Chiebot-Mirror
/
googleapis
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Updates to IAM mixins

Browse Source
pull/175/head
landrito 9 years ago
parent 629959247d
commit 438f35394f
2 changed files with 95 additions and 78 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 52
      google/iam/v1/iam_policy.proto
  2. 121
      google/iam/v1/policy.proto

52
google/iam/v1/iam_policy.proto
Unescape View File

@ -1,4 +1,4 @@
// Copyright (c) 2015, Google Inc.
// Copyright 2016 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -16,8 +16,10 @@ syntax = "proto3";
package google.iam.v1;
import "google/api/annotations.proto";
import "google/iam/v1/policy.proto";
option cc_enable_arenas = true;
option java_multiple_files = true;
option java_outer_classname = "IamPolicyProto";
option java_package = "com.google.iam.v1";
@ -25,6 +27,8 @@ option java_package = "com.google.iam.v1";
// ## API Overview
//
// Manages Identity and Access Management (IAM) policies.
//
// Any implementation of an API that offers access control features
// implements the google.iam.v1.IAMPolicy interface.
//
@ -49,44 +53,56 @@ option java_package = "com.google.iam.v1";
service IAMPolicy {
// Sets the access control policy on the specified resource. Replaces any
// existing policy.
rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy);
rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) {
option (google.api.http) = { post: "/v1/{resource=**}:setIamPolicy" body: "*" };
}
// Gets the access control policy for a resource. Is empty if the
// policy or the resource does not exist.
rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy);
// Gets the access control policy for a resource.
// Returns an empty policy if the resource exists and does not have a policy
// set.
rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) {
option (google.api.http) = { post: "/v1/{resource=**}:getIamPolicy" body: "*" };
}
// Returns permissions that a caller has on the specified resource.
rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse);
rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) {
option (google.api.http) = { post: "/v1/{resource=**}:testIamPermissions" body: "*" };
}
}
// Request message for `SetIamPolicy` method.
message SetIamPolicyRequest {
// REQUIRED: The resource for which policy is being specified.
// Resource is usually specified as a path, such as,
// projects/{project}/zones/{zone}/disks/{disk}.
// REQUIRED: The resource for which the policy is being specified.
// `resource` is usually specified as a path. For example, a Project
// resource is specified as `projects/{project}`.
string resource = 1;
// REQUIRED: The complete policy to be applied to the 'resource'. The size of
// the policy is limited to a few 10s of KB. An empty policy is in general a
// valid policy but certain services (like Projects) might reject them.
// REQUIRED: The complete policy to be applied to the `resource`. The size of
// the policy is limited to a few 10s of KB. An empty policy is a
// valid policy but certain Cloud Platform services (such as Projects)
// might reject them.
Policy policy = 2;
}
// Request message for `GetIamPolicy` method.
message GetIamPolicyRequest {
// REQUIRED: The resource for which policy is being requested. Resource
// is usually specified as a path, such as, projects/{project}.
// REQUIRED: The resource for which the policy is being requested.
// `resource` is usually specified as a path. For example, a Project
// resource is specified as `projects/{project}`.
string resource = 1;
}
// Request message for `TestIamPermissions` method.
message TestIamPermissionsRequest {
// REQUIRED: The resource for which policy detail is being requested.
// Resource is usually specified as a path, such as, projects/{project}.
// REQUIRED: The resource for which the policy detail is being requested.
// `resource` is usually specified as a path. For example, a Project
// resource is specified as `projects/{project}`.
string resource = 1;
// The set of permissions to check for the 'resource'. Permissions with
// wildcards (such as '*' or 'storage.*') are not allowed.
// The set of permissions to check for the `resource`. Permissions with
// wildcards (such as '*' or 'storage.*') are not allowed. For more
// information see
// [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
repeated string permissions = 2;
}

121
google/iam/v1/policy.proto
Unescape View File

@ -1,4 +1,4 @@
// Copyright (c) 2015, Google Inc.
// Copyright 2016 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -16,92 +16,93 @@ syntax = "proto3";
package google.iam.v1;
option cc_enable_arenas = true;
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v1";
// # Overview
// Defines an Identity and Access Management (IAM) policy. It is used to
// specify access control policies for Cloud Platform resources.
//
// The `Policy` defines an access control policy language. It is used to
// define policies that are attached to resources like files, folders, VMs,
// etc.
//
// A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
// `members` to a `role`, where the members can be user accounts, Google groups,
// Google domains, and service accounts. A `role` is a named list of permissions
// defined by IAM.
//
// # Policy structure
// **Example**
//
// A `Policy` consists of a list of bindings. A `Binding` binds a set of members
// to a role, where the members include user accounts, user groups, user
// domains, and service accounts. A 'role' is a named set of permissions,
// defined by IAM. The definition of a role is outside the policy.
//
// A permission check first determines the roles that include the specified
// permission, and then determines if the principal specified is a
// member of a binding to at least one of these roles. The membership check is
// recursive when a group is bound to a role.
//
// Policy examples:
//
// ```
// {
// "bindings": [
// {
// "role": "roles/owner",
// "members": [
// "user:mike@example.com",
// "group:admins@example.com",
// "domain:google.com",
// "serviceAccount:frontend@example.iam.gserviceaccounts.com"]
// },
// {
// "role": "roles/viewer",
// "members": ["user:sean@example.com"]
// "bindings": [
// {
// "role": "roles/owner",
// "members": [
// "user:mike@example.com",
// "group:admins@example.com",
// "domain:google.com",
// "serviceAccount:my-other-app@appspot.gserviceaccount.com",
// ]
// },
// {
// "role": "roles/viewer",
// "members": ["user:sean@example.com"]
// }
// ]
// }
// ]
// }
// ```
//
// For a description of IAM and its features, see the
// [IAM developer's guide](https://cloud.google.com/iam).
message Policy {
// The policy language version. The version of the policy is
// represented by the etag. The default version is 0.
// Version of the `Policy`. The default version is 0.
int32 version = 1;
// It is an error to specify multiple bindings for the same role.
// It is an error to specify a binding with no members.
// Associates a list of `members` to a `role`.
// Multiple `bindings` must not be specified for the same `role`.
// `bindings` with no members will result in an error.
repeated Binding bindings = 4;
// Can be used to perform a read-modify-write.
// `etag` is used for optimistic concurrency control as a way to help
// prevent simultaneous updates of a policy from overwriting each other.
// It is strongly suggested that systems make use of the `etag` in the
// read-modify-write cycle to perform policy updates in order to avoid race
// conditions: An `etag` is returned in the response to `getIamPolicy`, and
// systems are expected to put that etag in the request to `setIamPolicy` to
// ensure that their change will be applied to the same version of the policy.
//
// If no `etag` is provided in the call to `setIamPolicy`, then the existing
// policy is overwritten blindly.
bytes etag = 3;
}
// Associates members with roles. See below for allowed
// formats of members.
// Associates `members` with a `role`.
message Binding {
// The name of the role to which the members should be bound.
// Examples: "roles/viewer", "roles/editor", "roles/owner".
// Role that is assigned to `members`.
// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
// Required
string role = 1;
// Format of member entries:
// 1. allUsers
// Matches any requesting principal (users, service accounts or anonymous).
// Specifies the identities requesting access for a Cloud Platform resource.
// `members` can have the following values:
//
// * `allUsers`: A special identifier that represents anyone who is
// on the internet; with or without a Google account.
//
// * `allAuthenticatedUsers`: A special identifier that represents anyone
// who is authenticated with a Google account or a service account.
//
// * `user:{emailid}`: An email address that represents a specific Google
// account. For example, `alice@gmail.com` or `joe@example.com`.
//
// 2. allAuthenticatedUsers
// Matches any requesting authenticated principal (users or service
// accounts).
// * `serviceAccount:{emailid}`: An email address that represents a service
// account. For example, `my-other-app@appspot.gserviceaccount.com`.
//
// 3. user:{emailid}
// A google user account using an email address.
// For example alice@gmail.com, joe@example.com
// * `group:{emailid}`: An email address that represents a Google group.
// For example, `admins@example.com`.
//
// 4. serviceAccount:{emailid}
// An service account email.
// * `domain:{domain}`: A Google Apps domain name that represents all the
// users of that domain. For example, `google.com` or `example.com`.
//
// 5. group:{emailid}
// A google group with an email address. For example
// auth-ti-cloud@google.com
//
// 6. domain:{domain}
// A Google Apps domain name.
// For example google.com, example.com
repeated string members = 2;
}

Write Preview
Loading…
Cancel
Save