1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.bigquery.datapolicies.v1beta1;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/api/resource.proto";
23import "google/iam/v1/iam_policy.proto";
24import "google/iam/v1/policy.proto";
25import "google/protobuf/empty.proto";
26import "google/protobuf/field_mask.proto";
27
28option csharp_namespace = "Google.Cloud.BigQuery.DataPolicies.V1Beta1";
29option go_package = "cloud.google.com/go/bigquery/datapolicies/apiv1beta1/datapoliciespb;datapoliciespb";
30option java_multiple_files = true;
31option java_outer_classname = "DataPolicyProto";
32option java_package = "com.google.cloud.bigquery.datapolicies.v1beta1";
33option php_namespace = "Google\\Cloud\\BigQuery\\DataPolicies\\V1beta1";
34option ruby_package = "Google::Cloud::Bigquery::DataPolicies::V1beta1";
35
// DataPolicyService manages data policies: the bindings between a label (a
// policy tag) and the policy applied to data that carries that label.
//
// CreateDataPolicy, UpdateDataPolicy, DeleteDataPolicy and SetIamPolicy change
// either the protection bound to a label or who may manage it, so calls to
// them are worth reviewing in audit logs.
service DataPolicyService {
  option (google.api.default_host) = "bigquerydatapolicy.googleapis.com";

  // OAuth scopes declared for generated clients. `cloud-platform` covers all
  // Google Cloud APIs; NOTE(review): callers that only use this API may
  // prefer the narrower `bigquery` scope.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/bigquery,"
      "https://www.googleapis.com/auth/cloud-platform";

  // Creates a new data policy under a project with the given `dataPolicyId`
  // (used as the display name), policy tag, and data policy type.
  //
  // The HTTP body maps to `data_policy`; `parent` comes from the URL path.
  rpc CreateDataPolicy(CreateDataPolicyRequest)
      returns (DataPolicy) {
    option (google.api.http) = {
      post: "/v1beta1/{parent=projects/*/locations/*}/dataPolicies"
      body: "data_policy"
    };
    option (google.api.method_signature) = "parent,data_policy";
  }

  // Updates the metadata of an existing data policy. The target is identified
  // by the resource name in `data_policy.name`, taken from the URL path.
  rpc UpdateDataPolicy(UpdateDataPolicyRequest)
      returns (DataPolicy) {
    option (google.api.http) = {
      patch: "/v1beta1/{data_policy.name=projects/*/locations/*/dataPolicies/*}"
      body: "data_policy"
    };
    option (google.api.method_signature) = "data_policy,update_mask";
  }

  // Deletes the data policy identified by its resource name.
  rpc DeleteDataPolicy(DeleteDataPolicyRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1beta1/{name=projects/*/locations/*/dataPolicies/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets the data policy identified by its resource name.
  rpc GetDataPolicy(GetDataPolicyRequest)
      returns (DataPolicy) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/dataPolicies/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists the data policies under the given parent (project and location).
  // Results are paginated through the request's `page_size`/`page_token`.
  rpc ListDataPolicies(ListDataPoliciesRequest)
      returns (ListDataPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/locations/*}/dataPolicies"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets the IAM policy for the specified data policy.
  //
  // Exposed as a POST with the whole request as body, although it only reads.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1beta1/{resource=projects/*/locations/*/dataPolicies/*}:getIamPolicy"
      body: "*"
    };
  }

  // Sets the IAM policy for the specified data policy.
  //
  // The request carries a complete google.iam.v1.Policy. Callers doing a
  // read-modify-write should fetch the current policy with GetIamPolicy and
  // send back its `etag`, so that a concurrent change is not overwritten.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1beta1/{resource=projects/*/locations/*/dataPolicies/*}:setIamPolicy"
      body: "*"
    };
  }

  // Returns the caller's permission on the specified data policy resource.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1beta1/{resource=projects/*/locations/*/dataPolicies/*}:testIamPermissions"
      body: "*"
    };
  }
}
111
// Request message for the CreateDataPolicy method.
message CreateDataPolicyRequest {
  // Required. Resource name of the project that the data policy will belong
  // to. The format is `projects/{project_number}/locations/{location_id}`.
  //
  // The resource reference uses `child_type`: this field names the parent
  // under which a DataPolicy is created, not a DataPolicy itself.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "bigquerydatapolicy.googleapis.com/DataPolicy"
    }
  ];

  // Required. The data policy to create. The `name` field does not need to be
  // provided for the data policy creation.
  //
  // `DataPolicy.name` is declared OUTPUT_ONLY; the caller-chosen part of the
  // resource name is `DataPolicy.data_policy_id`.
  DataPolicy data_policy = 2 [(google.api.field_behavior) = REQUIRED];
}
127
// Request message for the UpdateDataPolicy method.
message UpdateDataPolicyRequest {
  // Required. Update the data policy's metadata.
  //
  // The target data policy is determined by the `name` field.
  // Other fields are updated to the specified values based on the field masks.
  DataPolicy data_policy = 1 [(google.api.field_behavior) = REQUIRED];

  // The update mask applies to the resource. For the `FieldMask` definition,
  // see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  // If not set, defaults to all of the fields that are allowed to update.
  //
  // Updates to the `name` and `dataPolicyId` fields are not allowed.
  //
  // NOTE(review): because an unset mask means "all updatable fields", a
  // request that carries a partially populated `data_policy` and no mask may
  // change fields the caller did not intend to touch (for example the masking
  // rule or the bound policy tag). Setting the mask explicitly avoids that;
  // confirm the server's handling of unset fields.
  google.protobuf.FieldMask update_mask = 2;
}
144
// Request message for the DeleteDataPolicy method.
//
// NOTE(review): this file does not say what protection, if any, remains on
// data carrying the bound policy tag once the data policy is deleted; confirm
// before deleting a policy that is in use.
message DeleteDataPolicyRequest {
  // Required. Resource name of the data policy to delete. Format is
  // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`.
  //
  // The resource reference uses `type`: the value names a DataPolicy itself.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "bigquerydatapolicy.googleapis.com/DataPolicy"
    }
  ];
}
156
// Request message for the GetDataPolicy method.
message GetDataPolicyRequest {
  // Required. Resource name of the requested data policy. Format is
  // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`.
  //
  // The resource reference uses `type`: the value names a DataPolicy itself.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "bigquerydatapolicy.googleapis.com/DataPolicy"
    }
  ];
}
168
// Request message for the ListDataPolicies method.
message ListDataPoliciesRequest {
  // Required. Resource name of the project for which to list data policies.
  // Format is `projects/{project_number}/locations/{location_id}`.
  //
  // The resource reference uses `child_type`: this is the parent whose
  // DataPolicy children are listed.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "bigquerydatapolicy.googleapis.com/DataPolicy"
    }
  ];

  // The maximum number of data policies to return. Must be a value between 1
  // and 1000.
  // If not set, defaults to 50.
  //
  // This is a proto3 scalar without `optional`, so an explicit 0 cannot be
  // told apart from "not set" on the wire. The type also admits negative
  // values; NOTE(review): how the server treats values outside 1..1000 is not
  // stated here.
  int32 page_size = 2;

  // The `nextPageToken` value returned from a previous list request, if any. If
  // not set, defaults to an empty string.
  //
  // NOTE(review): presumably an opaque token; pass back the value from
  // `ListDataPoliciesResponse.next_page_token` unchanged.
  string page_token = 3;
}
189
// Response message for the ListDataPolicies method.
message ListDataPoliciesResponse {
  // Data policies that belong to the requested project.
  //
  // A `repeated` field has no presence: an empty list and an unset field are
  // the same on the wire.
  repeated DataPolicy data_policies = 1;

  // Token used to retrieve the next page of results, or empty if there are no
  // more results.
  //
  // Callers that need the complete set (for example an audit of all policies)
  // must keep requesting pages until this is empty.
  string next_page_token = 2;
}
199
// Represents the label-policy binding: one label (`matching_label`) tied to
// one policy (`policy`), plus the identifying fields of the binding itself.
message DataPolicy {
  option (google.api.resource) = {
    type: "bigquerydatapolicy.googleapis.com/DataPolicy"
    pattern: "projects/{project}/locations/{location}/dataPolicies/{data_policy}"
  };

  // A list of supported data policy types.
  //
  // Values are declared out of numeric order and 1 is not defined in this
  // file. The numbers are the wire contract and must not be renumbered.
  // NOTE(review): confirm whether 1 was retired before ever assigning it.
  enum DataPolicyType {
    // Default value for the data policy type. This should not be used.
    // It is also what a receiver sees when `data_policy_type` is left unset.
    DATA_POLICY_TYPE_UNSPECIFIED = 0;

    // Used to create a data policy for column-level security, without data
    // masking.
    COLUMN_LEVEL_SECURITY_POLICY = 3;

    // Used to create a data policy for data masking.
    DATA_MASKING_POLICY = 2;
  }

  // Label that is bound to this data policy.
  //
  // Only one member is defined at present; a oneof leaves room for other
  // label kinds without changing the existing field.
  oneof matching_label {
    // Policy tag resource name, in the format of
    // `projects/{project_number}/locations/{location_id}/taxonomies/{taxonomy_id}/policyTags/{policyTag_id}`.
    string policy_tag = 4;
  }

  // The policy that is bound to this data policy.
  //
  // Only one member is defined at present. NOTE(review): presumably left
  // unset when `data_policy_type` is COLUMN_LEVEL_SECURITY_POLICY; nothing in
  // this file enforces that the type and the chosen member agree, so verify
  // how the server validates the combination.
  oneof policy {
    // The data masking policy that specifies the data masking rule to use.
    DataMaskingPolicy data_masking_policy = 5;
  }

  // Output only. Resource name of this data policy, in the format of
  // `projects/{project_number}/locations/{location_id}/dataPolicies/{data_policy_id}`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Type of data policy.
  //
  // Defaults to DATA_POLICY_TYPE_UNSPECIFIED (0) when not set.
  DataPolicyType data_policy_type = 2;

  // User-assigned (human readable) ID of the data policy that needs to be
  // unique within a project. Used as {data_policy_id} in part of the resource
  // name.
  //
  // UpdateDataPolicyRequest documents that updates to this field are not
  // allowed.
  string data_policy_id = 3;
}
245
// The data masking policy that is used to specify data masking rule.
message DataMaskingPolicy {
  // The available masking rules. Learn more here:
  // https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options.
  //
  // The numeric values are sparse (0, 3, 5, 7). They are the wire contract and
  // must not be renumbered. NOTE(review): the gaps may be retired or reserved
  // values; confirm before assigning any of them.
  enum PredefinedExpression {
    // Default, unspecified predefined expression. No masking will take place
    // since no expression is specified.
    //
    // This is the value a receiver sees when `predefined_expression` is left
    // at its default, so a masking policy created without choosing a rule
    // exposes the data unmasked. Clients should set a rule explicitly and
    // reviewers should treat this value on an existing policy as a finding.
    PREDEFINED_EXPRESSION_UNSPECIFIED = 0;

    // Masking expression to replace data with SHA-256 hash.
    //
    // NOTE(review): no salt or key is mentioned here. If the hash is a plain
    // SHA-256 of the value, equal inputs give equal outputs (so equality and
    // joins still work on masked data) and values drawn from a small or
    // predictable set are not well protected. Confirm this fits the data
    // being masked.
    SHA256 = 3;

    // Masking expression to replace data with NULLs.
    ALWAYS_NULL = 5;

    // Masking expression to replace data with their default masking values.
    // The default masking values for each type listed as below:
    //
    // * STRING: ""
    // * BYTES: b''
    // * INTEGER: 0
    // * FLOAT: 0.0
    // * NUMERIC: 0
    // * BOOLEAN: FALSE
    // * TIMESTAMP: 0001-01-01 00:00:00 UTC
    // * DATE: 0001-01-01
    // * TIME: 00:00:00
    // * DATETIME: 0001-01-01T00:00:00
    // * GEOGRAPHY: POINT(0 0)
    // * BIGNUMERIC: 0
    // * ARRAY: []
    // * STRUCT: NOT_APPLICABLE
    // * JSON: NULL
    //
    // Several of these are ordinary in-domain values (0, "", FALSE), so a
    // reader of masked output cannot tell a masked value from a genuine one.
    DEFAULT_MASKING_VALUE = 7;
  }

  // A masking expression to bind to the data masking rule.
  //
  // Only one member is defined at present; a oneof leaves room for other
  // expression kinds without changing the existing field.
  oneof masking_expression {
    // A predefined masking expression.
    PredefinedExpression predefined_expression = 1;
  }
}