ci: resolve issue where protos are not updating #123

Merged
merged 8 commits into from
Aug 14, 2024
123 changes: 103 additions & 20 deletions google/cloud/audit/audit_log.proto
@@ -1,4 +1,4 @@
// Copyright 2020 Google LLC
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -16,6 +16,7 @@ syntax = "proto3";

package google.cloud.audit;

import "google/api/field_behavior.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/rpc/context/attribute_context.proto";
Expand All @@ -30,23 +31,23 @@ option java_package = "com.google.cloud.audit";
// Common audit log format for Google Cloud Platform API operations.
message AuditLog {
// The name of the API service performing the operation. For example,
// `"datastore.googleapis.com"`.
// `"compute.googleapis.com"`.
string service_name = 7;

// The name of the service method or operation.
// For API calls, this should be the name of the API method.
// For example,
//
// "google.datastore.v1.Datastore.RunQuery"
// "google.logging.v1.LoggingService.DeleteLog"
// "google.cloud.bigquery.v2.TableService.InsertTable"
// "google.logging.v2.ConfigServiceV2.CreateSink"
string method_name = 8;

// The resource or collection that is the target of the operation.
// The name is a scheme-less URI, not including the API service name.
// For example:
//
// "shelves/SHELF_ID/books"
// "shelves/SHELF_ID/books/BOOK_ID"
// "projects/PROJECT_ID/zones/us-central1-a/instances"
// "projects/PROJECT_ID/datasets/DATASET_ID"
string resource_name = 11;

// The resource location information.
Expand Down Expand Up @@ -76,6 +77,11 @@ message AuditLog {
// one AuthorizationInfo element for each {resource, permission} tuple.
repeated AuthorizationInfo authorization_info = 9;

// Indicates the policy violations for this request. If the request
// is denied by the policy, violation information will be logged
// here.
PolicyViolationInfo policy_violation_info = 25;

// Metadata about the operation.
RequestMetadata request_metadata = 4;

Expand All @@ -99,18 +105,20 @@ message AuditLog {
// information associated with the current audited event.
google.protobuf.Struct metadata = 18;

// Deprecated, use `metadata` field instead.
// Deprecated. Use the `metadata` field instead.
// Other service-specific data about the request, response, and other
// activities.
google.protobuf.Any service_data = 15;
google.protobuf.Any service_data = 15 [deprecated = true];
}

// Authentication information for the operation.
message AuthenticationInfo {
// The email address of the authenticated user (or service account on behalf
// of third party principal) making the request. For privacy reasons, the
// principal email address is redacted for all read-only operations that fail
// with a "permission denied" error.
// of third party principal) making the request. For third party identity
// callers, the `principal_subject` field is populated instead of this field.
// For privacy reasons, the principal email address is sometimes redacted.
// For more information, see [Caller identities in audit
// logs](https://cloud.google.com/logging/docs/audit#user-id).
string principal_email = 1;

// The authority selector specified by the requestor, if any.
Expand Down Expand Up @@ -144,9 +152,12 @@ message AuthenticationInfo {

// Authorization information for the operation.
message AuthorizationInfo {
// The resource being accessed, as a REST-style string. For example:
// The resource being accessed, as a REST-style or cloud resource string.
// For example:
//
// bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
// or
// projects/PROJECTID/datasets/DATASETID
string resource = 1;

// The required IAM permission.
Expand All @@ -168,14 +179,16 @@ message AuthorizationInfo {
// Metadata about the request.
message RequestMetadata {
// The IP address of the caller.
// For caller from internet, this will be public IPv4 or IPv6 address.
// For caller from a Compute Engine VM with external IP address, this
// will be the VM's external IP address. For caller from a Compute
// Engine VM without external IP address, if the VM is in the same
// organization (or project) as the accessed resource, `caller_ip` will
// be the VM's internal IPv4 address, otherwise the `caller_ip` will be
// redacted to "gce-internal-ip".
// See https://cloud.google.com/compute/docs/vpc/ for more information.
// For a caller from the internet, this will be the public IPv4 or IPv6
// address. For calls made from inside Google's internal production network
// from one GCP service to another, `caller_ip` will be redacted to "private".
// For a caller from a Compute Engine VM with a external IP address,
// `caller_ip` will be the VM's external IP address. For a caller from a
// Compute Engine VM without a external IP address, if the VM is in the same
// organization (or project) as the accessed resource, `caller_ip` will be the
// VM's internal IPv4 address, otherwise `caller_ip` will be redacted to
// "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more
// information.
string caller_ip = 1;

// The user agent of the caller.
Expand Down Expand Up @@ -258,6 +271,14 @@ message ServiceAccountDelegationInfo {
google.protobuf.Struct third_party_claims = 1;
}

// A string representing the principal_subject associated with the identity.
// For most identities, the format will be
// `principal://iam.googleapis.com/{identity pool name}/subject/{subject)`
// except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD)
// that are still in the legacy format `serviceAccount:{identity pool
// name}[{subject}]`
string principal_subject = 3;

// Entity that creates credentials for service account and assumes its
// identity for authentication.
oneof Authority {
Expand All @@ -268,3 +289,65 @@ message ServiceAccountDelegationInfo {
ThirdPartyPrincipal third_party_principal = 2;
}
}

// Information related to policy violations for this request.
message PolicyViolationInfo {
// Indicates the orgpolicy violations for this resource.
OrgPolicyViolationInfo org_policy_violation_info = 1;
}

// Represents OrgPolicy Violation information.
message OrgPolicyViolationInfo {
// Optional. Resource payload that is currently in scope and is subjected to orgpolicy
// conditions. This payload may be the subset of the actual Resource that may
// come in the request. This payload should not contain any core content.
google.protobuf.Struct payload = 1 [(google.api.field_behavior) = OPTIONAL];

// Optional. Resource type that the orgpolicy is checked against.
// Example: compute.googleapis.com/Instance, store.googleapis.com/bucket
string resource_type = 2 [(google.api.field_behavior) = OPTIONAL];

// Optional. Tags referenced on the resource at the time of evaluation. These also
// include the federated tags, if they are supplied in the CheckOrgPolicy
// or CheckCustomConstraints Requests.
//
// Optional field as of now. These tags are the Cloud tags that are
// available on the resource during the policy evaluation and will
// be available as part of the OrgPolicy check response for logging purposes.
map<string, string> resource_tags = 3 [(google.api.field_behavior) = OPTIONAL];

// Optional. Policy violations
repeated ViolationInfo violation_info = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Provides information about the Policy violation info for this request.
message ViolationInfo {
// Policy Type enum
enum PolicyType {
// Default value. This value should not be used.
POLICY_TYPE_UNSPECIFIED = 0;

// Indicates boolean policy constraint
BOOLEAN_CONSTRAINT = 1;

// Indicates list policy constraint
LIST_CONSTRAINT = 2;

// Indicates custom policy constraint
CUSTOM_CONSTRAINT = 3;
}

// Optional. Constraint name
string constraint = 1 [(google.api.field_behavior) = OPTIONAL];

// Optional. Error message that policy is indicating.
string error_message = 2 [(google.api.field_behavior) = OPTIONAL];

// Optional. Value that is being checked for the policy.
// This could be in encrypted form (if pii sensitive).
// This field will only be emitted in LIST_POLICY types
string checked_value = 3 [(google.api.field_behavior) = OPTIONAL];

// Optional. Indicates the type of the policy.
PolicyType policy_type = 4 [(google.api.field_behavior) = OPTIONAL];
}
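Review bot: The comment on `checked_value` says the field "will only be emitted in LIST_POLICY types", but the `PolicyType` enum defined just above in the same message has no such value; the matching value is `LIST_CONSTRAINT`, so the line should read `// This field will only be emitted when policy_type is LIST_CONSTRAINT.` The values `BOOLEAN_CONSTRAINT`, `LIST_CONSTRAINT` and `CUSTOM_CONSTRAINT` carry no `POLICY_TYPE_` prefix and would collide with any same-named value of another enum nested in `ViolationInfo`; if this file is vendored from googleapis (the PR title reads like a CI sync), the names must stay as published and the fix belongs upstream, otherwise the prefix is the convention. Because `checked_value` is documented as only possibly being encrypted when PII-sensitive, the comment would help log consumers more if it stated plainly that the value may contain sensitive data and should be handled as such regardless of encryption. The `principal_subject` hunk above has a mismatched bracket in its format example, `{subject)` → `{subject}`.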