github.com/cloudwan/edgelq-sdk@v1.15.4/iam/proto/v1alpha2/condition.proto

github.com/cloudwan/edgelq-sdk@v1.15.4/iam/proto/v1alpha2/condition.proto (about)

     1  syntax = "proto3";
     2  
     3  package ntt.iam.v1alpha2;
     4  
     5  import "edgelq-sdk/iam/proto/v1alpha2/organization.proto";
     6  import "edgelq-sdk/iam/proto/v1alpha2/project.proto";
     7  import "google/api/resource.proto";
     8  import "google/protobuf/struct.proto";
     9  import "goten-sdk/types/meta.proto";
    10  
    11  option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1alpha2/condition;condition";
    12  option java_multiple_files = true;
    13  option java_outer_classname = "ConditionProto";
    14  option java_package = "com.ntt.iam.pb.v1alpha2";
    15  
    16  // Condition Resource provides an extension to primary RBAC model, which allows
    17  // customizable (scriptable) access. Conditions can only be used to further
    18  // limit (or narrow) access compared to standard (or unconditional) RBAC.
    19  //
    20  // Usage:
    21  //
    22  // 1. Condition is created with expression and parameter declarations.
    23  //    Consider this a definition, which will be later "bound".
    24  // 2. When creating a [RoleBinding] pass [ConditionBinding] with reference to
    25  // [Condition] and bound parameters.
    26  //
    27  // When checking for principal access (anonymous, user, service account), for
    28  // RoleBinding to grant permissions included in bound [Role], both RBAC and
    29  // Condition expression evaluation must grant access.
    30  message Condition {
    31    option (google.api.resource) = {
    32      type : "iam.edgelq.com/Condition"
    33      pattern : "conditions/{condition}"
    34      pattern : "projects/{project}/conditions/{condition}"
    35      pattern : "organizations/{organization}/conditions/{condition}"
    36    };
    37  
    38    // Name of Condition
    39    // When creating a new instance, this field is optional and if not provided,
    40    // it will be generated automatically. Last ID segment must conform to the
    41    // following regex: [a-zA-Z0-9_.-]{1,128}
    42    string name = 1;
    43  
    44    // Display Name
    45    string display_name = 2;
    46  
    47    // Description
    48    string description = 3;
    49  
    50    // Condition expression in [Google
    51    // CEL](https://github.com/google/cel-spec/blob/v0.4.0/doc/intro.md), syntax,
    52    // e.g. `resource.name == "projects/xyz/instances/abc"`
    53    //
    54    // Accessible parameters:
    55    // | variable | type | description | examples |
    56    // |-|-|-|-|
    57    // | `resource.body` | `string` | Resource type | `"iam.edgelq.com/Condition"`
    58    // | | `request.action` | `string` | Action verb | `"create"`, `"batchGet"` |
    59    // | `request.body` | `dyn` | Request body (in native format). |
    60    // request.body.page_size | | `parameters` | `map(string, dyn)` | Bound
    61    // parameters. | `parameters.minSeverity` | | `attest.policy` | `string` |
    62    // Name of attestation policy attested with by the atestee; empty string if
    63    // none. | `""`, `"projects/myProj/AttestationPolicies/myPol"` |
    64    //
    65    // Extension:
    66    //
    67    // Some
    68    //
    69    // Filter.`satisfies(other)`
    70    //
    71    // Access is determined by the return value. Return `true` to grant access or
    72    // `false` to deny. Any execution error results in access denied.
    73    string expression = 4;
    74  
    75    // Typed parameters declarations. When binding a Condition passed parameters
    76    // must correspond to declarations.
    77    repeated ParameterDeclaration parameter_declarations = 5;
    78  
    79    // Metadata
    80    goten.types.Meta metadata = 6;
    81  
    82    // Parameter Declarations used
    83    message ParameterDeclaration {
    84      // Parameter Key - must be unique within condition. Defined parameter
    85      // variables are accessible in condition expression via `parameters.<key>`,
    86      // e.g.`parameters.projectId`
    87      string key = 1;
    88  
    89      // Parameter value type
    90      ParameterType type = 2;
    91    }
    92  
    93    // Parameter Type.
    94    enum ParameterType {
    95      TYPE_UNSPECIFIED = 0;
    96  
    97      STRING = 1;
    98  
    99      INT64 = 2;
   100  
   101      DOUBLE = 3;
   102  
   103      BOOL = 4;
   104  
   105      STRING_ARRAY = 5;
   106  
   107      INT64_ARRAY = 6;
   108  
   109      DOUBLE_ARRAY = 7;
   110  
   111      BOOL_ARRAY = 8;
   112  
   113      OBJECT = 9;
   114    }
   115  }
   116  
   117  // ConditionBinding represents instantiantion of condi
   118  message ConditionBinding {
   119    // Reference to Condition which may also be parameterized
   120    string condition = 1;
   121  
   122    // TODO: Deprecated, use params instead
   123    map<string, string> parameters = 2;
   124  
   125    // Parameters in string form. Parameters must match
   126    // [declarations][ntt.iam.v1alpha2.Condition.parameter_declarations]
   127    google.protobuf.Struct params = 3;
   128  }