sql/v1/cloud_sql_users.proto

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.sql.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/cloud/sql/v1/cloud_sql_resources.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option go_package = "cloud.google.com/go/sql/apiv1/sqlpb;sqlpb";
option java_multiple_files = true;
option java_outer_classname = "CloudSqlUsersProto";
option java_package = "com.google.cloud.sql.v1";

// Cloud SQL users service.
service SqlUsersService {
  option (google.api.default_host) = "sqladmin.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/sqlservice.admin";

  // Deletes a user from a Cloud SQL instance.
  rpc Delete(SqlUsersDeleteRequest) returns (Operation) {
    option (google.api.http) = {
      delete: "/v1/projects/{project}/instances/{instance}/users"
    };
  }

  // Retrieves a resource containing information about a user.
  rpc Get(SqlUsersGetRequest) returns (User) {
    option (google.api.http) = {
      get: "/v1/projects/{project}/instances/{instance}/users/{name}"
    };
  }

  // Creates a new user in a Cloud SQL instance.
  rpc Insert(SqlUsersInsertRequest) returns (Operation) {
    option (google.api.http) = {
      post: "/v1/projects/{project}/instances/{instance}/users"
      body: "body"
    };
  }

  // Lists users in the specified Cloud SQL instance.
  rpc List(SqlUsersListRequest) returns (UsersListResponse) {
    option (google.api.http) = {
      get: "/v1/projects/{project}/instances/{instance}/users"
    };
  }

  // Updates an existing user in a Cloud SQL instance.
  rpc Update(SqlUsersUpdateRequest) returns (Operation) {
    option (google.api.http) = {
      put: "/v1/projects/{project}/instances/{instance}/users"
      body: "body"
    };
  }
}

message SqlUsersDeleteRequest {
  // Host of the user in the instance.
  string host = 1;

  // Database instance ID. This does not include the project ID.
  string instance = 2;

  // Name of the user in the instance.
  string name = 3;

  // Project ID of the project that contains the instance.
  string project = 4;
}

// Request message for Users Get RPC
message SqlUsersGetRequest {
  // Database instance ID. This does not include the project ID.
  string instance = 1;

  // User of the instance.
  string name = 2;

  // Project ID of the project that contains the instance.
  string project = 3;

  // Host of a user of the instance.
  string host = 4;
}

message SqlUsersInsertRequest {
  // Database instance ID. This does not include the project ID.
  string instance = 1;

  // Project ID of the project that contains the instance.
  string project = 2;

  User body = 100;
}

message SqlUsersListRequest {
  // Database instance ID. This does not include the project ID.
  string instance = 1;

  // Project ID of the project that contains the instance.
  string project = 2;
}

message SqlUsersUpdateRequest {
  // Optional. Host of the user in the instance.
  string host = 1 [(google.api.field_behavior) = OPTIONAL];

  // Database instance ID. This does not include the project ID.
  string instance = 2;

  // Name of the user in the instance.
  string name = 3;

  // Project ID of the project that contains the instance.
  string project = 4;

  User body = 100;
}

// User level password validation policy.
message UserPasswordValidationPolicy {
  // Number of failed login attempts allowed before user get locked.
  int32 allowed_failed_attempts = 1;

  // Expiration duration after password is updated.
  google.protobuf.Duration password_expiration_duration = 2;

  // If true, failed login attempts check will be enabled.
  bool enable_failed_attempts_check = 3;

  // Output only. Read-only password status.
  PasswordStatus status = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // If true, the user must specify the current password before changing the
  // password. This flag is supported only for MySQL.
  bool enable_password_verification = 5;
}

// Read-only password status.
message PasswordStatus {
  // If true, user does not have login privileges.
  bool locked = 1;

  // The expiration time of the current password.
  google.protobuf.Timestamp password_expiration_time = 2;
}

// A Cloud SQL user resource.
message User {
  // The user type.
  enum SqlUserType {
    // The database's built-in user type.
    BUILT_IN = 0;

    // Cloud IAM user.
    CLOUD_IAM_USER = 1;

    // Cloud IAM service account.
    CLOUD_IAM_SERVICE_ACCOUNT = 2;

    // Cloud IAM group non-login user.
    CLOUD_IAM_GROUP = 3;

    // Cloud IAM group login user.
    CLOUD_IAM_GROUP_USER = 4;

    // Cloud IAM group login service account.
    CLOUD_IAM_GROUP_SERVICE_ACCOUNT = 5;
  }

  // The type of retained password.
  enum DualPasswordType {
    // The default value.
    DUAL_PASSWORD_TYPE_UNSPECIFIED = 0;

    // Do not update the user's dual password status.
    NO_MODIFY_DUAL_PASSWORD = 1;

    // No dual password usable for connecting using this user.
    NO_DUAL_PASSWORD = 2;

    // Dual password usable for connecting using this user.
    DUAL_PASSWORD = 3;
  }

  // This is always `sql#user`.
  string kind = 1;

  // The password for the user.
  string password = 2;

  // This field is deprecated and will be removed from a future version of the
  // API.
  string etag = 3;

  // The name of the user in the Cloud SQL instance. Can be omitted for
  // `update` because it is already specified in the URL.
  string name = 4;

  // Optional. The host from which the user can connect. For `insert`
  // operations, host defaults to an empty string. For `update`
  // operations, host is specified as part of the request URL. The host name
  // cannot be updated after insertion.  For a MySQL instance, it's required;
  // for a PostgreSQL or SQL Server instance, it's optional.
  string host = 5 [(google.api.field_behavior) = OPTIONAL];

  // The name of the Cloud SQL instance. This does not include the project ID.
  // Can be omitted for `update` because it is already specified on the
  // URL.
  string instance = 6;

  // The project ID of the project containing the Cloud SQL database. The Google
  // apps domain is prefixed if applicable. Can be omitted for `update` because
  // it is already specified on the URL.
  string project = 7;

  // The user type. It determines the method to authenticate the user during
  // login. The default is the database's built-in user type.
  SqlUserType type = 8;

  // User details for specific database type
  oneof user_details {
    SqlServerUserDetails sqlserver_user_details = 9;
  }

  // User level password validation policy.
  UserPasswordValidationPolicy password_policy = 12;

  // Dual password status for the user.
  optional DualPasswordType dual_password_type = 13;
}

// Represents a Sql Server user on the Cloud SQL instance.
message SqlServerUserDetails {
  // If the user has been disabled
  bool disabled = 1;

  // The server roles for this user
  repeated string server_roles = 2;
}

// User list response.
message UsersListResponse {
  // This is always `sql#usersList`.
  string kind = 1;

  // List of user resources in the instance.
  repeated User items = 2;

  // Unused.
  string next_page_token = 3 [deprecated = true];
}