// Schema of the MemberAssignment resource of the ntt.iam.v1 API (EdgeLQ IAM).
// Field numbers below are a published wire contract (SDK v1 line): never
// renumber or reuse them; reserve instead of deleting.

syntax = "proto3";

package ntt.iam.v1;

import "edgelq-sdk/iam/proto/v1/common.proto";
import "google/api/resource.proto";
import "goten-sdk/types/meta.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1/member_assignment;member_assignment";
option java_multiple_files = true;
option java_outer_classname = "MemberAssignmentProto";
option java_package = "com.ntt.iam.pb.v1";

// MemberAssignment is an INTERNAL resource, not intended for end users. It
// tracks REGIONAL RoleBindings per scope/member combination, for organization
// and project RoleBindings.
//
// If multiple RoleBindings point to the same project/org and member, they all
// share a single MemberAssignment.
//
// MemberAssignments are managed by the IAM Server: they are created, updated
// and deleted in the same TX as the RoleBinding being created, updated or
// deleted. A MemberAssignment shares the region of its RoleBinding; otherwise
// tx-level synchronization would not be possible.
//
// For example: creating RoleBinding { project = "X", member = "M", role =
// "r1" } creates MemberAssignment { scope = "projects/x", member = "M" }. If
// another RoleBinding with the same project and member is created, no
// additional MemberAssignment is created. When the last RoleBinding per
// scope/member is deleted, the MemberAssignment is deleted.
//
// Not all RoleBindings have MemberAssignment instances, however. Only
// organization and project RoleBindings are tracked! System and service
// RoleBindings therefore don't get a MemberAssignment. There is a caveat
// about this, though...
//
// When, say, a project enables Service "S" and a RoleBinding is created WHERE
// { project = "X", member = "M", role = "r1",
// metadata.services.allowedServices CONTAINS "S" }, then a special
// MemberAssignment is created with params { scope = "services/S", member =
// "M" }, in addition to the { scope = "projects/x", member = "M" } mentioned
// previously. These service MemberAssignments are created only for 3rd party
// services (non-core EdgeLQ), so that it is known whether a
// User/ServiceAccount is an eligible user of some service.
//
// The main task of MemberAssignment is to track participation of all
// users/service accounts in projects/organizations. It is used for things like
// ListMyProjects and ListMyOrganizations. The special service MemberAssignment
// instances are also used to track who is using a Service by proxy of a
// Project/Organization! With this, specific users can be forbidden/allowed to
// use a particular service.
//
// System RoleBindings are managed only by EdgeLQ admins for internal cases,
// and this tracking is not needed for them.
//
// NOTE(review): "internal, not for end users" is a statement of intent; this
// schema carries no authorization annotation that enforces it. Confirm that
// the IAM server's authorization layer denies end users direct
// read/list/write access to this resource. Also note that the member
// identifier (e.g. user:$EMAIL) is embedded in the resource name, so it
// appears wherever resource names are logged or audited.
message MemberAssignment {
  option (google.api.resource) = {
    type : "iam.edgelq.com/MemberAssignment"
    pattern : "regions/{region}/memberAssignments/{member_assignment}"
  };

  // Resource name, pattern
  // "regions/{region}/memberAssignments/{member_assignment}".
  // The ID segment (presumably {member_assignment}) starts with a source
  // indicator letter (p, o, s for project, org, service), followed by the
  // scope identifier (projectId etc.) and then the member identifier (like
  // user:$EMAIL).
  string name = 1;

  // Metadata is an object with information like create, update and delete
  // time (for async deleted resources), has user labels/annotations, sharding
  // information, multi-region syncing information and may have non-schema
  // owners (useful for taking ownership of resources belonging to lower level
  // services by higher ones).
  goten.types.Meta metadata = 2;

  // Points to the Organization/Project of the RoleBindings, OR to the service
  // for the special service MemberAssignments. It is already part of name, but
  // is tracked in a separate field for filtering purposes.
  string scope = 3;

  // Populated for organization/project scopes. Skipped for service ones.
  string scope_title = 4;

  // Populated for organization/project scopes. Skipped for service ones.
  string parent_organization = 5;

  // PARTIAL metadata inherited (copied) from the scope: labels, annotations,
  // tags. Populated for organization/project scopes. Skipped for service ones.
  // NOTE(review): this duplicates scope labels/annotations/tags into a
  // per-member resource; confirm nothing is placed in those scope fields that
  // the member is not otherwise allowed to see.
  goten.types.Meta scope_metadata = 6;

  // Populated for organization/project scopes. Skipped for service ones.
  // Contains the scope's multi_region_policy.default_control_region.
  string multi_region_control_region = 7;

  // Populated for organization/project scopes. Skipped for service ones.
  // Contains the scope's multi_region_policy.enabled_regions.
  repeated string multi_region_enabled_regions = 8;

  // Populated for organization/project scopes. Skipped for service ones.
  // Contains the services allowed or enabled for the scope.
  repeated string scope_services = 9;

  // Populated for organization/project scopes. Skipped for service ones.
  BusinessTier business_tier = 10;

  // Member pointed to by the RoleBinding. Part of name, but also needed as a
  // separate field for filtering purposes.
  string member = 11;

  // Region ID holding the member resource (User, ServiceAccount...).
  string member_region = 12;

  // Controller bookkeeping for this resource; see WorkStatus below.
  WorkStatus ctrl_status = 13;

  // Controller work state. Two independent flags; a published wire contract,
  // so if more states are needed later prefer adding an enum field rather
  // than further bools.
  message WorkStatus {
    // True if the controller has some work to do on this resource.
    bool pending = 1;

    // True if this resource should be deleted.
    bool pending_deletion = 2;
  }
}