Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
GET /v1/debug/authz/trace
Stream authorization traces for all incoming requests.
Code | Message | Datatype |
---|---|---|
200 |
A successful response.(streaming responses) |
|
0 |
An unexpected error response. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
scopeCheckerType |
String |
||||
builtIn |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
permissions |
Map of StorageAccess |
||||
accessScopeName |
String |
||||
accessScope |
Any
contains an arbitrary serialized protocol buffer message along with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
Example 2: Pack and unpack a message in Java.
Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); }
Example 3: Pack and unpack a message in Python.
foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... }
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an Any
value uses the regular
representation of the deserialized, embedded message, with an
additional field @type
which contains the type URL. Example:
package google.profile; message Person { string first_name = 1; string last_name = 2; }
{ "@type": "type.googleapis.com/google.profile.Person", "firstName": <string>, "lastName": <string> }
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
value
which holds the custom JSON in addition to the @type
field. Example (for message [google.protobuf.Duration][]):
{ "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" }
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
typeUrl |
String |
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in |
|||
value |
byte[] |
Must be a valid serialized protocol buffer of the above specified type. |
byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
error |
String |
||||
code |
Integer |
int32 |
|||
message |
String |
||||
details |
List of ProtobufAny |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
grpcCode |
Integer |
int32 |
|||
httpCode |
Integer |
int32 |
|||
message |
String |
||||
httpStatus |
String |
||||
details |
List of ProtobufAny |
Each element of any repeated field is an individual rule. Rules are
joined by logical OR: if there exists a rule allowing resource x
,
x
is in the access scope.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
includedClusters |
List of |
||||
includedNamespaces |
List of SimpleAccessScopeRulesNamespace |
||||
clusterLabelSelectors |
List of StorageSetBasedLabelSelector |
||||
namespaceLabelSelectors |
List of StorageSetBasedLabelSelector |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
clusterName |
String |
Both fields must be set. |
|||
namespaceName |
String |
SetBasedLabelSelector only allows set-based label requirements.
Next available tag: 3
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
requirements |
Next available tag: 4
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
||||
op |
UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS, |
||||
values |
List of |
Stream result of v1AuthorizationTraceResponse
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
result |
|||||
error |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
clustersTotalNum |
Integer |
int32 |
|||
namespacesTotalNum |
Integer |
int32 |
|||
deniedAuthzDecisions |
Map of |
int32 |
|||
allowedAuthzDecisions |
Map of |
int32 |
|||
effectiveAccessScopes |
Map of |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
arrivedAt |
Date |
date-time |
|||
processedAt |
Date |
date-time |
|||
request |
|||||
response |
|||||
user |
|||||
trace |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
endpoint |
String |
||||
method |
String |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
status |
UNKNOWN_STATUS, SUCCESS, FAILURE, |
||||
error |
String |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
username |
String |
||||
friendlyName |
String |
||||
aggregatedPermissions |
Map of StorageAccess |
||||
roles |