lenn
/
grpc1.45.2


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240
							// Copyright 2019 Google LLC.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

syntax = "proto3";

package google.iam.v1;

import "google/type/expr.proto";
import "google/api/annotations.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.V1";
option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v1";
option php_namespace = "Google\\Cloud\\Iam\\V1";

// Defines an Identity and Access Management (IAM) policy. It is used to
// specify access control policies for Cloud Platform resources.
//
//
// A `Policy` is a collection of `bindings`. A `binding` binds one or more
// `members` to a single `role`. Members can be user accounts, service accounts,
// Google groups, and domains (such as G Suite). A `role` is a named list of
// permissions (defined by IAM or configured by users). A `binding` can
// optionally specify a `condition`, which is a logic expression that further
// constrains the role binding based on attributes about the request and/or
// target resource.
//
// **JSON Example**
//
//     {
//       "bindings": [
//         {
//           "role": "roles/resourcemanager.organizationAdmin",
//           "members": [
//             "user:mike@example.com",
//             "group:admins@example.com",
//             "domain:google.com",
//             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
//           ]
//         },
//         {
//           "role": "roles/resourcemanager.organizationViewer",
//           "members": ["user:eve@example.com"],
//           "condition": {
//             "title": "expirable access",
//             "description": "Does not grant access after Sep 2020",
//             "expression": "request.time <
//             timestamp('2020-10-01T00:00:00.000Z')",
//           }
//         }
//       ]
//     }
//
// **YAML Example**
//
//     bindings:
//     - members:
//       - user:mike@example.com
//       - group:admins@example.com
//       - domain:google.com
//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
//       role: roles/resourcemanager.organizationAdmin
//     - members:
//       - user:eve@example.com
//       role: roles/resourcemanager.organizationViewer
//       condition:
//         title: expirable access
//         description: Does not grant access after Sep 2020
//         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
//
// For a description of IAM and its features, see the
// [IAM developer's guide](https://cloud.google.com/iam/docs).
message Policy {
  // Specifies the format of the policy.
  //
  // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
  // rejected.
  //
  // Operations affecting conditional bindings must specify version 3. This can
  // be either setting a conditional policy, modifying a conditional binding,
  // or removing a binding (conditional or unconditional) from the stored
  // conditional policy.
  // Operations on non-conditional policies may specify any valid value or
  // leave the field unset.
  //
  // If no etag is provided in the call to `setIamPolicy`, version compliance
  // checks against the stored policy is skipped.
  int32 version = 1;

  // Associates a list of `members` to a `role`. Optionally may specify a
  // `condition` that determines when binding is in effect.
  // `bindings` with no members will result in an error.
  repeated Binding bindings = 4;

  // `etag` is used for optimistic concurrency control as a way to help
  // prevent simultaneous updates of a policy from overwriting each other.
  // It is strongly suggested that systems make use of the `etag` in the
  // read-modify-write cycle to perform policy updates in order to avoid race
  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
  // systems are expected to put that etag in the request to `setIamPolicy` to
  // ensure that their change will be applied to the same version of the policy.
  //
  // If no `etag` is provided in the call to `setIamPolicy`, then the existing
  // policy is overwritten. Due to blind-set semantics of an etag-less policy,
  // 'setIamPolicy' will not fail even if the incoming policy version does not
  // meet the requirements for modifying the stored policy.
  bytes etag = 3;
}

// Associates `members` with a `role`.
message Binding {
  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  string role = 1;

  // Specifies the identities requesting access for a Cloud Platform resource.
  // `members` can have the following values:
  //
  // * `allUsers`: A special identifier that represents anyone who is
  //    on the internet; with or without a Google account.
  //
  // * `allAuthenticatedUsers`: A special identifier that represents anyone
  //    who is authenticated with a Google account or a service account.
  //
  // * `user:{emailid}`: An email address that represents a specific Google
  //    account. For example, `alice@example.com` .
  //
  //
  // * `serviceAccount:{emailid}`: An email address that represents a service
  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
  //
  // * `group:{emailid}`: An email address that represents a Google group.
  //    For example, `admins@example.com`.
  //
  //
  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
  //    users of that domain. For example, `google.com` or `example.com`.
  //
  //
  repeated string members = 2;

  // The condition that is associated with this binding.
  // NOTE: An unsatisfied condition will not allow user access via current
  // binding. Different bindings, including their conditions, are examined
  // independently.
  google.type.Expr condition = 3;
}

// The difference delta between two policies.
message PolicyDelta {
  // The delta for Bindings between two policies.
  repeated BindingDelta binding_deltas = 1;

  // The delta for AuditConfigs between two policies.
  repeated AuditConfigDelta audit_config_deltas = 2;
}

// One delta entry for Binding. Each individual change (only one member in each
// entry) to a binding will be a separate entry.
message BindingDelta {
  // The type of action performed on a Binding in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of a Binding.
    ADD = 1;

    // Removal of a Binding.
    REMOVE = 2;
  }

  // The action that was performed on a Binding.
  // Required
  Action action = 1;

  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  // Required
  string role = 2;

  // A single identity requesting access for a Cloud Platform resource.
  // Follows the same format of Binding.members.
  // Required
  string member = 3;

  // The condition that is associated with this binding.
  google.type.Expr condition = 4;
}

// One delta entry for AuditConfig. Each individual change (only one
// exempted_member in each entry) to a AuditConfig will be a separate entry.
message AuditConfigDelta {
  // The type of action performed on an audit configuration in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of an audit configuration.
    ADD = 1;

    // Removal of an audit configuration.
    REMOVE = 2;
  }

  // The action that was performed on an audit configuration in a policy.
  // Required
  Action action = 1;

  // Specifies a service that was configured for Cloud Audit Logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  // Required
  string service = 2;

  // A single identity that is exempted from "data access" audit
  // logging for the `service` specified above.
  // Follows the same format of Binding.members.
  string exempted_member = 3;

  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
  // enabled, and cannot be configured.
  // Required
  string log_type = 4;
}