1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.bigquery.datapolicies.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/iam/v1/iam_policy.proto"; 24import "google/iam/v1/policy.proto"; 25import "google/protobuf/empty.proto"; 26import "google/protobuf/field_mask.proto"; 27 28option csharp_namespace = "Google.Cloud.BigQuery.DataPolicies.V1"; 29option go_package = "cloud.google.com/go/bigquery/datapolicies/apiv1/datapoliciespb;datapoliciespb"; 30option java_multiple_files = true; 31option java_outer_classname = "DataPolicyProto"; 32option java_package = "com.google.cloud.bigquery.datapolicies.v1"; 33option php_namespace = "Google\\Cloud\\BigQuery\\DataPolicies\\V1"; 34option ruby_package = "Google::Cloud::Bigquery::DataPolicies::V1"; 35 36// Data Policy Service provides APIs for managing the label-policy bindings. 37service DataPolicyService { 38 option (google.api.default_host) = "bigquerydatapolicy.googleapis.com"; 39 option (google.api.oauth_scopes) = 40 "https://www.googleapis.com/auth/bigquery," 41 "https://www.googleapis.com/auth/cloud-platform"; 42 43 // Creates a new data policy under a project with the given `dataPolicyId` 44 // (used as the display name), policy tag, and data policy type. 45 rpc CreateDataPolicy(CreateDataPolicyRequest) returns (DataPolicy) { 46 option (google.api.http) = { 47 post: "/v1/{parent=projects/*/locations/*}/dataPolicies" 48 body: "data_policy" 49 }; 50 option (google.api.method_signature) = "parent,data_policy"; 51 } 52 53 // Updates the metadata for an existing data policy. The target data policy 54 // can be specified by the resource name. 55 rpc UpdateDataPolicy(UpdateDataPolicyRequest) returns (DataPolicy) { 56 option (google.api.http) = { 57 patch: "/v1/{data_policy.name=projects/*/locations/*/dataPolicies/*}" 58 body: "data_policy" 59 }; 60 option (google.api.method_signature) = "data_policy,update_mask"; 61 } 62 63 // Renames the id (display name) of the specified data policy. 64 rpc RenameDataPolicy(RenameDataPolicyRequest) returns (DataPolicy) { 65 option (google.api.http) = { 66 post: "/v1/{name=projects/*/locations/*/dataPolicies/*}:rename" 67 body: "*" 68 }; 69 option (google.api.method_signature) = "name,new_data_policy_id"; 70 } 71 72 // Deletes the data policy specified by its resource name. 73 rpc DeleteDataPolicy(DeleteDataPolicyRequest) 74 returns (google.protobuf.Empty) { 75 option (google.api.http) = { 76 delete: "/v1/{name=projects/*/locations/*/dataPolicies/*}" 77 }; 78 option (google.api.method_signature) = "name"; 79 } 80 81 // Gets the data policy specified by its resource name. 82 rpc GetDataPolicy(GetDataPolicyRequest) returns (DataPolicy) { 83 option (google.api.http) = { 84 get: "/v1/{name=projects/*/locations/*/dataPolicies/*}" 85 }; 86 option (google.api.method_signature) = "name"; 87 } 88 89 // List all of the data policies in the specified parent project. 90 rpc ListDataPolicies(ListDataPoliciesRequest) 91 returns (ListDataPoliciesResponse) { 92 option (google.api.http) = { 93 get: "/v1/{parent=projects/*/locations/*}/dataPolicies" 94 }; 95 option (google.api.method_signature) = "parent"; 96 } 97 98 // Gets the IAM policy for the specified data policy. 99 rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) 100 returns (google.iam.v1.Policy) { 101 option (google.api.http) = { 102 post: "/v1/{resource=projects/*/locations/*/dataPolicies/*}:getIamPolicy" 103 body: "*" 104 }; 105 } 106 107 // Sets the IAM policy for the specified data policy. 108 rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) 109 returns (google.iam.v1.Policy) { 110 option (google.api.http) = { 111 post: "/v1/{resource=projects/*/locations/*/dataPolicies/*}:setIamPolicy" 112 body: "*" 113 }; 114 } 115 116 // Returns the caller's permission on the specified data policy resource. 117 rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) 118 returns (google.iam.v1.TestIamPermissionsResponse) { 119 option (google.api.http) = { 120 post: "/v1/{resource=projects/*/locations/*/dataPolicies/*}:testIamPermissions" 121 body: "*" 122 }; 123 } 124} 125 126// Request message for the CreateDataPolicy method. 127message CreateDataPolicyRequest { 128 // Required. Resource name of the project that the data policy will belong to. 129 // The format is `projects/{project_number}/locations/{location_id}`. 130 string parent = 1 [ 131 (google.api.field_behavior) = REQUIRED, 132 (google.api.resource_reference) = { 133 child_type: "bigquerydatapolicy.googleapis.com/DataPolicy" 134 } 135 ]; 136 137 // Required. The data policy to create. The `name` field does not need to be 138 // provided for the data policy creation. 139 DataPolicy data_policy = 2 [(google.api.field_behavior) = REQUIRED]; 140} 141 142// Response message for the UpdateDataPolicy method. 143message UpdateDataPolicyRequest { 144 // Required. Update the data policy's metadata. 145 // 146 // The target data policy is determined by the `name` field. 147 // Other fields are updated to the specified values based on the field masks. 148 DataPolicy data_policy = 1 [(google.api.field_behavior) = REQUIRED]; 149 150 // The update mask applies to the resource. For the `FieldMask` definition, 151 // see 152 // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask 153 // If not set, defaults to all of the fields that are allowed to update. 154 // 155 // Updates to the `name` and `dataPolicyId` fields are not allowed. 156 google.protobuf.FieldMask update_mask = 2; 157} 158 159// Request message for the RenameDataPolicy method. 160message RenameDataPolicyRequest { 161 // Required. Resource name of the data policy to rename. The format is 162 // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}` 163 string name = 1 [(google.api.field_behavior) = REQUIRED]; 164 165 // Required. The new data policy id. 166 string new_data_policy_id = 2 [(google.api.field_behavior) = REQUIRED]; 167} 168 169// Request message for the DeleteDataPolicy method. 170message DeleteDataPolicyRequest { 171 // Required. Resource name of the data policy to delete. Format is 172 // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`. 173 string name = 1 [ 174 (google.api.field_behavior) = REQUIRED, 175 (google.api.resource_reference) = { 176 type: "bigquerydatapolicy.googleapis.com/DataPolicy" 177 } 178 ]; 179} 180 181// Request message for the GetDataPolicy method. 182message GetDataPolicyRequest { 183 // Required. Resource name of the requested data policy. Format is 184 // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`. 185 string name = 1 [ 186 (google.api.field_behavior) = REQUIRED, 187 (google.api.resource_reference) = { 188 type: "bigquerydatapolicy.googleapis.com/DataPolicy" 189 } 190 ]; 191} 192 193// Request message for the ListDataPolicies method. 194message ListDataPoliciesRequest { 195 // Required. Resource name of the project for which to list data policies. 196 // Format is `projects/{project_number}/locations/{location_id}`. 197 string parent = 1 [ 198 (google.api.field_behavior) = REQUIRED, 199 (google.api.resource_reference) = { 200 child_type: "bigquerydatapolicy.googleapis.com/DataPolicy" 201 } 202 ]; 203 204 // The maximum number of data policies to return. Must be a value between 1 205 // and 1000. 206 // If not set, defaults to 50. 207 int32 page_size = 2; 208 209 // The `nextPageToken` value returned from a previous list request, if any. If 210 // not set, defaults to an empty string. 211 string page_token = 3; 212 213 // Filters the data policies by policy tags that they 214 // are associated with. Currently filter only supports 215 // "policy<span></span>_tag" based filtering and OR based predicates. Sample 216 // filter can be "policy<span></span>_tag: 217 // projects/1/locations/us/taxonomies/2/policyTags/3". 218 // You may also use wildcard such as "policy<span></span>_tag: 219 // projects/1/locations/us/taxonomies/2*". Please note that OR predicates 220 // cannot be used with wildcard filters. 221 string filter = 4; 222} 223 224// Response message for the ListDataPolicies method. 225message ListDataPoliciesResponse { 226 // Data policies that belong to the requested project. 227 repeated DataPolicy data_policies = 1; 228 229 // Token used to retrieve the next page of results, or empty if there are no 230 // more results. 231 string next_page_token = 2; 232} 233 234// Represents the label-policy binding. 235message DataPolicy { 236 option (google.api.resource) = { 237 type: "bigquerydatapolicy.googleapis.com/DataPolicy" 238 pattern: "projects/{project}/locations/{location}/dataPolicies/{data_policy}" 239 }; 240 241 // A list of supported data policy types. 242 enum DataPolicyType { 243 // Default value for the data policy type. This should not be used. 244 DATA_POLICY_TYPE_UNSPECIFIED = 0; 245 246 // Used to create a data policy for column-level security, without data 247 // masking. 248 COLUMN_LEVEL_SECURITY_POLICY = 3; 249 250 // Used to create a data policy for data masking. 251 DATA_MASKING_POLICY = 2; 252 } 253 254 // Label that is bound to this data policy. 255 oneof matching_label { 256 // Policy tag resource name, in the format of 257 // `projects/{project_number}/locations/{location_id}/taxonomies/{taxonomy_id}/policyTags/{policyTag_id}`. 258 string policy_tag = 4; 259 } 260 261 // The policy that is bound to this data policy. 262 oneof policy { 263 // The data masking policy that specifies the data masking rule to use. 264 DataMaskingPolicy data_masking_policy = 5; 265 } 266 267 // Output only. Resource name of this data policy, in the format of 268 // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`. 269 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 270 271 // Type of data policy. 272 DataPolicyType data_policy_type = 2; 273 274 // User-assigned (human readable) ID of the data policy that needs to be 275 // unique within a project. Used as {data_policy_id} in part of the resource 276 // name. 277 string data_policy_id = 3; 278} 279 280// The data masking policy that is used to specify data masking rule. 281message DataMaskingPolicy { 282 // The available masking rules. Learn more here: 283 // https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options. 284 enum PredefinedExpression { 285 // Default, unspecified predefined expression. No masking will take place 286 // since no expression is specified. 287 PREDEFINED_EXPRESSION_UNSPECIFIED = 0; 288 289 // Masking expression to replace data with SHA-256 hash. 290 SHA256 = 3; 291 292 // Masking expression to replace data with NULLs. 293 ALWAYS_NULL = 5; 294 295 // Masking expression to replace data with their default masking values. 296 // The default masking values for each type listed as below: 297 // 298 // * STRING: "" 299 // * BYTES: b'' 300 // * INTEGER: 0 301 // * FLOAT: 0.0 302 // * NUMERIC: 0 303 // * BOOLEAN: FALSE 304 // * TIMESTAMP: 1970-01-01 00:00:00 UTC 305 // * DATE: 1970-01-01 306 // * TIME: 00:00:00 307 // * DATETIME: 1970-01-01T00:00:00 308 // * GEOGRAPHY: POINT(0 0) 309 // * BIGNUMERIC: 0 310 // * ARRAY: [] 311 // * STRUCT: NOT_APPLICABLE 312 // * JSON: NULL 313 DEFAULT_MASKING_VALUE = 7; 314 315 // Masking expression shows the last four characters of text. 316 // The masking behavior is as follows: 317 // 318 // * If text length > 4 characters: Replace text with XXXXX, append last 319 // four characters of original text. 320 // * If text length <= 4 characters: Apply SHA-256 hash. 321 LAST_FOUR_CHARACTERS = 9; 322 323 // Masking expression shows the first four characters of text. 324 // The masking behavior is as follows: 325 // 326 // * If text length > 4 characters: Replace text with XXXXX, prepend first 327 // four characters of original text. 328 // * If text length <= 4 characters: Apply SHA-256 hash. 329 FIRST_FOUR_CHARACTERS = 10; 330 331 // Masking expression for email addresses. 332 // The masking behavior is as follows: 333 // 334 // * Syntax-valid email address: Replace username with XXXXX. For example, 335 // [email protected] becomes [email protected]. 336 // * Syntax-invalid email address: Apply SHA-256 hash. 337 // 338 // For more information, see [Email 339 // mask](https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options). 340 EMAIL_MASK = 12; 341 342 // Masking expression to only show the year of `Date`, 343 // `DateTime` and `TimeStamp`. For example, with the 344 // year 2076: 345 // 346 // * DATE : 2076-01-01 347 // * DATETIME : 2076-01-01T00:00:00 348 // * TIMESTAMP : 2076-01-01 00:00:00 UTC 349 // 350 // Truncation occurs according to the UTC time zone. To change this, adjust 351 // the default time zone using the `time_zone` system variable. 352 // For more information, see the <a 353 // href="https://cloud.google.com/bigquery/docs/reference/system-variables">System 354 // variables reference</a>. 355 DATE_YEAR_MASK = 13; 356 } 357 358 // A masking expression to bind to the data masking rule. 359 oneof masking_expression { 360 // A predefined masking expression. 361 PredefinedExpression predefined_expression = 1; 362 363 // The name of the BigQuery routine that contains the custom masking 364 // routine, in the format of 365 // `projects/{project_number}/datasets/{dataset_id}/routines/{routine_id}`. 366 string routine = 3; 367 } 368} 369