Tetrate Service BridgeVersion: next

Approvals Service

Service to manage centralized approval policies.

Approvals

The Approvals service exposes methods for working with approval policies. $hide_from_yaml

SetPolicy

rpc SetPolicy (tetrateio.api.tsb.q.v2.ApprovalPolicy) returns (google.protobuf.Empty)

Requires CreateApprovalPolicy, WriteApprovalPolicy

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

GetPolicy

rpc GetPolicy (tetrateio.api.tsb.q.v2.GetPolicyRequest) returns (tetrateio.api.tsb.q.v2.ApprovalPolicy)

Requires ReadApprovalPolicy

GetPolicy returns the approval policy for the given resource.

QueryPolicies

rpc QueryPolicies (tetrateio.api.tsb.q.v2.QueryPoliciesRequest) returns (tetrateio.api.tsb.q.v2.QueryPoliciesResponse)

DeletePolicy

rpc DeletePolicy (tetrateio.api.tsb.q.v2.DeletePolicyRequest) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicy

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

AddAccessRequest

rpc AddAccessRequest (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires CreateApprovalPolicyAccessRequest, WriteApprovalPolicyAccessRequest

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

DeleteAccessRequest

rpc DeleteAccessRequest (tetrateio.api.tsb.q.v2.ResourceAndSubject) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicyAccessRequest

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

ApproveAccessRequest

rpc ApproveAccessRequest (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires WriteApprovalPolicyApproveAccess

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

AddApprovedAccess

rpc AddApprovedAccess (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires CreateApprovalPolicyApprovedAccess, WriteApprovalPolicyApprovedAccess

AddApprovedAccess adds a new entry in the approved access list for the given resource.

DeleteApprovedAccess

rpc DeleteApprovedAccess (tetrateio.api.tsb.q.v2.ResourceAndSubject) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicyApprovedAccess

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

Access

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

Field	Description	Validation Rule
subject	string REQUIRED Subject is the subject that is requested to access the resource.	string = { min_len: `1` }
permissions	List of string REQUIRED Permissions is a list of permissions that the subject is allowed to use.	repeated = { min_items: `1` items: `{string:{min_len:1}}` }
metadata	tetrateio.api.tsb.q.v2.Metadata Metadata is additional information about this Access entity.	–

AccessRequest

AccessRequest is a request used for requesting or approving access to a resource.

Example: AccessRequest { Resource: "organizations/demo/tenants/demo/applications/target", Access: []Access{{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field	Description	Validation Rule
resource	string REQUIRED Resource for which the access request is made.	string = { min_len: `1` }
access	tetrateio.api.tsb.q.v2.Access REQUIRED Access is the subject and permissions for the access request.	–

ApprovalPolicy

ApprovalPolicy is a set of authorization rules that define access to a resource. When applied to a resource, the rules enforce access to the resource based on the permission set.

Example: ApprovalPolicy { Mode: ApprovalPolicy_REQUIRE_APPROVAL, Resource: "organizations/demo/tenants/demo/applications/target-app", Approved: []Access {{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field	Description	Validation Rule
mode	tetrateio.api.tsb.q.v2.ApprovalPolicy.Mode REQUIRED Mode indicates how access to the resource is configured.	enum = { defined_only: `true` }
resource	string REQUIRED Resource is a fully qualified name of the resource that the policy applies to.	string = { min_len: `1` }
requested	List of tetrateio.api.tsb.q.v2.Access Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.	–
approved	List of tetrateio.api.tsb.q.v2.Access Approved is a list of subjects that are approved to access the resource.	–
metadata	tetrateio.api.tsb.q.v2.Metadata Metadata is additional information about this Policy and the resource it applies to.	–

DeletePolicyRequest

DeletePolicyRequest is the request message for DeletePolicy.

Example: DeletePolicyRequest { Resource: "organizations/demo/tenants/demo/applications/target-app" }

Field	Description	Validation Rule
resource	string REQUIRED Resource is the fully qualified name of the policy delete being requested.	string = { min_len: `1` }
force	bool Force the deletion of internal resources even if they are protected against deletion.	–

GetPolicyRequest

GetPolicyRequest is the request message for GetPolicy.

Example: GetPolicyRequest { Resource: "organizations/demo/tenants/demo/applications/example" }

Field	Description	Validation Rule
resource	string REQUIRED Resource is the fully qualified name of the policy being requested.	string = { min_len: `1` }

Metadata

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

Field	Description	Validation Rule
details	tetrateio.api.tsb.q.v2.Metadata.Details Details includes details about the resource or subject.	–
rules	List of tetrateio.api.tsb.rbac.v2.Role.Rule Permissions includes permissions for which an authenticated user is allowed to perform. This applies to ApprovalPolicy or Access entities respectively.	–

Details

Details is additional information about a resource.

Field	Description	Validation Rule
name	string Name is the resources name.	–
description	string Description is the resources description.	–

QueryPoliciesRequest

QueryPoliciesRequest is the request message for QueryPolicies.

Example: QueryPoliciesRequest { Parent: "organizations/demo/tenants/demo", Types: []string{"applications"}, IncludeDetails: true, IncludePermissions: true, }

Field	Description	Validation Rule
parent	string REQUIRED Parent is the resource where the query will collect ApprovalPolicy for the children that match the specified types.	string = { min_len: `1` }
types	List of string REQUIRED Type is the type of the resources to query for policies.	repeated = { min_items: `1` items: `{string:{min_len:1}}` }
includeDetails	bool IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.	–
includePermissions	bool IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.	–

QueryPoliciesResponse

QueryPoliciesResponse is the response message for QueryPolicies.

Field	Description	Validation Rule
policies	List of tetrateio.api.tsb.q.v2.ApprovalPolicy Policies is a list of policies that match the query.	–

ResourceAndSubject

ResourceAndSubject is a resource and subject pair used for approval and deletion operations.

Example: ResourceAndSubject { Resource: "organizations/demo/tenants/demo/applications/target", Subject: "organizations/demo/tenants/demo/applications/caller" }

Field	Description	Validation Rule
resource	string REQUIRED Resource for which the access request is made.	string = { min_len: `1` }
subject	string REQUIRED Subject for which the access request is made.	string = { min_len: `1` }

Mode

Field	Number	Description
UNRESTRICTED	0	Allows all subjects in the same policy class to access the resource.
ALLOW_REQUESTED	1	Allows only the subjects in the request and approved list to access the resource.
REQUIRE_APPROVAL	2	Allows only the subjects in the approved list to access the resource.

Approvals​

SetPolicy​

GetPolicy​

QueryPolicies​

DeletePolicy​

AddAccessRequest​

DeleteAccessRequest​

ApproveAccessRequest​

AddApprovedAccess​

DeleteApprovedAccess​

Access​

AccessRequest​

ApprovalPolicy​

DeletePolicyRequest​

GetPolicyRequest​

Metadata​

Details​

QueryPoliciesRequest​

QueryPoliciesResponse​

ResourceAndSubject​

Mode​