feat: Add TaskGroup.enable_oslogin to give the Batch job submitter the ability to run runnables as non-root controlled by IAM

Google APIs · copybara-github · commit 0f85c3942fab · 2023-11-21T02:06:20.000-08:00
docs: Update documentation for the network field of AllocationPolicy

PiperOrigin-RevId: 584258085
diff --git a/google/cloud/batch/v1alpha/job.proto b/google/cloud/batch/v1alpha/job.proto
@@ -600,6 +600,10 @@ message AllocationPolicy {
   map<string, string> labels = 6;
 
   // The network policy.
+  //
+  // If you define an instance template in the InstancePolicyOrTemplate field,
+  // Batch will use the network settings in the instance template instead of
+  // this field.
   NetworkPolicy network = 7;
 
   // The placement policy.
@@ -687,6 +691,17 @@ message TaskGroup {
   // When true, Batch will configure SSH to allow passwordless login between
   // VMs running the Batch tasks in the same TaskGroup.
   bool permissive_ssh = 12;
+
+  // Optional. When true, Batch will use the OS Login generated POSIX account to
+  // exeucute the runnables instead of the default root user.
+  //
+  // To control root or non-root privilege for runnable execution, the project \
+  // Admin user needs to configure IAM roles according to
+  // https://cloud.google.com/compute/docs/oslogin/set-up-oslogin#configure_users.
+  // Specifically, if a root execution is needed, the roles/compute.osAdminLogin
+  // should be granted to the Batch job submitter. Otherwise,
+  // roles/compute.osLogin should be granted to the Batch job submitter.
+  bool enable_oslogin = 13 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Carries information about a Google Cloud service account.
