×

GET /v1/debug/authz/trace

Stream authorization traces for all incoming requests.

Description

Parameters

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.(streaming responses)

Stream_result_of_v1AuthorizationTraceResponse

0

An unexpected error response.

RuntimeError

Samples

Common object reference

AuthorizationTraceResponseResponseStatus

Enum Values

UNKNOWN_STATUS

SUCCESS

FAILURE

AuthorizationTraceResponseTrace

Field Name Required Nullable Type Description Format

scopeCheckerType

String

builtIn

TraceBuiltInAuthorizer

AuthorizationTraceResponseUserRole

Field Name Required Nullable Type Description Format

name

String

permissions

Map of StorageAccess

accessScopeName

String

accessScope

SimpleAccessScopeRules

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

typeUrl

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

value

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

RuntimeError

Field Name Required Nullable Type Description Format

error

String

code

Integer

int32

message

String

details

List of ProtobufAny

RuntimeStreamError

Field Name Required Nullable Type Description Format

grpcCode

Integer

int32

httpCode

Integer

int32

message

String

httpStatus

String

details

List of ProtobufAny

SimpleAccessScopeRules

Each element of any repeated field is an individual rule. Rules are joined by logical OR: if there exists a rule allowing resource x, x is in the access scope.

Field Name Required Nullable Type Description Format

includedClusters

List of string

includedNamespaces

List of SimpleAccessScopeRulesNamespace

clusterLabelSelectors

List of StorageSetBasedLabelSelector

namespaceLabelSelectors

List of StorageSetBasedLabelSelector

SimpleAccessScopeRulesNamespace

Field Name Required Nullable Type Description Format

clusterName

String

Both fields must be set.

namespaceName

String

StorageAccess

Enum Values

NO_ACCESS

READ_ACCESS

READ_WRITE_ACCESS

StorageSetBasedLabelSelector

SetBasedLabelSelector only allows set-based label requirements.

Next available tag: 3

Field Name Required Nullable Type Description Format

requirements

List of StorageSetBasedLabelSelectorRequirement

StorageSetBasedLabelSelectorOperator

Enum Values

UNKNOWN

IN

NOT_IN

EXISTS

NOT_EXISTS

StorageSetBasedLabelSelectorRequirement

Next available tag: 4
Field Name Required Nullable Type Description Format

key

String

op

StorageSetBasedLabelSelectorOperator

UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS,

values

List of string

StreamResultOfV1AuthorizationTraceResponse

Stream result of v1AuthorizationTraceResponse
Field Name Required Nullable Type Description Format

result

V1AuthorizationTraceResponse

error

RuntimeStreamError

TraceBuiltInAuthorizer

Field Name Required Nullable Type Description Format

clustersTotalNum

Integer

int32

namespacesTotalNum

Integer

int32

deniedAuthzDecisions

Map of integer

int32

allowedAuthzDecisions

Map of integer

int32

effectiveAccessScopes

Map of string

V1AuthorizationTraceResponse

Field Name Required Nullable Type Description Format

arrivedAt

Date

date-time

processedAt

Date

date-time

request

V1AuthorizationTraceResponseRequest

response

V1AuthorizationTraceResponseResponse

user

V1AuthorizationTraceResponseUser

trace

AuthorizationTraceResponseTrace

V1AuthorizationTraceResponseRequest

Field Name Required Nullable Type Description Format

endpoint

String

method

String

V1AuthorizationTraceResponseResponse

Field Name Required Nullable Type Description Format

status

AuthorizationTraceResponseResponseStatus

UNKNOWN_STATUS, SUCCESS, FAILURE,

error

String

V1AuthorizationTraceResponseUser

Field Name Required Nullable Type Description Format

username

String

friendlyName

String

aggregatedPermissions

Map of StorageAccess

roles

List of AuthorizationTraceResponseUserRole