// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = 'proto2';
package github.com.openshift.origin.pkg.authorization.api.v1;
import "k8s.io/kubernetes/pkg/api/unversioned/generated.proto";
import "k8s.io/kubernetes/pkg/api/v1/generated.proto";
import "k8s.io/kubernetes/pkg/runtime/generated.proto";
import "k8s.io/kubernetes/pkg/util/intstr/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "v1";
// Action describes a request to the API server. It is the unit of evaluation for the
// access-review messages in this file (SubjectAccessReview, ResourceAccessReview and
// their Local* variants), so every field here is an input to an authorization decision.
message Action {
// Namespace is the namespace of the action being requested. Currently, there is no distinction
// between no namespace and all namespaces, so an empty value is not a "narrower" request.
optional string namespace = 1;
// Verb is one of: get, list, watch, create, update, delete
optional string verb = 2;
// Group is the API group of the resource
// Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
optional string resourceAPIGroup = 3;
// Version is the API version of the resource
// Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined
optional string resourceAPIVersion = 4;
// Resource is one of the existing resource types
optional string resource = 5;
// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
optional string resourceName = 6;
// Content is the actual content of the request for create and update.
// It is an opaque RawExtension; nothing in this schema constrains its size or shape,
// so receivers should treat it as untrusted input. Whether the Authorizer inspects it
// is not visible here — TODO confirm against the authorizer implementation.
optional k8s.io.kubernetes.pkg.runtime.RawExtension content = 7;
}
// ClusterPolicy is an object that holds all the ClusterRoles for a particular namespace. There is at most
// one ClusterPolicy document per namespace.
message ClusterPolicy {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// LastModified is the last time that any part of the ClusterPolicy was created, updated, or deleted
optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;
// Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by ClusterRole.Name.
// Encoded as a repeated NamedClusterRole rather than a map; consumers should not rely on element order.
repeated NamedClusterRole roles = 3;
}
// ClusterPolicyBinding is an object that holds all the ClusterRoleBindings for a particular namespace. There is
// one ClusterPolicyBinding document per referenced ClusterPolicy namespace
message ClusterPolicyBinding {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// LastModified is the last time that any part of the ClusterPolicyBinding was created, updated, or deleted
optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;
// PolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this ClusterPolicyBinding's RoleBindings may reference
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference policyRef = 3;
// RoleBindings holds all the ClusterRoleBindings held by this ClusterPolicyBinding, mapped by ClusterRoleBinding.Name.
// Encoded as a repeated NamedClusterRoleBinding rather than a map; consumers should not rely on element order.
repeated NamedClusterRoleBinding roleBindings = 4;
}
// ClusterPolicyBindingList is a collection of ClusterPolicyBindings
message ClusterPolicyBindingList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of ClusterPolicyBindings
repeated ClusterPolicyBinding items = 2;
}
// ClusterPolicyList is a collection of ClusterPolicies
message ClusterPolicyList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of ClusterPolicies
repeated ClusterPolicy items = 2;
}
// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
message ClusterRole {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// Rules holds all the PolicyRules for this ClusterRole. Rules are additive; there is no
// deny rule type in this schema, so the effective grant is the union of all entries.
repeated PolicyRule rules = 2;
}
// ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference any ClusterRole in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
message ClusterRoleBinding {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// UserNames holds all the usernames directly bound to the role.
// This field should only be specified when supporting legacy clients and servers.
// See Subjects for further details.
// +k8s:conversion-gen=false
optional OptionalNames userNames = 2;
// GroupNames holds all the groups directly bound to the role.
// This field should only be specified when supporting legacy clients and servers.
// See Subjects for further details.
// +k8s:conversion-gen=false
optional OptionalNames groupNames = 3;
// Subjects hold object references to authorize with this rule.
// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
// Thus newer clients that do not need to support backwards compatibility should send
// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
// Because of this precedence, any code that audits "who is bound" must read UserNames and GroupNames
// before Subjects; reading Subjects alone can under-report the effective membership.
repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;
// RoleRef can only reference the current namespace and the global namespace.
// If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.
// Since Policy is a singleton, this is sufficient knowledge to locate a role.
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;
}
// ClusterRoleBindingList is a collection of ClusterRoleBindings
message ClusterRoleBindingList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of ClusterRoleBindings
repeated ClusterRoleBinding items = 2;
}
// ClusterRoleList is a collection of ClusterRoles
message ClusterRoleList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of ClusterRoles
repeated ClusterRole items = 2;
}
// GroupRestriction matches a group either by a string match on the group name
// or a label selector applied to group labels. It is one of the three alternatives
// of RoleBindingRestrictionSpec.
message GroupRestriction {
// Groups is a list of groups used to match against an individual user's
// groups. If the user is a member of one of the whitelisted groups, the user
// is allowed to be bound to a role. Matching is on the literal group name.
repeated string groups = 1;
// Selectors specifies a list of label selectors over group labels.
// Whether a user must match all selectors or any one of them is not stated here — TODO confirm.
repeated k8s.io.kubernetes.pkg.api.unversioned.LabelSelector labels = 2;
}
// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that subjectaccessreviews on self should be allowed.
// The message intentionally carries no fields; its presence in AttributeRestrictions is the whole signal.
message IsPersonalSubjectAccessReview {
}
// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
message LocalResourceAccessReview {
// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
// Any Action.namespace supplied by the client is therefore not trusted for this review.
// The capitalized field name is preserved from the generator and is part of the generated API.
optional Action Action = 1;
}
// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
message LocalSubjectAccessReview {
// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
// Any Action.namespace supplied by the client is therefore not trusted for this review.
// The capitalized field name is preserved from the generator and is part of the generated API.
optional Action Action = 1;
// User is optional. If both User and Groups are empty, the current authenticated user is used.
// When set, the review is evaluated for that user rather than the caller; who may name another user
// is enforced by the server, not by this schema.
optional string user = 2;
// Groups is optional. Groups is the list of groups to which the User belongs.
// +k8s:conversion-gen=false
repeated string groups = 3;
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// Nil for a self-SAR, means "use the scopes on this request".
// Nil for a regular SAR, means the same as empty.
// Nil and empty are distinguishable only because OptionalScopes is a message wrapper with presence.
optional OptionalScopes scopes = 4;
}
// NamedClusterRole relates a name with a cluster role. It is the element type of ClusterPolicy.roles.
message NamedClusterRole {
// Name is the name of the cluster role; it is the key under which the role is held in the ClusterPolicy.
optional string name = 1;
// Role is the cluster role being named
optional ClusterRole role = 2;
}
// NamedClusterRoleBinding relates a name with a cluster role binding. It is the element type of ClusterPolicyBinding.roleBindings.
message NamedClusterRoleBinding {
// Name is the name of the cluster role binding; it is the key under which the binding is held in the ClusterPolicyBinding.
optional string name = 1;
// RoleBinding is the cluster role binding being named
optional ClusterRoleBinding roleBinding = 2;
}
// NamedRole relates a Role with a name. It is the element type of Policy.roles.
message NamedRole {
// Name is the name of the role; it is the key under which the role is held in the Policy.
optional string name = 1;
// Role is the role being named
optional Role role = 2;
}
// NamedRoleBinding relates a role binding with a name. It is the element type of PolicyBinding.roleBindings.
message NamedRoleBinding {
// Name is the name of the role binding; it is the key under which the binding is held in the PolicyBinding.
optional string name = 1;
// RoleBinding is the role binding being named
optional RoleBinding roleBinding = 2;
}
// OptionalNames is an array that may also be left nil to distinguish between set and unset.
// A bare repeated field has no presence, so the list is wrapped in a message: an absent
// OptionalNames means "unset", while a present one with no items means "set but empty".
// RoleBinding and ClusterRoleBinding rely on this distinction for userNames/groupNames.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalNames {
// items, if empty, will result in an empty slice
repeated string items = 1;
}
// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
// A bare repeated field has no presence, so the list is wrapped in a message: an absent
// OptionalScopes means "nil" and a present one with no items means "empty"; the
// *SubjectAccessReview and *RulesReviewSpec messages give these two states different meanings.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalScopes {
// items, if empty, will result in an empty slice
repeated string items = 1;
}
// Policy is an object that holds all the Roles for a particular namespace. There is at most
// one Policy document per namespace.
message Policy {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// LastModified is the last time that any part of the Policy was created, updated, or deleted
optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;
// Roles holds all the Roles held by this Policy, mapped by Role.Name.
// Encoded as a repeated NamedRole rather than a map; consumers should not rely on element order.
repeated NamedRole roles = 3;
}
// PolicyBinding is an object that holds all the RoleBindings for a particular namespace. There is
// one PolicyBinding document per referenced Policy namespace
message PolicyBinding {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// LastModified is the last time that any part of the PolicyBinding was created, updated, or deleted
optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;
// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference policyRef = 3;
// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name.
// Encoded as a repeated NamedRoleBinding rather than a map; consumers should not rely on element order.
repeated NamedRoleBinding roleBindings = 4;
}
// PolicyBindingList is a collection of PolicyBindings
message PolicyBindingList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of PolicyBindings
repeated PolicyBinding items = 2;
}
// PolicyList is a collection of Policies
message PolicyList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of Policies
repeated Policy items = 2;
}
// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
// Several fields accept an "all" wildcard (VerbAll, ResourceAll, a trailing * in a URL) or
// treat an empty list as unrestricted; reviewers of a Role should read each rule with that in mind,
// since a single wildcard entry widens the grant to everything the other fields allow.
message PolicyRule {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
repeated string verbs = 1;
// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
// This is an opaque RawExtension; IsPersonalSubjectAccessReview is the one marker type defined in this file.
optional k8s.io.kubernetes.pkg.runtime.RawExtension attributeRestrictions = 2;
// APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then both kubernetes and origin API groups are assumed.
// That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
// will be allowed
repeated string apiGroups = 3;
// Resources is a list of resources this rule applies to. ResourceAll represents all resources.
repeated string resources = 4;
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// Note the inversion: leaving this empty is the broad case, not the restrictive one.
repeated string resourceNames = 5;
// NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
repeated string nonResourceURLs = 6;
}
// ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the
// action specified by spec
message ResourceAccessReview {
// Action describes the action being tested. Unlike LocalResourceAccessReview, the namespace is taken
// from Action.namespace as supplied.
// The capitalized field name is preserved from the generator and is part of the generated API.
optional Action Action = 1;
}
// ResourceAccessReviewResponse describes who can perform the action
message ResourceAccessReviewResponse {
// Namespace is the namespace used for the access review
optional string namespace = 1;
// UsersSlice is the list of users who can perform the action
// +k8s:conversion-gen=false
repeated string users = 2;
// GroupsSlice is the list of groups who can perform the action
// +k8s:conversion-gen=false
repeated string groups = 3;
// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
// It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
// Consumers should treat Users/Groups as possibly incomplete whenever this is non-empty.
// The field name is misspelled ("evalution") relative to the doc comment and to
// SubjectAccessReviewResponse.evaluationError; it is kept as generated because the
// name is part of the serialized contract and renaming it would be a breaking change.
optional string evalutionError = 4;
}
// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
message Role {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// Rules holds all the PolicyRules for this Role. Rules are additive; there is no
// deny rule type in this schema, so the effective grant is the union of all entries.
repeated PolicyRule rules = 2;
}
// RoleBinding references a Role, but does not contain it. It can reference any Role in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
message RoleBinding {
// Standard object's metadata.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// UserNames holds all the usernames directly bound to the role.
// This field should only be specified when supporting legacy clients and servers.
// See Subjects for further details.
// +k8s:conversion-gen=false
optional OptionalNames userNames = 2;
// GroupNames holds all the groups directly bound to the role.
// This field should only be specified when supporting legacy clients and servers.
// See Subjects for further details.
// +k8s:conversion-gen=false
optional OptionalNames groupNames = 3;
// Subjects hold object references to authorize with this rule.
// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
// Thus newer clients that do not need to support backwards compatibility should send
// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
// Because of this precedence, any code that audits "who is bound" must read UserNames and GroupNames
// before Subjects; reading Subjects alone can under-report the effective membership.
repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;
// RoleRef can only reference the current namespace and the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
// Since Policy is a singleton, this is sufficient knowledge to locate a role.
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;
}
// RoleBindingList is a collection of RoleBindings
message RoleBindingList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of RoleBindings
repeated RoleBinding items = 2;
}
// RoleBindingRestriction is an object that can be matched against a subject
// (user, group, or service account) to determine whether rolebindings on that
// subject are allowed in the namespace to which the RoleBindingRestriction
// belongs. If any one of those RoleBindingRestriction objects matches
// a subject, rolebindings on that subject in the namespace are allowed.
// Restrictions are therefore an allowlist combined by OR across objects in the namespace.
message RoleBindingRestriction {
// Standard object's metadata. The namespace in the metadata is the namespace the restriction applies to.
optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
// Spec defines the matcher.
optional RoleBindingRestrictionSpec spec = 2;
}
// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
message RoleBindingRestrictionList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of RoleBindingRestriction objects.
repeated RoleBindingRestriction items = 2;
}
// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
// field must be non-nil. The schema itself does not enforce this (the three fields are
// independent optionals rather than a oneof), so the invariant is validated by the server — TODO confirm where.
message RoleBindingRestrictionSpec {
// UserRestriction matches against user subjects.
optional UserRestriction userrestriction = 1;
// GroupRestriction matches against group subjects.
optional GroupRestriction grouprestriction = 2;
// ServiceAccountRestriction matches against service-account subjects.
optional ServiceAccountRestriction serviceaccountrestriction = 3;
}
// RoleList is a collection of Roles
message RoleList {
// Standard list metadata.
optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
// Items is a list of Roles
repeated Role items = 2;
}
// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace.
// Unlike SubjectRulesReview, the subject is always the caller; the spec carries no user or groups.
message SelfSubjectRulesReview {
// Spec adds information about how to conduct the check
optional SelfSubjectRulesReviewSpec spec = 1;
// Status is completed by the server to tell which permissions you have
optional SubjectRulesReviewStatus status = 2;
}
// SelfSubjectRulesReviewSpec adds information about how to conduct the check
message SelfSubjectRulesReviewSpec {
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// Nil means "use the scopes on this request".
// Nil and empty are distinguishable only because OptionalScopes is a message wrapper with presence.
optional OptionalScopes scopes = 1;
}
// ServiceAccountReference specifies a service account and namespace by their
// names.
message ServiceAccountReference {
// Name is the name of the service account.
optional string name = 1;
// Namespace is the namespace of the service account. Service accounts from
// inside the whitelisted namespaces are allowed to be bound to roles. If
// Namespace is empty, then the namespace of the RoleBindingRestriction in
// which the ServiceAccountReference is embedded is used.
// An empty value therefore scopes the reference to the restriction's own namespace,
// not to all namespaces.
optional string namespace = 2;
}
// ServiceAccountRestriction matches a service account by a string match on
// either the service-account name or the name of the service account's
// namespace. It is one of the three alternatives of RoleBindingRestrictionSpec.
message ServiceAccountRestriction {
// ServiceAccounts specifies a list of literal service-account names.
repeated ServiceAccountReference serviceaccounts = 1;
// Namespaces specifies a list of literal namespace names. Any service account in a
// listed namespace matches, so this is the broader of the two matchers.
repeated string namespaces = 2;
}
// SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
message SubjectAccessReview {
// Action describes the action being tested. Unlike LocalSubjectAccessReview, the namespace is taken
// from Action.namespace as supplied.
// The capitalized field name is preserved from the generator and is part of the generated API.
optional Action Action = 1;
// User is optional. If both User and Groups are empty, the current authenticated user is used.
// When set, the review is evaluated for that user rather than the caller; who may name another user
// is enforced by the server, not by this schema.
optional string user = 2;
// GroupsSlice is optional. Groups is the list of groups to which the User belongs.
// +k8s:conversion-gen=false
repeated string groups = 3;
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// Nil for a self-SAR, means "use the scopes on this request".
// Nil for a regular SAR, means the same as empty.
// Nil and empty are distinguishable only because OptionalScopes is a message wrapper with presence.
optional OptionalScopes scopes = 4;
}
// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
message SubjectAccessReviewResponse {
// Namespace is the namespace used for the access review
optional string namespace = 1;
// Allowed is required. True if the action would be allowed, false otherwise.
// In proto2 an unset bool reads as false, so a missing field is indistinguishable from an explicit deny;
// callers should treat absence as "not allowed".
optional bool allowed = 2;
// Reason is optional. It indicates why a request was allowed or denied.
optional string reason = 3;
// EvaluationError is an indication that some error occurred during the authorization check.
// It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
optional string evaluationError = 4;
}
// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
message SubjectRulesReview {
// Spec adds information about how to conduct the check, including which user/groups to evaluate
optional SubjectRulesReviewSpec spec = 1;
// Status is completed by the server to tell which permissions the reviewed subject has
optional SubjectRulesReviewStatus status = 2;
}
// SubjectRulesReviewSpec adds information about how to conduct the check
message SubjectRulesReviewSpec {
// User is optional. At least one of User and Groups must be specified.
optional string user = 1;
// Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.
repeated string groups = 2;
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// The nil case is not given a meaning here, unlike SelfSubjectRulesReviewSpec — TODO confirm server behaviour for nil.
optional OptionalScopes scopes = 3;
}
// SubjectRulesReviewStatus contains the result of a rules check
message SubjectRulesReviewStatus {
// Rules is the list of rules (no particular sort) that are allowed for the subject
repeated PolicyRule rules = 1;
// EvaluationError can appear in combination with Rules. It means some error happened during evaluation
// that may have prevented additional rules from being populated.
// When non-empty, Rules is a lower bound on the subject's permissions, not the full set.
optional string evaluationError = 2;
}
// UserRestriction matches a user either by a string match on the user name,
// a string match on the name of a group to which the user belongs, or a label
// selector applied to the user labels. It is one of the three alternatives
// of RoleBindingRestrictionSpec.
message UserRestriction {
// Users specifies a list of literal user names.
repeated string users = 1;
// Groups specifies a list of literal group names.
repeated string groups = 2;
// Selectors specifies a list of label selectors over user labels.
// Whether a user must match all selectors or any one of them is not stated here — TODO confirm.
repeated k8s.io.kubernetes.pkg.api.unversioned.LabelSelector labels = 3;
}