diff --git a/google/cloud/network_security_v1beta1/services/network_security/async_client.py b/google/cloud/network_security_v1beta1/services/network_security/async_client.py index b8676ff..dec6a3c 100644 --- a/google/cloud/network_security_v1beta1/services/network_security/async_client.py +++ b/google/cloud/network_security_v1beta1/services/network_security/async_client.py @@ -57,7 +57,10 @@ class NetworkSecurityAsyncClient: - """""" + """Network Security API provides resources to configure + authentication and authorization policies. Refer to per API + resource documentation for more information. + """ _client: NetworkSecurityClient diff --git a/google/cloud/network_security_v1beta1/services/network_security/client.py b/google/cloud/network_security_v1beta1/services/network_security/client.py index ef1e2b4..e4b7887 100644 --- a/google/cloud/network_security_v1beta1/services/network_security/client.py +++ b/google/cloud/network_security_v1beta1/services/network_security/client.py @@ -93,7 +93,10 @@ def get_transport_class(cls, label: str = None,) -> Type[NetworkSecurityTranspor class NetworkSecurityClient(metaclass=NetworkSecurityClientMeta): - """""" + """Network Security API provides resources to configure + authentication and authorization policies. Refer to per API + resource documentation for more information. + """ @staticmethod def _get_default_mtls_endpoint(api_endpoint): diff --git a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py index ccaf47e..b833483 100644 --- a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py +++ b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py 
@@ -44,6 +44,10 @@ class NetworkSecurityGrpcTransport(NetworkSecurityTransport): """gRPC backend transport for NetworkSecurity. + Network Security API provides resources to configure + authentication and authorization policies. Refer to per API + resource documentation for more information. + This class defines the same methods as the primary client, so the primary client can load the underlying transport implementation and call it. diff --git a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py index ec6afdc..a181589 100644 --- a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py +++ b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py @@ -45,6 +45,10 @@ class NetworkSecurityGrpcAsyncIOTransport(NetworkSecurityTransport): """gRPC AsyncIO backend transport for NetworkSecurity. + Network Security API provides resources to configure + authentication and authorization policies. Refer to per API + resource documentation for more information. + This class defines the same methods as the primary client, so the primary client can load the underlying transport implementation and call it. diff --git a/google/cloud/network_security_v1beta1/types/authorization_policy.py b/google/cloud/network_security_v1beta1/types/authorization_policy.py index ddb98c7..108d042 100644 --- a/google/cloud/network_security_v1beta1/types/authorization_policy.py +++ b/google/cloud/network_security_v1beta1/types/authorization_policy.py 
@@ -104,12 +104,18 @@ class Source(proto.Message): authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/*") or a suffix match (example, // - */service-account") or a presence match "*". + */service-account") or a presence match "*". Authorization + based on the principal name without certificate validation + (configured by ServerTlsPolicy resource) is considered + insecure. ip_blocks (Sequence[str]): Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. + Authorization based on source IP alone should be + avoided. The IP addresses of any load balancers + or proxies should be considered untrusted. """ principals = proto.RepeatedField(proto.STRING, number=1,) @@ -120,11 +126,11 @@ class Destination(proto.Message): Attributes: hosts (Sequence[str]): - Required. List of host names to match. Matched against HOST - header in http requests. At least one host should match. - Each host can be an exact match, or a prefix match (example - "mydomain.*") or a suffix match (example // *.myorg.com") or - a presence(any) match "*". + Required. List of host names to match. Matched against the + ":authority" header in http requests. At least one host + should match. Each host can be an exact match, or a prefix + match (example "mydomain.*") or a suffix match (example // + *.myorg.com") or a presence(any) match "*". ports (Sequence[int]): Required. List of destination ports to match. At least one port should match. 
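Review bot: The new caveat on `principals` sends the reader to the "ServerTlsPolicy resource" without saying which part of it performs the certificate validation, and the rest of this diff documents that it is the policy's `mtls_policy` (whose `client_validation_ca` supplies the validating CA) and that no client certificate is requested at all when `mtls_policy` is unset. I would tighten the sentence to `(configured by the ``mtls_policy`` of a ServerTlsPolicy resource)` so the cross-reference is actionable for someone deciding whether a principal match is safe. The added `ip_blocks` caveat reads well as written. The Source class and the start of its docstring lie outside this hunk.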
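Review bot: The rewritten `hosts` text names the ":authority" header but does not say how an HTTP/1.1 request, which carries a Host header rather than a pseudo-header, is matched; since the previous wording said HOST, a reader comparing the two versions may conclude HTTP/1.1 is no longer covered. If the proxy normalizes Host into :authority before matching, as seems likely but is not stated anywhere in this diff, a short clause such as `(the Host header of HTTP/1.1 requests is matched as ":authority")` would remove the ambiguity — confirm against the service behaviour before adding it. The Destination docstring continues past the end of this hunk.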
@@ -136,7 +142,11 @@ class Destination(proto.Message): Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use - cases. At least one header should match. + cases. At least one header should match. Avoid + using header matches to make authorization + decisions unless there is a strong guarantee + that requests arrive through a trusted client or + proxy. """ class HttpHeaderMatch(proto.Message): diff --git a/google/cloud/network_security_v1beta1/types/server_tls_policy.py b/google/cloud/network_security_v1beta1/types/server_tls_policy.py index 74fa5e0..89c5468 100644 --- a/google/cloud/network_security_v1beta1/types/server_tls_policy.py +++ b/google/cloud/network_security_v1beta1/types/server_tls_policy.py @@ -46,8 +46,7 @@ class ServerTlsPolicy(proto.Message): the pattern ``projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}`` description (str): - Optional. Free-text description of the - resource. + Free-text description of the resource. create_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The timestamp when the resource was created. 
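Review bot: Dropping the "Optional." prefix from `description` here, and the "Optional."/"Required." prefixes from `labels`, `allow_open`, `server_certificate`, `mtls_policy` and `client_validation_ca` in the two following server_tls_policy.py hunks, removes the only statement of which fields a caller must set, and nothing in the commit says whether the service requirement changed or only the annotation was removed. If `client_validation_ca` is still required whenever an `mtls_policy` is supplied, the docstring should keep saying so, e.g. `Required. Defines the mechanism to obtain the`; if the requirement genuinely went away, a one-line note on what the server does when no validation CA is given would be more useful than silence, because a peer that is not certificate-validated is exactly the case the new `principals` caveat in authorization_policy.py calls insecure. The ServerTlsPolicy class header and the start of its docstring are outside these hunks.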
@@ -55,28 +54,28 @@ class ServerTlsPolicy(proto.Message): Output only. The timestamp when the resource was updated. labels (Sequence[google.cloud.network_security_v1beta1.types.ServerTlsPolicy.LabelsEntry]): - Optional. Set of label tags associated with - the resource. + Set of label tags associated with the + resource. allow_open (bool): - Optional. Determines if server allows plaintext connections. - If set to true, server allows plain text connections. By - default, it is set to false. This setting is not exclusive - of other encryption modes. For example, if allow_open and - mtls_policy are set, server allows both plain text and mTLS - connections. See documentation of other encryption modes to - confirm compatibility. + Determines if server allows plaintext connections. If set to + true, server allows plain text connections. By default, it + is set to false. This setting is not exclusive of other + encryption modes. For example, if ``allow_open`` and + ``mtls_policy`` are set, server allows both plain text and + mTLS connections. See documentation of other encryption + modes to confirm compatibility. server_certificate (google.cloud.network_security_v1beta1.types.CertificateProvider): - Optional. Defines a mechanism to provision server identity - (public and private keys). Cannot be combined with - allow_open as a permissive mode that allows both plain text - and TLS is not supported. + Defines a mechanism to provision server identity (public and + private keys). Cannot be combined with ``allow_open`` as a + permissive mode that allows both plain text and TLS is not + supported. mtls_policy (google.cloud.network_security_v1beta1.types.ServerTlsPolicy.MTLSPolicy): - Optional. Defines a mechanism to provision peer validation + Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. 
If - allow_open and mtls_policy are set, server allows both plain - text and mTLS connections. + ``allow_open`` and ``mtls_policy`` are set, server allows + both plain text and mTLS connections. """ class MTLSPolicy(proto.Message): @@ -84,7 +83,7 @@ class MTLSPolicy(proto.Message): Attributes: client_validation_ca (Sequence[google.cloud.network_security_v1beta1.types.ValidationCA]): - Required. Defines the mechanism to obtain the + Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. """