Class AuthzPolicy (0.94.0)

AuthzPolicy is a resource that allows to forward traffic to a callout backend designed to scan the traffic for security purposes.

Protobuf type google.cloud.networksecurity.v1.AuthzPolicy

Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

map<string, string> labels = 5 [(.google.api.field_behavior) = OPTIONAL];

Required. Can be one of ALLOW, DENY, CUSTOM.

When the action is CUSTOM, customProvider must be specified.

When the action is ALLOW, only requests matching the policy will be allowed.

When the action is DENY, only requests matching the policy will be denied.

When a request arrives, the policies are evaluated in the following order:

1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.

2. If there are any DENY policies that match the request, the request is denied.

3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.

4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.

.google.cloud.networksecurity.v1.AuthzPolicy.AuthzAction action = 8 [(.google.api.field_behavior) = REQUIRED];

Required. Can be one of ALLOW, DENY, CUSTOM.

When the action is CUSTOM, customProvider must be specified.

When the action is ALLOW, only requests matching the policy will be allowed.

When the action is DENY, only requests matching the policy will be denied.

When a request arrives, the policies are evaluated in the following order:

1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.

2. If there are any DENY policies that match the request, the request is denied.

3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.

4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.

.google.cloud.networksecurity.v1.AuthzPolicy.AuthzAction action = 8 [(.google.api.field_behavior) = REQUIRED];

Output only. The timestamp when the resource was created.

.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];

Output only. The timestamp when the resource was created.

.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];

Optional. Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.

.google.cloud.networksecurity.v1.AuthzPolicy.CustomProvider custom_provider = 10 [(.google.api.field_behavior) = OPTIONAL];

Optional. Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.

.google.cloud.networksecurity.v1.AuthzPolicy.CustomProvider custom_provider = 10 [(.google.api.field_behavior) = OPTIONAL];

Optional. A human-readable description of the resource.

string description = 4 [(.google.api.field_behavior) = OPTIONAL];

Optional. A human-readable description of the resource.

string description = 4 [(.google.api.field_behavior) = OPTIONAL];

Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

repeated .google.cloud.networksecurity.v1.AuthzPolicy.AuthzRule http_rules = 7 [(.google.api.field_behavior) = OPTIONAL];

Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

repeated .google.cloud.networksecurity.v1.AuthzPolicy.AuthzRule http_rules = 7 [(.google.api.field_behavior) = OPTIONAL];

Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

repeated .google.cloud.networksecurity.v1.AuthzPolicy.AuthzRule http_rules = 7 [(.google.api.field_behavior) = OPTIONAL];

Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

repeated .google.cloud.networksecurity.v1.AuthzPolicy.AuthzRule http_rules = 7 [(.google.api.field_behavior) = OPTIONAL];

Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

repeated .google.cloud.networksecurity.v1.AuthzPolicy.AuthzRule http_rules = 7 [(.google.api.field_behavior) = OPTIONAL];

Use #getLabelsMap() instead.

Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

map<string, string> labels = 5 [(.google.api.field_behavior) = OPTIONAL];

Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

map<string, string> labels = 5 [(.google.api.field_behavior) = OPTIONAL];

Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

map<string, string> labels = 5 [(.google.api.field_behavior) = OPTIONAL];

Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

map<string, string> labels = 5 [(.google.api.field_behavior) = OPTIONAL];

Required. Identifier. Name of the AuthzPolicy resource in the following format: projects/{project}/locations/{location}/authzPolicies/{authz_policy}.

string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IDENTIFIER];

Required. Identifier. Name of the AuthzPolicy resource in the following format: projects/{project}/locations/{location}/authzPolicies/{authz_policy}.

string name = 1 [(.google.api.field_behavior) = REQUIRED, (.google.api.field_behavior) = IDENTIFIER];

Optional. Immutable. Defines the type of authorization being performed. If not specified, REQUEST_AUTHZ is applied. This field cannot be changed once AuthzPolicy is created.

.google.cloud.networksecurity.v1.AuthzPolicy.PolicyProfile policy_profile = 11 [(.google.api.field_behavior) = OPTIONAL, (.google.api.field_behavior) = IMMUTABLE];

Optional. Immutable. Defines the type of authorization being performed. If not specified, REQUEST_AUTHZ is applied. This field cannot be changed once AuthzPolicy is created.

.google.cloud.networksecurity.v1.AuthzPolicy.PolicyProfile policy_profile = 11 [(.google.api.field_behavior) = OPTIONAL, (.google.api.field_behavior) = IMMUTABLE];

Required. Specifies the set of resources to which this policy should be applied to.

.google.cloud.networksecurity.v1.AuthzPolicy.Target target = 6 [(.google.api.field_behavior) = REQUIRED];

Required. Specifies the set of resources to which this policy should be applied to.

.google.cloud.networksecurity.v1.AuthzPolicy.Target target = 6 [(.google.api.field_behavior) = REQUIRED];

Output only. The timestamp when the resource was updated.

.google.protobuf.Timestamp update_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];

Output only. The timestamp when the resource was updated.

.google.protobuf.Timestamp update_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];

Output only. The timestamp when the resource was created.

.google.protobuf.Timestamp create_time = 2 [(.google.api.field_behavior) = OUTPUT_ONLY];

Optional. Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.

.google.cloud.networksecurity.v1.AuthzPolicy.CustomProvider custom_provider = 10 [(.google.api.field_behavior) = OPTIONAL];

Required. Specifies the set of resources to which this policy should be applied to.

.google.cloud.networksecurity.v1.AuthzPolicy.Target target = 6 [(.google.api.field_behavior) = REQUIRED];

Output only. The timestamp when the resource was updated.

.google.protobuf.Timestamp update_time = 3 [(.google.api.field_behavior) = OUTPUT_ONLY];