Scott Baker | e7144bc | 2019-10-01 14:16:47 -0700 | [diff] [blame] | 1 | /* |
| 2 | Copyright The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | |
| 18 | // This file was autogenerated by go-to-protobuf. Do not edit it manually! |
| 19 | |
| 20 | syntax = 'proto2'; |
| 21 | |
| 22 | package k8s.io.api.authorization.v1; |
| 23 | |
| 24 | import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; |
| 25 | import "k8s.io/apimachinery/pkg/runtime/generated.proto"; |
| 26 | import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; |
| 27 | |
| 28 | // Package-wide variables from generator "generated". |
| 29 | option go_package = "v1"; |
| 30 | |
| 31 | // ExtraValue masks the value so protobuf can generate |
| 32 | // +protobuf.nullable=true |
| 33 | // +protobuf.options.(gogoproto.goproto_stringer)=false |
| 34 | message ExtraValue { |
| 35 | // items, if empty, will result in an empty slice |
| 36 | |
| 37 | repeated string items = 1; |
| 38 | } |
| 39 | |
| 40 | // LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. |
| 41 | // Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions |
| 42 | // checking. |
| 43 | message LocalSubjectAccessReview { |
| 44 | // +optional |
| 45 | optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; |
| 46 | |
| 47 | // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace |
| 48 | // you made the request against. If empty, it is defaulted. |
| 49 | optional SubjectAccessReviewSpec spec = 2; |
| 50 | |
| 51 | // Status is filled in by the server and indicates whether the request is allowed or not |
| 52 | // +optional |
| 53 | optional SubjectAccessReviewStatus status = 3; |
| 54 | } |
| 55 | |
| 56 | // NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface |
| 57 | message NonResourceAttributes { |
| 58 | // Path is the URL path of the request |
| 59 | // +optional |
| 60 | optional string path = 1; |
| 61 | |
| 62 | // Verb is the standard HTTP verb |
| 63 | // +optional |
| 64 | optional string verb = 2; |
| 65 | } |
| 66 | |
| 67 | // NonResourceRule holds information that describes a rule for the non-resource |
| 68 | message NonResourceRule { |
| 69 | // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. |
| 70 | repeated string verbs = 1; |
| 71 | |
| 72 | // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, |
| 73 | // final step in the path. "*" means all. |
| 74 | // +optional |
| 75 | repeated string nonResourceURLs = 2; |
| 76 | } |
| 77 | |
| 78 | // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface |
| 79 | message ResourceAttributes { |
| 80 | // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces |
| 81 | // "" (empty) is defaulted for LocalSubjectAccessReviews |
| 82 | // "" (empty) is empty for cluster-scoped resources |
| 83 | // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview |
| 84 | // +optional |
| 85 | optional string namespace = 1; |
| 86 | |
| 87 | // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. |
| 88 | // +optional |
| 89 | optional string verb = 2; |
| 90 | |
| 91 | // Group is the API Group of the Resource. "*" means all. |
| 92 | // +optional |
| 93 | optional string group = 3; |
| 94 | |
| 95 | // Version is the API Version of the Resource. "*" means all. |
| 96 | // +optional |
| 97 | optional string version = 4; |
| 98 | |
| 99 | // Resource is one of the existing resource types. "*" means all. |
| 100 | // +optional |
| 101 | optional string resource = 5; |
| 102 | |
| 103 | // Subresource is one of the existing resource types. "" means none. |
| 104 | // +optional |
| 105 | optional string subresource = 6; |
| 106 | |
| 107 | // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. |
| 108 | // +optional |
| 109 | optional string name = 7; |
| 110 | } |
| 111 | |
| 112 | // ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, |
| 113 | // may contain duplicates, and possibly be incomplete. |
| 114 | message ResourceRule { |
| 115 | // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. |
| 116 | repeated string verbs = 1; |
| 117 | |
| 118 | // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of |
| 119 | // the enumerated resources in any API group will be allowed. "*" means all. |
| 120 | // +optional |
| 121 | repeated string apiGroups = 2; |
| 122 | |
| 123 | // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. |
| 124 | // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. |
| 125 | // +optional |
| 126 | repeated string resources = 3; |
| 127 | |
| 128 | // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. |
| 129 | // +optional |
| 130 | repeated string resourceNames = 4; |
| 131 | } |
| 132 | |
| 133 | // SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a |
| 134 | // spec.namespace means "in all namespaces". Self is a special case, because users should always be able |
| 135 | // to check whether they can perform an action |
| 136 | message SelfSubjectAccessReview { |
| 137 | // +optional |
| 138 | optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; |
| 139 | |
| 140 | // Spec holds information about the request being evaluated. user and groups must be empty |
| 141 | optional SelfSubjectAccessReviewSpec spec = 2; |
| 142 | |
| 143 | // Status is filled in by the server and indicates whether the request is allowed or not |
| 144 | // +optional |
| 145 | optional SubjectAccessReviewStatus status = 3; |
| 146 | } |
| 147 | |
| 148 | // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes |
| 149 | // and NonResourceAuthorizationAttributes must be set |
| 150 | message SelfSubjectAccessReviewSpec { |
| 151 | // ResourceAuthorizationAttributes describes information for a resource access request |
| 152 | // +optional |
| 153 | optional ResourceAttributes resourceAttributes = 1; |
| 154 | |
| 155 | // NonResourceAttributes describes information for a non-resource access request |
| 156 | // +optional |
| 157 | optional NonResourceAttributes nonResourceAttributes = 2; |
| 158 | } |
| 159 | |
| 160 | // SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. |
| 161 | // The returned list of actions may be incomplete depending on the server's authorization mode, |
| 162 | // and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, |
| 163 | // or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to |
| 164 | // drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. |
| 165 | // SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. |
| 166 | message SelfSubjectRulesReview { |
| 167 | // +optional |
| 168 | optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; |
| 169 | |
| 170 | // Spec holds information about the request being evaluated. |
| 171 | optional SelfSubjectRulesReviewSpec spec = 2; |
| 172 | |
| 173 | // Status is filled in by the server and indicates the set of actions a user can perform. |
| 174 | // +optional |
| 175 | optional SubjectRulesReviewStatus status = 3; |
| 176 | } |
| 177 | |
| 178 | message SelfSubjectRulesReviewSpec { |
| 179 | // Namespace to evaluate rules for. Required. |
| 180 | optional string namespace = 1; |
| 181 | } |
| 182 | |
| 183 | // SubjectAccessReview checks whether or not a user or group can perform an action. |
| 184 | message SubjectAccessReview { |
| 185 | // +optional |
| 186 | optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; |
| 187 | |
| 188 | // Spec holds information about the request being evaluated |
| 189 | optional SubjectAccessReviewSpec spec = 2; |
| 190 | |
| 191 | // Status is filled in by the server and indicates whether the request is allowed or not |
| 192 | // +optional |
| 193 | optional SubjectAccessReviewStatus status = 3; |
| 194 | } |
| 195 | |
| 196 | // SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes |
| 197 | // and NonResourceAuthorizationAttributes must be set |
| 198 | message SubjectAccessReviewSpec { |
| 199 | // ResourceAuthorizationAttributes describes information for a resource access request |
| 200 | // +optional |
| 201 | optional ResourceAttributes resourceAttributes = 1; |
| 202 | |
| 203 | // NonResourceAttributes describes information for a non-resource access request |
| 204 | // +optional |
| 205 | optional NonResourceAttributes nonResourceAttributes = 2; |
| 206 | |
| 207 | // User is the user you're testing for. |
| 208 | // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups |
| 209 | // +optional |
| 210 | optional string user = 3; |
| 211 | |
| 212 | // Groups is the groups you're testing for. |
| 213 | // +optional |
| 214 | repeated string groups = 4; |
| 215 | |
| 216 | // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer |
| 217 | // it needs a reflection here. |
| 218 | // +optional |
| 219 | map<string, ExtraValue> extra = 5; |
| 220 | |
| 221 | // UID information about the requesting user. |
| 222 | // +optional |
| 223 | optional string uid = 6; |
| 224 | } |
| 225 | |
| 226 | // SubjectAccessReviewStatus |
| 227 | message SubjectAccessReviewStatus { |
| 228 | // Allowed is required. True if the action would be allowed, false otherwise. |
| 229 | optional bool allowed = 1; |
| 230 | |
| 231 | // Denied is optional. True if the action would be denied, otherwise |
| 232 | // false. If both allowed is false and denied is false, then the |
| 233 | // authorizer has no opinion on whether to authorize the action. Denied |
| 234 | // may not be true if Allowed is true. |
| 235 | // +optional |
| 236 | optional bool denied = 4; |
| 237 | |
| 238 | // Reason is optional. It indicates why a request was allowed or denied. |
| 239 | // +optional |
| 240 | optional string reason = 2; |
| 241 | |
| 242 | // EvaluationError is an indication that some error occurred during the authorization check. |
| 243 | // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. |
| 244 | // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. |
| 245 | // +optional |
| 246 | optional string evaluationError = 3; |
| 247 | } |
| 248 | |
| 249 | // SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on |
| 250 | // the set of authorizers the server is configured with and any errors experienced during evaluation. |
| 251 | // Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, |
| 252 | // even if that list is incomplete. |
| 253 | message SubjectRulesReviewStatus { |
| 254 | // ResourceRules is the list of actions the subject is allowed to perform on resources. |
| 255 | // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. |
| 256 | repeated ResourceRule resourceRules = 1; |
| 257 | |
| 258 | // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. |
| 259 | // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. |
| 260 | repeated NonResourceRule nonResourceRules = 2; |
| 261 | |
| 262 | // Incomplete is true when the rules returned by this call are incomplete. This is most commonly |
| 263 | // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. |
| 264 | optional bool incomplete = 3; |
| 265 | |
| 266 | // EvaluationError can appear in combination with Rules. It indicates an error occurred during |
| 267 | // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that |
| 268 | // ResourceRules and/or NonResourceRules may be incomplete. |
| 269 | // +optional |
| 270 | optional string evaluationError = 4; |
| 271 | } |
| 272 | |