Commit 0f85c39

Google APIs authored and copybara-github committed
feat: Add TaskGroup.enable_oslogin to give the Batch job submitter the ability to run runnables as non-root controlled by IAM
docs: Update documentation for the network field of AllocationPolicy

PiperOrigin-RevId: 584258085
1 parent 975f1d8 commit 0f85c39


1 file changed

+15
-0
lines changed


google/cloud/batch/v1alpha/job.proto

@@ -600,6 +600,10 @@ message AllocationPolicy {
600600
map<string, string> labels = 6;
601601

602602
// The network policy.
603+
//
604+
// If you define an instance template in the InstancePolicyOrTemplate field,
605+
// Batch will use the network settings in the instance template instead of
606+
// this field.
603607
NetworkPolicy network = 7;
604608

605609
// The placement policy.
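
Review bot: The added comment on `network` (new lines 603-606) says Batch "will use the network settings in the instance template instead of this field" but does not say what happens to a value that is set here anyway. A submitter who populates `network` to constrain the job's connectivity could assume it is enforced while the template's settings win. Suggest stating explicitly whether a `network` value supplied alongside an instance template is silently ignored or rejected with an error, so the precedence is unambiguous to anyone reviewing a job spec.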
@@ -687,6 +691,17 @@ message TaskGroup {
687691
// When true, Batch will configure SSH to allow passwordless login between
688692
// VMs running the Batch tasks in the same TaskGroup.
689693
bool permissive_ssh = 12;
694+
695+
// Optional. When true, Batch will use the OS Login generated POSIX account to
696+
// exeucute the runnables instead of the default root user.
697+
//
698+
// To control root or non-root privilege for runnable execution, the project \
699+
// Admin user needs to configure IAM roles according to
700+
// https://cloud.google.com/compute/docs/oslogin/set-up-oslogin#configure_users.
701+
// Specifically, if a root execution is needed, the roles/compute.osAdminLogin
702+
// should be granted to the Batch job submitter. Otherwise,
703+
// roles/compute.osLogin should be granted to the Batch job submitter.
704+
bool enable_oslogin = 13 [(google.api.field_behavior) = OPTIONAL];
690705
}
691706

692707
// Carries information about a Google Cloud service account.
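
Review bot: The new `enable_oslogin` comment has two text defects: "exeucute" on new line 696 should be "execute", and new line 698 ends with a stray backslash after "the project". Beyond that, the comment does not say what happens when `enable_oslogin` is true and the job submitter holds neither `roles/compute.osLogin` nor `roles/compute.osAdminLogin`; please document whether the job fails or falls back to the default root user, since a silent fallback would defeat the purpose of the flag. It is also worth stating plainly that setting the flag alone does not drop privileges: per lines 701-703, a submitter with `roles/compute.osAdminLogin` still gets root execution. Finally, `permissive_ssh` sits directly above and also changes login behaviour between VMs; a sentence on whether the two options can be combined would help.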
