feat: Cloud Bigtable Authorized Views admin APIs protos

PiperOrigin-RevId: 612537460

google/bigtable/admin/v2/bigtable_table_admin.proto

@@ -136,6 +136,61 @@ service BigtableTableAdmin {
     };
   }
 
+  // Creates a new AuthorizedView in a table.
+  rpc CreateAuthorizedView(CreateAuthorizedViewRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      post: "/v2/{parent=projects/*/instances/*/tables/*}/authorizedViews"
+      body: "authorized_view"
+    };
+    option (google.api.method_signature) =
+        "parent,authorized_view,authorized_view_id";
+    option (google.longrunning.operation_info) = {
+      response_type: "AuthorizedView"
+      metadata_type: "CreateAuthorizedViewMetadata"
+    };
+  }
+
+  // Lists all AuthorizedViews from a specific table.
+  rpc ListAuthorizedViews(ListAuthorizedViewsRequest)
+      returns (ListAuthorizedViewsResponse) {
+    option (google.api.http) = {
+      get: "/v2/{parent=projects/*/instances/*/tables/*}/authorizedViews"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Gets information from a specified AuthorizedView.
+  rpc GetAuthorizedView(GetAuthorizedViewRequest) returns (AuthorizedView) {
+    option (google.api.http) = {
+      get: "/v2/{name=projects/*/instances/*/tables/*/authorizedViews/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Updates an AuthorizedView in a table.
+  rpc UpdateAuthorizedView(UpdateAuthorizedViewRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      patch: "/v2/{authorized_view.name=projects/*/instances/*/tables/*/authorizedViews/*}"
+      body: "authorized_view"
+    };
+    option (google.api.method_signature) = "authorized_view,update_mask";
+    option (google.longrunning.operation_info) = {
+      response_type: "AuthorizedView"
+      metadata_type: "UpdateAuthorizedViewMetadata"
+    };
+  }
+
+  // Permanently deletes a specified AuthorizedView.
+  rpc DeleteAuthorizedView(DeleteAuthorizedViewRequest)
+      returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v2/{name=projects/*/instances/*/tables/*/authorizedViews/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Performs a series of column family modifications on the specified table.
   // Either all or none of the modifications will occur before this method
   // returns, but data requests received prior to that point may see a table
@@ -1194,3 +1249,158 @@ message CopyBackupMetadata {
   // operation.
   OperationProgress progress = 3;
 }
+
+// The request for
+// [CreateAuthorizedView][google.bigtable.admin.v2.BigtableTableAdmin.CreateAuthorizedView]
+message CreateAuthorizedViewRequest {
+  // Required. This is the name of the table the AuthorizedView belongs to.
+  // Values are of the form
+  // `projects/{project}/instances/{instance}/tables/{table}`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "bigtableadmin.googleapis.com/AuthorizedView"
+    }
+  ];
+
+  // Required. The id of the AuthorizedView to create. This AuthorizedView must
+  // not already exist. The `authorized_view_id` appended to `parent` forms the
+  // full AuthorizedView name of the form
+  // `projects/{project}/instances/{instance}/tables/{table}/authorizedView/{authorized_view}`.
+  string authorized_view_id = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The AuthorizedView to create.
+  AuthorizedView authorized_view = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The metadata for the Operation returned by CreateAuthorizedView.
+message CreateAuthorizedViewMetadata {
+  // The request that prompted the initiation of this CreateInstance operation.
+  CreateAuthorizedViewRequest original_request = 1;
+
+  // The time at which the original request was received.
+  google.protobuf.Timestamp request_time = 2;
+
+  // The time at which the operation failed or was completed successfully.
+  google.protobuf.Timestamp finish_time = 3;
+}
+
+// Request message for
+// [google.bigtable.admin.v2.BigtableTableAdmin.ListAuthorizedViews][google.bigtable.admin.v2.BigtableTableAdmin.ListAuthorizedViews]
+message ListAuthorizedViewsRequest {
+  // Required. The unique name of the table for which AuthorizedViews should be
+  // listed. Values are of the form
+  // `projects/{project}/instances/{instance}/tables/{table}`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "bigtableadmin.googleapis.com/AuthorizedView"
+    }
+  ];
+
+  // Optional. Maximum number of results per page.
+  //
+  // A page_size of zero lets the server choose the number of items to return.
+  // A page_size which is strictly positive will return at most that many items.
+  // A negative page_size will cause an error.
+  //
+  // Following the first request, subsequent paginated calls are not required
+  // to pass a page_size. If a page_size is set in subsequent calls, it must
+  // match the page_size given in the first request.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The value of `next_page_token` returned by a previous call.
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The resource_view to be applied to the returned views' fields.
+  // Default to NAME_ONLY.
+  AuthorizedView.ResponseView view = 4 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Response message for
+// [google.bigtable.admin.v2.BigtableTableAdmin.ListAuthorizedViews][google.bigtable.admin.v2.BigtableTableAdmin.ListAuthorizedViews]
+message ListAuthorizedViewsResponse {
+  // The AuthorizedViews present in the requested table.
+  repeated AuthorizedView authorized_views = 1;
+
+  // Set if not all tables could be returned in a single response.
+  // Pass this value to `page_token` in another request to get the next
+  // page of results.
+  string next_page_token = 2;
+}
+
+// Request message for
+// [google.bigtable.admin.v2.BigtableTableAdmin.GetAuthorizedView][google.bigtable.admin.v2.BigtableTableAdmin.GetAuthorizedView]
+message GetAuthorizedViewRequest {
+  // Required. The unique name of the requested AuthorizedView.
+  // Values are of the form
+  // `projects/{project}/instances/{instance}/tables/{table}/authorizedViews/{authorized_view}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "bigtableadmin.googleapis.com/AuthorizedView"
+    }
+  ];
+
+  // Optional. The resource_view to be applied to the returned AuthorizedView's
+  // fields. Default to BASIC.
+  AuthorizedView.ResponseView view = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// The request for
+// [UpdateAuthorizedView][google.bigtable.admin.v2.BigtableTableAdmin.UpdateAuthorizedView].
+message UpdateAuthorizedViewRequest {
+  // Required. The AuthorizedView to update. The `name` in `authorized_view` is
+  // used to identify the AuthorizedView. AuthorizedView name must in this
+  // format
+  // projects/<project>/instances/<instance>/tables/<table>/authorizedViews/<authorized_view>
+  AuthorizedView authorized_view = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. The list of fields to update.
+  // A mask specifying which fields in the AuthorizedView resource should be
+  // updated. This mask is relative to the AuthorizedView resource, not to the
+  // request message. A field will be overwritten if it is in the mask. If
+  // empty, all fields set in the request will be overwritten. A special value
+  // `*` means to overwrite all fields (including fields not set in the
+  // request).
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. If true, ignore the safety checks when updating the
+  // AuthorizedView.
+  bool ignore_warnings = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Metadata for the google.longrunning.Operation returned by
+// [UpdateAuthorizedView][google.bigtable.admin.v2.BigtableTableAdmin.UpdateAuthorizedView].
+message UpdateAuthorizedViewMetadata {
+  // The request that prompted the initiation of this UpdateAuthorizedView
+  // operation.
+  UpdateAuthorizedViewRequest original_request = 1;
+
+  // The time at which the original request was received.
+  google.protobuf.Timestamp request_time = 2;
+
+  // The time at which the operation failed or was completed successfully.
+  google.protobuf.Timestamp finish_time = 3;
+}
+
+// Request message for
+// [google.bigtable.admin.v2.BigtableTableAdmin.DeleteAuthorizedView][google.bigtable.admin.v2.BigtableTableAdmin.DeleteAuthorizedView]
+message DeleteAuthorizedViewRequest {
+  // Required. The unique name of the AuthorizedView to be deleted.
+  // Values are of the form
+  // `projects/{project}/instances/{instance}/tables/{table}/authorizedViews/{authorized_view}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "bigtableadmin.googleapis.com/AuthorizedView"
+    }
+  ];
+
+  // Optional. The current etag of the AuthorizedView.
+  // If an etag is provided and does not match the current etag of the
+  // AuthorizedView, deletion will be blocked and an ABORTED error will be
+  // returned.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
+}

google/bigtable/admin/v2/bigtableadmin_v2.yaml

@@ -10,6 +10,7 @@ apis:
 types:
 - name: google.bigtable.admin.v2.Backup
 - name: google.bigtable.admin.v2.CopyBackupMetadata
+- name: google.bigtable.admin.v2.CreateAuthorizedViewMetadata
 - name: google.bigtable.admin.v2.CreateBackupMetadata
 - name: google.bigtable.admin.v2.CreateClusterMetadata
 - name: google.bigtable.admin.v2.CreateInstanceMetadata
@@ -20,6 +21,7 @@ types:
 - name: google.bigtable.admin.v2.SnapshotTableMetadata
 - name: google.bigtable.admin.v2.UndeleteTableMetadata
 - name: google.bigtable.admin.v2.UpdateAppProfileMetadata
+- name: google.bigtable.admin.v2.UpdateAuthorizedViewMetadata
 - name: google.bigtable.admin.v2.UpdateClusterMetadata
 - name: google.bigtable.admin.v2.UpdateInstanceMetadata
 - name: google.bigtable.admin.v2.UpdateTableMetadata

google/bigtable/admin/v2/table.proto

@@ -186,6 +186,79 @@ message Table {
   bool deletion_protection = 9;
 }
 
+// AuthorizedViews represent subsets of a particular Cloud Bigtable table. Users
+// can configure access to each Authorized View independently from the table and
+// use the existing Data APIs to access the subset of data.
+message AuthorizedView {
+  option (google.api.resource) = {
+    type: "bigtableadmin.googleapis.com/AuthorizedView"
+    pattern: "projects/{project}/instances/{instance}/tables/{table}/authorizedViews/{authorized_view}"
+    plural: "authorizedViews"
+    singular: "authorizedView"
+  };
+
+  // Subsets of a column family that are included in this AuthorizedView.
+  message FamilySubsets {
+    // Individual exact column qualifiers to be included in the AuthorizedView.
+    repeated bytes qualifiers = 1;
+
+    // Prefixes for qualifiers to be included in the AuthorizedView. Every
+    // qualifier starting with one of these prefixes is included in the
+    // AuthorizedView. To provide access to all qualifiers, include the empty
+    // string as a prefix
+    // ("").
+    repeated bytes qualifier_prefixes = 2;
+  }
+
+  // Defines a simple AuthorizedView that is a subset of the underlying Table.
+  message SubsetView {
+    // Row prefixes to be included in the AuthorizedView.
+    // To provide access to all rows, include the empty string as a prefix ("").
+    repeated bytes row_prefixes = 1;
+
+    // Map from column family name to the columns in this family to be included
+    // in the AuthorizedView.
+    map<string, FamilySubsets> family_subsets = 2;
+  }
+
+  // Defines a subset of an AuthorizedView's fields.
+  enum ResponseView {
+    // Uses the default view for each method as documented in the request.
+    RESPONSE_VIEW_UNSPECIFIED = 0;
+
+    // Only populates `name`.
+    NAME_ONLY = 1;
+
+    // Only populates the AuthorizedView's basic metadata. This includes:
+    // name, deletion_protection, etag.
+    BASIC = 2;
+
+    // Populates every fields.
+    FULL = 3;
+  }
+
+  // Identifier. The name of this AuthorizedView.
+  // Values are of the form
+  // `projects/{project}/instances/{instance}/tables/{table}/authorizedViews/{authorized_view}`
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
+
+  // The type of this AuthorizedView.
+  oneof authorized_view {
+    // An AuthorizedView permitting access to an explicit subset of a Table.
+    SubsetView subset_view = 2;
+  }
+
+  // The etag for this AuthorizedView.
+  // If this is provided on update, it must match the server's etag. The server
+  // returns ABORTED error on a mismatched etag.
+  string etag = 3;
+
+  // Set to true to make the AuthorizedView protected against deletion.
+  // The parent Table and containing Instance cannot be deleted if an
+  // AuthorizedView has this bit set.
+  bool deletion_protection = 4;
+}
+
 // A set of columns within a table which share a common configuration.
 message ColumnFamily {
   // Garbage collection rule specified as a protobuf.