
     1  syntax = "proto3";
     2  
     3  package ntt.iam.v1alpha2;
     4  
     5  import "edgelq-sdk/iam/proto/v1alpha2/condition.proto";
     6  import "google/api/resource.proto";
     7  import "goten-sdk/types/meta.proto";
     8  
     9  option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1alpha2/role_binding;role_binding";
    10  option java_multiple_files = true;
    11  option java_outer_classname = "RoleBindingProto";
    12  option java_package = "com.ntt.iam.pb.v1alpha2";
    13  
// RoleBinding in the IAM RBAC model is the way of granting access to a party
// (user, service account, etc.) to edgelq resources. Creating a RoleBinding
// requires the user to answer 3 questions:
//
// Who: with the member field, e.g. "user:wile.e.coyote@customers.acme.com"
// What: specify the scope (or parent), e.g. `projects/acme/roleBindings/<uuid>`
// How: bind a role and an optional condition to grant access to resources
// within the above scope
//
// RoleBindings are additive, meaning that creating a new RoleBinding may only
// extend the ability of a given member to perform actions. In other words a
// RoleBinding doesn't affect other RoleBindings, and
// [PermissionCheck][ntt.iam.v1alpha2.PermissionCheck] needs to find *any*
// RoleBinding granting the permission. As a consequence there is no "deny"
// binding in this schema: access is withdrawn only by removing every
// RoleBinding that grants it.
message RoleBinding {
  // Resource descriptor. A RoleBinding may live at the root, under a project
  // or under an organization; the parent part of the name is the scope the
  // grant applies to.
  option (google.api.resource) = {
    type : "iam.edgelq.com/RoleBinding"
    pattern : "roleBindings/{role_binding}"
    pattern : "projects/{project}/roleBindings/{role_binding}"
    pattern : "organizations/{organization}/roleBindings/{role_binding}"
  };

  // Resource name of the RoleBinding, following one of the patterns above.
  // When creating a new instance, this field is optional and if not provided,
  // it will be generated automatically. The last ID segment must conform to
  // the following regex: [\\w.|-]{1,128}
  string name = 1;

  // Role granted to the member (reference to a Role resource).
  // NOTE(review): the reference type is the short name "Role" while this
  // resource declares its own type as "iam.edgelq.com/RoleBinding"; presumably
  // the goten convention for resource references - confirm.
  string role = 2 [ (google.api.resource_reference) = {type : "Role"} ];

  // The party the role is granted to.
  // Format of the string is one of:
  // - "allUsers" (anyone)
  // - "allAuthenticatedUsers" (anyone logged in)
  // - "user:admin.super@example.com"
  // - "serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com"
  // - "group:nice.group@example.com"
  // - "domain:example.com" (anyone with exact email domain)
  // "allUsers", "allAuthenticatedUsers" and "domain:" are broad grants: every
  // principal matching them receives the bound role within the scope, so
  // bindings with these members deserve extra review.
  string member = 4;

  // Optional ConditionBinding attached to the grant (see condition.proto).
  // Only a single condition can be attached at the moment.
  // TODO: Make it repeated and make sure backend will check all before
  // verifying
  ConditionBinding condition_binding = 6;

  // Internal field used by the IAM controller to note the role binding's
  // ancestry path (see Parent below).
  // NOTE(review): presumably controller-owned; confirm that the API server
  // ignores or rejects client-supplied values for this field.
  repeated Parent ancestry_path = 7;

  // Metadata (see goten.types.Meta).
  goten.types.Meta metadata = 8;

  // Provides information about the inheritance of this role binding - if it
  // was created from another role binding.
  message Parent {
    // Role bindings which have a group as member have a child for each
    // service account and user in that group. All those role bindings have
    // one common parent pointing at the group role binding.
    // NOTE(review): short reference type "RoleBinding", as for `role` above.
    string parent = 1
        [ (google.api.resource_reference) = {type : "RoleBinding"} ];

    // Member of the parent role binding (e.g. the "group:..." member the
    // child binding was derived from).
    string member = 2;
  }

  // Number 5 presumably belonged to a removed field and must not be reused
  // with a different meaning. Its old name is not reserved here; add
  // `reserved "<old field name>";` if it is known.
  // NOTE(review): number 3 is also unused but not reserved - if it belonged
  // to a deleted field, reserve it too; confirm against the schema history.
  reserved 5;
}