
     1  syntax = "proto3";
     2  
     3  package ntt.iam.v1;
     4  
     5  import "edgelq-sdk/iam/proto/v1/condition.proto";
     6  import "edgelq-sdk/iam/proto/v1/role.proto";
     7  import "google/api/resource.proto";
     8  import "goten-sdk/types/meta.proto";
     9  
    10  option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1/role_binding;role_binding";
    11  option java_multiple_files = true;
    12  option java_outer_classname = "RoleBindingProto";
    13  option java_package = "com.ntt.iam.pb.v1";
    14  
    15  // RoleBinding Resource
    16  message RoleBinding {
    17    option (google.api.resource) = {
    18      type : "iam.edgelq.com/RoleBinding"
    19      pattern : "roleBindings/{role_binding}"
    20      pattern : "projects/{project}/roleBindings/{role_binding}"
    21      pattern : "organizations/{organization}/roleBindings/{role_binding}"
    22      pattern : "services/{service}/roleBindings/{role_binding}"
    23    };
    24  
    25    // Name of RoleBinding
    26    string name = 1;
    27  
    28    // Metadata is an object with information like create, update and delete time
    29    // (for async deleted resources), has user labels/annotations, sharding
    30    // information, multi-region syncing information and may have non-schema
    31    // owners (useful for taking ownership of resources belonging to lower level
    32    // services by higher ones).
    33    goten.types.Meta metadata = 8;
    34  
    35    // Applied role.
    36    string role = 2;
    37  
    38    // Binding members
    39    // Format of the string is one of:
    40    // - "allUsers" (anyone)
    41    // - "allAuthenticatedUsers" (anyone logged in from handling service point of
    42    // view)
    43    // - "user:admin.super@example.com"
    44    // - "serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com"
    45    // - "group:nice.group@example.com"
    46    // - "domain:example.com" (anyone with exact email domain)
    47    string member = 4;
    48  
    49    // All scope params defined as required by a role
    50    repeated ScopeParam scope_params = 5;
    51  
    52    // optional executable conditions to be added to the role binding.
    53    // They are matched with the executable conditions in a role grants
    54    // by condition reference. If there is condition defined in RoleBinding,
    55    // but not in any role grant, then executable condition is applied to
    56    // all role grants.
    57    repeated ExecutableCondition executable_conditions = 6;
    58  
    59    // List of owned objects WITHIN role binding scope - for example
    60    // if role binding is a child of project and owner_objects contain some
    61    // device, member has all possible permissions for this device in project,
    62    // regardless of method. In case ownership is for whole role binding scope, it
    63    // will contain "-" string. This is computed based on a role with
    64    // wildcard grants.
    65    repeated string owned_objects = 3;
    66  
    67    // Member type, its prefix from member before ':' rune, fo example "user".
    68    // If member has no ':' (like allUsers), then it will contain same value.
    69    string member_type = 9;
    70  
    71    // Role category, taken from role itself, allows for additional filtering.
    72    Role.Category category = 14;
    73  
    74    // Internal field used by IAM controller to note role binding ancestry path
    75    // for Group type (RoleBindings inherited from Group)
    76    repeated Parent ancestry_path = 7;
    77  
    78    // Internal field used by IAM controller to note parent role binding
    79    // from Parent Organization type. It is much different compared to
    80    // "ancestry_path", we just need direct parent. This is because it is simpler
    81    // - controller for this inheritance does not need full ancestry path for loop
    82    // detection. Groups are complicated and it is legal for two groups containing
    83    // each other as members. But organization ancestry path does not allow loops,
    84    // so we can afford simple field!
    85    string parent_by_org = 12;
    86  
    87    // Internal field used to synchronize role binding with role.
    88    // This value increases when we spec in a role changes in a way requiring role
    89    // binding resynchronization.
    90    int64 spec_generation = 10;
    91  
    92    // Internal field indicating if role binding has owned objects.
    93    // It is used for filtering, as its not possible to filter by
    94    // len(owned_objects) > 0
    95    bool has_owned_objects = 11;
    96  
    97    // If true, then this RoleBinding DOES NOT apply to child entities.
    98    // TODO: For now IAM Server decides if this RB is not assignable, consider
    99    // opening this.
   100    bool disable_for_child_scopes = 13;
   101  
   102    // Provides information about inheritance of this role binding - if it was
   103    // created from another role binding.
   104    message Parent {
   105      // Role bindings which have group as member have child for each service
   106      // account and user in that group. All those role bindings have one common
   107      // parent pointing at group role binding
   108      string parent = 1;
   109  
   110      // Member of the parent role binding
   111      string member = 2;
   112    }
   113  }