feat: Add ListDatabaseRoles API to support role based access control

PiperOrigin-RevId: 462086058
3 years ago · 4f072bff78
parent 45e4f3084b
commit 4f072bff78
3 changed files with 132 additions and 0 deletions
--- a/google/spanner/admin/database/v1/spanner.yaml
+++ b/google/spanner/admin/database/v1/spanner.yaml
@ -0,0 +1,68 @@
+type: google.api.Service
+config_version: 3
+name: spanner.googleapis.com
+title: Cloud Spanner API
+
+apis:
+- name: google.longrunning.Operations
+- name: google.spanner.admin.database.v1.DatabaseAdmin
+
+types:
+- name: google.spanner.admin.database.v1.CopyBackupMetadata
+- name: google.spanner.admin.database.v1.CreateBackupMetadata
+- name: google.spanner.admin.database.v1.CreateDatabaseMetadata
+- name: google.spanner.admin.database.v1.OptimizeRestoredDatabaseMetadata
+- name: google.spanner.admin.database.v1.RestoreDatabaseMetadata
+- name: google.spanner.admin.database.v1.UpdateDatabaseDdlMetadata
+
+documentation:
+  summary: |-
+    Cloud Spanner is a managed, mission-critical, globally consistent and
+    scalable relational database service.
+
+backend:
+  rules:
+  - selector: 'google.longrunning.Operations.*'
+    deadline: 3600.0
+  - selector: 'google.spanner.admin.database.v1.DatabaseAdmin.*'
+    deadline: 3600.0
+
+http:
+  rules:
+  - selector: google.longrunning.Operations.CancelOperation
+    post: '/v1/{name=projects/*/instances/*/databases/*/operations/*}:cancel'
+    additional_bindings:
+    - post: '/v1/{name=projects/*/instances/*/operations/*}:cancel'
+    - post: '/v1/{name=projects/*/instances/*/backups/*/operations/*}:cancel'
+    - post: '/v1/{name=projects/*/instanceConfigs/*/operations/*}:cancel'
+  - selector: google.longrunning.Operations.DeleteOperation
+    delete: '/v1/{name=projects/*/instances/*/databases/*/operations/*}'
+    additional_bindings:
+    - delete: '/v1/{name=projects/*/instances/*/operations/*}'
+    - delete: '/v1/{name=projects/*/instances/*/backups/*/operations/*}'
+    - delete: '/v1/{name=projects/*/instanceConfigs/*/operations/*}'
+  - selector: google.longrunning.Operations.GetOperation
+    get: '/v1/{name=projects/*/instances/*/databases/*/operations/*}'
+    additional_bindings:
+    - get: '/v1/{name=projects/*/instances/*/operations/*}'
+    - get: '/v1/{name=projects/*/instances/*/backups/*/operations/*}'
+    - get: '/v1/{name=projects/*/instanceConfigs/*/operations/*}'
+  - selector: google.longrunning.Operations.ListOperations
+    get: '/v1/{name=projects/*/instances/*/databases/*/operations}'
+    additional_bindings:
+    - get: '/v1/{name=projects/*/instances/*/operations}'
+    - get: '/v1/{name=projects/*/instances/*/backups/*/operations}'
+    - get: '/v1/{name=projects/*/instanceConfigs/*/operations}'
+
+authentication:
+  rules:
+  - selector: 'google.longrunning.Operations.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform,
+        https://www.googleapis.com/auth/spanner.admin
+  - selector: 'google.spanner.admin.database.v1.DatabaseAdmin.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform,
+        https://www.googleapis.com/auth/spanner.admin
--- a/google/spanner/admin/database/v1/spanner_admin_database_grpc_service_config.json
+++ b/google/spanner/admin/database/v1/spanner_admin_database_grpc_service_config.json
@ -45,6 +45,10 @@
        {
          "service": "google.spanner.admin.database.v1.DatabaseAdmin",
          "method": "ListBackupOperations"
+        },
+        {
+          "service": "google.spanner.admin.database.v1.DatabaseAdmin",
+          "method": "ListDatabaseRoles"
        }
      ],
      "timeout": "3600s",
--- a/google/spanner/admin/database/v1/spanner_database_admin.proto
+++ b/google/spanner/admin/database/v1/spanner_database_admin.proto
@ -187,6 +187,10 @@ service DatabaseAdmin {
        post: "/v1/{resource=projects/*/instances/*/backups/*}:testIamPermissions"
        body: "*"
      }
+      additional_bindings {
+        post: "/v1/{resource=projects/*/instances/*/databases/*/databaseRoles/*}:testIamPermissions"
+        body: "*"
+      }
    };
    option (google.api.method_signature) = "resource,permissions";
  }
@ -334,6 +338,14 @@ service DatabaseAdmin {
    };
    option (google.api.method_signature) = "parent";
  }
+
+  // Lists Cloud Spanner database roles.
+  rpc ListDatabaseRoles(ListDatabaseRolesRequest) returns (ListDatabaseRolesResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/instances/*/databases/*}/databaseRoles"
+    };
+    option (google.api.method_signature) = "parent";
+  }
 }

 // Information about the database restore.
@ -868,3 +880,51 @@ enum RestoreSourceType {
  // A backup was used as the source of the restore.
  BACKUP = 1;
 }
+
+// A Cloud Spanner database role.
+message DatabaseRole {
+  option (google.api.resource) = {
+    type: "spanner.googleapis.com/DatabaseRole"
+    pattern: "projects/{project}/instances/{instance}/databases/{database}/databaseRoles/{role}"
+  };
+
+  // Required. The name of the database role. Values are of the form
+  // `projects/<project>/instances/<instance>/databases/<database>/databaseRoles/
+  // {role}`, where `<role>` is as specified in the `CREATE ROLE`
+  // DDL statement. This name can be passed to Get/Set IAMPolicy methods to
+  // identify the database role.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The request for [ListDatabaseRoles][google.spanner.admin.database.v1.DatabaseAdmin.ListDatabaseRoles].
+message ListDatabaseRolesRequest {
+  // Required. The database whose roles should be listed.
+  // Values are of the form
+  // `projects/<project>/instances/<instance>/databases/<database>/databaseRoles`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "spanner.googleapis.com/Database"
+    }
+  ];
+
+  // Number of database roles to be returned in the response. If 0 or less,
+  // defaults to the server's maximum allowed page size.
+  int32 page_size = 2;
+
+  // If non-empty, `page_token` should contain a
+  // [next_page_token][google.spanner.admin.database.v1.ListDatabaseRolesResponse.next_page_token] from a
+  // previous [ListDatabaseRolesResponse][google.spanner.admin.database.v1.ListDatabaseRolesResponse].
+  string page_token = 3;
+}
+
+// The response for [ListDatabaseRoles][google.spanner.admin.database.v1.DatabaseAdmin.ListDatabaseRoles].
+message ListDatabaseRolesResponse {
+  // Database roles that matched the request.
+  repeated DatabaseRole database_roles = 1;
+
+  // `next_page_token` can be sent in a subsequent
+  // [ListDatabaseRoles][google.spanner.admin.database.v1.DatabaseAdmin.ListDatabaseRoles]
+  // call to fetch more of the matching roles.
+  string next_page_token = 2;
+}