUsers`: A special identifier that represents anyone who is
|
||
|
// on the internet; with or without a Google account.
|
||
|
//
|
||
|
// * `allAuthenticatedUsers`: A special identifier that represents anyone
|
||
|
// who is authenticated with a Google account or a service account.
|
||
|
//
|
||
|
// * `user:{emailid}`: An email address that represents a specific Google
|
||
|
// account. For example, `alice@example.com` .
|
||
|
//
|
||
|
//
|
||
|
// * `serviceAccount:{emailid}`: An email address that represents a service
|
||
|
// account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
||
|
//
|
||
|
// * `group:{emailid}`: An email address that represents a Google group.
|
||
|
// For example, `admins@example.com`.
|
||
|
//
|
||
|
//
|
||
|
// * `domain:{domain}`: The G Suite domain (primary) that represents all the
|
||
|
// users of that domain. For example, `google.com` or `example.com`.
|
||
|
//
|
||
|
//
|
||
|
repeated string members = 2;
|
||
|
|
||
|
// The condition that is associated with this binding.
|
||
|
// NOTE: An unsatisfied condition will not allow user access via current
|
||
|
// binding. Different bindings, including their conditions, are examined
|
||
|
// independently.
|
||
|
google.type.Expr condition = 3;
|
||
|
}
|
||
|
|
||
|
// The difference delta between two policies.
|
||
|
message PolicyDelta {
|
||
|
// The delta for Bindings between two policies.
|
||
|
repeated BindingDelta binding_deltas = 1;
|
||
|
|
||
|
// The delta for AuditConfigs between two policies.
|
||
|
repeated AuditConfigDelta audit_config_deltas = 2;
|
||
|
}
|
||
|
|
||
|
// One delta entry for Binding. Each individual change (only one member in each
|
||
|
// entry) to a binding will be a separate entry.
|
||
|
message BindingDelta {
|
||
|
// The type of action performed on a Binding in a policy.
|
||
|
enum Action {
|
||
|
// Unspecified.
|
||
|
ACTION_UNSPECIFIED = 0;
|
||
|
|
||
|
// Addition of a Binding.
|
||
|
ADD = 1;
|
||
|
|
||
|
// Removal of a Binding.
|
||
|
REMOVE = 2;
|
||
|
}
|
||
|
|
||
|
// The action that was performed on a Binding.
|
||
|
// Required
|
||
|
Action action = 1;
|
||
|
|
||
|
// Role that is assigned to `members`.
|
||
|
// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
||
|
// Required
|
||
|
string role = 2;
|
||
|
|
||
|
// A single identity requesting access for a Cloud Platform resource.
|
||
|
// Follows the same format of Binding.members.
|
||
|
// Required
|
||
|
string member = 3;
|
||
|
|
||
|
// The condition that is associated with this binding.
|
||
|
google.type.Expr condition = 4;
|
||
|
}
|
||
|
|
||
|
// One delta entry for AuditConfig. Each individual change (only one
|
||
|
// exempted_member in each entry) to a AuditConfig will be a separate entry.
|
||
|
message AuditConfigDelta {
|
||
|
// The type of action performed on an audit configuration in a policy.
|
||
|
enum Action {
|
||
|
// Unspecified.
|
||
|
ACTION_UNSPECIFIED = 0;
|
||
|
|
||
|
// Addition of an audit configuration.
|
||
|
ADD = 1;
|
||
|
|
||
|
// Removal of an audit configuration.
|
||
|
REMOVE = 2;
|
||
|
}
|
||
|
|
||
|
// The action that was performed on an audit configuration in a policy.
|
||
|
// Required
|
||
|
Action action = 1;
|
||
|
|
||
|
// Specifies a service that was configured for Cloud Audit Logging.
|
||
|
// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
|
||
|
// `allServices` is a special value that covers all services.
|
||
|
// Required
|
||
|
string service = 2;
|
||
|
|
||
|
// A single identity that is exempted from "data access" audit
|
||
|
// logging for the `service` specified above.
|
||
|
// Follows the same format of Binding.members.
|
||
|
string exempted_member = 3;
|
||
|
|
||
|
// Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
|
||
|
// enabled, and cannot be configured.
|
||
|
// Required
|
||
|
string log_type = 4;
|
||
|
}
|