google-cloud-asset-v1 0.6.0 → 0.9.1
- checksums.yaml +4 -4
- data/lib/google/cloud/asset/v1.rb +3 -0
- data/lib/google/cloud/asset/v1/asset_service/client.rb +33 -48
- data/lib/google/cloud/asset/v1/asset_service/operations.rb +1 -1
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +18 -33
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +20 -20
- data/lib/google/cloud/asset/v1/assets_pb.rb +4 -0
- data/lib/google/cloud/asset/v1/version.rb +1 -1
- data/lib/google/cloud/osconfig/v1/inventory_pb.rb +108 -0
- data/proto_docs/google/api/resource.rb +50 -14
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +160 -180
- data/proto_docs/google/cloud/asset/v1/assets.rb +16 -20
- data/proto_docs/google/cloud/osconfig/v1/inventory.rb +284 -0
- metadata +5 -3
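--- a/data/proto_docs/google/api/resource.rb
+++ b/data/proto_docs/google/api/resource.rb
@@ -43,12 +43,12 @@ module Google
 #
 # The ResourceDescriptor Yaml config will look like:
 #
-#
-#
-#
-#
-#
-#
+# resources:
+# - type: "pubsub.googleapis.com/Topic"
+# name_descriptor:
+# - pattern: "projects/{project}/topics/{topic}"
+# parent_type: "cloudresourcemanager.googleapis.com/Project"
+# parent_name_extractor: "projects/{project}"
 #
 # Sometimes, resources have multiple patterns, typically because they can
 # live under multiple parents.
@@ -183,15 +183,24 @@ module Google
 # }
 # @!attribute [rw] plural
 # @return [::String]
-# The plural name used in the resource name, such as
-# the name of 'projects/\\{project}'
-#
+# The plural name used in the resource name and permission names, such as
+# 'projects' for the resource name of 'projects/\\{project}' and the permission
+# name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
+# concept of the `plural` field in k8s CRD spec
 # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+#
+# Note: The plural form is required even for singleton resources. See
+# https://aip.dev/156
 # @!attribute [rw] singular
 # @return [::String]
 # The same concept of the `singular` field in k8s CRD spec
 # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
 # Such as "project" for the `resourcemanager.googleapis.com/Project` type.
+# @!attribute [rw] style
+# @return [::Array<::Google::Api::ResourceDescriptor::Style>]
+# Style flag(s) for this resource.
+# These indicate that a resource is expected to conform to a given
+# style. See the specific style flags for additional information.
 class ResourceDescriptor
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -211,6 +220,22 @@ module Google
 # that from being necessary once there are multiple patterns.)
 FUTURE_MULTI_PATTERN = 2
 end
+
+# A flag representing a specific style that a resource claims to conform to.
+module Style
+# The unspecified value. Do not use.
+STYLE_UNSPECIFIED = 0
+
+# This resource is intended to be "declarative-friendly".
+#
+# Declarative-friendly resources must be more strictly consistent, and
+# setting this to true communicates to tools that this resource should
+# adhere to declarative-friendly expectations.
+#
+# Note: This is used by the API linter (linter.aip.dev) to enable
+# additional checks.
+DECLARATIVE_FRIENDLY = 1
+end
 end
 
 # Defines a proto annotation that describes a string field that refers to
@@ -226,6 +251,17 @@ module Google
 # type: "pubsub.googleapis.com/Topic"
 # }];
 # }
+#
+# Occasionally, a field may reference an arbitrary resource. In this case,
+# APIs use the special value * in their resource reference.
+#
+# Example:
+#
+# message GetIamPolicyRequest {
+# string resource = 2 [(google.api.resource_reference) = {
+# type: "*"
+# }];
+# }
 # @!attribute [rw] child_type
 # @return [::String]
 # The resource type of a child collection that the annotated field
@@ -234,11 +270,11 @@ module Google
 #
 # Example:
 #
-#
-#
-#
-#
-#
+# message ListLogEntriesRequest {
+# string parent = 1 [(google.api.resource_reference) = {
+# child_type: "logging.googleapis.com/LogEntry"
+# };
+# }
 class ResourceReference
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods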
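--- a/data/proto_docs/google/cloud/asset/v1/asset_service.rb
+++ b/data/proto_docs/google/cloud/asset/v1/asset_service.rb
@@ -287,11 +287,91 @@ module Google
 # table will be overwritten by the contents of assets snapshot. If the flag
 # is `FALSE` or unset and the destination table already exists, the export
 # call returns an INVALID_ARGUMEMT error.
+# @!attribute [rw] partition_spec
+# @return [::Google::Cloud::Asset::V1::PartitionSpec]
+# [partition_spec] determines whether to export to partitioned table(s) and
+# how to partition the data.
+#
+# If [partition_spec] is unset or [partition_spec.partition_key] is unset or
+# `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
+# non-partitioned table(s). [force] will decide whether to overwrite existing
+# table(s).
+#
+# If [partition_spec] is specified. First, the snapshot results will be
+# written to partitioned table(s) with two additional timestamp columns,
+# readTime and requestTime, one of which will be the partition key. Secondly,
+# in the case when any destination table already exists, it will first try to
+# update existing table's schema as necessary by appending additional
+# columns. Then, if [force] is `TRUE`, the corresponding partition will be
+# overwritten by the snapshot results (data in different partitions will
+# remain intact); if [force] is unset or `FALSE`, it will append the data. An
+# error will be returned if the schema update or data appension fails.
+# @!attribute [rw] separate_tables_per_asset_type
+# @return [::Boolean]
+# If this flag is `TRUE`, the snapshot results will be written to one or
+# multiple tables, each of which contains results of one asset type. The
+# [force] and [partition_spec] fields will apply to each of them.
+#
+# Field [table] will be concatenated with "_" and the asset type names (see
+# https://cloud.google.com/asset-inventory/docs/supported-asset-types for
+# supported asset types) to construct per-asset-type table names, in which
+# all non-alphanumeric characters like "." and "/" will be substituted by
+# "_". Example: if field [table] is "mytable" and snapshot results
+# contain "storage.googleapis.com/Bucket" assets, the corresponding table
+# name will be "mytable_storage_googleapis_com_Bucket". If any of these
+# tables does not exist, a new table with the concatenated name will be
+# created.
+#
+# When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
+# each table will include RECORD-type columns mapped to the nested fields in
+# the Asset.resource.data field of that asset type (up to the 15 nested level
+# BigQuery supports
+# (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
+# fields in >15 nested levels will be stored in JSON format string as a child
+# column of its parent RECORD column.
+#
+# If error occurs when exporting to any table, the whole export call will
+# return an error but the export results that already succeed will persist.
+# Example: if exporting to table_type_A succeeds when exporting to
+# table_type_B fails during one export call, the results in table_type_A will
+# persist and there will not be partial results persisting in a table.
 class BigQueryDestination
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
 end
 
+# Specifications of BigQuery partitioned table as export destination.
+# @!attribute [rw] partition_key
+# @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
+# The partition key for BigQuery partitioned table.
+class PartitionSpec
+include ::Google::Protobuf::MessageExts
+extend ::Google::Protobuf::MessageExts::ClassMethods
+
+# This enum is used to determine the partition key column when exporting
+# assets to BigQuery partitioned table(s). Note that, if the partition key is
+# a timestamp column, the actual partition is based on its date value
+# (expressed in UTC. see details in
+# https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
+module PartitionKey
+# Unspecified partition key. If used, it means using non-partitioned table.
+PARTITION_KEY_UNSPECIFIED = 0
+
+# The time when the snapshot is taken. If specified as partition key, the
+# result table(s) is partitoned by the additional timestamp column,
+# readTime. If [read_time] in ExportAssetsRequest is specified, the
+# readTime column's value will be the same as it. Otherwise, its value will
+# be the current time that is used to take the snapshot.
+READ_TIME = 1
+
+# The time when the request is received and started to be processed. If
+# specified as partition key, the result table(s) is partitoned by the
+# requestTime column, an additional timestamp column representing when the
+# request was received.
+REQUEST_TIME = 2
+end
+end
+
 # A Pub/Sub destination.
 # @!attribute [rw] topic
 # @return [::String]
@@ -548,7 +628,7 @@ module Google
 # IAM policy analysis query message.
 # @!attribute [rw] scope
 # @return [::String]
-# The relative name of the root asset. Only resources and IAM policies within
+# Required. The relative name of the root asset. Only resources and IAM policies within
 # the scope will be analyzed.
 #
 # This can only be an organization number (such as "organizations/123"), a
@@ -562,16 +642,16 @@ module Google
 # ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
 # @!attribute [rw] resource_selector
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
-# Specifies a resource for analysis.
+# Optional. Specifies a resource for analysis.
 # @!attribute [rw] identity_selector
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
-# Specifies an identity for analysis.
+# Optional. Specifies an identity for analysis.
 # @!attribute [rw] access_selector
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
-# Specifies roles or permissions for analysis. This is optional.
+# Optional. Specifies roles or permissions for analysis. This is optional.
 # @!attribute [rw] options
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
-# The query options.
+# Optional. The query options.
 class IamPolicyAnalysisQuery
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -581,7 +661,7 @@ module Google
 # projects.
 # @!attribute [rw] full_resource_name
 # @return [::String]
-# The [full resource name]
+# Required. The [full resource name]
 # (https://cloud.google.com/asset-inventory/docs/resource-name-format)
 # of a resource of [supported resource
 # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
@@ -595,7 +675,7 @@ module Google
 # directly or indirectly.
 # @!attribute [rw] identity
 # @return [::String]
-# The identity appear in the form of members in
+# Required. The identity appear in the form of members in
 # [IAM policy
 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
 #
@@ -615,13 +695,14 @@ module Google
 # Specifies roles and/or permissions to analyze, to determine both the
 # identities possessing them and the resources they control. If multiple
 # values are specified, results will include roles or permissions matching
-# any of them.
+# any of them. The total number of roles and permissions should be equal or
+# less than 10.
 # @!attribute [rw] roles
 # @return [::Array<::String>]
-# The roles to appear in result.
+# Optional. The roles to appear in result.
 # @!attribute [rw] permissions
 # @return [::Array<::String>]
-# The permissions to appear in result.
+# Optional. The permissions to appear in result.
 class AccessSelector
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -630,67 +711,64 @@ module Google
 # Contains query options.
 # @!attribute [rw] expand_groups
 # @return [::Boolean]
-# If true, the identities section of the result will expand any
+# Optional. If true, the identities section of the result will expand any
 # Google groups appearing in an IAM policy binding.
 #
-# If
-#
-# is
-# selector, and this flag is not allowed to set.
+# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
+# identity in the result will be determined by the selector, and this flag
+# is not allowed to set.
 #
 # Default is false.
 # @!attribute [rw] expand_roles
 # @return [::Boolean]
-# If true, the access section of result will expand any roles
+# Optional. If true, the access section of result will expand any roles
 # appearing in IAM policy bindings to include their permissions.
 #
-# If
-#
-# is
-# selector, and this flag is not allowed to set.
+# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
+# section of the result will be determined by the selector, and this flag
+# is not allowed to set.
 #
 # Default is false.
 # @!attribute [rw] expand_resources
 # @return [::Boolean]
-# If true and
-#
-#
-#
-# resource hierarchy.
+# Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
+# specified, the resource section of the result will expand any resource
+# attached to an IAM policy to include resources lower in the resource
+# hierarchy.
 #
 # For example, if the request analyzes for which resources user A has
 # permission P, and the results include an IAM policy with P on a GCP
 # folder, the results will also include resources in that folder with
 # permission P.
 #
-# If true and
-#
-#
-#
+# If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
+# the resource section of the result will expand the specified resource to
+# include resources lower in the resource hierarchy. Only project or
+# lower resources are supported. Folder and organization resource cannot be
+# used together with this option.
 #
 # For example, if the request analyzes for which users have permission P on
-# a GCP
-# who have permission P on that
+# a GCP project with this option enabled, the results will include all
+# users who have permission P on that project or any lower resource.
 #
 # Default is false.
 # @!attribute [rw] output_resource_edges
 # @return [::Boolean]
-# If true, the result will output resource edges, starting
+# Optional. If true, the result will output resource edges, starting
 # from the policy attached resource, to any expanded resources.
 # Default is false.
 # @!attribute [rw] output_group_edges
 # @return [::Boolean]
-# If true, the result will output group identity edges, starting
+# Optional. If true, the result will output group identity edges, starting
 # from the binding's group members, to any expanded identities.
 # Default is false.
 # @!attribute [rw] analyze_service_account_impersonation
 # @return [::Boolean]
-# If true, the response will include access analysis from identities to
+# Optional. If true, the response will include access analysis from identities to
 # resources via service account impersonation. This is a very expensive
 # operation, because many derived queries will be executed. We highly
-# recommend you use
-#
-# rpc instead.
+# recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
+# instead.
 #
 # For example, if the request analyzes for which resources user A has
 # permission P, and there's an IAM policy states user A has
@@ -698,7 +776,7 @@ module Google
 # and there's another IAM policy states service account SA has permission P
 # to a GCP folder F, then user A potentially has access to the GCP folder
 # F. And those advanced analysis results will be included in
-# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis
+# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
 #
 # Another example, if the request analyzes for who has
 # permission P to a GCP folder F, and there's an IAM policy states user A
@@ -706,34 +784,22 @@ module Google
 # there's another IAM policy states service account SA has permission P to
 # the GCP folder F, then user A potentially has access to the GCP folder
 # F. And those advanced analysis results will be included in
-# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis
+# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
 #
 # Default is false.
-# @!attribute [rw] max_fanouts_per_group
-# @return [::Integer]
-# The maximum number of fanouts per group when [expand_groups][expand_groups]
-# is enabled. This internal field is to help load testing and determine a
-# proper value, and won't be public in the future.
-# @!attribute [rw] max_fanouts_per_resource
-# @return [::Integer]
-# The maximum number of fanouts per parent resource, such as
-# GCP Project etc., when [expand_resources][] is enabled. This internal
-# field is to help load testing and determine a proper value, and won't be
-# public in the future.
 class Options
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
 end
 end
 
-# A request message for
-# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
 # @!attribute [rw] analysis_query
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
-# The request query.
+# Required. The request query.
 # @!attribute [rw] execution_timeout
 # @return [::Google::Protobuf::Duration]
-# Amount of time executable has to complete. See JSON representation of
+# Optional. Amount of time executable has to complete. See JSON representation of
 # [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
 #
 # If this field is set with a value less than the RPC deadline, and the
@@ -743,40 +809,24 @@ module Google
 # If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
 #
 # Default is empty.
-#
-# (-- We had discussion of whether we should have this field in the --)
-# (-- request or use the RPC deadline instead. We finally choose this --)
-# (-- approach for the following reasons (detailed in --)
-# (-- go/analyze-iam-policy-deadlines): --)
-# (-- * HTTP clients have very limited support of the RPC deadline. --)
-# (-- There is an X-Server-Timeout header introduced in 2019/09, but --)
-# (-- only implemented in the C++ HTTP server library. --)
-# (-- * The purpose of the RPC deadline is for RPC clients to --)
-# (-- communicate its max waiting time to the server. This deadline --)
-# (-- could be further propagated to the downstream servers. It is --)
-# (-- mainly used for servers to cancel the request processing --)
-# (-- to avoid resource wasting. Overloading the RPC deadline for --)
-# (-- other purposes could make our backend system harder to reason --)
-# (-- about. --)
 class AnalyzeIamPolicyRequest
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
 end
 
-# A response message for
-# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
 # @!attribute [rw] main_analysis
 # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
 # The main analysis that matches the original request.
 # @!attribute [rw] service_account_impersonation_analysis
 # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
 # The service account impersonation analysis if
-# [
-#
+# [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
+# enabled.
 # @!attribute [rw] fully_explored
 # @return [::Boolean]
-# Represents whether all entries in the
-#
+# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
+# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
 # answer the query in the request.
 class AnalyzeIamPolicyResponse
 include ::Google::Protobuf::MessageExts
@@ -788,87 +838,18 @@ module Google
 # The analysis query.
 # @!attribute [rw] analysis_results
 # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
-# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult
-#
+# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
+# empty if no result is found.
 # @!attribute [rw] fully_explored
 # @return [::Boolean]
-# Represents whether all entries in the
-#
-# the query.
-# @!attribute [rw] stats
-# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
-# The stats of how the analysis has been explored.
+# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
+# fully explored to answer the query.
 # @!attribute [rw] non_critical_errors
 # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
 # A list of non-critical errors happened during the query handling.
 class IamPolicyAnalysis
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
-
-# A stats message that contains a set of analysis metrics.
-#
-# Here are some equations to show relationships of the explicitly specified
-# metrics with other implicit metrics:
-# * node_count = discovered_node_count + undiscovered_node_count(implicit)
-# * discovered_node_count = explored_node_count +
-# unexplored_node_count(implicit)
-# * explored_node_count = capped_node_count + uncapped_node_count(implicit)
-# * unexplored_node_count(implicit) = permission_denied_node_count +
-# execution_timeout_node_count + other_unexplored_node_count(implicit)
-# * discovered_node_count = matched_node_count +
-# unmatched_node_count(implicit)
-# @!attribute [rw] node_type
-# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
-# Node type.
-# @!attribute [rw] node_subtype
-# @return [::String]
-# The subtype of a node, such as:
-# * For Identity: Group, User, ServiceAccount etc.
-# * For Resource: resource type name, such as
-# cloudresourcemanager.googleapis.com/Organization, etc.
-# * For Access: Role or Permission
-# @!attribute [rw] discovered_node_count
-# @return [::Integer]
-# The count of discovered nodes.
-# @!attribute [rw] matched_node_count
-# @return [::Integer]
-# The count of nodes that match the query. These nodes form a sub-graph
-# of discovered nodes.
-# @!attribute [rw] explored_node_count
-# @return [::Integer]
-# The count of explored nodes.
-# @!attribute [rw] capped_node_count
-# @return [::Integer]
-# The count of nodes that get explored, but are capped by max fanout
-# setting.
-# @!attribute [rw] permision_denied_node_count
-# @return [::Integer]
-# The count of unexplored nodes caused by permission denied error.
-# @!attribute [rw] execution_timeout_node_count
-# @return [::Integer]
-# The count of unexplored nodes caused by execution timeout.
-class Stats
-include ::Google::Protobuf::MessageExts
-extend ::Google::Protobuf::MessageExts::ClassMethods
-
-# Type of the node.
-module NodeType
-# Unspecified node type.
-NODE_TYPE_UNSPECIFIED = 0
-
-# IAM Policy Binding node type.
-BINDING = 1
-
-# Identity node type.
-IDENTITY = 2
-
-# Resource node type.
-RESOURCE = 3
-
-# Access node type.
-ACCESS = 4
-end
-end
 end
 end
 
@@ -886,11 +867,10 @@ module Google
 # A Cloud Storage location.
 # @!attribute [rw] uri
 # @return [::String]
-# The uri of the Cloud Storage object. It's the same uri that is used by
-# gsutil. For example: "gs://bucket_name/object_name". See
-#
-#
-# for more information.
+# Required. The uri of the Cloud Storage object. It's the same uri that is used by
+# gsutil. For example: "gs://bucket_name/object_name". See
+# [Quickstart: Using the gsutil tool]
+# (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
 class GcsDestination
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -899,25 +879,36 @@ module Google
 # A BigQuery destination.
 # @!attribute [rw] dataset
 # @return [::String]
-# The BigQuery dataset in format "projects/projectId/datasets/datasetId",
+# Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
 # to which the analysis results should be exported. If this dataset does
 # not exist, the export call will return an INVALID_ARGUMENT error.
 # @!attribute [rw] table_prefix
 # @return [::String]
-# The prefix of the BigQuery tables to which the analysis results will be
+# Required. The prefix of the BigQuery tables to which the analysis results will be
 # written. Tables will be created based on this table_prefix if not exist:
 # * <table_prefix>_analysis table will contain export operation's metadata.
 # * <table_prefix>_analysis_result will contain all the
-#
+# {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
 # When [partition_key] is specified, both tables will be partitioned based
 # on the [partition_key].
 # @!attribute [rw] partition_key
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
 # The partition key for BigQuery partitioned table.
-# @!attribute [rw]
-# @return [::
-#
-#
+# @!attribute [rw] write_disposition
+# @return [::String]
+# Optional. Specifies the action that occurs if the destination table or partition
+# already exists. The following values are supported:
+#
+# * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
+# overwrites the entire table or all the partitions data.
+# * WRITE_APPEND: If the table or partition already exists, BigQuery
+# appends the data to the table or the latest partition.
+# * WRITE_EMPTY: If the table already exists and contains data, an error is
+# returned.
+#
+# The default value is WRITE_APPEND. Each action is atomic and only occurs
+# if BigQuery is able to complete the job successfully. Details are at
+# https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
 class BigQueryDestination
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -936,37 +927,23 @@ module Google
 # additional timestamp column representing when the request was received.
 REQUEST_TIME = 1
 end
-
-# Write mode types if table exists.
-module WriteMode
-# Unspecified write mode. We expect one of the following valid modes must
-# be specified when table or partition exists.
-WRITE_MODE_UNSPECIFIED = 0
-
-# Abort the export when table or partition exists.
-ABORT = 1
-
-# Overwrite the table when table exists. When partitioned, overwrite
-# the existing partition.
-OVERWRITE = 2
-end
 end
 end
 
-# A request message for
+# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
 # @!attribute [rw] analysis_query
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
-# The request query.
+# Required. The request query.
 # @!attribute [rw] output_config
 # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
-# Output configuration indicating where the results will be output to.
-class
+# Required. Output configuration indicating where the results will be output to.
+class AnalyzeIamPolicyLongrunningRequest
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
 end
 
-#
-class
+# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
+class AnalyzeIamPolicyLongrunningResponse
 include ::Google::Protobuf::MessageExts
 extend ::Google::Protobuf::MessageExts::ClassMethods
 end
@@ -987,6 +964,9 @@ module Google
 
 # The Cloud Access context manager Policy set on an asset.
 ACCESS_POLICY = 5
+
+# The runtime OS Inventory information.
+OS_INVENTORY = 6
 end
 end
 end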
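Review bot: The new `write_disposition` attribute on `IamPolicyAnalysisOutputConfig::BigQueryDestination` (hunk `@@ -899,25 +879,36 @@`) is documented as a plain `::String` defaulting to WRITE_APPEND, and its comment does not say what happens when the value is not one of the three listed strings. The next hunk removes the `WriteMode` enum (WRITE_MODE_UNSPECIFIED, ABORT, OVERWRITE), so callers written against those constants get no documented mapping. The semantics also differ: ABORT was described as aborting whenever the table or partition exists, while WRITE_EMPTY is described as failing only when the table exists and contains data, and WRITE_TRUNCATE as overwriting "the entire table or all the partitions data", which matters where earlier analysis results in the same tables are kept as an audit record. The attribute comment should state how an unlisted value is handled and carry a migration line such as `# Replaces the removed WriteMode enum; WRITE_EMPTY is the closest match to ABORT, but only fails when the table contains data.` The file appears to be generated API documentation, so the wording probably belongs in the upstream definition rather than in this file.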