iam¶
Contents¶
- Services
- Messages
IAMService¶
The IAM service provides APIs to interact with IAM role bindings.
CreateIAM¶
rpc CreateIAM(CreateIAMRequest) IAM
CreateIAM API creates a new IAM role-binding.
GrantIAM¶
rpc GrantIAM(GrantIAMRequest) GrantIAMResponse
GrantIAM API creates a new IAM role-binding at the Tenant (Organization), project and account level.
RevokeIAM¶
rpc RevokeIAM(RevokeIAMRequest) RevokeIAMResponse
RevokeIAM API deletes an IAM role-binding at the Tenant (Organization), project and account level.
GetIAM¶
rpc GetIAM(GetIAMRequest) IAM
GetIAM API returns information about the IAM for the given IAM ID.
ListIAMPermissions¶
rpc ListIAMPermissions(ListIAMPermissionsRequest) ListIAMPermissionsResponse
ListIAMPermissions API lists permissions for roles in IAM.
UpdateIAM¶
rpc UpdateIAM(UpdateIAMRequest) IAM
UpdateIAM API updates IAM with the new set of role bindings. The request replaces the existing set of bindings.
DeleteIAM¶
rpc DeleteIAM(DeleteIAMRequest) .google.protobuf.Empty
DeleteIAM API deletes an IAM; currently required only for name.
ListIAM¶
rpc ListIAM(ListIAMRequest) ListIAMResponse
ListIAM API lists the role bindings.
Messages¶
AccessPolicy¶
Access Policy controls access to control plane resources. With IAM, one can centrally manage permissions that control which resources users can access.
Field | Type | Description |
---|---|---|
global_scope | repeated string | Global scope represents the global role names. |
account | repeated string | Account represents the account role names. |
tenant | repeated RoleBinding | Tenant (Organization) represents the Organization level role bindings and resource IDs. |
project | repeated RoleBinding | Project represents the project level role bindings and resource IDs. |
namespace | repeated RoleBinding | Namespace represents the namespace level role bindings and resource IDs. |
Config¶
Config represents the details of the data for IAM across different levels.
Field | Type | Description |
---|---|---|
actor_id | string | Actor ID for the associated actor. |
actor_type | string | Actor Type gives the actor type for the concerned actor_id. |
actor_email | string | Actor email for actorType USER. |
access_policy | AccessPolicy | Created/updated IAM. |
CreateIAMRequest¶
CreateIAMRequest is the request to create a role binding.
Field | Type | Description |
---|---|---|
iam | IAM | IAM to be created |
DeleteIAMRequest¶
DeleteIAMRequest is the request message to DeleteIAM API.
Field | Type | Description |
---|---|---|
actor_id | string | Actor ID for which the IAM should be deleted. |
GetIAMRequest¶
GetIAMRequest is the request message to GetIAM API.
Field | Type | Description |
---|---|---|
actor_id | string | Actor ID for which the details need to be fetched. |
GrantIAMRequest¶
GrantIAMRequest is the request to add a new role in the IAM for a Tenant (Organization), project or account.
Field | Type | Description |
---|---|---|
oneof resource_id.account_id | string | Account UID under which user wants to add role binding. |
oneof resource_id.tenant_id | string | Tenant (Organization) UID under which user wants to add role binding. |
oneof resource_id.project_id | string | Project UID under which user wants to add role binding. |
actor_id | string | actorId is the UID of the user/serviceAccount for which we want to add a new role in the IAM. |
access_policy | AccessPolicy | Describes the roles that need to be added. |
GrantIAMResponse¶
GrantIAMResponse is the response for the GrantIAM API.
Field | Type | Description |
---|---|---|
message | string | Any error or success message to show for GrantIAM response. |
IAM¶
IAM returns the created IAM for the given data.
Field | Type | Description |
---|---|---|
meta | public.portworx.common.v1.Meta | Metadata for IAM. |
config | Config | Desired configuration of the IAM. |
ListIAMPermissionsRequest¶
ListIAMPermissionsRequest is the request to fetch user's permissions.
Field | Type | Description |
---|---|---|
tenant_id | string | Tenant (Organization) ID in whose context the permissions of the user are to be listed. |
project_id | string | The permission request is to list the permissions of the user on the given project. |
ListIAMPermissionsResponse¶
ListIAMPermissionsResponse is the response that contains the permissions for the actor.
Field | Type | Description |
---|---|---|
permissions | repeated string | permissions is the list of permissions. |
ListIAMRequest¶
ListIAMRequest is the request message to the ListIAM API.
Field | Type | Description |
---|---|---|
actor_id | string | Actor ID for which the IAM should be listed. |
oneof resource_id.account_id | string | Account UID for which the IAM should be listed. |
oneof resource_id.tenant_id | string | Tenant (Organization) UID for which the IAM should be listed. |
oneof resource_id.project_id | string | Project UID for which the IAM should be listed. |
sort | Sort | Sorting details by which the requested list of IAMs is to be sorted. |
pagination | public.portworx.common.v1.PageBasedPaginationRequest | Pagination parameters for listing IAM. |
tenant_uid | string | Tenant (Organization) UID for which the IAM should be listed. |
project_uid | string | Project UID for which the IAM should be listed. |
ListIAMResponse¶
ListIAMResponse is the response to the ListIAM API and contains the list of IAMs visible to the caller.
Field | Type | Description |
---|---|---|
iam | repeated IAM | the list of IAMs. |
pagination | public.portworx.common.v1.PageBasedPaginationResponse | Pagination metadata for this response. |
RevokeIAMRequest¶
RevokeIAMRequest is the request to revoke/delete a role binding at the Tenant (Organization), project or account level.
Field | Type | Description |
---|---|---|
oneof resource_id.account_id | string | Account UID under which user wants to delete role. |
oneof resource_id.tenant_id | string | Tenant (Organization) UID under which user wants to delete role. |
oneof resource_id.project_id | string | Project UID under which user wants to delete role. |
actor_id | string | actorId is the UID of the user/serviceAccount for which we want to revoke a role in the IAM. |
access_policy | AccessPolicy | Describes the roles that need to be revoked. |
RevokeIAMResponse¶
RevokeIAMResponse is the response for the RevokeIAM API.
Field | Type | Description |
---|---|---|
message | string | Any error or success message to show for RevokeIAM response. |
RoleBinding¶
RoleBinding represents the Tenant (Organization)/project/namespace level role bindings and resource IDs.
Field | Type | Description |
---|---|---|
role_name | string | Role name represents the role for a Tenant (Organization)/project/namespace. |
resource_ids | repeated string | Resource IDs represent the IDs bound to the given role. |
Sort¶
The details of the attribute by which the requested list of IAMs is to be sorted.
Field | Type | Description |
---|---|---|
sort_by | SortBy.Field | Name of the attribute to sort results by. |
sort_order | public.portworx.common.v1.SortOrder.Value | Order of sorting to be applied to the requested list. If sort_by has a value and sort_order is not provided, ascending order is used by default. |
SortBy¶
Supported fields for sorting the requested list of IAMs.
UpdateIAMRequest¶
UpdateIAMRequest replaces the existing role binding.
Field | Type | Description |
---|---|---|
iam | IAM | IAM to be updated. |
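
Because UpdateIAM replaces the whole set of bindings, an AccessPolicy built from scratch revokes every grant it omits. The following is an added example (not Portworx code) that diffs the current and desired AccessPolicy before such an update; the dict shapes follow the field tables on this page, while the function names, role names and resource IDs are constructed for illustration.

```python
# Added example: plain dicts stand in for the AccessPolicy message.
# Field names come from the tables on this page; all values are constructed.

FLAT_LEVELS = ("global_scope", "account")            # repeated string
SCOPED_LEVELS = ("tenant", "project", "namespace")   # repeated RoleBinding


def flatten(policy):
    """Expand an AccessPolicy dict into a set of (level, role, resource_id)."""
    grants = set()
    for level in FLAT_LEVELS:
        for role in policy.get(level, []):
            # "*" is a placeholder: these levels carry role names only.
            grants.add((level, role, "*"))
    for level in SCOPED_LEVELS:
        for binding in policy.get(level, []):
            for rid in binding.get("resource_ids", []):
                grants.add((level, binding["role_name"], rid))
    return grants


def diff_policies(current, desired):
    """Return (added, removed) grants if `desired` replaced `current`."""
    cur, new = flatten(current), flatten(desired)
    return sorted(new - cur), sorted(cur - new)


def check_update(current, desired, allow_removals=False):
    """Refuse a replace-style update that would silently drop grants."""
    added, removed = diff_policies(current, desired)
    if removed and not allow_removals:
        raise ValueError(f"update would revoke {len(removed)} grant(s): {removed}")
    return added, removed


# Constructed sample: the caller meant to add one project role but built
# the new policy from scratch instead of starting from the current one.
CURRENT = {
    "account": ["account-reader"],
    "tenant": [{"role_name": "tenant-admin", "resource_ids": ["tnt-1"]}],
    "project": [{"role_name": "project-reader", "resource_ids": ["prj-1", "prj-2"]}],
}
DESIRED = {"project": [{"role_name": "project-writer", "resource_ids": ["prj-1"]}]}

if __name__ == "__main__":
    added, removed = diff_policies(CURRENT, DESIRED)
    print("added:", added)
    print("removed:", removed)
```

Running the same diff against the IAM returned by GetIAM gives a reviewable change set, and an additive change with no removals is the case GrantIAM covers.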
Enums¶
SortBy.Field¶
Field names for sorting the list of IAMs.
Name | Number | Description |
---|---|---|
FIELD_UNSPECIFIED | 0 | Unspecified, do not use. |
1 | Sorting based on the email of the iam. |