ActivityLogService tracks historical changes to configuration made through Pomerium Enterprise
rpc GetActivityLogEntry(GetActivityLogEntryRequest) GetActivityLogEntryResponse
GetActivityLogEntry retrieves a specific activity log entry
rpc ListActivityLogEntries(ListActivityLogEntriesRequest) ListActivityLogEntriesResponse
ListActivityLogEntries lists activity log entries based on paramters in the ListActivityLogEntriesRequest
ActivityLogEntry contains context associated with a change in the deployment history
| Field | Type | Description |
|---|---|---|
| id | string | none |
| activity_type | string | DELETE or SET |
| created_at | google.protobuf.Timestamp | none |
| namespace_id | string | none |
| namespace_name | string | none |
| user_id | string | none |
| user_name | string | none |
| user_email | string | none |
| entity_type | string | route |
| entity_id | string | none |
| entity_data | string | none |
| diff_summary | ActivityLogEntry.DiffSummary | none |
| db_version | uint64 | databroker version this change synced to |
| session_id | string | none |
| service_account_id | string | none |
| impersonate_user_id | string | none |
| impersonate_user_name | string | none |
| impersonate_user_email | string | none |
| impersonate_user_groups | repeated string | none |
| Field | Type | Description |
|---|---|---|
| added | int64 | number of lines added |
| removed | int64 | number of lines removed |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| entry | ActivityLogEntry | none |
ListActivityLogEntriesRequest defines the types of Activity Log entries to list
| Field | Type | Description |
|---|---|---|
| oneof _activity_type.activity_type | optional string | DELETE |
| oneof _namespace_id.namespace_id | optional string | none |
| oneof _user_id.user_id | optional string | none |
| oneof _entity_type.entity_type | optional string | route |
| oneof _entity_id.entity_id | optional string | none |
| oneof _query.query | optional string | newest |
| oneof _offset.offset | optional int64 | list entries starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| db_versions | repeated uint64 | databroker versions of the change |
| oneof _recurse_namespace.recurse_namespace | optional bool | if true, show activity for the namespace and any child namespaces |
| entities | repeated ListActivityLogEntriesRequest.Entity | the entities are a list of entities to retrieve the activity log for |
| oneof _sort.sort | optional ListActivityLogEntriesRequest.Sort | none |
| date_filter | ListActivityLogEntriesRequest.DateFilter | none |
| string_filter | ListActivityLogEntriesRequest.StringFilter | none |
filter for dates
| Field | Type | Description |
|---|---|---|
| operator | string | = |
| date | google.protobuf.Timestamp | none |
an entity is a single entity (route, policy, etc.)
| Field | Type | Description |
|---|---|---|
| type | string | none |
| id | string | none |
used to sort the db query
| Field | Type | Description |
|---|---|---|
| column | string | activity_type |
| direction | string | ASC |
filter for strings
| Field | Type | Description |
|---|---|---|
| fieldName | string | none |
| operator | string | contains |
| value | string | none |
ListActivityLogEntriesResponse is a list of Activity Log entries found from a ListActivityLogEntriesRequest
| Field | Type | Description |
|---|---|---|
| entries | repeated ActivityLogEntry | Activity Log entries |
| total_count | int64 | none |
| Field | Type | Description |
|---|---|---|
| key_pairs | repeated KeyPair | none |
| namespaces | repeated Namespace | none |
| policies | repeated Policy | none |
| routes | repeated Route | none |
| settings | Settings | none |
Events represent configuration changes made to envoy's controle plane by Pomerium
rpc Sync(SyncRequest) SyncResponse
Sync sends all current events and then pushes new events as they arrive
Event represents a single envoy DeltaDiscovery event
| Field | Type | Description |
|---|---|---|
| time | google.protobuf.Timestamp | none |
| message | string | none |
| code | int32 | none |
| details | repeated string | JSON serialized details |
| config_version | uint64 | databroker config version |
| type_url | string | envoy resource type (i.e. listener, cluster) |
| kind | Event.EventKind | envoy event kind |
| resource_subscribed | repeated string | envoy clusters or listeners that were added to the configuration |
| resource_unsubscribed | repeated string | clusters or listeners that were removed from the envoy configuration |
| instance | string | pomerium instance this event originated from |
| seq_no | uint64 | databroker record version during this event |
| nonce | string | none |
| Field | Type | Description |
|---|---|---|
| event | Event | none |
| Name | Number | Description |
|---|---|---|
| EVENT_KIND_UNDEFINED | 0 | none |
| EVENT_DISCOVERY_REQUEST_ACK | 1 | envoy_service_discovery_v3.DeltaDiscoveryRequest |
| EVENT_DISCOVERY_REQUEST_NACK | 2 | none |
| EVENT_DISCOVERY_RESPONSE | 3 | envoy_service_discovery_v3.DeltaDiscoveryResponse |
KeyChainService manages and store TLS Certificates, Keys and CAs, known as Key Pairs
rpc DeleteKeyPair(DeleteKeyPairRequest) DeleteKeyPairResponse
DeleteKeyPair remove an x509 key pair based on a DeleteKeyPairRequest
rpc GetKeyPair(GetKeyPairRequest) GetKeyPairResponse
GetKeyPair retrieves an existing key pair
rpc ListKeyPairs(ListKeyPairsRequest) ListKeyPairsResponse
ListKeyPairs lists existing key pairs based on parameters in ListKeyPairsRequest
rpc CreateKeyPair(CreateKeyPairRequest) CreateKeyPairResponse
CreateKeyPair creates a new key pair
rpc UpdateKeyPair(UpdateKeyPairRequest) UpdateKeyPairResponse
CreateKeyPair creates a new key pair
CertificateInfo is a .proto reflection of https://golang.org/pkg/crypto/x509/#Certificate
| Field | Type | Description |
|---|---|---|
| version | int64 | none |
| serial | string | none |
| issuer | Name | none |
| subject | Name | none |
| not_before | google.protobuf.Timestamp | none |
| not_after | google.protobuf.Timestamp | none |
| key_usage | KeyUsage | none |
| dns_names | repeated string | none |
| email_addresses | repeated string | none |
| ip_addresses | repeated string | none |
| uris | repeated string | none |
| permitted_dns_domains_critical | bool | none |
| permitted_dns_domains | repeated string | none |
| excluded_dns_domains | repeated string | none |
| permitted_ip_ranges | repeated string | none |
| excluded_ip_ranges | repeated string | none |
| permitted_email_addresses | repeated string | none |
| excluded_email_addresses | repeated string | none |
| permitted_uri_domains | repeated string | none |
| excluded_uri_domains | repeated string | none |
CreateKeyPairRequest defines a Key Pair to create
| Field | Type | Description |
|---|---|---|
| name | string | none |
| namespace_id | string | none |
| format | Format | encoding format of data |
| certificate | bytes | public certificate data |
| key | bytes | private key data |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
KeyPair represents raw Key Pair data for internal usage
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| certificate | bytes | public certificate data |
| key | bytes | private key data |
KeyPairRecord provides existing Key Pair metadata
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | database record creation time |
| modified_at | google.protobuf.Timestamp | database record modification time |
| cert_info | CertificateInfo | information about the public certificate |
| has_private_key | bool | Key Pair has a private key attached |
KeyUsage specifies the usage flags set on a signed TLS certificate
| Field | Type | Description |
|---|---|---|
| digital_signature | bool | standard key usages |
| content_commitment | bool | none |
| key_encipherment | bool | none |
| data_encipherment | bool | none |
| key_agreement | bool | none |
| cert_sign | bool | certificate authority |
| crl_sign | bool | none |
| encipher_only | bool | none |
| decipher_only | bool | none |
| server_auth | bool | extensions derived from x509.ExtKeyUsage server certificate |
| client_auth | bool | client certificate |
ListKeyPairsRequest defines the types of key pairs to list
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| oneof _query.query | optional string | list Key Pairs whose name contains the query string |
| oneof _offset.offset | optional int64 | list Key Pairs starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| oneof _order_by.order_by | optional string | newest, oldest, name, from |
ListKeyPairsResponse is the list of Key Pairs found from a ListKeyPairsRequest
| Field | Type | Description |
|---|---|---|
| key_pairs | repeated KeyPairRecord | Key Pairs found |
| total_count | int64 | none |
Name defines the x509 identity
| Field | Type | Description |
|---|---|---|
| country | repeated string | none |
| organization | repeated string | none |
| organizational_unit | repeated string | none |
| locality | repeated string | none |
| province | repeated string | none |
| street_address | repeated string | none |
| postal_code | repeated string | none |
| serial_number | string | none |
| common_name | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| format | Format | encoding format of data |
| certificate | bytes | public certificate data |
| key | bytes | private key data |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
Format specifies the encoding format of a certificate or key
| Name | Number | Description |
|---|---|---|
| FORMAT_UNDEFINED_DO_NOT_USE | 0 | none |
| PEM | 1 | none |
PublicKeyAlgorithm is the algorithm of a public key
| Name | Number | Description |
|---|---|---|
| PKA_UNKNOWN_DO_NOT_USE | 0 | none |
| RSA | 1 | none |
| DSA | 2 | none |
| ECDSA | 3 | none |
| ED25519 | 4 | none |
NamespacePermissionService manages permissions set on namespaces
rpc DeleteNamespacePermission(DeleteNamespacePermissionRequest) DeleteNamespacePermissionResponse
DeleteNamespacePermission removes an existing permission definition
rpc GetNamespacePermission(GetNamespacePermissionRequest) GetNamespacePermissionResponse
GetNamespacePermission retrieves an existing permission definition
rpc ListNamespacePermissions(ListNamespacePermissionsRequest) ListNamespacePermissionsResponse
ListNamespacePermissions retrieves existing permissions for all namespaces
rpc ListNamespacePermissionGroups(ListNamespacePermissionGroupsRequest) ListNamespacePermissionGroupsResponse
ListNamespacePermissionGroups retrieves existing group based permissions on a namespace
rpc ListNamespacePermissionUsers(ListNamespacePermissionUsersRequest) ListNamespacePermissionUsersResponse
ListNamespacePermissionUsers retrieves existing user based permissions on a namespace
rpc SetNamespacePermission(SetNamespacePermissionRequest) SetNamespacePermissionResponse
SetNamespacePermission set a new permission definition on a namespace
NamespaceService manages namespaces
rpc DeleteNamespace(DeleteNamespaceRequest) DeleteNamespaceResponse
DeleteNamespace deletes a namespace
rpc GetNamespace(GetNamespaceRequest) GetNamespaceResponse
GetNamespace retrieves a namespace
rpc ListNamespaces(ListNamespacesRequest) ListNamespacesResponse
ListNamespaces lists all namespaces
rpc SetNamespace(SetNamespaceRequest) SetNamespaceResponse
SetNamespace creates a namespace or, if the id is specified, updates an existing namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| groups | repeated NamespacePermissionGroup | none |
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| users | repeated NamespacePermissionUser | none |
| Field | Type | Description |
|---|---|---|
| namespace_permissions | repeated NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| namespaces | repeated Namespace | none |
Namespace defines a namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| parent_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| route_count | int64 | computed |
| policy_count | int64 | computed |
NamespacePermission defines a permission binding to an identity
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| namespace_id | string | none |
| namespace_name | string | none |
| subject_type | string | none |
| subject_id | string | none |
| role | string | none |
NamespacePermissionGroup defines a permission binding to a group identity
| Field | Type | Description |
|---|---|---|
| group_id | string | none |
| group_name | string | none |
| group_email | string | none |
| namespace_id | string | none |
| namespace_name | string | none |
| role | string | none |
NamespacePermissionUser defines a permission binding to a user identity
| Field | Type | Description |
|---|---|---|
| user_id | string | none |
| user_name | string | none |
| user_email | string | none |
| group_ids | repeated string | none |
| namespace_id | string | none |
| namespace_name | string | none |
| role | string | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
PolicyService manages policy creation and definition
rpc DeletePolicy(DeletePolicyRequest) DeletePolicyResponse
DeletePolicy deletes an existing policy
rpc GetPolicy(GetPolicyRequest) GetPolicyResponse
GetPolicy retrieves an existing policy
rpc ListPolicies(ListPoliciesRequest) ListPoliciesResponse
ListPolicies lists existing policies based on the ListPoliciesRequest parameters
rpc SetPolicy(SetPolicyRequest) SetPolicyResponse
SetPolicy creates a new policy or, if the id is specified, updates an existing policy
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
ListPoliciesRequest specifies the policies to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
| oneof _query.query | optional string | list Policies whose name contains the query string |
| oneof _offset.offset | optional int64 | list Policies starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| oneof _order_by.order_by | optional string | sort the Policies by newest, oldest or name |
ListPoliciesResponse is the list of policies found for a ListPoliciesRequest
| Field | Type | Description |
|---|---|---|
| policies | repeated Policy | none |
| total_count | int64 | none |
Policy defines an authorization policy which can be applied to a route or routes
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| description | string | none |
| allowed_users | repeated string | none |
| allowed_groups | repeated string | none |
| allowed_domains | repeated string | none |
| allowed_idp_claims | map Policy.AllowedIdpClaimsEntry | none |
| rego | repeated string | custom rego definition in string format |
| ppl | string | PPL definition in JSON format |
| enforced | bool | policy is automatically applied to all routes in namespace_id and child namespaces |
| routes | map Policy.RoutesEntry | computed |
route id => name | | namespace_name | string | computed |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | google.protobuf.ListValue | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
rpc PolicyReport(PolicyReportRequest) PolicyReportResponse
PolicyReport generates a policy report
PolicyReportRequest may either specify a list of routes, or request to report all routes of the namespace
| Field | Type | Description |
|---|---|---|
| route_ids | repeated string | none |
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| policies | repeated Policy | none |
RouteService manages proxy route definitions
rpc DeleteRoute(DeleteRouteRequest) DeleteRouteResponse
DeleteRoute removes an existing route
rpc GetRoute(GetRouteRequest) GetRouteResponse
GetRoute retrieves an existing route
rpc ListRoutes(ListRoutesRequest) ListRoutesResponse
ListRoutes lists routes based on ListRoutesRequest
rpc LoadRoutes(LoadRoutesRequest) LoadRoutesResponse
LoadRoutes imports routes from an existing OSS configuration
rpc SetRoute(SetRouteRequest) SetRouteResponse
SetRoute creates or, if id is defined, updates an existing route
rpc MoveRoutes(MoveRoutesRequest) MoveRoutesResponse
MoveRoutes takes an array of routeIds and moves them to a new namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
ListRoutesRequest defines the routes to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
| oneof _query.query | optional string | list Routes who's name, from or to contains the query string |
| oneof _offset.offset | optional int64 | list Routes starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of Route entries returned |
| oneof _order_by.order_by | optional string | sort the Routes by newest, oldest, name or from |
ListRoutesResponse is the list of routes found for a ListRoutesRequest
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| total_count | int64 | none |
LoadRoutesRequest creates a route based on a yaml payload
| Field | Type | Description |
|---|---|---|
| name | string | none |
| contents | bytes | OSS pomerium policy block |
LoadRoutesResponse contains the routes and policies crated from a LoadRoutesRequest
| Field | Type | Description |
|---|---|---|
| routes | repeated RouteWithPolicies | none |
| Field | Type | Description |
|---|---|---|
| route_ids | repeated string | none |
| new_namespace_id | string | none |
Route defines a proxy route's settings and policy associations
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| stat_name | string | name for prometheus stats, computed on first save |
| from | string | none |
| to | repeated string | none |
| oneof _prefix.prefix | optional string | none |
| oneof _path.path | optional string | none |
| oneof _regex.regex | optional string | none |
| oneof _prefix_rewrite.prefix_rewrite | optional string | none |
| oneof _regex_rewrite_pattern.regex_rewrite_pattern | optional string | none |
| oneof _regex_rewrite_substitution.regex_rewrite_substitution | optional string | none |
| oneof _host_rewrite.host_rewrite | optional string | none |
| oneof _host_rewrite_header.host_rewrite_header | optional string | none |
| oneof _host_path_regex_rewrite_pattern.host_path_regex_rewrite_pattern | optional string | none |
| oneof _host_path_regex_rewrite_substitution.host_path_regex_rewrite_substitution | optional string | none |
| oneof _regex_priority_order.regex_priority_order | optional int64 | none |
| oneof _timeout.timeout | optional google.protobuf.Duration | none |
| oneof _idle_timeout.idle_timeout | optional google.protobuf.Duration | none |
| oneof _allow_websockets.allow_websockets | optional bool | none |
| oneof _allow_spdy.allow_spdy | optional bool | none |
| oneof _tls_skip_verify.tls_skip_verify | optional bool | none |
| oneof _tls_server_name.tls_server_name | optional string | none |
| oneof _tls_custom_ca_key_pair_id.tls_custom_ca_key_pair_id | optional string | none |
| oneof _tls_client_key_pair_id.tls_client_key_pair_id | optional string | none |
| oneof _tls_downstream_client_ca_key_pair_id.tls_downstream_client_ca_key_pair_id | optional string | none |
| set_request_headers | map Route.SetRequestHeadersEntry | none |
| remove_request_headers | repeated string | none |
| rewrite_response_headers | repeated RouteRewriteHeader | none |
| oneof _preserve_host_header.preserve_host_header | optional bool | none |
| oneof _pass_identity_headers.pass_identity_headers | optional bool | none |
| oneof _kubernetes_service_account_token.kubernetes_service_account_token | optional string | none |
| envoy_opts | envoy.config.cluster.v3.Cluster | none |
| redirect | envoy.config.route.v3.RedirectAction | none |
| enable_google_cloud_serverless_authentication | bool | none |
| policy_ids | repeated string | policies applied to this route |
| policy_names | repeated string | computed properties (may be nil) |
| namespace_name | string | computed |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| header | string | none |
| oneof matcher.prefix | string | none |
| value | string | none |
RouteWithPolicies contains automatically created routes and policies from a LoadRoutesRequest
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| policies | repeated Policy | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
SettingsService manages global pomerium settings
rpc GetSettings(GetSettingsRequest) GetSettingsResponse
GetSettings retrieves the currently applied settings
rpc SetSettings(SetSettingsRequest) SetSettingsResponse
SetSettings applies new global settings
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
Settings defines the global pomerium settings
| Field | Type | Description |
|---|---|---|
| modified_at | google.protobuf.Timestamp | none |
| oneof _installation_id.installation_id | optional string | none |
| oneof _debug.debug | optional bool | none |
| oneof _log_level.log_level | optional string | none |
| oneof _proxy_log_level.proxy_log_level | optional string | none |
| oneof _shared_secret.shared_secret | optional string | none |
| oneof _services.services | optional string | none |
| oneof _address.address | optional string | none |
| oneof _insecure_server.insecure_server | optional bool | none |
| oneof _dns_lookup_family.dns_lookup_family | optional string | none |
| certificates | repeated Settings.Certificate | none |
| oneof _http_redirect_addr.http_redirect_addr | optional string | none |
| oneof _timeout_read.timeout_read | optional google.protobuf.Duration | none |
| oneof _timeout_write.timeout_write | optional google.protobuf.Duration | none |
| oneof _timeout_idle.timeout_idle | optional google.protobuf.Duration | none |
| oneof _authenticate_service_url.authenticate_service_url | optional string | none |
| oneof _authenticate_callback_path.authenticate_callback_path | optional string | none |
| oneof _cookie_name.cookie_name | optional string | none |
| oneof _cookie_secret.cookie_secret | optional string | none |
| oneof _cookie_domain.cookie_domain | optional string | none |
| oneof _cookie_secure.cookie_secure | optional bool | none |
| oneof _cookie_http_only.cookie_http_only | optional bool | none |
| oneof _cookie_expire.cookie_expire | optional google.protobuf.Duration | none |
| oneof _idp_client_id.idp_client_id | optional string | none |
| oneof _idp_client_secret.idp_client_secret | optional string | none |
| oneof _idp_provider.idp_provider | optional string | none |
| oneof _idp_provider_url.idp_provider_url | optional string | none |
| scopes | repeated string | none |
| oneof _idp_service_account.idp_service_account | optional string | none |
| oneof _idp_refresh_directory_timeout.idp_refresh_directory_timeout | optional google.protobuf.Duration | none |
| oneof _idp_refresh_directory_interval.idp_refresh_directory_interval | optional google.protobuf.Duration | none |
| request_params | map Settings.RequestParamsEntry | none |
| oneof _authorize_service_url.authorize_service_url | optional string | none |
| oneof _certificate_authority.certificate_authority | optional string | none |
| oneof _certificate_authority_file.certificate_authority_file | optional string | none |
| oneof _certificate_authority_key_pair_id.certificate_authority_key_pair_id | optional string | none |
| set_response_headers | map Settings.SetResponseHeadersEntry | none |
| jwt_claims_headers | map Settings.JwtClaimsHeadersEntry | none |
| oneof _default_upstream_timeout.default_upstream_timeout | optional google.protobuf.Duration | none |
| oneof _metrics_address.metrics_address | optional string | none |
| oneof _tracing_provider.tracing_provider | optional string | none |
| oneof _tracing_sample_rate.tracing_sample_rate | optional double | none |
| oneof _tracing_jaeger_collector_endpoint.tracing_jaeger_collector_endpoint | optional string | none |
| oneof _tracing_jaeger_agent_endpoint.tracing_jaeger_agent_endpoint | optional string | none |
| oneof _tracing_zipkin_endpoint.tracing_zipkin_endpoint | optional string | none |
| oneof _grpc_address.grpc_address | optional string | none |
| oneof _grpc_insecure.grpc_insecure | optional bool | none |
| oneof _forward_auth_url.forward_auth_url | optional string | none |
| oneof _cache_service_url.cache_service_url | optional string | none |
| oneof _databroker_service_url.databroker_service_url | optional string | none |
| oneof _client_ca.client_ca | optional string | none |
| oneof _client_ca_file.client_ca_file | optional string | none |
| oneof _client_ca_key_pair_id.client_ca_key_pair_id | optional string | none |
| oneof _google_cloud_serverless_authentication_service_account.google_cloud_serverless_authentication_service_account | optional string | none |
| oneof _autocert.autocert | optional bool | none |
| oneof _autocert_use_staging.autocert_use_staging | optional bool | none |
| oneof _autocert_must_staple.autocert_must_staple | optional bool | none |
| oneof _autocert_dir.autocert_dir | optional string | none |
| oneof _skip_xff_append.skip_xff_append | optional bool | none |
| Field | Type | Description |
|---|---|---|
| cert_bytes | bytes | none |
| key_bytes | bytes | none |
| key_pair_id | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
TimeSeriesDB is a generic service that is meant to be able to query for historical metrics and should provide a sufficient abstraction between the UI and underlying time series service, would it be Prometheus, embedded TSDB or other 3rd party provider
rpc GetRouteMetricChange(RouteMetricChangeRequest) Scalar
returns metric change for a period of time
rpc GetRouteMetricChangeHistogram(RouteMetricChangeRequest) ScalarBuckets
returns buckets of values for a given metric
rpc GetRouteMetricSeries(RouteMetricSeriesRequest) TimeSeriesResponse
returns metric change as time series
rpc GetRouteMetricSeriesHistogram(RouteMetricSeriesHistogramRequest) TimeSeriesResponse
returns metric change as time series
rpc GetRouteMetricSeriesMulti(RouteMetricSeriesRequest) TimeSeriesResponseMulti
returns multiple annotated time series
rpc GetUptime(UptimeRequest) UptimeResponse
returns service uptime statistics
rpc GetInstances(GetInstancesRequest) Instances
returns list of system services with metrics
rpc GetServerMetricSeries(ServerMetricSeriesRequest) TimeSeriesResponse
returns server queries
rpc GetServerMetric(ServerMetricRequest) Sample
returns current metric value
rpc GetStatus(GetStatusRequest) GetStatusResponse
returns current status of scraping targets
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| instance_id | string | none |
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| Field | Type | Description |
|---|---|---|
| targets | repeated GetStatusResponse.Target | none |
| oneof status.ok | bool | none |
| oneof status.last_error | string | none |
| Field | Type | Description |
|---|---|---|
| scrape_url | string | none |
| global_url | string | none |
| last_error | string | none |
| last_scrape | google.protobuf.Timestamp | none |
| health | GetStatusResponse.Target.Health | none |
| Field | Type | Description |
|---|---|---|
| instances | repeated Instances.Instance | none |
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| id | string | ID that should be used in requests for metrics |
| name | string | human readable instance name |
| Field | Type | Description |
|---|---|---|
| labels | map Labels.LabelsEntry | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| series | repeated TimeSeries | none |
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | Start time |
| end | google.protobuf.Timestamp | End time |
| step | google.protobuf.Duration | Max time between two slices within [start:end] |
RouteMatcher may be used to query data for multiple routes
| Field | Type | Description |
|---|---|---|
| oneof matcher.route_id | string | route database ID |
| oneof matcher.namespace_id | string | namespace ID |
Used to request a particular metric change within a given period of time
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| start | google.protobuf.Timestamp | Start time |
| end | google.protobuf.Timestamp | End time |
request route-specific metric time series histogram
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| percentile | double | if data for the metric was precomputed as histogram, the data may be requested within a certain percentile |
request route-specific metric time series
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| Field | Type | Description |
|---|---|---|
| labels | map Sample.LabelsEntry | none |
| value | Scalar | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| value | double | none |
| ts | google.protobuf.Timestamp | none |
returns histogram values
| Field | Type | Description |
|---|---|---|
| buckets | repeated ScalarBuckets.Bucket | none |
| Field | Type | Description |
|---|---|---|
| less_or_equal_than | double | bucket identifier |
| count | int64 | occurences for the given bucket |
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| instance_id | string | none |
| metric | Metric | metric to retrieve |
| Field | Type | Description |
|---|---|---|
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| percentile | double | if data for the metric was precomputed as histogram, the data may be requested within a certain percentile |
| component | Component | server component and instance ID |
| instance_id | string | none |
| Field | Type | Description |
|---|---|---|
| value | string | none |
| ts | google.protobuf.Timestamp | none |
| Field | Type | Description |
|---|---|---|
| labels | map TimeSeries.LabelsEntry | none |
| series | repeated Scalar | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
TimeSeries response returns
| Field | Type | Description |
|---|---|---|
| rate | Rate | provided for time-sampled values - i.e. requests |
| series | repeated Scalar | series are (timestamp,value) data points |
Multiple time series response
| Field | Type | Description |
|---|---|---|
| rate | Rate | none |
| series | repeated TimeSeries | none |
uptime info for all pomerium services for a given period of time
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| component | Component | none |
| instance_id | string | none |
service uptime is calculated based on liveness probe published by each component it is delivered as 2-level hierarchical periods to make it simple for the UI consumer it does not provide statistics as data representation makes it trivial to calculate depending on the UI requirements
| Field | Type | Description |
|---|---|---|
| intervals | repeated UptimeResponse.Summary | none |
summary provides a higher level information re health of the component
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| status | UptimeResponse.Status | aggregate status of the system |
| Field | Type | Description |
|---|---|---|
| samples | repeated Sample | none |
| Name | Number | Description |
|---|---|---|
| UNKNOWN_DO_NOT_USE | 0 | none |
| AUTHENTICATE | 1 | none |
| AUTHORIZE | 2 | none |
| DATABROKER | 3 | none |
| CONSOLE | 4 | none |
| PROXY | 5 | none |
| ALL_IN_ONE | 6 | used when all components are running in the all-in-one mode |
| PROXY_ENVOY | 7 | Proxy envoy is always reported separately |
| PROMETHEUS | 8 | none |
| Name | Number | Description |
|---|---|---|
| TARGET_HEALTH_UNKNOWN | 0 | none |
| TARGET_HEALTH_UP | 1 | none |
| TARGET_HEALTH_DOWN | 2 | none |
see https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats
| Name | Number | Description |
|---|---|---|
| UNDEFINED_METRIC_DO_NOT_USE | 0 | none |
| REQUESTS | 1 | request counter |
| REQUESTS_RATE | 2 | request rate (per second) |
| REQUESTS_DURATION_MS | 3 | duration of the request in milliseconds - this is a histogram counter and requires percentile |
| RESPONSE_CODES | 4 | returns distribution of response codes |
| AUTHZ_OK | 20 | Total responses from the authz filter (note that does not imply that requests were allowed to pass thru) |
| AUTHZ_DENIED | 21 | Total responses from the authorizations service that were to deny the traffic. |
| AUTHZ_ERROR | 22 | Total errors contacting the external service. |
| AUTHZ_DISABLED | 23 | Total requests that are allowed without calling external services due to the filter is disabled. |
| AUTHZ_FAILURE_MODE_ALLOWED | 24 | Total requests that were error(s) but were allowed through because of failure_mode_allow set to true. |
| MEMBERSHIP_HEALTHY | 30 | Current cluster healthy total (inclusive of both health checking and outlier detection) |
| MEMBERSHIP_DEGRADED | 31 | Current cluster degraded total |
| MEMBERSHIP_EXCLUDED | 32 | Current cluster excluded total |
| MEMBERSHIP_TOTAL | 33 | Current cluster membership total |
| RX_BYTES | 40 | bytes received - upstream_cx_rx_bytes_total |
| TX_BYTES | 41 | bytes sent - upstream_cx_tx_bytes_total |
| TOTAL_BYTES | 42 | total of rx + tx bytes |
| MEMORY_ALLOCATED | 51 | system metrics |
| CPU_USAGE | 52 | none |
| IDP_LAST_REFRESH_TIMESTAMP | 60 | identity provider specific |
| CONFIG_LAST_RELOAD_SUCCESS_TIMESTAMP | 70 | configuration related |
| BUILD_INFO | 71 | none |
| CONFIG_CHECKSUM_LOCAL | 72 | none |
| CONFIG_CHECKSUM_DATABROKER | 73 | none |
| CONFIG_VERSION | 74 | none |
| CONFIG_ERRORS | 75 | none |
| CONFIG_CONSOLE_VERSION | 76 | none |
| PROMETHEUS_STORAGE_BYTES | 80 | prometheus metrics |
Rate defines time-sampled values
| Name | Number | Description |
|---|---|---|
| NONE | 0 | undefined means this is an actual value that is not sampled |
| PER_SECOND | 1 | value represents per second |
| Name | Number | Description |
|---|---|---|
| UNDEFINED_STATUS_DO_NOT_USE | 0 | none |
| LIVE | 1 | fully operational |
| NO_DATA | 2 | no data is available for the period in the prometheus |
| DOWN | 3 | prometheus is up but the scraping instance is down |
PomeriumServiceAccountService manages service accounts for use with the pomerium console API
rpc AddPomeriumServiceAccount(AddPomeriumServiceAccountRequest) AddPomeriumServiceAccountResponse
AddPomeriumServiceAccount creates a new service account
rpc DeletePomeriumServiceAccount(DeletePomeriumServiceAccountRequest) DeletePomeriumServiceAccountResponse
DeletePomeriumServiceAccount removes an existing service account
rpc GetPomeriumServiceAccount(GetPomeriumServiceAccountRequest) GetPomeriumServiceAccountResponse
GetPomeriumServiceAccount retrieves an existing service account
rpc ListPomeriumServiceAccounts(ListPomeriumServiceAccountsRequest) ListPomeriumServiceAccountsResponse
ListPomeriumServiceAccounts lists service accounts based on the parameters in ListPomeriumServiceAccountsRequest
PomeriumSessionService manages user sessions inside the databroker
rpc DeletePomeriumSession(DeletePomeriumSessionRequest) DeletePomeriumSessionResponse
DeletePomeriumSession clears an existing user session
rpc GetPomeriumSession(GetPomeriumSessionRequest) GetPomeriumSessionResponse
GetPomeriumSession retrieves information about an existing user session
rpc Impersonate(ImpersonateRequest) ImpersonateResponse
Impersonate updates an existing session to impersonate another identity
rpc ListPomeriumSessions(ListPomeriumSessionsRequest) ListPomeriumSessionsResponse
ListPomeriumSessions lists existing sessions based on the parameters of ListPomeriumSessionsRequest
UserService supports querying directory data from the databroker
rpc GetUserInfo(GetUserInfoRequest) GetUserInfoResponse
GetUserInfo retrieves identity information and permission mappings for a user
rpc QueryGroups(QueryGroupsRequest) QueryGroupsResponse
QueryGroups retrieves groups from the databroker based on QueryGroupsRequest parameters
rpc QueryUsers(QueryUsersRequest) QueryUsersResponse
QueryUsers retrieves users from the databroker based on QueryUsersRequest parameters
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| JWT | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| session | PomeriumSession | none |
| Field | Type | Description |
|---|---|---|
| oneof _user_id.user_id | optional string | none |
| Field | Type | Description |
|---|---|---|
| user_info | UserInfo | none |
GroupInfo defines a directory group in the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
ImpersonateRequest defines the identity information to impersonate
| Field | Type | Description |
|---|---|---|
| session_id | string | none |
ListPomeriumServiceAccountsRequest specifies the service accounts to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
ListPomeriumServiceAccountsResponse is the list of service accounts found for a ListPomeriumServiceAccountsRequest
| Field | Type | Description |
|---|---|---|
| service_accounts | repeated PomeriumServiceAccount | none |
ListPomeriumSessionsRequest specifies the sessions to list
| Field | Type | Description |
|---|---|---|
| oneof _query.query | optional string | list Sessions with any fields that contain the query string |
| oneof _offset.offset | optional int64 | list Sessions starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of Session entries returned |
| oneof _order_by.order_by | optional string | sort the Sessions by newest, oldest or name |
| oneof _user_id.user_id | optional string | none |
ListPomeriumSessionsResponse is the sessions found for a ListPomeriumSessionsRequest
| Field | Type | Description |
|---|---|---|
| sessions | repeated PomeriumSession | none |
| total_count | int64 | none |
PomeriumServiceAccount defines the identity properties of a service account
| Field | Type | Description |
|---|---|---|
| id | string | none |
| oneof _namespace_id.namespace_id | optional string | none |
| user_id | string | none |
| expires_at | google.protobuf.Timestamp | none |
| issued_at | google.protobuf.Timestamp | none |
PomeriumSession defines a user session from the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| user | PomeriumSession.User | none |
| groups | repeated PomeriumSession.Group | none |
| issuer | string | none |
| issued_at | google.protobuf.Timestamp | none |
| expires_at | google.protobuf.Timestamp | none |
| audience | repeated string | none |
| claims | map PomeriumSession.ClaimsEntry | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | google.protobuf.ListValue | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none |
QueryGroupsRequest defines the groups to retrieve
| Field | Type | Description |
|---|---|---|
| query | string | none |
| offset | int64 | none |
| limit | int64 | none |
QueryGroupsResponse is the list of groups retrieved from a QueryGroupsRequest
| Field | Type | Description |
|---|---|---|
| groups | repeated GroupInfo | none |
| total_count | int64 | none |
QueryUsersRequest defines the users to retrieve
| Field | Type | Description |
|---|---|---|
| query | string | list Users with any fields that match the query |
| offset | int64 | list Users starting from an offset in the total list |
| limit | int64 | limit the number of User entries returned |
QueryUsersResponse is the list of users retrieved from a QueryUsersRequest
| Field | Type | Description |
|---|---|---|
| users | repeated UserInfo | none |
| total_count | int64 | none |
RecoveryToken is a recovery account for logging into the console without a functioning Pomerium proxy
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| expires_at | google.protobuf.Timestamp | none |
| public_key | string | none |
UserInfo defines the metadata for a directory user in the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none | |
| groups | repeated string | none |
| namespace_roles | map UserInfo.NamespaceRolesEntry | none |
| picture_url | string | none |
| is_impersonated | bool | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| .proto Type | Notes | C++ Type | Java Type | Python Type |
|---|---|---|---|---|
double |
double | double | float | |
float |
float | float | float | |
int32 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
int64 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
uint32 |
Uses variable-length encoding. | uint32 | int | int/long |
uint64 |
Uses variable-length encoding. | uint64 | long | int/long |
sint32 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
sint64 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
fixed32 |
Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
fixed64 |
Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
sfixed32 |
Always four bytes. | int32 | int | int |
sfixed64 |
Always eight bytes. | int64 | long | int/long |
bool |
bool | boolean | boolean | |
string |
A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
bytes |
May contain any arbitrary sequence of bytes. | string | ByteString | str |