
Commitc6efc56

ci: resolve issue where protos are not updating (#123)
* ci: resolve issue where protos are not updating
* clean up google/iam directory
* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* address review feedback

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
1 parent9007e8a commitc6efc56

File tree

5 files changed

+2484
-67
lines changed

5 files changed

+2484
-67
lines changed

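--- a/google/cloud/audit/audit_log.proto
+++ b/google/cloud/audit/audit_log.proto
@@ -1,4 +1,4 @@
-// Copyright2020 Google LLC
+// Copyright2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@ syntax = "proto3";
 
 packagegoogle.cloud.audit;
 
+import"google/api/field_behavior.proto";
 import"google/protobuf/any.proto";
 import"google/protobuf/struct.proto";
 import"google/rpc/context/attribute_context.proto";
@@ -30,23 +31,23 @@ option java_package = "com.google.cloud.audit";
 // Common audit log format for Google Cloud Platform API operations.
 messageAuditLog {
 // The name of the API service performing the operation. For example,
-// `"datastore.googleapis.com"`.
+// `"compute.googleapis.com"`.
 stringservice_name=7;
 
 // The name of the service method or operation.
 // For API calls, this should be the name of the API method.
 // For example,
 //
-// "google.datastore.v1.Datastore.RunQuery"
-// "google.logging.v1.LoggingService.DeleteLog"
+// "google.cloud.bigquery.v2.TableService.InsertTable"
+// "google.logging.v2.ConfigServiceV2.CreateSink"
 stringmethod_name=8;
 
 // The resource or collection that is the target of the operation.
 // The name is a scheme-less URI, not including the API service name.
 // For example:
 //
-// "shelves/SHELF_ID/books"
-// "shelves/SHELF_ID/books/BOOK_ID"
+// "projects/PROJECT_ID/zones/us-central1-a/instances"
+// "projects/PROJECT_ID/datasets/DATASET_ID"
 stringresource_name=11;
 
 // The resource location information.
@@ -76,6 +77,11 @@ message AuditLog {
 // one AuthorizationInfo element for each {resource, permission} tuple.
 repeatedAuthorizationInfoauthorization_info=9;
 
+// Indicates the policy violations for this request. If the request
+// is denied by the policy, violation information will be logged
+// here.
+PolicyViolationInfopolicy_violation_info=25;
+
 // Metadata about the operation.
 RequestMetadatarequest_metadata=4;
 
@@ -99,18 +105,20 @@ message AuditLog {
 // information associated with the current audited event.
 google.protobuf.Structmetadata=18;
 
-// Deprecated, use `metadata` field instead.
+// Deprecated. Use the `metadata` field instead.
 // Other service-specific data about the request, response, and other
 // activities.
-google.protobuf.Anyservice_data=15;
+google.protobuf.Anyservice_data=15 [deprecated =true];
 }
 
 // Authentication information for the operation.
 messageAuthenticationInfo {
 // The email address of the authenticated user (or service account on behalf
-// of third party principal) making the request. For privacy reasons, the
-// principal email address is redacted for all read-only operations that fail
-// with a "permission denied" error.
+// of third party principal) making the request. For third party identity
+// callers, the `principal_subject` field is populated instead of this field.
+// For privacy reasons, the principal email address is sometimes redacted.
+// For more information, see [Caller identities in audit
+// logs](https://cloud.google.com/logging/docs/audit#user-id).
 stringprincipal_email=1;
 
 // The authority selector specified by the requestor, if any.
@@ -144,9 +152,12 @@ message AuthenticationInfo {
 
 // Authorization information for the operation.
 messageAuthorizationInfo {
-// The resource being accessed, as a REST-style string. For example:
+// The resource being accessed, as a REST-style or cloud resource string.
+// For example:
 //
 // bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
+// or
+// projects/PROJECTID/datasets/DATASETID
 stringresource=1;
 
 // The required IAM permission.
@@ -168,14 +179,16 @@ message AuthorizationInfo {
 // Metadata about the request.
 messageRequestMetadata {
 // The IP address of the caller.
-// For caller from internet, this will be public IPv4 or IPv6 address.
-// For caller from a Compute Engine VM with external IP address, this
-// will be the VM's external IP address. For caller from a Compute
-// Engine VM without external IP address, if the VM is in the same
-// organization (or project) as the accessed resource, `caller_ip` will
-// be the VM's internal IPv4 address, otherwise the `caller_ip` will be
-// redacted to "gce-internal-ip".
-// See https://cloud.google.com/compute/docs/vpc/ for more information.
+// For a caller from the internet, this will be the public IPv4 or IPv6
+// address. For calls made from inside Google's internal production network
+// from one GCP service to another, `caller_ip` will be redacted to "private".
+// For a caller from a Compute Engine VM with a external IP address,
+// `caller_ip` will be the VM's external IP address. For a caller from a
+// Compute Engine VM without a external IP address, if the VM is in the same
+// organization (or project) as the accessed resource, `caller_ip` will be the
+// VM's internal IPv4 address, otherwise `caller_ip` will be redacted to
+// "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more
+// information.
 stringcaller_ip=1;
 
 // The user agent of the caller.
@@ -258,6 +271,14 @@ message ServiceAccountDelegationInfo {
 google.protobuf.Structthird_party_claims=1;
 }
 
+// A string representing the principal_subject associated with the identity.
+// For most identities, the format will be
+// `principal://iam.googleapis.com/{identity pool name}/subject/{subject)`
+// except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD)
+// that are still in the legacy format `serviceAccount:{identity pool
+// name}[{subject}]`
+stringprincipal_subject=3;
+
 // Entity that creates credentials for service account and assumes its
 // identity for authentication.
 oneofAuthority {
@@ -268,3 +289,65 @@ message ServiceAccountDelegationInfo {
 ThirdPartyPrincipalthird_party_principal=2;
 }
 }
+
+// Information related to policy violations for this request.
+messagePolicyViolationInfo {
+// Indicates the orgpolicy violations for this resource.
+OrgPolicyViolationInfoorg_policy_violation_info=1;
+}
+
+// Represents OrgPolicy Violation information.
+messageOrgPolicyViolationInfo {
+// Optional. Resource payload that is currently in scope and is subjected to orgpolicy
+// conditions. This payload may be the subset of the actual Resource that may
+// come in the request. This payload should not contain any core content.
+google.protobuf.Structpayload=1 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Resource type that the orgpolicy is checked against.
+// Example: compute.googleapis.com/Instance, store.googleapis.com/bucket
+stringresource_type=2 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Tags referenced on the resource at the time of evaluation. These also
+// include the federated tags, if they are supplied in the CheckOrgPolicy
+// or CheckCustomConstraints Requests.
+//
+// Optional field as of now. These tags are the Cloud tags that are
+// available on the resource during the policy evaluation and will
+// be available as part of the OrgPolicy check response for logging purposes.
+map<string,string>resource_tags=3 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Policy violations
+repeatedViolationInfoviolation_info=4 [(google.api.field_behavior) =OPTIONAL];
+}
+
+// Provides information about the Policy violation info for this request.
+messageViolationInfo {
+// Policy Type enum
+enumPolicyType {
+// Default value. This value should not be used.
+POLICY_TYPE_UNSPECIFIED=0;
+
+// Indicates boolean policy constraint
+BOOLEAN_CONSTRAINT=1;
+
+// Indicates list policy constraint
+LIST_CONSTRAINT=2;
+
+// Indicates custom policy constraint
+CUSTOM_CONSTRAINT=3;
+}
+
+// Optional. Constraint name
+stringconstraint=1 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Error message that policy is indicating.
+stringerror_message=2 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Value that is being checked for the policy.
+// This could be in encrypted form (if pii sensitive).
+// This field will only be emitted in LIST_POLICY types
+stringchecked_value=3 [(google.api.field_behavior) =OPTIONAL];
+
+// Optional. Indicates the type of the policy.
+PolicyTypepolicy_type=4 [(google.api.field_behavior) =OPTIONAL];
+}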
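Review bot: The comment on `checked_value` in the new `ViolationInfo` message says the field "will only be emitted in LIST_POLICY types", but the `PolicyType` enum defined a few lines above has no such value — the list case is `LIST_CONSTRAINT`, so anyone filtering audit records on `policy_type` has no exact name to match the doc against. I would change that line to `// This field will only be emitted when policy_type is LIST_CONSTRAINT.` The `principal_subject` comment added to `ServiceAccountDelegationInfo` also has an unbalanced bracket in `subject/{subject)` that should read `subject/{subject}`, and the rewritten `caller_ip` text says "a external IP address" twice where "an external IP address" is meant. Since the commit message credits OwlBot and this file appears to be synced from upstream, these are presumably best corrected at the source rather than patched only in this copy.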

