-
Notifications
You must be signed in to change notification settings - Fork 2.2k
/
troubleshooter.proto
757 lines (641 loc) · 31 KB
/
troubleshooter.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.cloud.policytroubleshooter.iam.v3;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/iam/v1/policy.proto";
import "google/iam/v2/policy.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";
import "google/type/expr.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.PolicyTroubleshooter.Iam.V3";
option go_package = "cloud.google.com/go/policytroubleshooter/iam/apiv3/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "TroubleshooterProto";
option java_package = "com.google.cloud.policytroubleshooter.iam.v3";
option php_namespace = "Google\\Cloud\\PolicyTroubleshooter\\Iam\\V3";
option ruby_package = "Google::Cloud::PolicyTroubleshooter::Iam::V3";
// IAM Policy Troubleshooter service.
//
// This service helps you troubleshoot access issues for Google Cloud resources.
service PolicyTroubleshooter {
option (google.api.default_host) = "policytroubleshooter.googleapis.com";
option (google.api.oauth_scopes) =
"https://www.googleapis.com/auth/cloud-platform";
// Checks whether a principal has a specific permission for a specific
// resource, and explains why the principal does or doesn't have that
// permission.
rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest)
returns (TroubleshootIamPolicyResponse) {
option (google.api.http) = {
post: "/v3/iam:troubleshoot"
body: "*"
};
}
}
// Whether IAM allow policies gives the principal the permission.
enum AllowAccessState {
// Not specified.
ALLOW_ACCESS_STATE_UNSPECIFIED = 0;
// The allow policy gives the principal the permission.
ALLOW_ACCESS_STATE_GRANTED = 1;
// The allow policy doesn't give the principal the permission.
ALLOW_ACCESS_STATE_NOT_GRANTED = 2;
// The allow policy gives the principal the permission if a condition
// expression evaluate to `true`. However, the sender of the request didn't
// provide enough context for Policy Troubleshooter to evaluate the condition
// expression.
ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;
// The sender of the request doesn't have access to all of the allow policies
// that Policy Troubleshooter needs to evaluate the principal's access.
ALLOW_ACCESS_STATE_UNKNOWN_INFO = 4;
}
// Whether IAM deny policies deny the principal the permission.
enum DenyAccessState {
// Not specified.
DENY_ACCESS_STATE_UNSPECIFIED = 0;
// The deny policy denies the principal the permission.
DENY_ACCESS_STATE_DENIED = 1;
// The deny policy doesn't deny the principal the permission.
DENY_ACCESS_STATE_NOT_DENIED = 2;
// The deny policy denies the principal the permission if a condition
// expression evaluates to `true`. However, the sender of the request didn't
// provide enough context for Policy Troubleshooter to evaluate the condition
// expression.
DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;
// The sender of the request does not have access to all of the deny policies
// that Policy Troubleshooter needs to evaluate the principal's access.
DENY_ACCESS_STATE_UNKNOWN_INFO = 4;
}
// Whether a role includes a specific permission.
enum RolePermissionInclusionState {
// Not specified.
ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED = 0;
// The permission is included in the role.
ROLE_PERMISSION_INCLUDED = 1;
// The permission is not included in the role.
ROLE_PERMISSION_NOT_INCLUDED = 2;
// The sender of the request is not allowed to access the role definition.
ROLE_PERMISSION_UNKNOWN_INFO = 3;
}
// Whether the permission in the request matches the permission in the policy.
enum PermissionPatternMatchingState {
// Not specified.
PERMISSION_PATTERN_MATCHING_STATE_UNSPECIFIED = 0;
// The permission in the request matches the permission in the policy.
PERMISSION_PATTERN_MATCHED = 1;
// The permission in the request matches the permission in the policy.
PERMISSION_PATTERN_NOT_MATCHED = 2;
}
// Whether the principal in the request matches the principal in the policy.
enum MembershipMatchingState {
// Not specified.
MEMBERSHIP_MATCHING_STATE_UNSPECIFIED = 0;
// The principal in the request matches the principal in the policy. The
// principal can be included directly or indirectly:
//
// * A principal is included directly if that principal is listed in the
// role binding.
// * A principal is included indirectly if that principal is in a Google
// group, Google Workspace account, or Cloud Identity domain that is listed
// in the policy.
MEMBERSHIP_MATCHED = 1;
// The principal in the request doesn't match the principal in the policy.
MEMBERSHIP_NOT_MATCHED = 2;
// The principal in the policy is a group or domain, and the sender of the
// request doesn't have permission to view whether the principal in the
// request is a member of the group or domain.
MEMBERSHIP_UNKNOWN_INFO = 3;
// The principal is an unsupported type.
MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4;
}
// The extent to which a single data point contributes to an overall
// determination.
enum HeuristicRelevance {
// Not specified.
HEURISTIC_RELEVANCE_UNSPECIFIED = 0;
// The data point has a limited effect on the result. Changing the data point
// is unlikely to affect the overall determination.
HEURISTIC_RELEVANCE_NORMAL = 1;
// The data point has a strong effect on the result. Changing the data point
// is likely to affect the overall determination.
HEURISTIC_RELEVANCE_HIGH = 2;
}
// Request for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyRequest {
// The information to use for checking whether a principal has a permission
// for a resource.
AccessTuple access_tuple = 1;
}
// Response for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyResponse {
// Whether the principal has the permission on the resource.
enum OverallAccessState {
// Not specified.
OVERALL_ACCESS_STATE_UNSPECIFIED = 0;
// The principal has the permission.
CAN_ACCESS = 1;
// The principal doesn't have the permission.
CANNOT_ACCESS = 2;
// The principal might have the permission, but the sender can't access all
// of the information needed to fully evaluate the principal's access.
UNKNOWN_INFO = 3;
// The principal might have the permission, but Policy Troubleshooter can't
// fully evaluate the principal's access because the sender didn't provide
// the required context to evaluate the condition.
UNKNOWN_CONDITIONAL = 4;
}
// Indicates whether the principal has the specified permission for the
// specified resource, based on evaluating all types of the applicable IAM
// policies.
OverallAccessState overall_access_state = 1;
// The access tuple from the request, including any provided context used to
// evaluate the condition.
AccessTuple access_tuple = 2;
// An explanation of how the applicable IAM allow policies affect the final
// access state.
AllowPolicyExplanation allow_policy_explanation = 3;
// An explanation of how the applicable IAM deny policies affect the final
// access state.
DenyPolicyExplanation deny_policy_explanation = 4;
}
// Information about the principal, resource, and permission to check.
message AccessTuple {
// Required. The email address of the principal whose access you want to
// check. For example, `alice@example.com` or
// `my-service-account@my-project.iam.gserviceaccount.com`.
//
// The principal must be a Google Account or a service account. Other types of
// principals are not supported.
string principal = 1 [(google.api.field_behavior) = REQUIRED];
// Required. The full resource name that identifies the resource. For example,
// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
//
// For examples of full resource names for Google Cloud services, see
// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
string full_resource_name = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The IAM permission to check for, either in the `v1` permission
// format or the `v2` permission format.
//
// For a complete list of IAM permissions in the `v1` format, see
// https://cloud.google.com/iam/help/permissions/reference.
//
// For a list of IAM permissions in the `v2` format, see
// https://cloud.google.com/iam/help/deny/supported-permissions.
//
// For a complete list of predefined IAM roles and the permissions in each
// role, see https://cloud.google.com/iam/help/roles/reference.
string permission = 3 [(google.api.field_behavior) = REQUIRED];
// Output only. The permission that Policy Troubleshooter checked for, in
// the `v2` format.
string permission_fqdn = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// Optional. Additional context for the request, such as the request time or
// IP address. This context allows Policy Troubleshooter to troubleshoot
// conditional role bindings and deny rules.
ConditionContext condition_context = 5
[(google.api.field_behavior) = OPTIONAL];
}
// Additional context for troubleshooting conditional role bindings and deny
// rules.
message ConditionContext {
// Core attributes for a resource. A resource is an
// addressable (named) entity provided by the destination service. For
// example, a Compute Engine instance.
message Resource {
// The name of the service that this resource belongs to, such as
// `compute.googleapis.com`. The service name might not match the DNS
// hostname that actually serves the request.
//
// For a full list of resource service values, see
// https://cloud.google.com/iam/help/conditions/resource-services
string service = 1;
// The stable identifier (name) of a resource on the `service`. A resource
// can be logically identified as `//{resource.service}/{resource.name}`.
// Unlike the resource URI, the resource name doesn't contain any protocol
// and version information.
//
// For a list of full resource name formats, see
// https://cloud.google.com/iam/help/troubleshooter/full-resource-names
string name = 2;
// The type of the resource, in the format `{service}/{kind}`.
//
// For a full list of resource type values, see
// https://cloud.google.com/iam/help/conditions/resource-types
string type = 3;
}
// This message defines attributes for a node that handles a network request.
// The node can be either a service or an application that sends, forwards,
// or receives the request. Service peers should fill in
// `principal` and `labels` as appropriate.
message Peer {
// The IPv4 or IPv6 address of the peer.
string ip = 1;
// The network port of the peer.
int64 port = 2;
}
// This message defines attributes for an HTTP request. If the actual
// request is not an HTTP request, the runtime system should try to map
// the actual request to an equivalent HTTP request.
message Request {
// Optional. The timestamp when the destination service receives the first
// byte of the request.
google.protobuf.Timestamp receive_time = 1
[(google.api.field_behavior) = OPTIONAL];
}
// A tag that applies to a resource during policy evaluation. Tags can be
// either directly bound to a resource or inherited from its ancestor.
// `EffectiveTag` contains the `name` and `namespaced_name` of the tag value
// and tag key, with additional fields of `inherited` to indicate the
// inheritance status of the effective tag.
message EffectiveTag {
// Output only. Resource name for TagValue in the format `tagValues/456`.
string tag_value = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
// Output only. The namespaced name of the TagValue. Can be in the form
// `{organization_id}/{tag_key_short_name}/{tag_value_short_name}` or
// `{project_id}/{tag_key_short_name}/{tag_value_short_name}` or
// `{project_number}/{tag_key_short_name}/{tag_value_short_name}`.
string namespaced_tag_value = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
// Output only. The name of the TagKey, in the format `tagKeys/{id}`, such
// as `tagKeys/123`.
string tag_key = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
// Output only. The namespaced name of the TagKey. Can be in the form
// `{organization_id}/{tag_key_short_name}` or
// `{project_id}/{tag_key_short_name}` or
// `{project_number}/{tag_key_short_name}`.
string namespaced_tag_key = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// The parent name of the tag key.
// Must be in the format `organizations/{organization_id}` or
// `projects/{project_number}`
string tag_key_parent_name = 6;
// Output only. Indicates the inheritance status of a tag value
// attached to the given resource. If the tag value is inherited from one of
// the resource's ancestors, inherited will be true. If false, then the tag
// value is directly attached to the resource, inherited will be false.
bool inherited = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// Represents a target resource that is involved with a network activity.
// If multiple resources are involved with an activity, this must be the
// primary one.
Resource resource = 1;
// The destination of a network activity, such as accepting a TCP connection.
// In a multi-hop network activity, the destination represents the receiver of
// the last hop.
Peer destination = 2;
// Represents a network request, such as an HTTP request.
Request request = 3;
// Output only. The effective tags on the resource. The effective tags are
// fetched during troubleshooting.
repeated EffectiveTag effective_tags = 4
[(google.api.field_behavior) = OUTPUT_ONLY];
}
// Details about how the relevant IAM allow policies affect the final access
// state.
message AllowPolicyExplanation {
// Indicates whether the principal has the specified permission for the
// specified resource, based on evaluating all applicable IAM allow policies.
AllowAccessState allow_access_state = 1;
// List of IAM allow policies that were evaluated to check the principal's
// permissions, with annotations to indicate how each policy contributed to
// the final result.
//
// The list of policies includes the policy for the resource itself, as well
// as allow policies that are inherited from higher levels of the resource
// hierarchy, including the organization, the folder, and the project.
//
// To learn more about the resource hierarchy, see
// https://cloud.google.com/iam/help/resource-hierarchy.
repeated ExplainedAllowPolicy explained_policies = 2;
// The relevance of the allow policy type to the overall access state.
HeuristicRelevance relevance = 3;
}
// Details about how a specific IAM allow policy contributed to the final access
// state.
message ExplainedAllowPolicy {
// Required. Indicates whether _this policy_ provides the specified permission
// to the specified principal for the specified resource.
//
// This field does _not_ indicate whether the principal actually has the
// permission for the resource. There might be another policy that overrides
// this policy. To determine whether the principal actually has the
// permission, use the `overall_access_state` field in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
AllowAccessState allow_access_state = 1
[(google.api.field_behavior) = REQUIRED];
// The full resource name that identifies the resource. For example,
// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
//
// For examples of full resource names for Google Cloud services, see
// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
string full_resource_name = 2;
// Details about how each role binding in the policy affects the principal's
// ability, or inability, to use the permission for the resource. The order of
// the role bindings matches the role binding order in the policy.
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
repeated AllowBindingExplanation binding_explanations = 3;
// The relevance of this policy to the overall access state in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
HeuristicRelevance relevance = 4;
// The IAM allow policy attached to the resource.
//
// If the sender of the request does not have access to the policy, this field
// is empty.
google.iam.v1.Policy policy = 5;
}
// Details about how a role binding in an allow policy affects a principal's
// ability to use a permission.
message AllowBindingExplanation {
// Details about whether the role binding includes the principal.
message AnnotatedAllowMembership {
// Indicates whether the role binding includes the principal.
MembershipMatchingState membership = 1;
// The relevance of the principal's status to the overall determination for
// the role binding.
HeuristicRelevance relevance = 2;
}
// Required. Indicates whether _this role binding_ gives the specified
// permission to the specified principal on the specified resource.
//
// This field does _not_ indicate whether the principal actually has the
// permission on the resource. There might be another role binding that
// overrides this role binding. To determine whether the principal actually
// has the permission, use the `overall_access_state` field in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
AllowAccessState allow_access_state = 1
[(google.api.field_behavior) = REQUIRED];
// The role that this role binding grants. For example,
// `roles/compute.admin`.
//
// For a complete list of predefined IAM roles, as well as the permissions in
// each role, see https://cloud.google.com/iam/help/roles/reference.
string role = 2;
// Indicates whether the role granted by this role binding contains the
// specified permission.
RolePermissionInclusionState role_permission = 3;
// The relevance of the permission's existence, or nonexistence, in the role
// to the overall determination for the entire policy.
HeuristicRelevance role_permission_relevance = 4;
// The combined result of all memberships. Indicates if the principal is
// included in any role binding, either directly or indirectly.
AnnotatedAllowMembership combined_membership = 5;
// Indicates whether each role binding includes the principal specified in the
// request, either directly or indirectly. Each key identifies a principal in
// the role binding, and each value indicates whether the principal in the
// role binding includes the principal in the request.
//
// For example, suppose that a role binding includes the following principals:
//
// * `user:alice@example.com`
// * `group:product-eng@example.com`
//
// You want to troubleshoot access for `user:bob@example.com`. This user is a
// member of the group `group:product-eng@example.com`.
//
// For the first principal in the role binding, the key is
// `user:alice@example.com`, and the `membership` field in the value is set to
// `NOT_INCLUDED`.
//
// For the second principal in the role binding, the key is
// `group:product-eng@example.com`, and the `membership` field in the value is
// set to `INCLUDED`.
map<string, AnnotatedAllowMembership> memberships = 6;
// The relevance of this role binding to the overall determination for the
// entire policy.
HeuristicRelevance relevance = 7;
// A condition expression that specifies when the role binding grants access.
//
// To learn about IAM Conditions, see
// https://cloud.google.com/iam/help/conditions/overview.
google.type.Expr condition = 8;
// Condition evaluation state for this role binding.
ConditionExplanation condition_explanation = 9;
}
// Details about how the relevant IAM deny policies affect the final access
// state.
message DenyPolicyExplanation {
// Indicates whether the principal is denied the specified permission for
// the specified resource, based on evaluating all applicable IAM deny
// policies.
DenyAccessState deny_access_state = 1;
// List of resources with IAM deny policies that were evaluated to check the
// principal's denied permissions, with annotations to indicate how each
// policy contributed to the final result.
//
// The list of resources includes the policy for the resource itself, as well
// as policies that are inherited from higher levels of the resource
// hierarchy, including the organization, the folder, and the project. The
// order of the resources starts from the resource and climbs up the resource
// hierarchy.
//
// To learn more about the resource hierarchy, see
// https://cloud.google.com/iam/help/resource-hierarchy.
repeated ExplainedDenyResource explained_resources = 2;
// The relevance of the deny policy result to the overall access state.
HeuristicRelevance relevance = 3;
// Indicates whether the permission to troubleshoot is supported in deny
// policies.
bool permission_deniable = 4;
}
// Details about how a specific resource contributed to the deny policy
// evaluation.
message ExplainedDenyResource {
// Required. Indicates whether any policies attached to _this resource_ deny
// the specific permission to the specified principal for the specified
// resource.
//
// This field does _not_ indicate whether the principal actually has the
// permission for the resource. There might be another policy that overrides
// this policy. To determine whether the principal actually has the
// permission, use the `overall_access_state` field in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
DenyAccessState deny_access_state = 1
[(google.api.field_behavior) = REQUIRED];
// The full resource name that identifies the resource. For example,
// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
//
// For examples of full resource names for Google Cloud services, see
// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
string full_resource_name = 2;
// List of IAM deny policies that were evaluated to check the principal's
// denied permissions, with annotations to indicate how each policy
// contributed to the final result.
repeated ExplainedDenyPolicy explained_policies = 3;
// The relevance of this policy to the overall access state in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
HeuristicRelevance relevance = 4;
}
// Details about how a specific IAM deny policy [Policy][google.iam.v2.Policy]
// contributed to the access check.
message ExplainedDenyPolicy {
// Required. Indicates whether _this policy_ denies the specified permission
// to the specified principal for the specified resource.
//
// This field does _not_ indicate whether the principal actually has the
// permission for the resource. There might be another policy that overrides
// this policy. To determine whether the principal actually has the
// permission, use the `overall_access_state` field in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
DenyAccessState deny_access_state = 1
[(google.api.field_behavior) = REQUIRED];
// The IAM deny policy attached to the resource.
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
google.iam.v2.Policy policy = 2;
// Details about how each rule in the policy affects the principal's inability
// to use the permission for the resource. The order of the deny rule matches
// the order of the rules in the deny policy.
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
repeated DenyRuleExplanation rule_explanations = 3;
// The relevance of this policy to the overall access state in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
//
// If the sender of the request does not have access to the policy, this field
// is omitted.
HeuristicRelevance relevance = 4;
}
// Details about how a deny rule in a deny policy affects a principal's ability
// to use a permission.
message DenyRuleExplanation {
// Details about whether the permission in the request is denied by the
// deny rule.
message AnnotatedPermissionMatching {
// Indicates whether the permission in the request is denied by the deny
// rule.
PermissionPatternMatchingState permission_matching_state = 1;
// The relevance of the permission status to the overall determination for
// the rule.
HeuristicRelevance relevance = 2;
}
// Details about whether the principal in the request is listed as a denied
// principal in the deny rule, either directly or through membership in a
// principal set.
message AnnotatedDenyPrincipalMatching {
// Indicates whether the principal is listed as a denied principal in the
// deny rule, either directly or through membership in a principal set.
MembershipMatchingState membership = 1;
// The relevance of the principal's status to the overall determination for
// the role binding.
HeuristicRelevance relevance = 2;
}
// Required. Indicates whether _this rule_ denies the specified permission to
// the specified principal for the specified resource.
//
// This field does _not_ indicate whether the principal is actually denied on
// the permission for the resource. There might be another rule that overrides
// this rule. To determine whether the principal actually has the permission,
// use the `overall_access_state` field in the
// [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
DenyAccessState deny_access_state = 1
[(google.api.field_behavior) = REQUIRED];
// Indicates whether the permission in the request is listed as a denied
// permission in the deny rule.
AnnotatedPermissionMatching combined_denied_permission = 2;
// Lists all denied permissions in the deny rule and indicates whether each
// permission matches the permission in the request.
//
// Each key identifies a denied permission in the rule, and each value
// indicates whether the denied permission matches the permission in the
// request.
map<string, AnnotatedPermissionMatching> denied_permissions = 3;
// Indicates whether the permission in the request is listed as an exception
// permission in the deny rule.
AnnotatedPermissionMatching combined_exception_permission = 4;
// Lists all exception permissions in the deny rule and indicates whether each
// permission matches the permission in the request.
//
// Each key identifies a exception permission in the rule, and each value
// indicates whether the exception permission matches the permission in the
// request.
map<string, AnnotatedPermissionMatching> exception_permissions = 5;
// Indicates whether the principal is listed as a denied principal in the
// deny rule, either directly or through membership in a principal set.
AnnotatedDenyPrincipalMatching combined_denied_principal = 6;
// Lists all denied principals in the deny rule and indicates whether each
// principal matches the principal in the request, either directly or through
// membership in a principal set.
//
// Each key identifies a denied principal in the rule, and each value
// indicates whether the denied principal matches the principal in the
// request.
map<string, AnnotatedDenyPrincipalMatching> denied_principals = 7;
// Indicates whether the principal is listed as an exception principal in the
// deny rule, either directly or through membership in a principal set.
AnnotatedDenyPrincipalMatching combined_exception_principal = 8;
// Lists all exception principals in the deny rule and indicates whether each
// principal matches the principal in the request, either directly or through
// membership in a principal set.
//
// Each key identifies a exception principal in the rule, and each value
// indicates whether the exception principal matches the principal in the
// request.
map<string, AnnotatedDenyPrincipalMatching> exception_principals = 9;
// The relevance of this role binding to the overall determination for the
// entire policy.
HeuristicRelevance relevance = 10;
// A condition expression that specifies when the deny rule denies the
// principal access.
//
// To learn about IAM Conditions, see
// https://cloud.google.com/iam/help/conditions/overview.
google.type.Expr condition = 11;
// Condition evaluation state for this role binding.
ConditionExplanation condition_explanation = 12;
}
// Explanation for how a condition affects a principal's access
message ConditionExplanation {
// Evaluated state of a condition expression.
message EvaluationState {
// Start position of an expression in the condition, by character.
int32 start = 1;
// End position of an expression in the condition, by character,
// end included, for example: the end position of the first part of
// `a==b || c==d` would be 4.
int32 end = 2;
// Value of this expression.
google.protobuf.Value value = 3;
// Any errors that prevented complete evaluation of the condition
// expression.
repeated google.rpc.Status errors = 4;
}
// Value of the condition.
google.protobuf.Value value = 1;
// Any errors that prevented complete evaluation of the condition expression.
repeated google.rpc.Status errors = 3;
// The value of each statement of the condition expression. The value can be
// `true`, `false`, or `null`. The value is `null` if the statement can't be
// evaluated.
repeated EvaluationState evaluation_states = 2;
}