feat: Add Squash Mode to Export Policy

Google APIs · copybara-github · commit 0a299a257825 · 2025-11-20T00:17:38.000-08:00
This change introduces squash mode options to the export policy rules. Squash mode determines how user and group IDs are mapped for NFS volume access.

The following squash modes are added:

*   **NO_ROOT_SQUASH** Root user retains full access.
*   **ROOT_SQUASH** Root user is mapped to the anonymous user ID.
*   **ALL_SQUASH** All users are mapped to the anonymous user ID.

A new field anon_uid is also added to specify the anonymous user ID when ALL_SQUASH is used.
The squash_mode field takes precedence over the existing has_root_access field, which will be deprecated in the future.

PiperOrigin-RevId: 834629780
diff --git a/google/cloud/netapp/v1/volume.proto b/google/cloud/netapp/v1/volume.proto
@@ -437,6 +437,25 @@ message ExportPolicy {
 
 // An export policy rule describing various export options.
 message SimpleExportPolicyRule {
+  // SquashMode defines how remote user privileges are restricted when accessing
+  // an NFS export. It controls how user identities (like root) are mapped to
+  // anonymous users to limit access and enforce security.
+  enum SquashMode {
+    // Defaults to NO_ROOT_SQUASH.
+    SQUASH_MODE_UNSPECIFIED = 0;
+
+    // The root user (UID 0) retains full access. Other users are
+    // unaffected.
+    NO_ROOT_SQUASH = 1;
+
+    // The root user (UID 0) is squashed to anonymous user ID. Other users are
+    // unaffected.
+    ROOT_SQUASH = 2;
+
+    // All users are squashed to anonymous user ID.
+    ALL_SQUASH = 3;
+  }
+
   // Comma separated list of allowed clients IP addresses
   optional string allowed_clients = 1;
 
@@ -484,6 +503,15 @@ message SimpleExportPolicyRule {
   // mount using 'privacy' kerberos security mode. The 'kerberos5pReadOnly'
   // value be ignored if this is enabled.
   optional bool kerberos_5p_read_write = 11;
+
+  // Optional. Defines how user identity squashing is applied for this export
+  // rule. This field is the preferred way to configure squashing behavior and
+  // takes precedence over `has_root_access` if both are provided.
+  optional SquashMode squash_mode = 12 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. An integer representing the anonymous user ID. Range is 0 to
+  // 4294967295. Required when squash_mode is ROOT_SQUASH or ALL_SQUASH.
+  optional int64 anon_uid = 13 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Snapshot Policy for a volume.
