
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.asset.v1p4beta1;
  16. import "google/iam/v1/policy.proto";
  17. import "google/rpc/code.proto";
  18. import "google/api/annotations.proto";
  19. option cc_enable_arenas = true;
  20. option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1";
  21. option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset";
  22. option java_multiple_files = true;
  23. option java_outer_classname = "AssetProto";
  24. option java_package = "com.google.cloud.asset.v1p4beta1";
  25. option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1";
  26. // IAM Policy analysis result, consisting of one IAM policy binding and derived
  27. // access control lists.
  28. message IamPolicyAnalysisResult {
  29. // Represents analysis state of each node in the result graph or non-critical
  30. // errors in the response.
  31. message AnalysisState {
  32. // The Google standard error code that best describes the state.
  33. // For example:
  34. // - OK means the node has been successfully explored;
  35. // - PERMISSION_DENIED means an access denied error is encountered;
  36. // - DEADLINE_EXCEEDED means the node hasn't been explored in time;
  37. google.rpc.Code code = 1;
  38. // The human-readable description of the cause of failure.
  39. string cause = 2;
  40. }
  41. // A GCP resource that appears in an access control list.
  42. message Resource {
  43. // The [full resource name](https://aip.dev/122#full-resource-names).
  44. string full_resource_name = 1;
  45. // The analysis state of this resource node.
  46. AnalysisState analysis_state = 2;
  47. }
  48. // A role or permission that appears in an access control list.
  49. message Access {
  50. oneof oneof_access {
  51. // The role.
  52. string role = 1;
  53. // The permission.
  54. string permission = 2;
  55. }
  56. // The analysis state of this access node.
  57. AnalysisState analysis_state = 3;
  58. }
  59. // A directional edge.
  60. message Edge {
  61. // The source node of the edge.
  62. string source_node = 1;
  63. // The target node of the edge.
  64. string target_node = 2;
  65. }
  66. // An identity that appears in an access control list.
  67. message Identity {
  68. // The identity name in any form of members appear in
  69. // [IAM policy
  70. // binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
  71. // as:
  72. // - user:foo@google.com
  73. // - group:group1@google.com
  74. // - serviceAccount:s1@prj1.iam.gserviceaccount.com
  75. // - projectOwner:some_project_id
  76. // - domain:google.com
  77. // - allUsers
  78. // - etc.
  79. string name = 1;
  80. // The analysis state of this identity node.
  81. AnalysisState analysis_state = 2;
  82. }
  83. // An access control list, derived from the above IAM policy binding, which
  84. // contains a set of resources and accesses. May include one
  85. // item from each set to compose an access control entry.
  86. //
  87. // NOTICE that there could be multiple access control lists for one IAM policy
  88. // binding. The access control lists are created based on resource and access
  89. // combinations.
  90. //
  91. // For example, assume we have the following cases in one IAM policy binding:
  92. // - Permission P1 and P2 apply to resource R1 and R2;
  93. // - Permission P3 applies to resource R2 and R3;
  94. //
  95. // This will result in the following access control lists:
  96. // - AccessControlList 1: [R1, R2], [P1, P2]
  97. // - AccessControlList 2: [R2, R3], [P3]
  98. message AccessControlList {
  99. // The resources that match one of the following conditions:
  100. // - The resource_selector, if it is specified in request;
  101. // - Otherwise, resources reachable from the policy attached resource.
  102. repeated Resource resources = 1;
  103. // The accesses that match one of the following conditions:
  104. // - The access_selector, if it is specified in request;
  105. // - Otherwise, access specifiers reachable from the policy binding's role.
  106. repeated Access accesses = 2;
  107. // Resource edges of the graph starting from the policy attached
  108. // resource to any descendant resources. The [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.source_node] contains
  109. // the full resource name of a parent resource and [Edge.target_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node]
  110. // contains the full resource name of a child resource. This field is
  111. // present only if the output_resource_edges option is enabled in request.
  112. repeated Edge resource_edges = 3;
  113. }
  114. message IdentityList {
  115. // Only the identities that match one of the following conditions will be
  116. // presented:
  117. // - The identity_selector, if it is specified in request;
  118. // - Otherwise, identities reachable from the policy binding's members.
  119. repeated Identity identities = 1;
  120. // Group identity edges of the graph starting from the binding's
  121. // group members to any node of the [identities][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.source_node]
  122. // contains a group, such as "group:parent@google.com". The
  123. // [Edge.target_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group,
  124. // such as "group:child@google.com" or "user:foo@google.com".
  125. // This field is present only if the output_group_edges option is enabled in
  126. // request.
  127. repeated Edge group_edges = 2;
  128. }
  129. // The full name of the resource to which the [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding] policy attaches.
  130. string attached_resource_full_name = 1;
  131. // The Cloud IAM policy binding under analysis.
  132. google.iam.v1.Binding iam_binding = 2;
  133. // The access control lists derived from the [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding] that match or
  134. // potentially match resource and access selectors specified in the request.
  135. repeated AccessControlList access_control_lists = 3;
  136. // The identity list derived from members of the [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding] that match or
  137. // potentially match identity selector specified in the request.
  138. IdentityList identity_list = 4;
  139. // Represents whether all nodes in the transitive closure of the
  140. // [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding] node have been explored.
  141. bool fully_explored = 5;
  142. }