google-cloud-asset-v1 0.6.0 → 0.9.1
- checksums.yaml +4 -4
- data/lib/google/cloud/asset/v1.rb +3 -0
- data/lib/google/cloud/asset/v1/asset_service/client.rb +33 -48
- data/lib/google/cloud/asset/v1/asset_service/operations.rb +1 -1
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +18 -33
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +20 -20
- data/lib/google/cloud/asset/v1/assets_pb.rb +4 -0
- data/lib/google/cloud/asset/v1/version.rb +1 -1
- data/lib/google/cloud/osconfig/v1/inventory_pb.rb +108 -0
- data/proto_docs/google/api/resource.rb +50 -14
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +160 -180
- data/proto_docs/google/cloud/asset/v1/assets.rb +16 -20
- data/proto_docs/google/cloud/osconfig/v1/inventory.rb +284 -0
- metadata +5 -3
@@ -43,12 +43,12 @@ module Google
|
|
43
43
|
#
|
44
44
|
# The ResourceDescriptor Yaml config will look like:
|
45
45
|
#
|
46
|
-
#
|
47
|
-
#
|
48
|
-
#
|
49
|
-
#
|
50
|
-
#
|
51
|
-
#
|
46
|
+
# resources:
|
47
|
+
# - type: "pubsub.googleapis.com/Topic"
|
48
|
+
# name_descriptor:
|
49
|
+
# - pattern: "projects/{project}/topics/{topic}"
|
50
|
+
# parent_type: "cloudresourcemanager.googleapis.com/Project"
|
51
|
+
# parent_name_extractor: "projects/{project}"
|
52
52
|
#
|
53
53
|
# Sometimes, resources have multiple patterns, typically because they can
|
54
54
|
# live under multiple parents.
|
@@ -183,15 +183,24 @@ module Google
|
|
183
183
|
# }
|
184
184
|
# @!attribute [rw] plural
|
185
185
|
# @return [::String]
|
186
|
-
# The plural name used in the resource name, such as
|
187
|
-
# the name of 'projects/\\{project}'
|
188
|
-
#
|
186
|
+
# The plural name used in the resource name and permission names, such as
|
187
|
+
# 'projects' for the resource name of 'projects/\\{project}' and the permission
|
188
|
+
# name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
|
189
|
+
# concept of the `plural` field in k8s CRD spec
|
189
190
|
# https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
|
191
|
+
#
|
192
|
+
# Note: The plural form is required even for singleton resources. See
|
193
|
+
# https://aip.dev/156
|
190
194
|
# @!attribute [rw] singular
|
191
195
|
# @return [::String]
|
192
196
|
# The same concept of the `singular` field in k8s CRD spec
|
193
197
|
# https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
|
194
198
|
# Such as "project" for the `resourcemanager.googleapis.com/Project` type.
|
199
|
+
# @!attribute [rw] style
|
200
|
+
# @return [::Array<::Google::Api::ResourceDescriptor::Style>]
|
201
|
+
# Style flag(s) for this resource.
|
202
|
+
# These indicate that a resource is expected to conform to a given
|
203
|
+
# style. See the specific style flags for additional information.
|
195
204
|
class ResourceDescriptor
|
196
205
|
include ::Google::Protobuf::MessageExts
|
197
206
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -211,6 +220,22 @@ module Google
|
|
211
220
|
# that from being necessary once there are multiple patterns.)
|
212
221
|
FUTURE_MULTI_PATTERN = 2
|
213
222
|
end
|
223
|
+
|
224
|
+
# A flag representing a specific style that a resource claims to conform to.
|
225
|
+
module Style
|
226
|
+
# The unspecified value. Do not use.
|
227
|
+
STYLE_UNSPECIFIED = 0
|
228
|
+
|
229
|
+
# This resource is intended to be "declarative-friendly".
|
230
|
+
#
|
231
|
+
# Declarative-friendly resources must be more strictly consistent, and
|
232
|
+
# setting this to true communicates to tools that this resource should
|
233
|
+
# adhere to declarative-friendly expectations.
|
234
|
+
#
|
235
|
+
# Note: This is used by the API linter (linter.aip.dev) to enable
|
236
|
+
# additional checks.
|
237
|
+
DECLARATIVE_FRIENDLY = 1
|
238
|
+
end
|
214
239
|
end
|
215
240
|
|
216
241
|
# Defines a proto annotation that describes a string field that refers to
|
@@ -226,6 +251,17 @@ module Google
|
|
226
251
|
# type: "pubsub.googleapis.com/Topic"
|
227
252
|
# }];
|
228
253
|
# }
|
254
|
+
#
|
255
|
+
# Occasionally, a field may reference an arbitrary resource. In this case,
|
256
|
+
# APIs use the special value * in their resource reference.
|
257
|
+
#
|
258
|
+
# Example:
|
259
|
+
#
|
260
|
+
# message GetIamPolicyRequest {
|
261
|
+
# string resource = 2 [(google.api.resource_reference) = {
|
262
|
+
# type: "*"
|
263
|
+
# }];
|
264
|
+
# }
|
229
265
|
# @!attribute [rw] child_type
|
230
266
|
# @return [::String]
|
231
267
|
# The resource type of a child collection that the annotated field
|
@@ -234,11 +270,11 @@ module Google
|
|
234
270
|
#
|
235
271
|
# Example:
|
236
272
|
#
|
237
|
-
#
|
238
|
-
#
|
239
|
-
#
|
240
|
-
#
|
241
|
-
#
|
273
|
+
# message ListLogEntriesRequest {
|
274
|
+
# string parent = 1 [(google.api.resource_reference) = {
|
275
|
+
# child_type: "logging.googleapis.com/LogEntry"
|
276
|
+
# };
|
277
|
+
# }
|
242
278
|
class ResourceReference
|
243
279
|
include ::Google::Protobuf::MessageExts
|
244
280
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -287,11 +287,91 @@ module Google
|
|
287
287
|
# table will be overwritten by the contents of assets snapshot. If the flag
|
288
288
|
# is `FALSE` or unset and the destination table already exists, the export
|
289
289
|
# call returns an INVALID_ARGUMEMT error.
|
290
|
+
# @!attribute [rw] partition_spec
|
291
|
+
# @return [::Google::Cloud::Asset::V1::PartitionSpec]
|
292
|
+
# [partition_spec] determines whether to export to partitioned table(s) and
|
293
|
+
# how to partition the data.
|
294
|
+
#
|
295
|
+
# If [partition_spec] is unset or [partition_spec.partition_key] is unset or
|
296
|
+
# `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
|
297
|
+
# non-partitioned table(s). [force] will decide whether to overwrite existing
|
298
|
+
# table(s).
|
299
|
+
#
|
300
|
+
# If [partition_spec] is specified. First, the snapshot results will be
|
301
|
+
# written to partitioned table(s) with two additional timestamp columns,
|
302
|
+
# readTime and requestTime, one of which will be the partition key. Secondly,
|
303
|
+
# in the case when any destination table already exists, it will first try to
|
304
|
+
# update existing table's schema as necessary by appending additional
|
305
|
+
# columns. Then, if [force] is `TRUE`, the corresponding partition will be
|
306
|
+
# overwritten by the snapshot results (data in different partitions will
|
307
|
+
# remain intact); if [force] is unset or `FALSE`, it will append the data. An
|
308
|
+
# error will be returned if the schema update or data appension fails.
|
309
|
+
# @!attribute [rw] separate_tables_per_asset_type
|
310
|
+
# @return [::Boolean]
|
311
|
+
# If this flag is `TRUE`, the snapshot results will be written to one or
|
312
|
+
# multiple tables, each of which contains results of one asset type. The
|
313
|
+
# [force] and [partition_spec] fields will apply to each of them.
|
314
|
+
#
|
315
|
+
# Field [table] will be concatenated with "_" and the asset type names (see
|
316
|
+
# https://cloud.google.com/asset-inventory/docs/supported-asset-types for
|
317
|
+
# supported asset types) to construct per-asset-type table names, in which
|
318
|
+
# all non-alphanumeric characters like "." and "/" will be substituted by
|
319
|
+
# "_". Example: if field [table] is "mytable" and snapshot results
|
320
|
+
# contain "storage.googleapis.com/Bucket" assets, the corresponding table
|
321
|
+
# name will be "mytable_storage_googleapis_com_Bucket". If any of these
|
322
|
+
# tables does not exist, a new table with the concatenated name will be
|
323
|
+
# created.
|
324
|
+
#
|
325
|
+
# When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
|
326
|
+
# each table will include RECORD-type columns mapped to the nested fields in
|
327
|
+
# the Asset.resource.data field of that asset type (up to the 15 nested level
|
328
|
+
# BigQuery supports
|
329
|
+
# (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
|
330
|
+
# fields in >15 nested levels will be stored in JSON format string as a child
|
331
|
+
# column of its parent RECORD column.
|
332
|
+
#
|
333
|
+
# If error occurs when exporting to any table, the whole export call will
|
334
|
+
# return an error but the export results that already succeed will persist.
|
335
|
+
# Example: if exporting to table_type_A succeeds when exporting to
|
336
|
+
# table_type_B fails during one export call, the results in table_type_A will
|
337
|
+
# persist and there will not be partial results persisting in a table.
|
290
338
|
class BigQueryDestination
|
291
339
|
include ::Google::Protobuf::MessageExts
|
292
340
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
293
341
|
end
|
294
342
|
|
343
|
+
# Specifications of BigQuery partitioned table as export destination.
|
344
|
+
# @!attribute [rw] partition_key
|
345
|
+
# @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
|
346
|
+
# The partition key for BigQuery partitioned table.
|
347
|
+
class PartitionSpec
|
348
|
+
include ::Google::Protobuf::MessageExts
|
349
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
350
|
+
|
351
|
+
# This enum is used to determine the partition key column when exporting
|
352
|
+
# assets to BigQuery partitioned table(s). Note that, if the partition key is
|
353
|
+
# a timestamp column, the actual partition is based on its date value
|
354
|
+
# (expressed in UTC. see details in
|
355
|
+
# https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
|
356
|
+
module PartitionKey
|
357
|
+
# Unspecified partition key. If used, it means using non-partitioned table.
|
358
|
+
PARTITION_KEY_UNSPECIFIED = 0
|
359
|
+
|
360
|
+
# The time when the snapshot is taken. If specified as partition key, the
|
361
|
+
# result table(s) is partitoned by the additional timestamp column,
|
362
|
+
# readTime. If [read_time] in ExportAssetsRequest is specified, the
|
363
|
+
# readTime column's value will be the same as it. Otherwise, its value will
|
364
|
+
# be the current time that is used to take the snapshot.
|
365
|
+
READ_TIME = 1
|
366
|
+
|
367
|
+
# The time when the request is received and started to be processed. If
|
368
|
+
# specified as partition key, the result table(s) is partitoned by the
|
369
|
+
# requestTime column, an additional timestamp column representing when the
|
370
|
+
# request was received.
|
371
|
+
REQUEST_TIME = 2
|
372
|
+
end
|
373
|
+
end
|
374
|
+
|
295
375
|
# A Pub/Sub destination.
|
296
376
|
# @!attribute [rw] topic
|
297
377
|
# @return [::String]
|
@@ -548,7 +628,7 @@ module Google
|
|
548
628
|
# IAM policy analysis query message.
|
549
629
|
# @!attribute [rw] scope
|
550
630
|
# @return [::String]
|
551
|
-
# The relative name of the root asset. Only resources and IAM policies within
|
631
|
+
# Required. The relative name of the root asset. Only resources and IAM policies within
|
552
632
|
# the scope will be analyzed.
|
553
633
|
#
|
554
634
|
# This can only be an organization number (such as "organizations/123"), a
|
@@ -562,16 +642,16 @@ module Google
|
|
562
642
|
# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
|
563
643
|
# @!attribute [rw] resource_selector
|
564
644
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
|
565
|
-
# Specifies a resource for analysis.
|
645
|
+
# Optional. Specifies a resource for analysis.
|
566
646
|
# @!attribute [rw] identity_selector
|
567
647
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
|
568
|
-
# Specifies an identity for analysis.
|
648
|
+
# Optional. Specifies an identity for analysis.
|
569
649
|
# @!attribute [rw] access_selector
|
570
650
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
|
571
|
-
# Specifies roles or permissions for analysis. This is optional.
|
651
|
+
# Optional. Specifies roles or permissions for analysis. This is optional.
|
572
652
|
# @!attribute [rw] options
|
573
653
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
|
574
|
-
# The query options.
|
654
|
+
# Optional. The query options.
|
575
655
|
class IamPolicyAnalysisQuery
|
576
656
|
include ::Google::Protobuf::MessageExts
|
577
657
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -581,7 +661,7 @@ module Google
|
|
581
661
|
# projects.
|
582
662
|
# @!attribute [rw] full_resource_name
|
583
663
|
# @return [::String]
|
584
|
-
# The [full resource name]
|
664
|
+
# Required. The [full resource name]
|
585
665
|
# (https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
586
666
|
# of a resource of [supported resource
|
587
667
|
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
|
@@ -595,7 +675,7 @@ module Google
|
|
595
675
|
# directly or indirectly.
|
596
676
|
# @!attribute [rw] identity
|
597
677
|
# @return [::String]
|
598
|
-
# The identity appear in the form of members in
|
678
|
+
# Required. The identity appear in the form of members in
|
599
679
|
# [IAM policy
|
600
680
|
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
|
601
681
|
#
|
@@ -615,13 +695,14 @@ module Google
|
|
615
695
|
# Specifies roles and/or permissions to analyze, to determine both the
|
616
696
|
# identities possessing them and the resources they control. If multiple
|
617
697
|
# values are specified, results will include roles or permissions matching
|
618
|
-
# any of them.
|
698
|
+
# any of them. The total number of roles and permissions should be equal or
|
699
|
+
# less than 10.
|
619
700
|
# @!attribute [rw] roles
|
620
701
|
# @return [::Array<::String>]
|
621
|
-
# The roles to appear in result.
|
702
|
+
# Optional. The roles to appear in result.
|
622
703
|
# @!attribute [rw] permissions
|
623
704
|
# @return [::Array<::String>]
|
624
|
-
# The permissions to appear in result.
|
705
|
+
# Optional. The permissions to appear in result.
|
625
706
|
class AccessSelector
|
626
707
|
include ::Google::Protobuf::MessageExts
|
627
708
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -630,67 +711,64 @@ module Google
|
|
630
711
|
# Contains query options.
|
631
712
|
# @!attribute [rw] expand_groups
|
632
713
|
# @return [::Boolean]
|
633
|
-
# If true, the identities section of the result will expand any
|
714
|
+
# Optional. If true, the identities section of the result will expand any
|
634
715
|
# Google groups appearing in an IAM policy binding.
|
635
716
|
#
|
636
|
-
# If
|
637
|
-
#
|
638
|
-
# is
|
639
|
-
# selector, and this flag is not allowed to set.
|
717
|
+
# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
|
718
|
+
# identity in the result will be determined by the selector, and this flag
|
719
|
+
# is not allowed to set.
|
640
720
|
#
|
641
721
|
# Default is false.
|
642
722
|
# @!attribute [rw] expand_roles
|
643
723
|
# @return [::Boolean]
|
644
|
-
# If true, the access section of result will expand any roles
|
724
|
+
# Optional. If true, the access section of result will expand any roles
|
645
725
|
# appearing in IAM policy bindings to include their permissions.
|
646
726
|
#
|
647
|
-
# If
|
648
|
-
#
|
649
|
-
# is
|
650
|
-
# selector, and this flag is not allowed to set.
|
727
|
+
# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
|
728
|
+
# section of the result will be determined by the selector, and this flag
|
729
|
+
# is not allowed to set.
|
651
730
|
#
|
652
731
|
# Default is false.
|
653
732
|
# @!attribute [rw] expand_resources
|
654
733
|
# @return [::Boolean]
|
655
|
-
# If true and
|
656
|
-
#
|
657
|
-
#
|
658
|
-
#
|
659
|
-
# resource hierarchy.
|
734
|
+
# Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
|
735
|
+
# specified, the resource section of the result will expand any resource
|
736
|
+
# attached to an IAM policy to include resources lower in the resource
|
737
|
+
# hierarchy.
|
660
738
|
#
|
661
739
|
# For example, if the request analyzes for which resources user A has
|
662
740
|
# permission P, and the results include an IAM policy with P on a GCP
|
663
741
|
# folder, the results will also include resources in that folder with
|
664
742
|
# permission P.
|
665
743
|
#
|
666
|
-
# If true and
|
667
|
-
#
|
668
|
-
#
|
669
|
-
#
|
744
|
+
# If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
|
745
|
+
# the resource section of the result will expand the specified resource to
|
746
|
+
# include resources lower in the resource hierarchy. Only project or
|
747
|
+
# lower resources are supported. Folder and organization resource cannot be
|
748
|
+
# used together with this option.
|
670
749
|
#
|
671
750
|
# For example, if the request analyzes for which users have permission P on
|
672
|
-
# a GCP
|
673
|
-
# who have permission P on that
|
751
|
+
# a GCP project with this option enabled, the results will include all
|
752
|
+
# users who have permission P on that project or any lower resource.
|
674
753
|
#
|
675
754
|
# Default is false.
|
676
755
|
# @!attribute [rw] output_resource_edges
|
677
756
|
# @return [::Boolean]
|
678
|
-
# If true, the result will output resource edges, starting
|
757
|
+
# Optional. If true, the result will output resource edges, starting
|
679
758
|
# from the policy attached resource, to any expanded resources.
|
680
759
|
# Default is false.
|
681
760
|
# @!attribute [rw] output_group_edges
|
682
761
|
# @return [::Boolean]
|
683
|
-
# If true, the result will output group identity edges, starting
|
762
|
+
# Optional. If true, the result will output group identity edges, starting
|
684
763
|
# from the binding's group members, to any expanded identities.
|
685
764
|
# Default is false.
|
686
765
|
# @!attribute [rw] analyze_service_account_impersonation
|
687
766
|
# @return [::Boolean]
|
688
|
-
# If true, the response will include access analysis from identities to
|
767
|
+
# Optional. If true, the response will include access analysis from identities to
|
689
768
|
# resources via service account impersonation. This is a very expensive
|
690
769
|
# operation, because many derived queries will be executed. We highly
|
691
|
-
# recommend you use
|
692
|
-
#
|
693
|
-
# rpc instead.
|
770
|
+
# recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
|
771
|
+
# instead.
|
694
772
|
#
|
695
773
|
# For example, if the request analyzes for which resources user A has
|
696
774
|
# permission P, and there's an IAM policy states user A has
|
@@ -698,7 +776,7 @@ module Google
|
|
698
776
|
# and there's another IAM policy states service account SA has permission P
|
699
777
|
# to a GCP folder F, then user A potentially has access to the GCP folder
|
700
778
|
# F. And those advanced analysis results will be included in
|
701
|
-
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis
|
779
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
702
780
|
#
|
703
781
|
# Another example, if the request analyzes for who has
|
704
782
|
# permission P to a GCP folder F, and there's an IAM policy states user A
|
@@ -706,34 +784,22 @@ module Google
|
|
706
784
|
# there's another IAM policy states service account SA has permission P to
|
707
785
|
# the GCP folder F, then user A potentially has access to the GCP folder
|
708
786
|
# F. And those advanced analysis results will be included in
|
709
|
-
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis
|
787
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
710
788
|
#
|
711
789
|
# Default is false.
|
712
|
-
# @!attribute [rw] max_fanouts_per_group
|
713
|
-
# @return [::Integer]
|
714
|
-
# The maximum number of fanouts per group when [expand_groups][expand_groups]
|
715
|
-
# is enabled. This internal field is to help load testing and determine a
|
716
|
-
# proper value, and won't be public in the future.
|
717
|
-
# @!attribute [rw] max_fanouts_per_resource
|
718
|
-
# @return [::Integer]
|
719
|
-
# The maximum number of fanouts per parent resource, such as
|
720
|
-
# GCP Project etc., when [expand_resources][] is enabled. This internal
|
721
|
-
# field is to help load testing and determine a proper value, and won't be
|
722
|
-
# public in the future.
|
723
790
|
class Options
|
724
791
|
include ::Google::Protobuf::MessageExts
|
725
792
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
726
793
|
end
|
727
794
|
end
|
728
795
|
|
729
|
-
# A request message for
|
730
|
-
# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
|
796
|
+
# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
|
731
797
|
# @!attribute [rw] analysis_query
|
732
798
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
733
|
-
# The request query.
|
799
|
+
# Required. The request query.
|
734
800
|
# @!attribute [rw] execution_timeout
|
735
801
|
# @return [::Google::Protobuf::Duration]
|
736
|
-
# Amount of time executable has to complete. See JSON representation of
|
802
|
+
# Optional. Amount of time executable has to complete. See JSON representation of
|
737
803
|
# [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
|
738
804
|
#
|
739
805
|
# If this field is set with a value less than the RPC deadline, and the
|
@@ -743,40 +809,24 @@ module Google
|
|
743
809
|
# If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
|
744
810
|
#
|
745
811
|
# Default is empty.
|
746
|
-
#
|
747
|
-
# (-- We had discussion of whether we should have this field in the --)
|
748
|
-
# (-- request or use the RPC deadline instead. We finally choose this --)
|
749
|
-
# (-- approach for the following reasons (detailed in --)
|
750
|
-
# (-- go/analyze-iam-policy-deadlines): --)
|
751
|
-
# (-- * HTTP clients have very limited support of the RPC deadline. --)
|
752
|
-
# (-- There is an X-Server-Timeout header introduced in 2019/09, but --)
|
753
|
-
# (-- only implemented in the C++ HTTP server library. --)
|
754
|
-
# (-- * The purpose of the RPC deadline is for RPC clients to --)
|
755
|
-
# (-- communicate its max waiting time to the server. This deadline --)
|
756
|
-
# (-- could be further propagated to the downstream servers. It is --)
|
757
|
-
# (-- mainly used for servers to cancel the request processing --)
|
758
|
-
# (-- to avoid resource wasting. Overloading the RPC deadline for --)
|
759
|
-
# (-- other purposes could make our backend system harder to reason --)
|
760
|
-
# (-- about. --)
|
761
812
|
class AnalyzeIamPolicyRequest
|
762
813
|
include ::Google::Protobuf::MessageExts
|
763
814
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
764
815
|
end
|
765
816
|
|
766
|
-
# A response message for
|
767
|
-
# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
|
817
|
+
# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
|
768
818
|
# @!attribute [rw] main_analysis
|
769
819
|
# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
|
770
820
|
# The main analysis that matches the original request.
|
771
821
|
# @!attribute [rw] service_account_impersonation_analysis
|
772
822
|
# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
|
773
823
|
# The service account impersonation analysis if
|
774
|
-
# [
|
775
|
-
#
|
824
|
+
# [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
|
825
|
+
# enabled.
|
776
826
|
# @!attribute [rw] fully_explored
|
777
827
|
# @return [::Boolean]
|
778
|
-
# Represents whether all entries in the
|
779
|
-
#
|
828
|
+
# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
|
829
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
|
780
830
|
# answer the query in the request.
|
781
831
|
class AnalyzeIamPolicyResponse
|
782
832
|
include ::Google::Protobuf::MessageExts
|
@@ -788,87 +838,18 @@ module Google
|
|
788
838
|
# The analysis query.
|
789
839
|
# @!attribute [rw] analysis_results
|
790
840
|
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
|
791
|
-
# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult
|
792
|
-
#
|
841
|
+
# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
|
842
|
+
# empty if no result is found.
|
793
843
|
# @!attribute [rw] fully_explored
|
794
844
|
# @return [::Boolean]
|
795
|
-
# Represents whether all entries in the
|
796
|
-
#
|
797
|
-
# the query.
|
798
|
-
# @!attribute [rw] stats
|
799
|
-
# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
|
800
|
-
# The stats of how the analysis has been explored.
|
845
|
+
# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
|
846
|
+
# fully explored to answer the query.
|
801
847
|
# @!attribute [rw] non_critical_errors
|
802
848
|
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
|
803
849
|
# A list of non-critical errors happened during the query handling.
|
804
850
|
class IamPolicyAnalysis
|
805
851
|
include ::Google::Protobuf::MessageExts
|
806
852
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
807
|
-
|
808
|
-
# A stats message that contains a set of analysis metrics.
|
809
|
-
#
|
810
|
-
# Here are some equations to show relationships of the explicitly specified
|
811
|
-
# metrics with other implicit metrics:
|
812
|
-
# * node_count = discovered_node_count + undiscovered_node_count(implicit)
|
813
|
-
# * discovered_node_count = explored_node_count +
|
814
|
-
# unexplored_node_count(implicit)
|
815
|
-
# * explored_node_count = capped_node_count + uncapped_node_count(implicit)
|
816
|
-
# * unexplored_node_count(implicit) = permission_denied_node_count +
|
817
|
-
# execution_timeout_node_count + other_unexplored_node_count(implicit)
|
818
|
-
# * discovered_node_count = matched_node_count +
|
819
|
-
# unmatched_node_count(implicit)
|
820
|
-
# @!attribute [rw] node_type
|
821
|
-
# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
|
822
|
-
# Node type.
|
823
|
-
# @!attribute [rw] node_subtype
|
824
|
-
# @return [::String]
|
825
|
-
# The subtype of a node, such as:
|
826
|
-
# * For Identity: Group, User, ServiceAccount etc.
|
827
|
-
# * For Resource: resource type name, such as
|
828
|
-
# cloudresourcemanager.googleapis.com/Organization, etc.
|
829
|
-
# * For Access: Role or Permission
|
830
|
-
# @!attribute [rw] discovered_node_count
|
831
|
-
# @return [::Integer]
|
832
|
-
# The count of discovered nodes.
|
833
|
-
# @!attribute [rw] matched_node_count
|
834
|
-
# @return [::Integer]
|
835
|
-
# The count of nodes that match the query. These nodes form a sub-graph
|
836
|
-
# of discovered nodes.
|
837
|
-
# @!attribute [rw] explored_node_count
|
838
|
-
# @return [::Integer]
|
839
|
-
# The count of explored nodes.
|
840
|
-
# @!attribute [rw] capped_node_count
|
841
|
-
# @return [::Integer]
|
842
|
-
# The count of nodes that get explored, but are capped by max fanout
|
843
|
-
# setting.
|
844
|
-
# @!attribute [rw] permision_denied_node_count
|
845
|
-
# @return [::Integer]
|
846
|
-
# The count of unexplored nodes caused by permission denied error.
|
847
|
-
# @!attribute [rw] execution_timeout_node_count
|
848
|
-
# @return [::Integer]
|
849
|
-
# The count of unexplored nodes caused by execution timeout.
|
850
|
-
class Stats
|
851
|
-
include ::Google::Protobuf::MessageExts
|
852
|
-
extend ::Google::Protobuf::MessageExts::ClassMethods
|
853
|
-
|
854
|
-
# Type of the node.
|
855
|
-
module NodeType
|
856
|
-
# Unspecified node type.
|
857
|
-
NODE_TYPE_UNSPECIFIED = 0
|
858
|
-
|
859
|
-
# IAM Policy Binding node type.
|
860
|
-
BINDING = 1
|
861
|
-
|
862
|
-
# Identity node type.
|
863
|
-
IDENTITY = 2
|
864
|
-
|
865
|
-
# Resource node type.
|
866
|
-
RESOURCE = 3
|
867
|
-
|
868
|
-
# Access node type.
|
869
|
-
ACCESS = 4
|
870
|
-
end
|
871
|
-
end
|
872
853
|
end
|
873
854
|
end
|
874
855
|
|
@@ -886,11 +867,10 @@ module Google
|
|
886
867
|
# A Cloud Storage location.
|
887
868
|
# @!attribute [rw] uri
|
888
869
|
# @return [::String]
|
889
|
-
# The uri of the Cloud Storage object. It's the same uri that is used by
|
890
|
-
# gsutil. For example: "gs://bucket_name/object_name". See
|
891
|
-
#
|
892
|
-
#
|
893
|
-
# for more information.
|
870
|
+
# Required. The uri of the Cloud Storage object. It's the same uri that is used by
|
871
|
+
# gsutil. For example: "gs://bucket_name/object_name". See
|
872
|
+
# [Quickstart: Using the gsutil tool]
|
873
|
+
# (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
|
894
874
|
class GcsDestination
|
895
875
|
include ::Google::Protobuf::MessageExts
|
896
876
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -899,25 +879,36 @@ module Google
|
|
899
879
|
# A BigQuery destination.
|
900
880
|
# @!attribute [rw] dataset
|
901
881
|
# @return [::String]
|
902
|
-
# The BigQuery dataset in format "projects/projectId/datasets/datasetId",
|
882
|
+
# Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
|
903
883
|
# to which the analysis results should be exported. If this dataset does
|
904
884
|
# not exist, the export call will return an INVALID_ARGUMENT error.
|
905
885
|
# @!attribute [rw] table_prefix
|
906
886
|
# @return [::String]
|
907
|
-
# The prefix of the BigQuery tables to which the analysis results will be
|
887
|
+
# Required. The prefix of the BigQuery tables to which the analysis results will be
|
908
888
|
# written. Tables will be created based on this table_prefix if not exist:
|
909
889
|
# * <table_prefix>_analysis table will contain export operation's metadata.
|
910
890
|
# * <table_prefix>_analysis_result will contain all the
|
911
|
-
#
|
891
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
|
912
892
|
# When [partition_key] is specified, both tables will be partitioned based
|
913
893
|
# on the [partition_key].
|
914
894
|
# @!attribute [rw] partition_key
|
915
895
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
|
916
896
|
# The partition key for BigQuery partitioned table.
|
917
|
-
# @!attribute [rw]
|
918
|
-
# @return [::
|
919
|
-
#
|
920
|
-
#
|
897
|
+
# @!attribute [rw] write_disposition
|
898
|
+
# @return [::String]
|
899
|
+
# Optional. Specifies the action that occurs if the destination table or partition
|
900
|
+
# already exists. The following values are supported:
|
901
|
+
#
|
902
|
+
# * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
|
903
|
+
# overwrites the entire table or all the partitions data.
|
904
|
+
# * WRITE_APPEND: If the table or partition already exists, BigQuery
|
905
|
+
# appends the data to the table or the latest partition.
|
906
|
+
# * WRITE_EMPTY: If the table already exists and contains data, an error is
|
907
|
+
# returned.
|
908
|
+
#
|
909
|
+
# The default value is WRITE_APPEND. Each action is atomic and only occurs
|
910
|
+
# if BigQuery is able to complete the job successfully. Details are at
|
911
|
+
# https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
|
921
912
|
class BigQueryDestination
|
922
913
|
include ::Google::Protobuf::MessageExts
|
923
914
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -936,37 +927,23 @@ module Google
|
|
936
927
|
# additional timestamp column representing when the request was received.
|
937
928
|
REQUEST_TIME = 1
|
938
929
|
end
|
939
|
-
|
940
|
-
# Write mode types if table exists.
|
941
|
-
module WriteMode
|
942
|
-
# Unspecified write mode. We expect one of the following valid modes must
|
943
|
-
# be specified when table or partition exists.
|
944
|
-
WRITE_MODE_UNSPECIFIED = 0
|
945
|
-
|
946
|
-
# Abort the export when table or partition exists.
|
947
|
-
ABORT = 1
|
948
|
-
|
949
|
-
# Overwrite the table when table exists. When partitioned, overwrite
|
950
|
-
# the existing partition.
|
951
|
-
OVERWRITE = 2
|
952
|
-
end
|
953
930
|
end
|
954
931
|
end
|
955
932
|
|
956
|
-
# A request message for
|
933
|
+
# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
|
957
934
|
# @!attribute [rw] analysis_query
|
958
935
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
959
|
-
# The request query.
|
936
|
+
# Required. The request query.
|
960
937
|
# @!attribute [rw] output_config
|
961
938
|
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
|
962
|
-
# Output configuration indicating where the results will be output to.
|
963
|
-
class
|
939
|
+
# Required. Output configuration indicating where the results will be output to.
|
940
|
+
class AnalyzeIamPolicyLongrunningRequest
|
964
941
|
include ::Google::Protobuf::MessageExts
|
965
942
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
966
943
|
end
|
967
944
|
|
968
|
-
#
|
969
|
-
class
|
945
|
+
# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
|
946
|
+
class AnalyzeIamPolicyLongrunningResponse
|
970
947
|
include ::Google::Protobuf::MessageExts
|
971
948
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
972
949
|
end
|
@@ -987,6 +964,9 @@ module Google
|
|
987
964
|
|
988
965
|
# The Cloud Access context manager Policy set on an asset.
|
989
966
|
ACCESS_POLICY = 5
|
967
|
+
|
968
|
+
# The runtime OS Inventory information.
|
969
|
+
OS_INVENTORY = 6
|
990
970
|
end
|
991
971
|
end
|
992
972
|
end
|