xuyiping
/
kpt-grpc-demo


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287
							// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.iam.v2;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/iam/v2/deny.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.Iam.V2";
option go_package = "google.golang.org/genproto/googleapis/iam/v2;iam";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v2";
option php_namespace = "Google\\Cloud\\Iam\\V2";

// An interface for managing Identity and Access Management (IAM) policies.
service Policies {
  option (google.api.default_host) = "iam.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Retrieves the policies of the specified kind that are attached to a
  // resource.
  //
  // The response lists only policy metadata. In particular, policy rules are
  // omitted.
  rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
    option (google.api.http) = {
      get: "/v2/{parent=policies/*/*}"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets a policy.
  rpc GetPolicy(GetPolicyRequest) returns (Policy) {
    option (google.api.http) = {
      get: "/v2/{name=policies/*/*/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a policy.
  rpc CreatePolicy(CreatePolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v2/{parent=policies/*/*}"
      body: "policy"
    };
    option (google.api.method_signature) = "parent,policy,policy_id";
    option (google.longrunning.operation_info) = {
      response_type: "Policy"
      metadata_type: "PolicyOperationMetadata"
    };
  }

  // Updates the specified policy.
  //
  // You can update only the rules and the display name for the policy.
  //
  // To update a policy, you should use a read-modify-write loop:
  //
  // 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
  // 2. Modify the policy as needed.
  // 3. Use `UpdatePolicy` to write the updated policy.
  //
  // This pattern helps prevent conflicts between concurrent updates.
  rpc UpdatePolicy(UpdatePolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      put: "/v2/{policy.name=policies/*/*/*}"
      body: "policy"
    };
    option (google.longrunning.operation_info) = {
      response_type: "Policy"
      metadata_type: "PolicyOperationMetadata"
    };
  }

  // Deletes a policy. This action is permanent.
  rpc DeletePolicy(DeletePolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v2/{name=policies/*/*/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "Policy"
      metadata_type: "PolicyOperationMetadata"
    };
  }
}

// Data for an IAM policy.
message Policy {
  // Immutable. The resource name of the `Policy`, which must be unique. Format:
  // `policies/{attachment_point}/denypolicies/{policy_id}`
  //
  //
  // The attachment point is identified by its URL-encoded full resource name,
  // which means that the forward-slash character, `/`, must be written as
  // `%2F`. For example,
  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`.
  //
  // For organizations and folders, use the numeric ID in the full resource
  // name. For projects, requests can use the alphanumeric or the numeric ID.
  // Responses always contain the numeric ID.
  string name = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The globally unique ID of the `Policy`. Assigned automatically when the
  // `Policy` is created.
  string uid = 2 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`.
  string kind = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // A user-specified description of the `Policy`. This value can be up to 63
  // characters.
  string display_name = 4;

  // A key-value map to store arbitrary metadata for the `Policy`. Keys
  // can be up to 63 characters. Values can be up to 255 characters.
  map<string, string> annotations = 5;

  // An opaque tag that identifies the current version of the `Policy`. IAM uses
  // this value to help manage concurrent updates, so they do not cause one
  // update to be overwritten by another.
  //
  // If this field is present in a [CreatePolicy][] request, the value is
  // ignored.
  string etag = 6;

  // Output only. The time when the `Policy` was created.
  google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time when the `Policy` was last updated.
  google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted.
  google.protobuf.Timestamp delete_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // A list of rules that specify the behavior of the `Policy`. All of the rules
  // should be of the `kind` specified in the `Policy`.
  repeated PolicyRule rules = 10;

  // Immutable. Specifies that this policy is managed by an authority and can only be
  // modified by that authority. Usage is restricted.
  string managing_authority = 11 [(google.api.field_behavior) = IMMUTABLE];
}

// A single rule in a `Policy`.
message PolicyRule {
  oneof kind {
    // A rule for a deny policy.
    DenyRule deny_rule = 2;
  }

  // A user-specified description of the rule. This value can be up to 256
  // characters.
  string description = 1;
}

// Request message for `ListPolicies`.
message ListPoliciesRequest {
  // Required. The resource that the policy is attached to, along with the kind of policy
  // to list. Format:
  // `policies/{attachment_point}/denypolicies`
  //
  //
  // The attachment point is identified by its URL-encoded full resource name,
  // which means that the forward-slash character, `/`, must be written as
  // `%2F`. For example,
  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
  //
  // For organizations and folders, use the numeric ID in the full resource
  // name. For projects, you can use the alphanumeric or the numeric ID.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // The maximum number of policies to return. IAM ignores this value and uses
  // the value 1000.
  int32 page_size = 2;

  // A page token received in a [ListPoliciesResponse][google.iam.v2.ListPoliciesResponse]. Provide this token to
  // retrieve the next page.
  string page_token = 3;
}

// Response message for `ListPolicies`.
message ListPoliciesResponse {
  // Metadata for the policies that are attached to the resource.
  repeated Policy policies = 1;

  // A page token that you can use in a [ListPoliciesRequest][google.iam.v2.ListPoliciesRequest] to retrieve the
  // next page. If this field is omitted, there are no additional pages.
  string next_page_token = 2;
}

// Request message for `GetPolicy`.
message GetPolicyRequest {
  // Required. The resource name of the policy to retrieve. Format:
  // `policies/{attachment_point}/denypolicies/{policy_id}`
  //
  //
  // Use the URL-encoded full resource name, which means that the forward-slash
  // character, `/`, must be written as `%2F`. For example,
  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
  //
  // For organizations and folders, use the numeric ID in the full resource
  // name. For projects, you can use the alphanumeric or the numeric ID.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// Request message for `CreatePolicy`.
message CreatePolicyRequest {
  // Required. The resource that the policy is attached to, along with the kind of policy
  // to create. Format: `policies/{attachment_point}/denypolicies`
  //
  //
  // The attachment point is identified by its URL-encoded full resource name,
  // which means that the forward-slash character, `/`, must be written as
  // `%2F`. For example,
  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
  //
  // For organizations and folders, use the numeric ID in the full resource
  // name. For projects, you can use the alphanumeric or the numeric ID.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The policy to create.
  Policy policy = 2 [(google.api.field_behavior) = REQUIRED];

  // The ID to use for this policy, which will become the final component of
  // the policy's resource name. The ID must contain 3 to 63 characters. It can
  // contain lowercase letters and numbers, as well as dashes (`-`) and periods
  // (`.`). The first character must be a lowercase letter.
  string policy_id = 3;
}

// Request message for `UpdatePolicy`.
message UpdatePolicyRequest {
  // Required. The policy to update.
  //
  // To prevent conflicting updates, the `etag` value must match the value that
  // is stored in IAM. If the `etag` values do not match, the request fails with
  // a `409` error code and `ABORTED` status.
  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
}

// Request message for `DeletePolicy`.
message DeletePolicyRequest {
  // Required. The resource name of the policy to delete. Format:
  // `policies/{attachment_point}/denypolicies/{policy_id}`
  //
  //
  // Use the URL-encoded full resource name, which means that the forward-slash
  // character, `/`, must be written as `%2F`. For example,
  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
  //
  // For organizations and folders, use the numeric ID in the full resource
  // name. For projects, you can use the alphanumeric or the numeric ID.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The expected `etag` of the policy to delete. If the value does not match
  // the value that is stored in IAM, the request fails with a `409` error code
  // and `ABORTED` status.
  //
  // If you omit this field, the policy is deleted regardless of its current
  // `etag`.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Metadata for long-running `Policy` operations.
message PolicyOperationMetadata {
  // Timestamp when the `google.longrunning.Operation` was created.
  google.protobuf.Timestamp create_time = 1;
}