xref: /aosp_15_r20/external/googleapis/google/rpc/context/attribute_context.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9) 
1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.rpc.context;
18
19import "google/protobuf/any.proto";
20import "google/protobuf/duration.proto";
21import "google/protobuf/struct.proto";
22import "google/protobuf/timestamp.proto";
23
24option cc_enable_arenas = true;
25option go_package = "google.golang.org/genproto/googleapis/rpc/context/attribute_context;attribute_context";
26option java_multiple_files = true;
27option java_outer_classname = "AttributeContextProto";
28option java_package = "com.google.rpc.context";
29
30// This message defines the standard attribute vocabulary for Google APIs.
31//
32// An attribute is a piece of metadata that describes an activity on a network
33// service. For example, the size of an HTTP request, or the status code of
34// an HTTP response.
35//
36// Each attribute has a type and a name, which is logically defined as
37// a proto message field in `AttributeContext`. The field type becomes the
38// attribute type, and the field path becomes the attribute name. For example,
39// the attribute `source.ip` maps to field `AttributeContext.source.ip`.
40//
41// This message definition is guaranteed not to have any wire breaking change.
42// So you can use it directly for passing attributes across different systems.
43//
44// NOTE: Different system may generate different subset of attributes. Please
45// verify the system specification before relying on an attribute generated
46// a system.
47message AttributeContext {
48  // This message defines attributes for a node that handles a network request.
49  // The node can be either a service or an application that sends, forwards,
50  // or receives the request. Service peers should fill in
51  // `principal` and `labels` as appropriate.
52  message Peer {
53    // The IP address of the peer.
54    string ip = 1;
55
56    // The network port of the peer.
57    int64 port = 2;
58
59    // The labels associated with the peer.
60    map<string, string> labels = 6;
61
62    // The identity of this peer. Similar to `Request.auth.principal`, but
63    // relative to the peer instead of the request. For example, the
64    // identity associated with a load balancer that forwarded the request.
65    string principal = 7;
66
67    // The CLDR country/region code associated with the above IP address.
68    // If the IP address is private, the `region_code` should reflect the
69    // physical location where this peer is running.
70    string region_code = 8;
71  }
72
73  // This message defines attributes associated with API operations, such as
74  // a network API request. The terminology is based on the conventions used
75  // by Google APIs, Istio, and OpenAPI.
76  message Api {
77    // The API service name. It is a logical identifier for a networked API,
78    // such as "pubsub.googleapis.com". The naming syntax depends on the
79    // API management system being used for handling the request.
80    string service = 1;
81
82    // The API operation name. For gRPC requests, it is the fully qualified API
83    // method name, such as "google.pubsub.v1.Publisher.Publish". For OpenAPI
84    // requests, it is the `operationId`, such as "getPet".
85    string operation = 2;
86
87    // The API protocol used for sending the request, such as "http", "https",
88    // "grpc", or "internal".
89    string protocol = 3;
90
91    // The API version associated with the API operation above, such as "v1" or
92    // "v1alpha1".
93    string version = 4;
94  }
95
96  // This message defines request authentication attributes. Terminology is
97  // based on the JSON Web Token (JWT) standard, but the terms also
98  // correlate to concepts in other standards.
99  message Auth {
100    // The authenticated principal. Reflects the issuer (`iss`) and subject
101    // (`sub`) claims within a JWT. The issuer and subject should be `/`
102    // delimited, with `/` percent-encoded within the subject fragment. For
103    // Google accounts, the principal format is:
104    // "https://accounts.google.com/{id}"
105    string principal = 1;
106
107    // The intended audience(s) for this authentication information. Reflects
108    // the audience (`aud`) claim within a JWT. The audience
109    // value(s) depends on the `issuer`, but typically include one or more of
110    // the following pieces of information:
111    //
112    // *  The services intended to receive the credential. For example,
113    //    ["https://pubsub.googleapis.com/", "https://storage.googleapis.com/"].
114    // *  A set of service-based scopes. For example,
115    //    ["https://www.googleapis.com/auth/cloud-platform"].
116    // *  The client id of an app, such as the Firebase project id for JWTs
117    //    from Firebase Auth.
118    //
119    // Consult the documentation for the credential issuer to determine the
120    // information provided.
121    repeated string audiences = 2;
122
123    // The authorized presenter of the credential. Reflects the optional
124    // Authorized Presenter (`azp`) claim within a JWT or the
125    // OAuth client id. For example, a Google Cloud Platform client id looks
126    // as follows: "123456789012.apps.googleusercontent.com".
127    string presenter = 3;
128
129    // Structured claims presented with the credential. JWTs include
130    // `{key: value}` pairs for standard and private claims. The following
131    // is a subset of the standard required and optional claims that would
132    // typically be presented for a Google-based JWT:
133    //
134    //    {'iss': 'accounts.google.com',
135    //     'sub': '113289723416554971153',
136    //     'aud': ['123456789012', 'pubsub.googleapis.com'],
137    //     'azp': '123456789012.apps.googleusercontent.com',
138    //     'email': '[email protected]',
139    //     'iat': 1353601026,
140    //     'exp': 1353604926}
141    //
142    // SAML assertions are similarly specified, but with an identity provider
143    // dependent structure.
144    google.protobuf.Struct claims = 4;
145
146    // A list of access level resource names that allow resources to be
147    // accessed by authenticated requester. It is part of Secure GCP processing
148    // for the incoming request. An access level string has the format:
149    // "//{api_service_name}/accessPolicies/{policy_id}/accessLevels/{short_name}"
150    //
151    // Example:
152    // "//accesscontextmanager.googleapis.com/accessPolicies/MY_POLICY_ID/accessLevels/MY_LEVEL"
153    repeated string access_levels = 5;
154  }
155
156  // This message defines attributes for an HTTP request. If the actual
157  // request is not an HTTP request, the runtime system should try to map
158  // the actual request to an equivalent HTTP request.
159  message Request {
160    // The unique ID for a request, which can be propagated to downstream
161    // systems. The ID should have low probability of collision
162    // within a single day for a specific service.
163    string id = 1;
164
165    // The HTTP request method, such as `GET`, `POST`.
166    string method = 2;
167
168    // The HTTP request headers. If multiple headers share the same key, they
169    // must be merged according to the HTTP spec. All header keys must be
170    // lowercased, because HTTP header keys are case-insensitive.
171    map<string, string> headers = 3;
172
173    // The HTTP URL path, excluding the query parameters.
174    string path = 4;
175
176    // The HTTP request `Host` header value.
177    string host = 5;
178
179    // The HTTP URL scheme, such as `http` and `https`.
180    string scheme = 6;
181
182    // The HTTP URL query in the format of `name1=value1&name2=value2`, as it
183    // appears in the first line of the HTTP request. No decoding is performed.
184    string query = 7;
185
186    // The timestamp when the `destination` service receives the last byte of
187    // the request.
188    google.protobuf.Timestamp time = 9;
189
190    // The HTTP request size in bytes. If unknown, it must be -1.
191    int64 size = 10;
192
193    // The network protocol used with the request, such as "http/1.1",
194    // "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". See
195    // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
196    // for details.
197    string protocol = 11;
198
199    // A special parameter for request reason. It is used by security systems
200    // to associate auditing information with a request.
201    string reason = 12;
202
203    // The request authentication. May be absent for unauthenticated requests.
204    // Derived from the HTTP request `Authorization` header or equivalent.
205    Auth auth = 13;
206  }
207
208  // This message defines attributes for a typical network response. It
209  // generally models semantics of an HTTP response.
210  message Response {
211    // The HTTP response status code, such as `200` and `404`.
212    int64 code = 1;
213
214    // The HTTP response size in bytes. If unknown, it must be -1.
215    int64 size = 2;
216
217    // The HTTP response headers. If multiple headers share the same key, they
218    // must be merged according to HTTP spec. All header keys must be
219    // lowercased, because HTTP header keys are case-insensitive.
220    map<string, string> headers = 3;
221
222    // The timestamp when the `destination` service sends the last byte of
223    // the response.
224    google.protobuf.Timestamp time = 4;
225
226    // The amount of time it takes the backend service to fully respond to a
227    // request. Measured from when the destination service starts to send the
228    // request to the backend until when the destination service receives the
229    // complete response from the backend.
230    google.protobuf.Duration backend_latency = 5;
231  }
232
233  // This message defines core attributes for a resource. A resource is an
234  // addressable (named) entity provided by the destination service. For
235  // example, a file stored on a network storage service.
236  message Resource {
237    // The name of the service that this resource belongs to, such as
238    // `pubsub.googleapis.com`. The service may be different from the DNS
239    // hostname that actually serves the request.
240    string service = 1;
241
242    // The stable identifier (name) of a resource on the `service`. A resource
243    // can be logically identified as "//{resource.service}/{resource.name}".
244    // The differences between a resource name and a URI are:
245    //
246    // *   Resource name is a logical identifier, independent of network
247    //     protocol and API version. For example,
248    //     `//pubsub.googleapis.com/projects/123/topics/news-feed`.
249    // *   URI often includes protocol and version information, so it can
250    //     be used directly by applications. For example,
251    //     `https://pubsub.googleapis.com/v1/projects/123/topics/news-feed`.
252    //
253    // See https://cloud.google.com/apis/design/resource_names for details.
254    string name = 2;
255
256    // The type of the resource. The syntax is platform-specific because
257    // different platforms define their resources differently.
258    //
259    // For Google APIs, the type format must be "{service}/{kind}", such as
260    // "pubsub.googleapis.com/Topic".
261    string type = 3;
262
263    // The labels or tags on the resource, such as AWS resource tags and
264    // Kubernetes resource labels.
265    map<string, string> labels = 4;
266
267    // The unique identifier of the resource. UID is unique in the time
268    // and space for this resource within the scope of the service. It is
269    // typically generated by the server on successful creation of a resource
270    // and must not be changed. UID is used to uniquely identify resources
271    // with resource name reuses. This should be a UUID4.
272    string uid = 5;
273
274    // Annotations is an unstructured key-value map stored with a resource that
275    // may be set by external tools to store and retrieve arbitrary metadata.
276    // They are not queryable and should be preserved when modifying objects.
277    //
278    // More info: https://kubernetes.io/docs/user-guide/annotations
279    map<string, string> annotations = 6;
280
281    // Mutable. The display name set by clients. Must be <= 63 characters.
282    string display_name = 7;
283
284    // Output only. The timestamp when the resource was created. This may
285    // be either the time creation was initiated or when it was completed.
286    google.protobuf.Timestamp create_time = 8;
287
288    // Output only. The timestamp when the resource was last updated. Any
289    // change to the resource made by users must refresh this value.
290    // Changes to a resource made by the service should refresh this value.
291    google.protobuf.Timestamp update_time = 9;
292
293    // Output only. The timestamp when the resource was deleted.
294    // If the resource is not deleted, this must be empty.
295    google.protobuf.Timestamp delete_time = 10;
296
297    // Output only. An opaque value that uniquely identifies a version or
298    // generation of a resource. It can be used to confirm that the client
299    // and server agree on the ordering of a resource being written.
300    string etag = 11;
301
302    // Immutable. The location of the resource. The location encoding is
303    // specific to the service provider, and new encoding may be introduced
304    // as the service evolves.
305    //
306    // For Google Cloud products, the encoding is what is used by Google Cloud
307    // APIs, such as `us-east1`, `aws-us-east-1`, and `azure-eastus2`. The
308    // semantics of `location` is identical to the
309    // `cloud.googleapis.com/location` label used by some Google Cloud APIs.
310    string location = 12;
311  }
312
313  // The origin of a network activity. In a multi hop network activity,
314  // the origin represents the sender of the first hop. For the first hop,
315  // the `source` and the `origin` must have the same content.
316  Peer origin = 7;
317
318  // The source of a network activity, such as starting a TCP connection.
319  // In a multi hop network activity, the source represents the sender of the
320  // last hop.
321  Peer source = 1;
322
323  // The destination of a network activity, such as accepting a TCP connection.
324  // In a multi hop network activity, the destination represents the receiver of
325  // the last hop.
326  Peer destination = 2;
327
328  // Represents a network request, such as an HTTP request.
329  Request request = 3;
330
331  // Represents a network response, such as an HTTP response.
332  Response response = 4;
333
334  // Represents a target resource that is involved with a network activity.
335  // If multiple resources are involved with an activity, this must be the
336  // primary one.
337  Resource resource = 5;
338
339  // Represents an API operation that is involved to a network activity.
340  Api api = 6;
341
342  // Supports extensions for advanced use cases, such as logs and metrics.
343  repeated google.protobuf.Any extensions = 8;
344}
345