ActivityLogService tracks historical changes to configuration made through Pomerium Enterprise
rpc GetActivityLogEntry(GetActivityLogEntryRequest) GetActivityLogEntryResponse
GetActivityLogEntry retrieves a specific activity log entry
rpc ListActivityLogEntries(ListActivityLogEntriesRequest) ListActivityLogEntriesResponse
ListActivityLogEntries lists activity log entries based on paramters in the ListActivityLogEntriesRequest
ActivityLogEntry contains context associated with a change in the deployment history
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| activity_type | string | DELETE or SET |
| created_at | google.protobuf.Timestamp | none |
| namespace_id | string | none |
| namespace_name | string | none |
| user_id | string | none |
| user_name | string | none |
| user_email | string | none |
| entity_type | string | route |
| entity_id | string | none |
| entity_data | string | none |
| diff_summary | ActivityLogEntry.DiffSummary | none |
| db_version | uint64 | databroker version this change synced to |
| session_id | string | none |
| service_account_id | string | none |
| impersonate_user_id | string | none |
| impersonate_user_name | string | none |
| impersonate_user_email | string | none |
| impersonate_user_groups | repeated string | none |
| Field | Type | Description |
|---|---|---|
| added | int64 | number of lines added |
| removed | int64 | number of lines removed |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| entry | ActivityLogEntry | none |
| oneof _previous_entry_id.previous_entry_id | optional string | none |
| oneof _next_entry_id.next_entry_id | optional string | none |
ListActivityLogEntriesRequest defines the types of Activity Log entries to list
| Field | Type | Description |
|---|---|---|
| oneof _activity_type.activity_type | optional string | DELETE |
| oneof _namespace_id.namespace_id | optional string | none |
| oneof _user_id.user_id | optional string | none |
| oneof _entity_type.entity_type | optional string | route |
| oneof _entity_id.entity_id | optional string | none |
| oneof _query.query | optional string | newest |
| oneof _offset.offset | optional int64 | list entries starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| db_versions | repeated uint64 | databroker versions of the change |
| oneof _recurse_namespace.recurse_namespace | optional bool | if true, show activity for the namespace and any child namespaces |
| entities | repeated ListActivityLogEntriesRequest.Entity | the entities are a list of entities to retrieve the activity log for |
| oneof _sort.sort | optional ListActivityLogEntriesRequest.Sort | none |
| date_filter | ListActivityLogEntriesRequest.DateFilter | none |
| string_filter | ListActivityLogEntriesRequest.StringFilter | none |
filter for dates
| Field | Type | Description |
|---|---|---|
| operator | string | = |
| date | google.protobuf.Timestamp | none |
an entity is a single entity (route, policy, etc.)
| Field | Type | Description |
|---|---|---|
| type | string | none |
| id | string | none |
used to sort the db query
| Field | Type | Description |
|---|---|---|
| column | string | activity_type |
| direction | string | ASC |
filter for strings
| Field | Type | Description |
|---|---|---|
| fieldName | string | none |
| operator | string | contains |
| value | string | none |
ListActivityLogEntriesResponse is a list of Activity Log entries found from a ListActivityLogEntriesRequest
| Field | Type | Description |
|---|---|---|
| entries | repeated ActivityLogEntry | Activity Log entries |
| total_count | int64 | none |
rpc ListDataBrokerRecords(ListDataBrokerRecordsRequest) ListDataBrokerRecordsResponse
rpc ListDataBrokerRecordTypes(.google.protobuf.Empty) ListDataBrokerRecordTypesResponse
rpc QueryDataBrokerRecords(QueryDataBrokerRecordsRequest) QueryDataBrokerRecordsResponse
| Field | Type | Description |
|---|---|---|
| record_types | repeated string | none |
| Field | Type | Description |
|---|---|---|
| record_type | string | none |
| Field | Type | Description |
|---|---|---|
| records | repeated databroker.Record | none |
| Field | Type | Description |
|---|---|---|
| record_type | string | none |
| query | string | look up records with any fields that match the query |
| offset | int64 | list records starting from an offset in the total list |
| limit | int64 | list records up to a limit |
| Field | Type | Description |
|---|---|---|
| records | repeated Record | Maps record IDs to record properties |
| total_count | int64 | none |
| Field | Type | Description |
|---|---|---|
| id | string | Record ID |
| properties | google.protobuf.Struct | Record properties |
PolicyService manages policy creation and definition
rpc DeletePolicy(DeletePolicyRequest) DeletePolicyResponse
DeletePolicy deletes an existing policy
rpc GetPolicy(GetPolicyRequest) GetPolicyResponse
GetPolicy retrieves an existing policy
rpc ListPolicies(ListPoliciesRequest) ListPoliciesResponse
ListPolicies lists existing policies based on the ListPoliciesRequest parameters
rpc SetPolicy(SetPolicyRequest) SetPolicyResponse
SetPolicy creates a new policy or, if the id is specified, updates an existing policy
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
ListPoliciesRequest specifies the policies to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
| oneof _query.query | optional string | list Policies whose name contains the query string |
| oneof _offset.offset | optional int64 | list Policies starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| oneof _order_by.order_by | optional string | sort the Policies by newest, oldest or name |
ListPoliciesResponse is the list of policies found for a ListPoliciesRequest
| Field | Type | Description |
|---|---|---|
| policies | repeated Policy | none |
| total_count | int64 | none |
Policy defines an authorization policy which can be applied to a route or routes
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| description | string | none |
| allowed_users | repeated string | none |
| allowed_domains | repeated string | none |
| allowed_idp_claims | map Policy.AllowedIdpClaimsEntry | none |
| rego | repeated string | custom rego definition in string format |
| ppl | string | PPL definition in JSON format |
| enforced | bool | policy is automatically applied to all routes in namespace_id and child namespaces |
| explanation | string | none |
| remediation | string | none |
| originator_id | string | none |
| routes | map Policy.RoutesEntry | computed |
route id => name | | namespace_name | string | computed |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | google.protobuf.ListValue | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
| Field | Type | Description |
|---|---|---|
| policy | Policy | none |
RouteService manages proxy route definitions
rpc DeleteRoute(DeleteRouteRequest) DeleteRouteResponse
DeleteRoute removes an existing route
rpc DeleteRoutes(DeleteRoutesRequest) DeleteRoutesResponse
DeleteRoutes removes existing routes.
rpc GetRoute(GetRouteRequest) GetRouteResponse
GetRoute retrieves an existing route
rpc ListRoutes(ListRoutesRequest) ListRoutesResponse
ListRoutes lists routes based on ListRoutesRequest
rpc LoadRoutes(LoadRoutesRequest) LoadRoutesResponse
LoadRoutes imports routes from an existing OSS configuration
rpc SetRoute(SetRouteRequest) SetRouteResponse
SetRoute creates or, if id is defined, updates an existing route
rpc SetRoutes(SetRoutesRequest) SetRoutesResponse
SetRoutes creates or, if id is defined, updates existing routes
rpc MoveRoutes(MoveRoutesRequest) MoveRoutesResponse
MoveRoutes takes an array of routeIds and moves them to a new namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| ids | repeated string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| Field | Type | Description |
|---|---|---|
| groups | repeated string | Explicit list of group IDs/names to include. |
| oneof _infer_from_ppl.infer_from_ppl | optional bool | Infer group IDs/names based on PPL groups criteria. (Not yet implemented.) |
ListRoutesRequest defines the routes to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
| oneof _query.query | optional string | list Routes who's name, from or to contains the query string |
| oneof _offset.offset | optional int64 | list Routes starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of Route entries returned |
| oneof _order_by.order_by | optional string | sort the Routes by newest, oldest, name or from |
ListRoutesResponse is the list of routes found for a ListRoutesRequest
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| total_count | int64 | none |
LoadRoutesRequest creates a route based on a yaml payload
| Field | Type | Description |
|---|---|---|
| name | string | none |
| contents | bytes | OSS pomerium policy block |
LoadRoutesResponse contains the routes and policies crated from a LoadRoutesRequest
| Field | Type | Description |
|---|---|---|
| routes | repeated RouteWithPolicies | none |
| Field | Type | Description |
|---|---|---|
| route_ids | repeated string | none |
| new_namespace_id | string | none |
Route defines a proxy route's settings and policy associations Next ID: 67
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| oneof _description.description | optional string | none |
| oneof _logo_url.logo_url | optional string | none |
| stat_name | string | name for prometheus stats, computed on first save |
| from | string | none |
| to | repeated string | none |
| redirect | envoy.config.route.v3.RedirectAction | none |
| response | RouteDirectResponse | none |
| oneof _prefix.prefix | optional string | none |
| oneof _path.path | optional string | none |
| oneof _regex.regex | optional string | none |
| oneof _prefix_rewrite.prefix_rewrite | optional string | none |
| oneof _regex_rewrite_pattern.regex_rewrite_pattern | optional string | none |
| oneof _regex_rewrite_substitution.regex_rewrite_substitution | optional string | none |
| oneof _host_rewrite.host_rewrite | optional string | none |
| oneof _host_rewrite_header.host_rewrite_header | optional string | none |
| oneof _host_path_regex_rewrite_pattern.host_path_regex_rewrite_pattern | optional string | none |
| oneof _host_path_regex_rewrite_substitution.host_path_regex_rewrite_substitution | optional string | none |
| oneof _regex_priority_order.regex_priority_order | optional int64 | none |
| oneof _timeout.timeout | optional google.protobuf.Duration | none |
| oneof _idle_timeout.idle_timeout | optional google.protobuf.Duration | none |
| oneof _allow_websockets.allow_websockets | optional bool | none |
| oneof _allow_spdy.allow_spdy | optional bool | none |
| oneof _tls_skip_verify.tls_skip_verify | optional bool | none |
| oneof _tls_upstream_server_name.tls_upstream_server_name | optional string | none |
| oneof _tls_downstream_server_name.tls_downstream_server_name | optional string | none |
| oneof _tls_custom_ca_key_pair_id.tls_custom_ca_key_pair_id | optional string | none |
| oneof _tls_client_key_pair_id.tls_client_key_pair_id | optional string | none |
| oneof _tls_downstream_client_ca_key_pair_id.tls_downstream_client_ca_key_pair_id | optional string | none |
| oneof _tls_upstream_allow_renegotiation.tls_upstream_allow_renegotiation | optional bool | none |
| set_request_headers | map Route.SetRequestHeadersEntry | none |
| remove_request_headers | repeated string | none |
| set_response_headers | map Route.SetResponseHeadersEntry | none |
| rewrite_response_headers | repeated RouteRewriteHeader | none |
| oneof _preserve_host_header.preserve_host_header | optional bool | none |
| oneof _pass_identity_headers.pass_identity_headers | optional bool | none |
| oneof _kubernetes_service_account_token.kubernetes_service_account_token | optional string | none |
| oneof _kubernetes_service_account_token_file.kubernetes_service_account_token_file | optional string | none |
| envoy_opts | envoy.config.cluster.v3.Cluster | none |
| enable_google_cloud_serverless_authentication | bool | none |
| jwt_issuer_format | IssuerFormat | none |
| jwt_groups_filter | JwtGroupsFilter | none |
| oneof _idp_client_id.idp_client_id | optional string | none |
| oneof _idp_client_secret.idp_client_secret | optional string | none |
| show_error_details | bool | none |
| originator_id | string | none |
| policy_ids | repeated string | policies applied to this route |
| policy_names | repeated string | computed properties (may be nil) |
| namespace_name | string | computed |
| enforced_policy_ids | repeated string | computed |
| enforced_policy_names | repeated string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| status | uint32 | none |
| body | string | none |
| Field | Type | Description |
|---|---|---|
| header | string | none |
| oneof matcher.prefix | string | none |
| value | string | none |
RouteWithPolicies contains automatically created routes and policies from a LoadRoutesRequest
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| policies | repeated Policy | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| Field | Type | Description |
|---|---|---|
| route | Route | none |
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| Name | Number | Description |
|---|---|---|
| IssuerHostOnly | 0 | Issuer strings will be the hostname of the route, with no scheme or trailing slash. |
| IssuerURI | 1 | Issuer strings will be a complete URI, including the scheme and ending with a trailing slash. |
SettingsService manages global pomerium settings
rpc GetSettings(GetSettingsRequest) GetSettingsResponse
GetSettings retrieves the currently applied settings
rpc SetSettings(SetSettingsRequest) SetSettingsResponse
SetSettings applies new global settings
rpc GetBrandingSettings(GetSettingsRequest) GetSettingsResponse
GetBrandingSettings retrieves just the branding part of the settings
rpc GetConsoleSettings(GetConsoleSettingsRequest) GetConsoleSettingsResponse
GetConsoleSettings retrieves the console settings.
| Field | Type | Description |
|---|---|---|
| enable_feedback_widget | bool | none |
| use_changesets | bool | none |
| Field | Type | Description |
|---|---|---|
| console_settings | ConsoleSettings | none |
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
| Field | Type | Description |
|---|---|---|
| settings | Settings | none |
Settings defines the global pomerium settings Next id: 88.
| Field | Type | Description |
|---|---|---|
| modified_at | google.protobuf.Timestamp | none |
| oneof _installation_id.installation_id | optional string | none |
| oneof _log_level.log_level | optional string | none |
| oneof _proxy_log_level.proxy_log_level | optional string | none |
| oneof _shared_secret.shared_secret | optional string | none |
| oneof _services.services | optional string | none |
| oneof _address.address | optional string | none |
| oneof _insecure_server.insecure_server | optional bool | none |
| oneof _dns_lookup_family.dns_lookup_family | optional string | none |
| certificates | repeated Settings.Certificate | none |
| oneof _http_redirect_addr.http_redirect_addr | optional string | none |
| oneof _timeout_read.timeout_read | optional google.protobuf.Duration | none |
| oneof _timeout_write.timeout_write | optional google.protobuf.Duration | none |
| oneof _timeout_idle.timeout_idle | optional google.protobuf.Duration | none |
| oneof _authenticate_service_url.authenticate_service_url | optional string | none |
| oneof _authenticate_callback_path.authenticate_callback_path | optional string | none |
| oneof _cookie_name.cookie_name | optional string | none |
| oneof _cookie_secret.cookie_secret | optional string | none |
| oneof _cookie_domain.cookie_domain | optional string | none |
| oneof _cookie_secure.cookie_secure | optional bool | none |
| oneof _cookie_http_only.cookie_http_only | optional bool | none |
| oneof _cookie_same_site.cookie_same_site | optional string | none |
| oneof _cookie_expire.cookie_expire | optional google.protobuf.Duration | none |
| oneof _idp_client_id.idp_client_id | optional string | none |
| oneof _idp_client_secret.idp_client_secret | optional string | none |
| oneof _idp_provider.idp_provider | optional string | none |
| oneof _idp_provider_url.idp_provider_url | optional string | none |
| scopes | repeated string | none |
| oneof _idp_service_account.idp_service_account | optional string | none |
| oneof _idp_refresh_directory_timeout.idp_refresh_directory_timeout | optional google.protobuf.Duration | none |
| oneof _idp_refresh_directory_interval.idp_refresh_directory_interval | optional google.protobuf.Duration | none |
| request_params | map Settings.RequestParamsEntry | none |
| oneof _authorize_service_url.authorize_service_url | optional string | none |
| oneof _certificate_authority.certificate_authority | optional string | none |
| oneof _certificate_authority_file.certificate_authority_file | optional string | none |
| oneof _certificate_authority_key_pair_id.certificate_authority_key_pair_id | optional string | none |
| set_response_headers | map Settings.SetResponseHeadersEntry | none |
| jwt_claims_headers | map Settings.JwtClaimsHeadersEntry | none |
| jwt_groups_filter | JwtGroupsFilter | none |
| oneof _default_upstream_timeout.default_upstream_timeout | optional google.protobuf.Duration | none |
| oneof _metrics_address.metrics_address | optional string | none |
| oneof _tracing_provider.tracing_provider | optional string | none |
| oneof _tracing_sample_rate.tracing_sample_rate | optional double | none |
| oneof _tracing_otlp_endpoint.tracing_otlp_endpoint | optional string | none |
| oneof _tracing_otlp_protocol.tracing_otlp_protocol | optional string | none |
| oneof _grpc_address.grpc_address | optional string | none |
| oneof _grpc_insecure.grpc_insecure | optional bool | none |
| oneof _cache_service_url.cache_service_url | optional string | none |
| oneof _databroker_service_url.databroker_service_url | optional string | none |
| oneof _client_ca.client_ca | optional string | none |
| oneof _client_ca_file.client_ca_file | optional string | none |
| oneof _client_ca_key_pair_id.client_ca_key_pair_id | optional string | none |
| oneof _google_cloud_serverless_authentication_service_account.google_cloud_serverless_authentication_service_account | optional string | none |
| oneof _autocert.autocert | optional bool | none |
| oneof _autocert_use_staging.autocert_use_staging | optional bool | none |
| oneof _autocert_must_staple.autocert_must_staple | optional bool | none |
| oneof _autocert_dir.autocert_dir | optional string | none |
| oneof _skip_xff_append.skip_xff_append | optional bool | none |
| oneof _primary_color.primary_color | optional string | none |
| oneof _secondary_color.secondary_color | optional string | none |
| oneof _darkmode_primary_color.darkmode_primary_color | optional string | none |
| oneof _darkmode_secondary_color.darkmode_secondary_color | optional string | none |
| oneof _logo_url.logo_url | optional string | none |
| oneof _favicon_url.favicon_url | optional string | none |
| oneof _error_message_first_paragraph.error_message_first_paragraph | optional string | none |
| oneof _identity_provider.identity_provider | optional string | none |
| oneof _identity_provider_options.identity_provider_options | optional google.protobuf.Struct | none |
| oneof _identity_provider_refresh_interval.identity_provider_refresh_interval | optional google.protobuf.Duration | none |
| oneof _identity_provider_refresh_timeout.identity_provider_refresh_timeout | optional google.protobuf.Duration | none |
| oneof _access_log_fields.access_log_fields | optional Settings.StringList | none |
| oneof _authorize_log_fields.authorize_log_fields | optional Settings.StringList | none |
| oneof _pass_identity_headers.pass_identity_headers | optional bool | none |
| Field | Type | Description |
|---|---|---|
| cert_bytes | bytes | none |
| key_bytes | bytes | none |
| key_pair_id | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| values | repeated string | none |
NamespacePermissionService manages permissions set on namespaces
rpc DeleteNamespacePermission(DeleteNamespacePermissionRequest) DeleteNamespacePermissionResponse
DeleteNamespacePermission removes an existing permission definition
rpc GetNamespacePermission(GetNamespacePermissionRequest) GetNamespacePermissionResponse
GetNamespacePermission retrieves an existing permission definition
rpc ListNamespacePermissions(ListNamespacePermissionsRequest) ListNamespacePermissionsResponse
ListNamespacePermissions retrieves existing permissions for all namespaces
rpc ListNamespacePermissionGroups(ListNamespacePermissionGroupsRequest) ListNamespacePermissionGroupsResponse
ListNamespacePermissionGroups retrieves existing group based permissions on a namespace
rpc ListNamespacePermissionUsers(ListNamespacePermissionUsersRequest) ListNamespacePermissionUsersResponse
ListNamespacePermissionUsers retrieves existing user based permissions on a namespace
rpc SetNamespacePermission(SetNamespacePermissionRequest) SetNamespacePermissionResponse
SetNamespacePermission set a new permission definition on a namespace
NamespaceService manages namespaces
rpc DeleteNamespace(DeleteNamespaceRequest) DeleteNamespaceResponse
DeleteNamespace deletes a namespace
rpc GetNamespace(GetNamespaceRequest) GetNamespaceResponse
GetNamespace retrieves a namespace
rpc ListNamespaces(ListNamespacesRequest) ListNamespacesResponse
ListNamespaces lists all namespaces
rpc ListNamespaceResources(ListNamespaceResourcesRequest) ListNamespaceResourcesResponse
ListNamespaceResources lists all the resources for a namespace.
rpc SetNamespace(SetNamespaceRequest) SetNamespaceResponse
SetNamespace creates a namespace or, if the id is specified, updates an existing namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| groups | repeated NamespacePermissionGroup | none |
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| users | repeated NamespacePermissionUser | none |
| Field | Type | Description |
|---|---|---|
| namespace_permissions | repeated NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| ids | repeated string | none |
| Field | Type | Description |
|---|---|---|
| resources | repeated ListNamespaceResourcesResponse.Resource | none |
| Field | Type | Description |
|---|---|---|
| type | string | none |
| id | string | none |
| name | string | none |
| Field | Type | Description |
|---|---|---|
| namespaces | repeated Namespace | none |
Namespace defines a namespace
| Field | Type | Description |
|---|---|---|
| id | string | none |
| parent_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| originator_id | string | none |
| route_count | int64 | computed |
| policy_count | int64 | computed |
NamespacePermission defines a permission binding to an identity
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| namespace_id | string | none |
| namespace_name | string | none |
| subject_type | string | none |
| subject_id | string | none |
| role | string | none |
NamespacePermissionGroup defines a permission binding to a group identity
| Field | Type | Description |
|---|---|---|
| group_id | string | none |
| group_name | string | none |
| group_email | string | none |
| namespace_id | string | none |
| namespace_name | string | none |
| role | string | none |
NamespacePermissionUser defines a permission binding to a user identity
| Field | Type | Description |
|---|---|---|
| user_id | string | none |
| user_name | string | none |
| user_email | string | none |
| group_ids | repeated string | none |
| namespace_id | string | none |
| namespace_name | string | none |
| role | string | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| namespace_permission | NamespacePermission | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
| Field | Type | Description |
|---|---|---|
| namespace | Namespace | none |
PomeriumServiceAccountService manages service accounts for use with the pomerium console API
rpc AddPomeriumServiceAccount(AddPomeriumServiceAccountRequest) AddPomeriumServiceAccountResponse
AddPomeriumServiceAccount creates a new service account
rpc DeletePomeriumServiceAccount(DeletePomeriumServiceAccountRequest) DeletePomeriumServiceAccountResponse
DeletePomeriumServiceAccount removes an existing service account
rpc GetPomeriumServiceAccount(GetPomeriumServiceAccountRequest) GetPomeriumServiceAccountResponse
GetPomeriumServiceAccount retrieves an existing service account
rpc ListPomeriumServiceAccounts(ListPomeriumServiceAccountsRequest) ListPomeriumServiceAccountsResponse
ListPomeriumServiceAccounts lists service accounts based on the parameters in ListPomeriumServiceAccountsRequest
rpc SetPomeriumServiceAccount(SetPomeriumServiceAccountRequest) SetPomeriumServiceAccountResponse
PomeriumSessionService manages user sessions inside the databroker
rpc DeletePomeriumSession(DeletePomeriumSessionRequest) DeletePomeriumSessionResponse
DeletePomeriumSession clears an existing user session
rpc GetPomeriumSession(GetPomeriumSessionRequest) GetPomeriumSessionResponse
GetPomeriumSession retrieves information about an existing user session
rpc Impersonate(ImpersonateRequest) ImpersonateResponse
Impersonate updates an existing session to impersonate another identity
rpc ListPomeriumSessions(ListPomeriumSessionsRequest) ListPomeriumSessionsResponse
ListPomeriumSessions lists existing sessions based on the parameters of ListPomeriumSessionsRequest
UserService supports querying directory data from the databroker
rpc GetUserInfo(GetUserInfoRequest) GetUserInfoResponse
GetUserInfo retrieves identity information and permission mappings for a user
rpc QueryGroups(QueryGroupsRequest) QueryGroupsResponse
QueryGroups retrieves groups from the databroker based on QueryGroupsRequest parameters
rpc QueryUsers(QueryUsersRequest) QueryUsersResponse
QueryUsers retrieves users from the databroker based on QueryUsersRequest parameters
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| JWT | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| session | PomeriumSession | none |
| associated_sessions | repeated PomeriumSession | none |
| Field | Type | Description |
|---|---|---|
| oneof _user_id.user_id | optional string | none |
| Field | Type | Description |
|---|---|---|
| user_info | UserInfo | none |
GroupInfo defines a directory group in the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
ImpersonateRequest defines the identity information to impersonate
| Field | Type | Description |
|---|---|---|
| session_id | string | none |
ListPomeriumServiceAccountsRequest specifies the service accounts to list
| Field | Type | Description |
|---|---|---|
| namespace | string | none |
ListPomeriumServiceAccountsResponse is the list of service accounts found for a ListPomeriumServiceAccountsRequest
| Field | Type | Description |
|---|---|---|
| service_accounts | repeated PomeriumServiceAccount | none |
ListPomeriumSessionsRequest specifies the sessions to list
| Field | Type | Description |
|---|---|---|
| oneof _query.query | optional string | list Sessions with any fields that contain the query string |
| oneof _offset.offset | optional int64 | list Sessions starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of Session entries returned |
| oneof _order_by.order_by | optional string | sort the Sessions by newest, oldest or name |
| oneof _user_id.user_id | optional string | none |
ListPomeriumSessionsResponse is the sessions found for a ListPomeriumSessionsRequest
| Field | Type | Description |
|---|---|---|
| sessions | repeated PomeriumSession | none |
| total_count | int64 | none |
PomeriumServiceAccount defines the identity properties of a service account
| Field | Type | Description |
|---|---|---|
| id | string | none |
| oneof _namespace_id.namespace_id | optional string | none |
| oneof _description.description | optional string | none |
| user_id | string | none |
| accessed_at | google.protobuf.Timestamp | none |
| expires_at | google.protobuf.Timestamp | none |
| issued_at | google.protobuf.Timestamp | none |
PomeriumSession defines a user session from the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| user | PomeriumSession.User | none |
| groups | repeated PomeriumSession.Group | none |
| issuer | string | none |
| accessed_at | google.protobuf.Timestamp | none |
| issued_at | google.protobuf.Timestamp | none |
| expires_at | google.protobuf.Timestamp | none |
| audience | repeated string | none |
| claims | map PomeriumSession.ClaimsEntry | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | google.protobuf.ListValue | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none |
QueryGroupsRequest defines the groups to retrieve
| Field | Type | Description |
|---|---|---|
| query | string | none |
| offset | int64 | none |
| limit | int64 | none |
QueryGroupsResponse is the list of groups retrieved from a QueryGroupsRequest
| Field | Type | Description |
|---|---|---|
| groups | repeated GroupInfo | none |
| total_count | int64 | none |
QueryUsersRequest defines the users to retrieve
| Field | Type | Description |
|---|---|---|
| query | string | list Users with any fields that match the query |
| offset | int64 | list Users starting from an offset in the total list |
| limit | int64 | limit the number of User entries returned |
QueryUsersResponse is the list of users retrieved from a QueryUsersRequest
| Field | Type | Description |
|---|---|---|
| users | repeated UserInfo | none |
| total_count | int64 | none |
RecoveryToken is a recovery account for logging into the console without a functioning Pomerium proxy
| Field | Type | Description |
|---|---|---|
| id | string | none |
| namespace | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| expires_at | google.protobuf.Timestamp | none |
| public_key | string | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
| Field | Type | Description |
|---|---|---|
| service_account | PomeriumServiceAccount | none |
UserInfo defines the metadata for a directory user in the databroker
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| string | none | |
| groups | repeated string | none |
| namespace_roles | map UserInfo.NamespaceRolesEntry | none |
| picture_url | string | none |
| is_impersonated | bool | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
KeyChainService manages and store TLS Certificates, Keys and CAs, known as Key Pairs
rpc DeleteKeyPair(DeleteKeyPairRequest) DeleteKeyPairResponse
DeleteKeyPair remove an x509 key pair based on a DeleteKeyPairRequest
rpc GetKeyPair(GetKeyPairRequest) GetKeyPairResponse
GetKeyPair retrieves an existing key pair
rpc ListKeyPairs(ListKeyPairsRequest) ListKeyPairsResponse
ListKeyPairs lists existing key pairs based on parameters in ListKeyPairsRequest
rpc CreateKeyPair(CreateKeyPairRequest) CreateKeyPairResponse
CreateKeyPair creates a new key pair
rpc UpdateKeyPair(UpdateKeyPairRequest) UpdateKeyPairResponse
CreateKeyPair creates a new key pair
CertificateInfo is a .proto reflection of https://golang.org/pkg/crypto/x509/#Certificate
| Field | Type | Description |
|---|---|---|
| version | int64 | none |
| serial | string | none |
| issuer | Name | none |
| subject | Name | none |
| not_before | google.protobuf.Timestamp | none |
| not_after | google.protobuf.Timestamp | none |
| key_usage | KeyUsage | none |
| dns_names | repeated string | none |
| email_addresses | repeated string | none |
| ip_addresses | repeated string | none |
| uris | repeated string | none |
| permitted_dns_domains_critical | bool | none |
| permitted_dns_domains | repeated string | none |
| excluded_dns_domains | repeated string | none |
| permitted_ip_ranges | repeated string | none |
| excluded_ip_ranges | repeated string | none |
| permitted_email_addresses | repeated string | none |
| excluded_email_addresses | repeated string | none |
| permitted_uri_domains | repeated string | none |
| excluded_uri_domains | repeated string | none |
CreateKeyPairRequest defines a Key Pair to create
| Field | Type | Description |
|---|---|---|
| name | string | none |
| namespace_id | string | none |
| format | Format | encoding format of data |
| certificate | bytes | public certificate data |
| key | bytes | private key data |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
KeyPair represents raw Key Pair data for internal usage
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| certificate | bytes | public certificate data |
| key | bytes | private key data |
KeyPairRecord provides existing Key Pair metadata
| Field | Type | Description |
|---|---|---|
| id | string | none |
| name | string | none |
| namespace_id | string | none |
| created_at | google.protobuf.Timestamp | database record creation time |
| modified_at | google.protobuf.Timestamp | database record modification time |
| cert_info | CertificateInfo | information about the public certificate |
| has_private_key | bool | Key Pair has a private key attached |
| certificate | bytes | public certificate data |
KeyUsage specifies the usage flags set on a signed TLS certificate
| Field | Type | Description |
|---|---|---|
| digital_signature | bool | standard key usages |
| content_commitment | bool | none |
| key_encipherment | bool | none |
| data_encipherment | bool | none |
| key_agreement | bool | none |
| cert_sign | bool | certificate authority |
| crl_sign | bool | none |
| encipher_only | bool | none |
| decipher_only | bool | none |
| server_auth | bool | extensions derived from x509.ExtKeyUsage server certificate |
| client_auth | bool | client certificate |
ListKeyPairsRequest defines the types of key pairs to list
| Field | Type | Description |
|---|---|---|
| namespace_id | string | none |
| oneof _query.query | optional string | list Key Pairs whose name contains the query string |
| oneof _offset.offset | optional int64 | list Key Pairs starting from an offset in the total list |
| oneof _limit.limit | optional int64 | limit the number of entries returned |
| oneof _order_by.order_by | optional string | newest, oldest, name, from |
| oneof _domain.domain | optional string | return key pairs that match the given domain |
ListKeyPairsResponse is the list of Key Pairs found from a ListKeyPairsRequest
| Field | Type | Description |
|---|---|---|
| key_pairs | repeated KeyPairRecord | Key Pairs found |
| total_count | int64 | none |
Name defines the x509 identity
| Field | Type | Description |
|---|---|---|
| country | repeated string | none |
| organization | repeated string | none |
| organizational_unit | repeated string | none |
| locality | repeated string | none |
| province | repeated string | none |
| street_address | repeated string | none |
| postal_code | repeated string | none |
| serial_number | string | none |
| common_name | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| oneof _name.name | optional string | none |
| oneof _format.format | optional Format | encoding format of data |
| oneof _certificate.certificate | optional bytes | public certificate data |
| oneof _key.key | optional bytes | private key data |
| Field | Type | Description |
|---|---|---|
| key_pair | KeyPairRecord | none |
Format specifies the encoding format of a certificate or key
| Name | Number | Description |
|---|---|---|
| FORMAT_UNDEFINED_DO_NOT_USE | 0 | none |
| PEM | 1 | none |
PublicKeyAlgorithm is the algorithm of a public key
| Name | Number | Description |
|---|---|---|
| PKA_UNKNOWN_DO_NOT_USE | 0 | none |
| RSA | 1 | none |
| DSA | 2 | none |
| ECDSA | 3 | none |
| ED25519 | 4 | none |
| Field | Type | Description |
|---|---|---|
| key_pairs | repeated KeyPair | none |
| namespaces | repeated Namespace | none |
| policies | repeated Policy | none |
| routes | repeated Route | none |
| settings | Settings | none |
rpc PolicyReport(PolicyReportRequest) PolicyReportResponse
PolicyReport generates a policy report
PolicyReportRequest may either specify a list of routes, or request to report all routes of the namespace
| Field | Type | Description |
|---|---|---|
| route_ids | repeated string | none |
| namespace_id | string | none |
| Field | Type | Description |
|---|---|---|
| routes | repeated Route | none |
| policies | repeated Policy | none |
DeviceService manages device credentials, enrollments and types
rpc ApproveDevice(ApproveDeviceRequest) .google.protobuf.Empty
rpc CreateDeviceEnrollment(CreateDeviceEnrollmentRequest) CreateDeviceEnrollmentResponse
rpc SetDeviceType(SetDeviceTypeRequest) SetDeviceTypeResponse
rpc DeleteDevice(DeleteDeviceRequest) .google.protobuf.Empty
rpc DeleteDeviceType(DeleteDeviceTypeRequest) .google.protobuf.Empty
rpc ListDevices(ListDevicesRequest) ListDevicesResponse
rpc ListDeviceTypes(.google.protobuf.Empty) ListDeviceTypesResponse
| Field | Type | Description |
|---|---|---|
| oneof id.credential_id | string | none |
| oneof id.enrollment_id | string | none |
| Field | Type | Description |
|---|---|---|
| enrollment | DeviceEnrollment | none |
| route_url | string | none |
| redirect_url | string | none |
| Field | Type | Description |
|---|---|---|
| enrollment | DeviceEnrollment | none |
| enrollment_url | string | none |
| Field | Type | Description |
|---|---|---|
| oneof id.credential_id | string | none |
| oneof id.enrollment_id | string | none |
| Field | Type | Description |
|---|---|---|
| type_id | string | none |
A DeviceCredential is a user's device-specific credential.
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| device_type_id | string | none |
| device_enrollment_id | string | none |
| user_id | string | none |
| oneof specifier.webauthn | DeviceCredential.WebAuthn | none |
| Field | Type | Description |
|---|---|---|
| id | bytes | none |
| public_key | bytes | none |
| register_options | bytes | the options that were used to do initial registration |
| register_response | bytes | the response returned from initial registration |
| authenticate_response | repeated bytes | subsequent authenticate responses |
A DeviceEnrollment is used to approve a user's device.
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| device_type_id | string | none |
| device_credential_id | string | none |
| user_id | string | none |
| approved_at | google.protobuf.Timestamp | none |
| approved_by_user_id | string | none |
| enrolled_at | google.protobuf.Timestamp | none |
| user_agent | string | none |
| ip_address | string | none |
A DeviceOwnerCredentialRecord is used to track credential owners to prevent credential re-use.
| Field | Type | Description |
|---|---|---|
| id | bytes | none |
| owner_id | bytes | none |
| public_key | bytes | none |
A DeviceType constrains which kinds of devices are allowed to be registered.
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| name | string | none |
| oneof specifier.webauthn | DeviceType.WebAuthn | none |
| Field | Type | Description |
|---|---|---|
| options | WebAuthnOptions | none |
| Field | Type | Description |
|---|---|---|
| types | repeated DeviceType | none |
| Field | Type | Description |
|---|---|---|
| oneof _type_id.type_id | optional string | none |
| oneof _user_id.user_id | optional string | none |
| oneof _approved_by.approved_by | optional string | none |
| Field | Type | Description |
|---|---|---|
| devices | repeated ListDevicesResponse.Device | none |
| Field | Type | Description |
|---|---|---|
| type | DeviceType | none |
| credential | DeviceCredential | none |
| enrollment | DeviceEnrollment | none |
| kind | DeviceKind | none |
| user_name | string | none |
| approved_by_user_name | string | none |
| Field | Type | Description |
|---|---|---|
| type | DeviceType | none |
| Field | Type | Description |
|---|---|---|
| type | DeviceType | none |
| Field | Type | Description |
|---|---|---|
| oneof _attestation.attestation | optional WebAuthnOptions.AttestationConveyancePreference | none |
| oneof _authenticator_selection.authenticator_selection | optional WebAuthnOptions.AuthenticatorSelectionCriteria | none |
| pub_key_cred_params | repeated WebAuthnOptions.PublicKeyCredentialParameters | none |
| Field | Type | Description |
|---|---|---|
| oneof _authenticator_attachment.authenticator_attachment | optional WebAuthnOptions.AuthenticatorAttachment | none |
| oneof _require_resident_key.require_resident_key | optional bool | none |
| oneof _resident_key_requirement.resident_key_requirement | optional WebAuthnOptions.ResidentKeyRequirement | none |
| oneof _user_verification.user_verification | optional WebAuthnOptions.UserVerificationRequirement | none |
| Field | Type | Description |
|---|---|---|
| alg | int64 | none |
| type | WebAuthnOptions.PublicKeyCredentialType | none |
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | none |
| FIDO_U2F | 1 | none |
| ANDROID | 2 | none |
| APPLE | 3 | none |
| TPM | 4 | none |
| WINDOWS | 5 | none |
| Name | Number | Description |
|---|---|---|
| NONE | 0 | none |
| INDIRECT | 1 | none |
| DIRECT | 2 | none |
| ENTERPRISE | 3 | none |
| Name | Number | Description |
|---|---|---|
| PLATFORM | 0 | none |
| CROSS_PLATFORM | 2 | none |
| Name | Number | Description |
|---|---|---|
| PUBLIC_KEY | 0 | none |
| Name | Number | Description |
|---|---|---|
| RESIDENT_KEY_DISCOURAGED | 0 | none |
| RESIDENT_KEY_PREFERRED | 1 | none |
| RESIDENT_KEY_REQUIRED | 2 | none |
| Name | Number | Description |
|---|---|---|
| USER_VERIFICATION_DISCOURAGED | 0 | none |
| USER_VERIFICATION_PREFERRED | 1 | none |
| USER_VERIFICATION_REQUIRED | 2 | none |
rpc DeleteExternalDataSource(DeleteExternalDataSourceRequest) .google.protobuf.Empty
rpc GetExternalDataSource(GetExternalDataSourceRequest) GetExternalDataSourceResponse
rpc ListExternalDataSources(ListExternalDataSourcesRequest) ListExternalDataSourcesResponse
rpc ListExternalDataSourceRecordTypes(ListExternalDataSourceRecordTypesRequest) ListExternalDataSourceRecordTypesResponse
rpc ListExternalDataSourceRecordFields(ListExternalDataSourceRecordFieldsRequest) ListExternalDataSourceRecordFieldsResponse
rpc SetExternalDataSource(SetExternalDataSourceRequest) SetExternalDataSourceResponse
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| created_at | google.protobuf.Timestamp | none |
| modified_at | google.protobuf.Timestamp | none |
| deleted_at | google.protobuf.Timestamp | none |
| url | string | Url is the URL to query for data. |
| record_type | string | RecordType is how the queried records will be stored in the databroker. |
| foreign_key | string | ForeignKey is the key referenced for policy evaluation. E.g. user.id. |
| headers | map ExternalDataSource.HeadersEntry | Headers are request headers sent to the external data source. |
| oneof _allow_insecure_tls.allow_insecure_tls | optional bool | AllowInsecureTls ignores TLS errors from the external data source. |
| oneof _client_tls_key_id.client_tls_key_id | optional string | ClientTlsKeyId is the key pair used for TLS to the external data source. |
| oneof _polling_min_delay.polling_min_delay | optional google.protobuf.Duration | PollingMinDelay is the minimum amount of time to wait before polling again. |
| oneof _polling_max_delay.polling_max_delay | optional google.protobuf.Duration | PollingMaxDelay is the maximum amount of time to wait before polling again. |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| id | string | none |
| Field | Type | Description |
|---|---|---|
| external_data_source | ExternalDataSource | none |
| Field | Type | Description |
|---|---|---|
| record_type | string | none |
| Field | Type | Description |
|---|---|---|
| record_fields | repeated string | none |
| Field | Type | Description |
|---|---|---|
| record_types | repeated string | none |
| Field | Type | Description |
|---|---|---|
| external_data_sources | repeated ExternalDataSource | none |
| Field | Type | Description |
|---|---|---|
| external_data_source | ExternalDataSource | none |
| Field | Type | Description |
|---|---|---|
| external_data_source | ExternalDataSource | none |
TimeSeriesDB is a generic service that is meant to be able to query for historical metrics and should provide a sufficient abstraction between the UI and underlying time series service, would it be Prometheus, embedded TSDB or other 3rd party provider
rpc GetRouteMetricChange(RouteMetricChangeRequest) Scalar
returns metric change for a period of time
rpc GetRouteMetricChangeHistogram(RouteMetricChangeRequest) ScalarBuckets
returns buckets of values for a given metric
rpc GetRouteMetricSeries(RouteMetricSeriesRequest) TimeSeriesResponse
returns metric change as time series
rpc GetRouteMetricSeriesHistogram(RouteMetricSeriesHistogramRequest) TimeSeriesResponse
returns metric change as time series
rpc GetRouteMetricSeriesMulti(RouteMetricSeriesRequest) TimeSeriesResponseMulti
returns multiple annotated time series
rpc GetUptime(UptimeRequest) UptimeResponse
returns service uptime statistics
rpc GetInstances(GetInstancesRequest) Instances
returns list of system services with metrics
rpc GetServerMetricSeries(ServerMetricSeriesRequest) TimeSeriesResponse
returns server queries
rpc GetServerMetric(ServerMetricRequest) Sample
returns current metric value
rpc GetStatus(GetStatusRequest) GetStatusResponse
returns current status of scraping targets
rpc GetLastMetricError(LastErrorRequest) LastErrorResponse
returns last known error for a metric, if available
rpc GetUsageReport(UsageReportRequest) UsageReportResponse
returns usage report
| Field | Type | Description |
|---|---|---|
| metric | Metric | none |
Requests console metric time series
| Field | Type | Description |
|---|---|---|
| metric | Metric | metric to retrieve |
| start | google.protobuf.Timestamp | Start time |
| end | google.protobuf.Timestamp | End time |
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| instance_id | string | none |
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| Field | Type | Description |
|---|---|---|
| targets | repeated GetStatusResponse.Target | none |
| oneof status.ok | bool | none |
| oneof status.last_error | string | none |
| Field | Type | Description |
|---|---|---|
| scrape_url | string | none |
| global_url | string | none |
| last_error | string | none |
| last_scrape | google.protobuf.Timestamp | none |
| health | GetStatusResponse.Target.Health | none |
| Field | Type | Description |
|---|---|---|
| instances | repeated Instances.Instance | none |
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| id | string | ID that should be used in requests for metrics |
| name | string | human readable instance name |
| Field | Type | Description |
|---|---|---|
| labels | map Labels.LabelsEntry | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
LastErrorRequest will fetch last known error for certain error-related metrics
| Field | Type | Description |
|---|---|---|
| metric | Metric | none |
LastErrorResponse returns last known error for certain error-related metrics
| Field | Type | Description |
|---|---|---|
| ts | google.protobuf.Timestamp | none |
| message | string | none |
| Field | Type | Description |
|---|---|---|
| series | repeated TimeSeries | none |
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | Start time |
| end | google.protobuf.Timestamp | End time |
| step | google.protobuf.Duration | Max time between two slices within [start:end] |
RouteMatcher may be used to query data for multiple routes
| Field | Type | Description |
|---|---|---|
| oneof matcher.route_id | string | route database ID |
| oneof matcher.namespace_id | string | namespace ID |
| oneof matcher.ext_data_source_id | string | external data source database ID |
Used to request a particular metric change within a given period of time
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| start | google.protobuf.Timestamp | Start time |
| end | google.protobuf.Timestamp | End time |
request route-specific metric time series histogram
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| percentile | double | if data for the metric was precomputed as histogram, the data may be requested within a certain percentile |
request route-specific metric time series
| Field | Type | Description |
|---|---|---|
| matcher | RouteMatcher | route to match |
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| Field | Type | Description |
|---|---|---|
| labels | map Sample.LabelsEntry | none |
| value | Scalar | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
| Field | Type | Description |
|---|---|---|
| value | double | none |
| ts | google.protobuf.Timestamp | none |
returns histogram values
| Field | Type | Description |
|---|---|---|
| buckets | repeated ScalarBuckets.Bucket | none |
| Field | Type | Description |
|---|---|---|
| less_or_equal_than | double | bucket identifier |
| count | int64 | occurences for the given bucket |
| Field | Type | Description |
|---|---|---|
| component | Component | none |
| instance_id | string | none |
| metric | Metric | metric to retrieve |
| Field | Type | Description |
|---|---|---|
| metric | Metric | metric to retrieve |
| range | Range | time range and sampling step |
| percentile | double | if data for the metric was precomputed as histogram, the data may be requested within a certain percentile |
| component | Component | server component and instance ID |
| instance_id | string | none |
| Field | Type | Description |
|---|---|---|
| value | string | none |
| ts | google.protobuf.Timestamp | none |
| Field | Type | Description |
|---|---|---|
| labels | map TimeSeries.LabelsEntry | none |
| series | repeated Scalar | none |
| Field | Type | Description |
|---|---|---|
| key | string | none |
| value | string | none |
TimeSeries response returns
| Field | Type | Description |
|---|---|---|
| rate | Rate | provided for time-sampled values - i.e. requests |
| series | repeated Scalar | series are (timestamp,value) data points |
Multiple time series response
| Field | Type | Description |
|---|---|---|
| rate | Rate | none |
| series | repeated TimeSeries | none |
uptime info for all pomerium services for a given period of time
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| component | Component | none |
| instance_id | string | none |
service uptime is calculated based on liveness probe published by each component it is delivered as 2-level hierarchical periods to make it simple for the UI consumer it does not provide statistics as data representation makes it trivial to calculate depending on the UI requirements
| Field | Type | Description |
|---|---|---|
| intervals | repeated UptimeResponse.Summary | none |
summary provides a higher level information re health of the component
| Field | Type | Description |
|---|---|---|
| start | google.protobuf.Timestamp | none |
| end | google.protobuf.Timestamp | none |
| status | UptimeResponse.Status | aggregate status of the system |
| Field | Type | Description |
|---|---|---|
| report | bytes | none |
| Field | Type | Description |
|---|---|---|
| samples | repeated Sample | none |
| Name | Number | Description |
|---|---|---|
| UNKNOWN_DO_NOT_USE | 0 | none |
| AUTHENTICATE | 1 | none |
| AUTHORIZE | 2 | none |
| DATABROKER | 3 | none |
| CONSOLE | 4 | none |
| PROXY | 5 | none |
| ALL_IN_ONE | 6 | used when all components are running in the all-in-one mode |
| PROXY_ENVOY | 7 | Proxy envoy is always reported separately |
| PROMETHEUS | 8 | none |
| Name | Number | Description |
|---|---|---|
| TARGET_HEALTH_UNKNOWN | 0 | none |
| TARGET_HEALTH_UP | 1 | none |
| TARGET_HEALTH_DOWN | 2 | none |
see https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats
| Name | Number | Description |
|---|---|---|
| UNDEFINED_METRIC_DO_NOT_USE | 0 | none |
| REQUESTS | 1 | request counter |
| REQUESTS_RATE | 2 | request rate (per second) |
| REQUESTS_DURATION_MS | 3 | duration of the request in milliseconds - this is a histogram counter and requires percentile |
| RESPONSE_CODES | 4 | returns distribution of response codes |
| AUTHZ_OK | 20 | Total responses from the authz filter (note that does not imply that requests were allowed to pass thru) |
| AUTHZ_DENIED | 21 | Total responses from the authorizations service that were to deny the traffic. |
| AUTHZ_ERROR | 22 | Total errors contacting the external service. |
| AUTHZ_DISABLED | 23 | Total requests that are allowed without calling external services due to the filter is disabled. |
| AUTHZ_FAILURE_MODE_ALLOWED | 24 | Total requests that were error(s) but were allowed through because of failure_mode_allow set to true. |
| MEMBERSHIP_HEALTHY | 30 | Current cluster healthy total (inclusive of both health checking and outlier detection) |
| MEMBERSHIP_DEGRADED | 31 | Current cluster degraded total |
| MEMBERSHIP_EXCLUDED | 32 | Current cluster excluded total |
| MEMBERSHIP_TOTAL | 33 | Current cluster membership total |
| RX_BYTES | 40 | bytes received - upstream_cx_rx_bytes_total |
| TX_BYTES | 41 | bytes sent - upstream_cx_tx_bytes_total |
| TOTAL_BYTES | 42 | total of rx + tx bytes |
| MEMORY_ALLOCATED | 51 | system metrics |
| CPU_USAGE | 52 | none |
| IDP_LAST_REFRESH_TIMESTAMP | 60 | identity provider specific |
| IDP_LAST_USER_REFRESH_SUCCESS_TIMESTAMP | 100 | none |
| IDP_LAST_USER_REFRESH_ERROR_TIMESTAMP | 101 | none |
| IDP_LAST_USER_REFRESH_ERROR | 102 | none |
| IDP_LAST_USER_REFRESH_SUCCESS | 103 | none |
| IDP_LAST_USER_GROUP_REFRESH_SUCCESS_TIMESTAMP | 104 | none |
| IDP_LAST_USER_GROUP_REFRESH_ERROR_TIMESTAMP | 105 | none |
| IDP_LAST_USER_GROUP_REFRESH_ERROR | 106 | none |
| IDP_LAST_USER_GROUP_REFRESH_SUCCESS | 107 | none |
| IDP_LAST_SESSION_REFRESH_SUCCESS_TIMESTAMP | 108 | none |
| IDP_LAST_SESSION_REFRESH_ERROR_TIMESTAMP | 109 | none |
| IDP_LAST_SESSION_REFRESH_ERROR | 110 | none |
| IDP_LAST_SESSION_REFRESH_SUCCESS | 111 | none |
| CONFIG_LAST_RELOAD_SUCCESS_TIMESTAMP | 70 | configuration related |
| BUILD_INFO | 71 | none |
| CONFIG_CHECKSUM_LOCAL | 72 | none |
| CONFIG_CHECKSUM_DATABROKER | 73 | none |
| CONFIG_VERSION | 74 | none |
| CONFIG_ERRORS | 75 | none |
| CONFIG_CONSOLE_VERSION | 76 | none |
| PROMETHEUS_STORAGE_BYTES | 80 | prometheus metrics |
| MONTHLY_ACTIVE_USERS_THRESHOLD | 90 | console metrics |
| MONTHLY_ACTIVE_USERS | 91 | none |
| HTTP_REQUESTS_COMPLETED | 120 | http requests completed (not necessarily with code=200) |
| HTTP_REQUESTS_FAILED | 121 | http requests failed due to network or dns error |
| HTTP_REQUESTS_SUCCESS | 122 | http requests successfully completed (with code=200 or 304 (unchanged)) |
| HTTP_REQUESTS_ERROR | 123 | http requests either failed or having codes that are not 200 or 304 |
| HTTP_AVG_RESPONSE_SIZE_BYTES | 124 | http average response body size in bytes |
Rate defines time-sampled values
| Name | Number | Description |
|---|---|---|
| NONE | 0 | undefined means this is an actual value that is not sampled |
| PER_SECOND | 1 | value represents per second |
| Name | Number | Description |
|---|---|---|
| UNDEFINED_STATUS_DO_NOT_USE | 0 | none |
| LIVE | 1 | fully operational |
| NO_DATA | 2 | no data is available for the period in the prometheus |
| DOWN | 3 | prometheus is up but the scraping instance is down |
| .proto Type | Notes | C++ Type | Java Type | Python Type |
|---|---|---|---|---|
double |
double | double | float | |
float |
float | float | float | |
int32 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
int64 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
uint32 |
Uses variable-length encoding. | uint32 | int | int/long |
uint64 |
Uses variable-length encoding. | uint64 | long | int/long |
sint32 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
sint64 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
fixed32 |
Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
fixed64 |
Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
sfixed32 |
Always four bytes. | int32 | int | int |
sfixed64 |
Always eight bytes. | int64 | long | int/long |
bool |
bool | boolean | boolean | |
string |
A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
bytes |
May contain any arbitrary sequence of bytes. | string | ByteString | str |