// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

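syntax = "proto3";

package google.cloud.asset.v1p4beta1;

// Imports are kept sorted alphabetically (buf format / clang-format order).
// google/api/annotations.proto is not referenced anywhere in this file (no
// services or HTTP annotations are declared here); it is retained unchanged
// because removing a published import is a downstream build change.
import "google/api/annotations.proto";
import "google/iam/v1/policy.proto";
import "google/rpc/code.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1";
option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset";
option java_multiple_files = true;
option java_outer_classname = "AssetProto";
option java_package = "com.google.cloud.asset.v1p4beta1";
option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1";
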
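// IAM Policy analysis result, consisting of one IAM policy binding and derived
// access control lists.
//
// Whether the result is exhaustive is signalled by
// [fully_explored][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.fully_explored]
// and by the per-node analysis_state fields; see those for details.
message IamPolicyAnalysisResult {
  // Represents analysis state of each node in the result graph or non-critical
  // errors in the response.
  message AnalysisState {
    // The Google standard error code that best describes the state.
    // For example:
    // - OK means the node has been successfully explored;
    // - PERMISSION_DENIED means an access denied error is encountered;
    // - DEADLINE_EXCEEDED means the node hasn't been explored in time;
    google.rpc.Code code = 1;

    // The human-readable description of the cause of failure. Meant for
    // display and logging; branch on
    // [code][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.AnalysisState.code]
    // rather than on this text.
    string cause = 2;
  }

  // A GCP resource that appears in an access control list.
  message Resource {
    // The [full resource name](https://aip.dev/122#full-resource-names).
    string full_resource_name = 1;

    // The analysis state of this resource node. A code other than OK means
    // this node was not successfully explored.
    AnalysisState analysis_state = 2;
  }

  // A role or permission that appears in an access control list.
  message Access {
    // At most one of the two forms below is set for a given access node.
    oneof oneof_access {
      // The role.
      string role = 1;

      // The permission.
      string permission = 2;
    }

    // The analysis state of this access node. A code other than OK means
    // this node was not successfully explored.
    AnalysisState analysis_state = 3;
  }

  // A directed edge between two nodes of the result graph. What the node
  // strings denote depends on the list the edge appears in; see
  // [resource_edges][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.AccessControlList.resource_edges]
  // and
  // [group_edges][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.IdentityList.group_edges].
  message Edge {
    // The source node of the edge.
    string source_node = 1;

    // The target node of the edge.
    string target_node = 2;
  }

  // An identity that appears in an access control list.
  message Identity {
    // The identity name, in any of the forms a member of an
    // [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding)
    // may take, such as:
    // - user:foo@google.com
    // - group:group1@google.com
    // - serviceAccount:s1@prj1.iam.gserviceaccount.com
    // - projectOwner:some_project_id
    // - domain:google.com
    // - allUsers
    // - etc.
    string name = 1;

    // The analysis state of this identity node. A code other than OK means
    // this node was not successfully explored.
    AnalysisState analysis_state = 2;
  }

  // An access control list, derived from the above IAM policy binding, which
  // contains a set of resources and accesses. May include one
  // item from each set to compose an access control entry.
  //
  // NOTICE that there could be multiple access control lists for one IAM policy
  // binding. The access control lists are created based on resource and access
  // combinations.
  //
  // For example, assume we have the following cases in one IAM policy binding:
  // - Permission P1 and P2 apply to resource R1 and R2;
  // - Permission P3 applies to resource R2 and R3;
  //
  // This will result in the following access control lists:
  // - AccessControlList 1: [R1, R2], [P1, P2]
  // - AccessControlList 2: [R2, R3], [P3]
  message AccessControlList {
    // The resources that match one of the following conditions:
    // - The resource_selector, if it is specified in request;
    // - Otherwise, resources reachable from the policy attached resource.
    repeated Resource resources = 1;

    // The accesses that match one of the following conditions:
    // - The access_selector, if it is specified in request;
    // - Otherwise, access specifiers reachable from the policy binding's role.
    repeated Access accesses = 2;

    // Resource edges of the graph starting from the policy attached
    // resource to any descendant resources. The
    // [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.source_node]
    // contains the full resource name of a parent resource and
    // [Edge.target_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node]
    // contains the full resource name of a child resource. This field is
    // present only if the output_resource_edges option is enabled in request.
    repeated Edge resource_edges = 3;
  }

  // The identities derived from the members of the above IAM policy binding,
  // together with the group-membership edges that connect them.
  message IdentityList {
    // Only the identities that match one of the following conditions will be
    // presented:
    // - The identity_selector, if it is specified in request;
    // - Otherwise, identities reachable from the policy binding's members.
    repeated Identity identities = 1;

    // Group identity edges of the graph starting from the binding's
    // group members to any node of the
    // [identities][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.IdentityList.identities].
    // The
    // [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.source_node]
    // contains a group, such as "group:parent@google.com". The
    // [Edge.target_node][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node]
    // contains a member of the group, such as "group:child@google.com" or
    // "user:foo@google.com".
    // This field is present only if the output_group_edges option is enabled in
    // request.
    repeated Edge group_edges = 2;
  }

  // The full name of the resource to which the
  // [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding]
  // policy attaches.
  string attached_resource_full_name = 1;

  // The Cloud IAM policy binding under analysis.
  google.iam.v1.Binding iam_binding = 2;

  // The access control lists derived from the
  // [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match resource and access selectors specified in
  // the request.
  repeated AccessControlList access_control_lists = 3;

  // The identity list derived from members of the
  // [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match identity selector specified in the
  // request.
  IdentityList identity_list = 4;

  // Represents whether all nodes in the transitive closure of the
  // [iam_binding][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding]
  // node have been explored.
  //
  // NOTE(review): when false, some node was not explored (the per-node
  // analysis_state fields carry the cause), so the lists above may be
  // incomplete and should not be read as the complete set of resources,
  // accesses and identities reachable from this binding.
  bool fully_explored = 5;
}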