Class: Google::Cloud::Bigquery::Policy

Inherits: Object
Defined in:
lib/google/cloud/bigquery/policy.rb

Overview

Policy

Represents a Cloud IAM Policy for BigQuery resources.

A Policy is a collection of bindings. A Binding binds one or more members to a single role. Member strings can describe user accounts, service accounts, Google groups, and domains. A role string represents a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

Examples:

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"
policy = table.policy

policy.frozen? #=> true
binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }

binding_owner.role #=> "roles/owner"
binding_owner.members #=> ["user:owner@example.com"]
binding_owner.frozen? #=> true
binding_owner.members.frozen? #=> true

Update mutable bindings in the policy.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.grant role: "roles/viewer", members: "user:viewer@example.com"
  p.revoke role: "roles/editor", members: "user:editor@example.com"
  p.revoke role: "roles/owner"
end

Iterate over frozen bindings.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"
policy = table.policy

policy.frozen? #=> true
policy.bindings.each do |b|
  puts b.role
  puts b.members
end

Update mutable bindings.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.bindings.each do |b|
    b.members.delete_if { |m| m.include? "@example.com" }
  end
end

Defined Under Namespace

Classes: Binding


Instance Attribute Details

#bindings ⇒ Array<Binding>

The bindings in the policy, which may be mutable or frozen depending on the context. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Returns:

  • (Array<Binding>)

    the current value of bindings



# File 'lib/google/cloud/bigquery/policy.rb', line 98

def bindings
  @bindings
end

#etag ⇒ String

Used to check if the policy has changed since the last request. When you make a request with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match.

Returns:

  • (String)

    the current value of etag



# File 'lib/google/cloud/bigquery/policy.rb', line 98

def etag
  @etag
end

Instance Method Details

#grant(role:, members:) ⇒ nil

Convenience method adding or updating a binding in the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Examples:

Grant a role to a member.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.grant role: "roles/viewer", members: "user:viewer@example.com"
end

Parameters:

  • role (String)

    The role that is bound to members in the binding. For example, roles/viewer, roles/editor, or roles/owner. Required.

  • members (String, Array<String>)

    Specifies the identities requesting access for a Cloud Platform resource. members can have the following values. Required.

    • allUsers: A special identifier that represents anyone who is on the internet, with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:<emailid>: An email address that represents a specific Google account. For example, alice@example.com.
    • serviceAccount:<emailid>: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:<emailid>: An email address that represents a Google group. For example, admins@example.com.
    • deleted:user:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:<emailid> and the recovered user retains the role in the binding.
    • deleted:serviceAccount:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:<emailid> and the undeleted service account retains the role in the binding.
    • deleted:group:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:<emailid> and the recovered group retains the role in the binding.
    • domain:<domain>: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.

Returns:

  • (nil)


# File 'lib/google/cloud/bigquery/policy.rb', line 158

def grant role:, members:
  existing_binding = bindings.find { |b| b.role == role }
  if existing_binding
    existing_binding.members.concat Array(members)
    existing_binding.members.uniq!
  else
    bindings << Binding.new(role, members)
  end
  nil
end

#revoke(role: nil, members: nil) ⇒ nil

Convenience method for removing a binding or bindings from the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Examples:

Revoke a role for a member or members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke role: "roles/viewer", members: "user:viewer@example.com"
end

Revoke a role for all members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke role: "roles/viewer"
end

Revoke all roles for a member or members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke members: ["user:viewer@example.com", "user:editor@example.com"]
end

Parameters:

  • role (String) (defaults to: nil)

    A role that is bound to members in the policy. For example, roles/viewer, roles/editor, or roles/owner. Optional.

  • members (String, Array<String>) (defaults to: nil)

    Specifies the identities receiving access for a Cloud Platform resource. members can have the following values. Optional.

    • allUsers: A special identifier that represents anyone who is on the internet, with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:<emailid>: An email address that represents a specific Google account. For example, alice@example.com.
    • serviceAccount:<emailid>: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:<emailid>: An email address that represents a Google group. For example, admins@example.com.
    • deleted:user:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:<emailid> and the recovered user retains the role in the binding.
    • deleted:serviceAccount:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:<emailid> and the undeleted service account retains the role in the binding.
    • deleted:group:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:<emailid> and the recovered group retains the role in the binding.
    • domain:<domain>: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.

Returns:

  • (nil)
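As an added example (not the gem's own code) covering the member formats listed under both #grant and #revoke: a small Ruby reviewer that classifies each member string by its documented prefix and flags bindings a practitioner would want to inspect before update_policy writes them back. PolicyBinding is a constructed stand-in for the page's Binding with the same role/members shape; the regexes and issue names are assumptions of this example.

```ruby
# Added example, not part of the google-cloud-bigquery gem: classifies member
# strings by the documented prefixes and flags bindings a reviewer would want
# to see before update_policy writes them. PolicyBinding is a constructed
# stand-in for the library's Binding (same role/members shape).
PolicyBinding = Struct.new(:role, :members)

# One anchored regex per documented member form; the deleted: forms carry the
# ?uid=<uniqueid> suffix that live principals do not.
MEMBER_PATTERNS = {
  all_users:               /\AallUsers\z/,
  all_authenticated_users: /\AallAuthenticatedUsers\z/,
  user:                    /\Auser:[^\s?@]+@[^\s?@]+\z/,
  service_account:         /\AserviceAccount:[^\s?@]+@[^\s?@]+\z/,
  group:                   /\Agroup:[^\s?@]+@[^\s?@]+\z/,
  domain:                  /\Adomain:[^\s?@]+\.[^\s?@]+\z/,
  deleted_user:            /\Adeleted:user:[^\s?@]+@[^\s?@]+\?uid=\d+\z/,
  deleted_service_account: /\Adeleted:serviceAccount:[^\s?@]+@[^\s?@]+\?uid=\d+\z/,
  deleted_group:           /\Adeleted:group:[^\s?@]+@[^\s?@]+\?uid=\d+\z/
}.freeze
PUBLIC_KINDS  = %i[all_users all_authenticated_users].freeze
DELETED_KINDS = %i[deleted_user deleted_service_account deleted_group].freeze

# Returns the symbol of the documented form the member matches, or :invalid.
def classify_member member
  MEMBER_PATTERNS.each { |kind, re| return kind if member.match?(re) }
  :invalid
end

# Walks every binding and returns findings as { role:, member:, issue: } hashes:
# :public_access for allUsers/allAuthenticatedUsers, :deleted_principal for
# stale deleted: entries, :malformed_member for strings matching no form.
def review_bindings bindings
  bindings.flat_map do |b|
    b.members.map do |m|
      kind = classify_member m
      issue = if PUBLIC_KINDS.include?(kind) then :public_access
              elsif DELETED_KINDS.include?(kind) then :deleted_principal
              elsif kind == :invalid then :malformed_member
              end
      { role: b.role, member: m, issue: issue } if issue
    end.compact
  end
end

# Constructed sample policy: a healthy owner binding, a public viewer grant,
# a stale deleted principal and a malformed member string.
SAMPLE_BINDINGS = [
  PolicyBinding.new("roles/owner",  ["user:owner@example.com"]),
  PolicyBinding.new("roles/viewer", ["allUsers", "group:admins@example.com"]),
  PolicyBinding.new("roles/editor", ["deleted:user:alice@example.com?uid=123456789012345678901", "user: bob"])
].freeze
```

Running review_bindings over a live table.policy.bindings inside update_policy lets a caller abort the block (and so the write) when any :public_access finding appears.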


# File 'lib/google/cloud/bigquery/policy.rb', line 241

def revoke role: nil, members: nil
  bindings_for_role = role ? bindings.select { |b| b.role == role } : bindings
  bindings_for_role.each do |b|
    if members
      b.members -= Array(members)
      bindings.delete b if b.members.empty?
    else
      bindings.delete b
    end
  end
  nil
end