syntax = "proto3";

package ntt.iam.v1;

import "edgelq-sdk/iam/proto/v1/condition.proto";
import "google/api/resource.proto";
import "goten-sdk/types/meta.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1/role;role";
option java_multiple_files = true;
option java_outer_classname = "RoleProto";
option java_package = "com.ntt.iam.pb.v1";

// Role Resource.
//
// A Role bundles the permissions (grants), ownership templates
// (owned_objects) and the scope parameters (scope_params) that a RoleBinding
// later instantiates for a member. Because the controller keeps existing
// role bindings in sync with role updates (see rb_spec_generation), a change
// to grants or owned_objects is an authorization change for every binding of
// this role, not only for new ones.
message Role {
  option (google.api.resource) = {
    type : "iam.edgelq.com/Role"
    pattern : "services/{service}/roles/{role}"
    pattern : "projects/{project}/roles/{role}"
    pattern : "organizations/{organization}/roles/{role}"
  };

  // Name of Role. A resource name following one of the patterns declared in
  // the google.api.resource option above, i.e. the role is parented by a
  // service, a project or an organization.
  string name = 1;

  // Metadata is an object with information like create, update and delete
  // time (for async deleted resources), has user labels/annotations, sharding
  // information, multi-region syncing information and may have non-schema
  // owners (useful for taking ownership of resources belonging to lower level
  // services by higher ones).
  goten.types.Meta metadata = 4;

  // Display Name.
  string display_name = 2;

  // Optional description.
  string description = 9;

  // Category to which the Role belongs. It cannot be changed after creation.
  // The category restricts which member types and RoleBinding scopes the role
  // may be bound with; see the Category enum below.
  Category category = 10;

  // List of scope params, they are used to evaluate object prefixes in
  // grants and values in their field conditions, if any. Each entry declares
  // a parameter name and its value type; the values themselves come from the
  // RoleBinding, from const_values or from default_values.
  repeated ScopeParamType scope_params = 3;

  // List of const scope params for this role.
  // NOTE(review): the precedence between const_values and values supplied by
  // a RoleBinding (whether a binding can override a const value) is not
  // documented here — confirm before relying on const_values as a hard
  // restriction of what a binding may grant.
  repeated ScopeParam const_values = 11;

  // List of default values for the passed scope params, used when the
  // RoleBinding does not supply a value for a declared scope param.
  // NOTE(review): the "used when not supplied" reading follows from the
  // name; confirm against the controller that applies them.
  repeated ScopeParam default_values = 12;

  // List of permissions granted per each object prefix. Every Grant is
  // evaluated inside the RoleBinding scope (project, organization, service)
  // extended by its sub_scope; see Grant.
  repeated Grant grants = 5;

  // List of owned objects templates - during binding of a role, each owned
  // object specified in this role is computed against scope params from role
  // binding to evaluate final owned objects. For example, if owned_objects in
  // Role contains value "regions/{region}/devices/{device}", and RoleBinding
  // specifies region=useast and device=d1, then final owned_object will be
  // regions/useast/devices/d1. Ownership also would include any potential
  // child resources of this device. Note that RoleBinding scope (project,
  // organization, service) will still be prepended before each owned object
  // to form fully qualified name of the owned resource. Owned objects may
  // contain wildcards: '-'. As a special case, if owned objects contain
  // string with only single character: '-', then it means member of the role
  // binding is considered as full owner of the scope.
  //
  // Security note: a single "-" entry makes every member of every binding of
  // this role a full owner of the binding scope, and a wildcard inside a
  // template extends ownership to all matching resources and their children.
  // Roles containing such entries deserve the same review as the OWNER
  // category.
  //
  // This field cannot be modified after role creation.
  repeated string owned_objects = 6;

  // List of services used by this role. It is being detected by the usage of
  // permissions in grants - or if it has owned objects, it contains all
  // services used by parent service. Derived by the service, not meant as
  // client-supplied input.
  // NOTE(review): "derived, not client input" is inferred from "It is being
  // detected" — confirm whether the API rejects or ignores a client-set
  // value.
  repeated string services = 7;

  // Internal field maintained by the controller to ensure role bindings are
  // in sync with role updates.
  int64 rb_spec_generation = 8;

  // ScopeParamType declares one scope parameter referenced by grants and
  // owned_objects of this role, together with the type of value it carries.
  message ScopeParamType {
    // Name of the parameter. In owned_objects it is referenced as a
    // "{name}" placeholder (see the owned_objects example above).
    // NOTE(review): presumably the same placeholder syntax is used in
    // Grant.sub_scope and in FieldCondition values — verify.
    string name = 1;

    // Value type of the parameter.
    Type type = 2;

    // Type enumerates the value shapes a scope param can have. The values
    // correspond to the forms of ScopeParam.value (StringValue /
    // ArrayOfStringsValue).
    enum Type {
      // Zero/default value, meaning no type was specified.
      UNDEFINED = 0;

      // Parameter holds a single string (ScopeParam.string).
      STRING = 1;

      // Parameter holds a list of strings (ScopeParam.strings).
      ARRAY_OF_STRINGS = 2;
    }
  }

  // Grant lists the permissions applicable within one scope prefix,
  // optionally gated by resource/request field conditions and executable
  // conditions. All conditions of a grant are evaluated with values taken
  // from the RoleBinding's scope params.
  message Grant {
    // Optional prefix that is APPENDED to the scope inherited from
    // RoleBinding (project, organization, service). If not specified, then
    // scope is equal to the one from RoleBinding.
    string sub_scope = 1;

    // List of applicable permissions for this grant. Not relevant if is_owner
    // is true.
    // NOTE(review): `is_owner` is not a field of this message or of Role;
    // presumably it refers to ownership established via Role.owned_objects
    // (or on the RoleBinding side) — confirm and point the comment at the
    // actual field.
    repeated string permissions = 2;

    // List of resource field conditions. Values for conditions are extracted
    // from assigned RoleBinding (scope params).
    // Resource extraction is following:
    // - If request has resource body, then it is used.
    // - If request has resource name, then resource is extracted from
    //   database and its fields are used.
    // - If request has filter object applicable for collection requests
    //   (like list, collection watch...), then service uses resource field
    //   paths and values extracted from filter conditions.
    // NOTE(review): for collection requests the condition can only be
    // checked against values the filter actually supplies; how a request
    // whose filter does not constrain a conditioned path is handled
    // (rejected vs. allowed) is not specified here — confirm, as it decides
    // whether these conditions narrow list/watch access at all.
    repeated FieldCondition resource_field_conditions = 3;

    // List of request field conditions. Values for conditions are extracted
    // from assigned RoleBinding (scope params). Evaluated against fields of
    // the request message rather than of the resource.
    repeated FieldCondition request_field_conditions = 4;

    // List of executable conditions to be applied in order to validate this
    // grant (ExecutableCondition is imported from condition.proto). Note
    // that executable conditions are also specified in RoleBinding, as often
    // it is not possible to define all params in the Role itself, before
    // binding. Final executable conditions, in RoleBinding context, are
    // computed in the following way:
    // - Executable conditions from RoleBinding and Role are matched by
    //   condition reference.
    // - Params are merged FROM condition in Role into condition in
    //   RoleBinding. It is expected that Role defines "common" params and
    //   RoleBinding defines remaining ones.
    repeated ExecutableCondition executable_conditions = 5;

    // FieldCondition requires a field of the resource or request to hold a
    // given value.
    message FieldCondition {
      // Field path within the resource/request being checked.
      string path = 1;

      // Expected value. Per the parent comments, values are extracted from
      // the RoleBinding scope params.
      // NOTE(review): the syntax for referencing a scope param here
      // (literal vs. "{name}" placeholder) is not shown in this file —
      // verify.
      string value = 2;
    }
  }

  // Category points to the intended role use. It may restrict how
  // RoleBindings are created (allowed member types and binding scopes).
  enum Category {
    // Undefined, not allowed.
    UNDEFINED = 0;

    // Role is intended for public access. Restricted members: allUsers,
    // allAuthenticatedUsers. No RoleBinding scope restrictions.
    PUBLIC = 1;

    // Role is for internal purposes, defined by a parent service. There are
    // no restrictions to scope and members.
    INTERNAL = 2;

    // Special owner role - reserved to "scope-admin" role in IAM. It is de
    // facto reserved category for EdgeLQ core services only, but is also
    // kind of USER type.
    OWNER = 3;

    // Role relevant for Service Management, check display name and/or
    // description for more information.
    SERVICE = 4;

    // Role for various edge agents. Restricted to project scope and service
    // account member types. Cannot be assigned to groups.
    AGENT = 5;

    // Role relevant for users, provides an access to various actions on
    // organization/project level. Typically should be given to users, but
    // ServiceAccount is also possible. Can be assigned to group members.
    USER = 6;
  }
}

// ScopeParam binds a scope parameter name to a value, given either literally
// (string / strings) or by reference to an attribute of the calling principal
// (value_from). Used by Role.const_values and Role.default_values.
message ScopeParam {
  // Name of the variable to be used in conditions/scope values. Matches a
  // Role.ScopeParamType.name.
  string name = 1;

  // Exactly one value form is set.
  oneof value {
    // Value is a single string.
    StringValue string = 2;

    // List of alternative values.
    ArrayOfStringsValue strings = 3;

    // Value is extracted dynamically from pointed object type.
    FromValue value_from = 4;
  }

  // StringValue represents single value.
  message StringValue { string value = 1; }

  // ArrayOfStringsValue represents array of strings value.
  message ArrayOfStringsValue { repeated string values = 1; }

  // FromValue represents a value(s) from specific dynamic object.
  //
  // Security note: the value resolved here feeds scope values and
  // conditions, so authorization depends on the referenced principal
  // attribute. Which attributes of PRINCIPAL_METADATA / PRINCIPAL_USER /
  // PRINCIPAL_SVCACC a principal can set for itself is not shown in this
  // file — confirm before pointing path at a self-writable field.
  message FromValue {
    // Source indicates type of dynamic object from where we take value(s).
    Source source = 1;

    // Path within specified object from which exactly we get value(s).
    string path = 2;

    // Source indicates which dynamic object is used to extract value from.
    enum Source {
      // Zero/default value, meaning no source was specified.
      UNDEFINED = 0;

      // Object from which value is taken is metadata.
      // Valid for Service Accounts and user types.
      PRINCIPAL_METADATA = 1;

      // Object from which value is taken is User principal.
      // If principal executing an Action is not a User, then
      // value will be empty.
      PRINCIPAL_USER = 2;

      // Object from which value is taken is ServiceAccount principal.
      // If principal executing an Action is not a ServiceAccount, then
      // value will be empty.
      PRINCIPAL_SVCACC = 3;
    }
  }
}