// This file was autogenerated by go-to-protobuf. Do not edit it manually!
//
// NOTE(review): this is the published wire contract of the OpenShift
// authorization API (proto2, generated). Field numbers, serialized names
// and the tooling markers (`+k8s:...`, `+protobuf...`) below must stay as
// they are; renaming or renumbering here breaks protobuf/JSON compatibility.
// Behavioural statements in the comments describe what the server is
// expected to do; they are not enforced by the schema itself.
syntax = 'proto2';

package github.com.openshift.origin.pkg.authorization.api.v1;

import "k8s.io/kubernetes/pkg/api/unversioned/generated.proto";
import "k8s.io/kubernetes/pkg/api/v1/generated.proto";
import "k8s.io/kubernetes/pkg/runtime/generated.proto";
import "k8s.io/kubernetes/pkg/util/intstr/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1";

// Action describes a request to the API server. It is the subject of the
// *AccessReview resources below: the server answers "may <user/groups>
// perform this Action?".
message Action {
  // Namespace is the namespace of the action being requested. Currently, there is
  // no distinction between no namespace and all namespaces.
  // NOTE(review): as a consequence, an empty Namespace on a non-Local review asks
  // about the action across all namespaces, not about a "namespace-less" action;
  // callers that intend a single namespace must set it (or use the Local* types,
  // which force it).
  optional string namespace = 1;

  // Verb is one of: get, list, watch, create, update, delete
  optional string verb = 2;

  // Group is the API group of the resource
  // Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
  optional string resourceAPIGroup = 3;

  // Version is the API version of the resource
  // Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and
  // ObjectMeta.resourceVersion when inlined
  optional string resourceAPIVersion = 4;

  // Resource is one of the existing resource types
  optional string resource = 5;

  // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
  optional string resourceName = 6;

  // Content is the actual content of the request for create and update.
  // It is an opaque RawExtension; nothing in this schema constrains its type or size.
  optional k8s.io.kubernetes.pkg.runtime.RawExtension content = 7;
}

// ClusterPolicy is a object that holds all the ClusterRoles for a particular namespace. There is at most
// one ClusterPolicy document per namespace.
message ClusterPolicy {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // LastModified is the last time that any part of the ClusterPolicy was created, updated, or deleted
  optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;

  // Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by ClusterRole.Name
  repeated NamedClusterRole roles = 3;
}

// ClusterPolicyBinding is a object that holds all the ClusterRoleBindings for a particular namespace. There is
// one ClusterPolicyBinding document per referenced ClusterPolicy namespace
message ClusterPolicyBinding {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // LastModified is the last time that any part of the ClusterPolicyBinding was created, updated, or deleted
  optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;

  // PolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this
  // ClusterPolicyBinding's RoleBindings may reference
  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference policyRef = 3;

  // RoleBindings holds all the ClusterRoleBindings held by this ClusterPolicyBinding, mapped by
  // ClusterRoleBinding.Name
  repeated NamedClusterRoleBinding roleBindings = 4;
}

// ClusterPolicyBindingList is a collection of ClusterPolicyBindings
message ClusterPolicyBindingList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of ClusterPolicyBindings
  repeated ClusterPolicyBinding items = 2;
}

// ClusterPolicyList is a collection of ClusterPolicies
message ClusterPolicyList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of ClusterPolicies
  repeated ClusterPolicy items = 2;
}

// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
message ClusterRole {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this ClusterRole
  repeated PolicyRule rules = 2;
}

// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference any ClusterRole in the
// same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace
// it exists in.
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master
// namespace which has power in all namespaces).
//
// NOTE(review): when auditing who a binding grants access to, read UserNames, GroupNames AND Subjects.
// Per the field comments below, Subjects is ignored whenever either legacy list is set, so a binding
// that carries both is effectively defined by the legacy lists only.
message ClusterRoleBinding {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and
  // GroupNames.
  repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the ClusterRoleRef cannot be resolved, the Authorizer must return an error
  // (i.e. an unresolvable reference fails closed rather than granting nothing silently).
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;
}

// ClusterRoleBindingList is a collection of ClusterRoleBindings
message ClusterRoleBindingList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of ClusterRoleBindings
  repeated ClusterRoleBinding items = 2;
}

// ClusterRoleList is a collection of ClusterRoles
message ClusterRoleList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of ClusterRoles
  repeated ClusterRole items = 2;
}

// GroupRestriction matches a group either by a string match on the group name
// or a label selector applied to group labels.
message GroupRestriction {
  // Groups is a list of groups used to match against an individual user's
  // groups. If the user is a member of one of the whitelisted groups, the user
  // is allowed to be bound to a role.
  repeated string groups = 1;

  // Selectors specifies a list of label selectors over group labels.
  // NOTE(review): label selectors match whatever labels exist on the group
  // objects; a subject that can edit group labels could therefore make a group
  // match. Confirm group-label write access is restricted before relying on this.
  repeated k8s.io.kubernetes.pkg.api.unversioned.LabelSelector labels = 2;
}

// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that
// subjectaccessreviews on self should be allowed
message IsPersonalSubjectAccessReview {
}

// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to
// perform the action specified by spec in a particular namespace
message LocalResourceAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace
  // (any Action.Namespace supplied by the client is overridden, not honoured).
  optional Action Action = 1;
}

// LocalSubjectAccessReview is an object for requesting information about whether a user or group can
// perform an action in a particular namespace
message LocalSubjectAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace
  // (any Action.Namespace supplied by the client is overridden, not honoured).
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  // NOTE(review): nothing in this schema limits who may name a *different* User/Groups; that
  // restriction, if any, has to come from the server's authorizer on the review resource.
  optional string user = 2;

  // Groups is optional. Groups is the list of groups to which the User belongs.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // NOTE(review): nil and empty are deliberately different (see OptionalScopes). For a self-SAR, an
  // explicitly empty list answers for the user's FULL permissions, not the narrower scopes of the
  // current (possibly scoped) token.
  optional OptionalScopes scopes = 4;
}

// NamedClusterRole relates a name with a cluster role
message NamedClusterRole {
  // Name is the name of the cluster role
  optional string name = 1;

  // Role is the cluster role being named
  optional ClusterRole role = 2;
}

// NamedClusterRoleBinding relates a name with a cluster role binding
message NamedClusterRoleBinding {
  // Name is the name of the cluster role binding
  optional string name = 1;

  // RoleBinding is the cluster role binding being named
  optional ClusterRoleBinding roleBinding = 2;
}

// NamedRole relates a Role with a name
message NamedRole {
  // Name is the name of the role
  optional string name = 1;

  // Role is the role being named
  optional Role role = 2;
}

// NamedRoleBinding relates a role binding with a name
message NamedRoleBinding {
  // Name is the name of the role binding
  optional string name = 1;

  // RoleBinding is the role binding being named
  optional RoleBinding roleBinding = 2;
}

// OptionalNames is an array that may also be left nil to distinguish between set and unset.
// (A bare `repeated string` cannot express "unset"; wrapping it in a message gives the
// field presence, which the UserNames/GroupNames legacy handling depends on.)
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalNames {
  // items, if empty, will result in an empty slice
  repeated string items = 1;
}

// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
// (Needed because nil and empty scopes have different meanings in the *AccessReview and
// *RulesReview specs.)
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalScopes {
  // items, if empty, will result in an empty slice
  repeated string items = 1;
}

// Policy is a object that holds all the Roles for a particular namespace. There is at most
// one Policy document per namespace.
message Policy {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // LastModified is the last time that any part of the Policy was created, updated, or deleted
  optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;

  // Roles holds all the Roles held by this Policy, mapped by Role.Name
  repeated NamedRole roles = 3;
}

// PolicyBinding is a object that holds all the RoleBindings for a particular namespace. There is
// one PolicyBinding document per referenced Policy namespace
message PolicyBinding {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // LastModified is the last time that any part of the PolicyBinding was created, updated, or deleted
  optional k8s.io.kubernetes.pkg.api.unversioned.Time lastModified = 2;

  // PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's
  // RoleBindings may reference
  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference policyRef = 3;

  // RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name
  repeated NamedRoleBinding roleBindings = 4;
}

// PolicyBindingList is a collection of PolicyBindings
message PolicyBindingList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of PolicyBindings
  repeated PolicyBinding items = 2;
}

// PolicyList is a collection of Policies
message PolicyList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of Policies
  repeated Policy items = 2;
}

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
//
// NOTE(review): every list in this message is an allowlist that WIDENS when left empty
// (apiGroups, resourceNames) or when given a wildcard (verbs, resources, nonResourceURLs).
// Omitting a field never narrows a rule; review rules with empty lists with that in mind.
message PolicyRule {
  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained
  // in this rule. VerbAll represents all kinds.
  repeated string verbs = 1;

  // AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder
  // pair supports.
  // If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should
  // report an error. An unrecognised restriction must therefore be treated as a failure of the rule,
  // never as "no restriction".
  optional k8s.io.kubernetes.pkg.runtime.RawExtension attributeRestrictions = 2;

  // APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then
  // both kubernetes and origin API groups are assumed.
  // That means that if an action is requested against one of the enumerated resources in either the
  // kubernetes or the origin API group, the request will be allowed.
  // NOTE(review): an empty list is thus a broader grant than naming a single group; list the intended
  // groups explicitly when a rule is meant to cover only one of them.
  repeated string apiGroups = 3;

  // Resources is a list of resources this rule applies to. ResourceAll represents all resources.
  repeated string resources = 4;

  // ResourceNames is an optional white list of names that the rule applies to. An empty set means
  // that everything is allowed.
  repeated string resourceNames = 5;

  // NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed,
  // but only as the full, final step in the path
  // This name is intentionally different than the internal type so that the DefaultConvert works
  // nicely and because the ordering may be different.
  repeated string nonResourceURLs = 6;
}

// ResourceAccessReview is a means to request a list of which users and groups are authorized to
// perform the action specified by spec
message ResourceAccessReview {
  // Action describes the action being tested.
  optional Action Action = 1;
}

// ResourceAccessReviewResponse describes who can perform the action
message ResourceAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // UsersSlice is the list of users who can perform the action
  // +k8s:conversion-gen=false
  repeated string users = 2;

  // GroupsSlice is the list of groups who can perform the action
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // EvaluationError is an indication that some error occurred during resolution, but partial results
  // can still be returned.
  // It is entirely possible to get an error and be able to continue determine authorization status in
  // spite of it. This is most common when a bound role is missing, but enough roles are still present
  // and bound to reason about the request.
  // Consumers should treat Users/Groups as possibly INCOMPLETE whenever this is non-empty.
  //
  // NOTE(review): the serialized name "evalutionError" is misspelled relative to
  // SubjectAccessReviewResponse.evaluationError and SubjectRulesReviewStatus.evaluationError.
  // It is part of the published wire/JSON contract for this type and must not be corrected here;
  // clients reading this response have to use the misspelled key.
  optional string evalutionError = 4;
}

// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
message Role {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this Role
  repeated PolicyRule rules = 2;
}

// RoleBinding references a Role, but not contain it. It can reference any Role in the same namespace or
// in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace
// it exists in.
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace
// which has power in all namespaces).
//
// NOTE(review): when auditing who a binding grants access to, read UserNames, GroupNames AND Subjects.
// Per the field comments below, Subjects is ignored whenever either legacy list is set, so a binding
// that carries both is effectively defined by the legacy lists only.
message RoleBinding {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and
  // GroupNames.
  repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error
  // (i.e. an unresolvable reference fails closed rather than granting nothing silently).
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;
}

// RoleBindingList is a collection of RoleBindings
message RoleBindingList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of RoleBindings
  repeated RoleBinding items = 2;
}

// RoleBindingRestriction is an object that can be matched against a subject
// (user, group, or service account) to determine whether rolebindings on that
// subject are allowed in the namespace to which the RoleBindingRestriction
// belongs. If any one of those RoleBindingRestriction objects matches
// a subject, rolebindings on that subject in the namespace are allowed.
//
// NOTE(review): restrictions in a namespace are OR-ed: one matching object is enough.
// What happens in a namespace with no RoleBindingRestriction objects at all is not
// stated here — confirm against the admission logic before relying on it.
message RoleBindingRestriction {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

  // Spec defines the matcher.
  optional RoleBindingRestrictionSpec spec = 2;
}

// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
message RoleBindingRestrictionList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of RoleBindingRestriction objects.
  repeated RoleBindingRestriction items = 2;
}

// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
// field must be non-nil.
// (The "exactly one" rule is not expressible in proto2 — it has to be enforced by
// server-side validation; an object with zero or several fields set is invalid.)
message RoleBindingRestrictionSpec {
  // UserRestriction matches against user subjects.
  optional UserRestriction userrestriction = 1;

  // GroupRestriction matches against group subjects.
  optional GroupRestriction grouprestriction = 2;

  // ServiceAccountRestriction matches against service-account subjects.
  optional ServiceAccountRestriction serviceaccountrestriction = 3;
}

// RoleList is a collection of Roles
message RoleList {
  // Standard object's metadata.
  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;

  // Items is a list of Roles
  repeated Role items = 2;
}

// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a
// namespace
message SelfSubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SelfSubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  optional SubjectRulesReviewStatus status = 2;
}

// SelfSubjectRulesReviewSpec adds information about how to conduct the check
message SelfSubjectRulesReviewSpec {
  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil means "use the scopes on this request".
  // NOTE(review): nil and empty differ (see OptionalScopes); an explicitly empty list reports the
  // caller's full permissions even when the current token is scoped.
  optional OptionalScopes scopes = 1;
}

// ServiceAccountReference specifies a service account and namespace by their
// names.
message ServiceAccountReference {
  // Name is the name of the service account.
  optional string name = 1;

  // Namespace is the namespace of the service account. Service accounts from
  // inside the whitelisted namespaces are allowed to be bound to roles. If
  // Namespace is empty, then the namespace of the RoleBindingRestriction in
  // which the ServiceAccountReference is embedded is used.
  optional string namespace = 2;
}

// ServiceAccountRestriction matches a service account by a string match on
// either the service-account name or the name of the service account's
// namespace.
message ServiceAccountRestriction {
  // ServiceAccounts specifies a list of literal service-account names.
  repeated ServiceAccountReference serviceaccounts = 1;

  // Namespaces specifies a list of literal namespace names.
  // NOTE(review): listing a namespace here matches EVERY service account in it,
  // including ones created later; prefer ServiceAccounts when a narrower match is intended.
  repeated string namespaces = 2;
}

// SubjectAccessReview is an object for requesting information about whether a user or group can
// perform an action
message SubjectAccessReview {
  // Action describes the action being tested.
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  // NOTE(review): nothing in this schema limits who may name a *different* User/Groups; that
  // restriction, if any, has to come from the server's authorizer on the review resource.
  optional string user = 2;

  // GroupsSlice is optional. Groups is the list of groups to which the User belongs.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // NOTE(review): nil and empty are deliberately different (see OptionalScopes).
  optional OptionalScopes scopes = 4;
}

// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
message SubjectAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // Allowed is required. True if the action would be allowed, false otherwise.
  // (proto2 field presence aside, consumers should treat an absent value as false.)
  optional bool allowed = 2;

  // Reason is optional. It indicates why a request was allowed or denied.
  optional string reason = 3;

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue determine authorization status in
  // spite of it. This is most common when a bound role is missing, but enough roles are still present
  // and bound to reason about the request.
  optional string evaluationError = 4;
}

// SubjectRulesReview is a resource you can create to determine which actions another user can perform
// in a namespace
message SubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  optional SubjectRulesReviewStatus status = 2;
}

// SubjectRulesReviewSpec adds information about how to conduct the check
message SubjectRulesReviewSpec {
  // User is optional. At least one of User and Groups must be specified.
  optional string user = 1;

  // Groups is optional. Groups is the list of groups to which the User belongs. At least one of User
  // and Groups must be specified.
  repeated string groups = 2;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  optional OptionalScopes scopes = 3;
}

// SubjectRulesReviewStatus is contains the result of a rules check
message SubjectRulesReviewStatus {
  // Rules is the list of rules (no particular sort) that are allowed for the subject
  repeated PolicyRule rules = 1;

  // EvaluationError can appear in combination with Rules. It means some error happened during evaluation
  // that may have prevented additional rules from being populated.
  // Consumers must therefore treat Rules as a possibly INCOMPLETE list whenever this is non-empty.
  optional string evaluationError = 2;
}

// UserRestriction matches a user either by a string match on the user name,
// a string match on the name of a group to which the user belongs, or a label
// selector applied to the user labels.
message UserRestriction {
  // Users specifies a list of literal user names.
  repeated string users = 1;

  // Groups specifies a list of literal group names.
  repeated string groups = 2;

  // Selectors specifies a list of label selectors over user labels.
  // NOTE(review): matches on whatever labels the user objects carry; confirm that
  // write access to user labels is restricted before relying on this matcher.
  repeated k8s.io.kubernetes.pkg.api.unversioned.LabelSelector labels = 3;
}