def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
role_name = iam_util.GetRoleName(args.organization, args.project,
args.role)
role = messages.Role()
if args.file:
if (args.title or args.description or args.stage
or args.permissions or args.add_permissions
or args.remove_permissions):
raise exceptions.ConflictingArgumentsException(
'file', 'others')
role = iam_util.ParseYamlToRole(args.file, messages.Role)
if not role.etag:
msg = ('The specified role does not contain an "etag" field '
'identifying a specific version to replace. Updating a '
'role without an "etag" can overwrite concurrent role '
'changes.')
console_io.PromptContinue(
message=msg,
prompt_string='Replace existing role',
cancel_on_no=True)
if not args.quiet:
self.WarnTestingPermissions(iam_client, messages,
role.includedPermissions,
args.project, args.organization)
try:
res = iam_client.organizations_roles.Patch(
messages.IamOrganizationsRolesPatchRequest(name=role_name,
role=role))
iam_util.SetRoleStageIfAlpha(res)
return res
except apitools_exceptions.HttpConflictError as e:
raise exceptions.HttpException(
e,
error_format=(
'Stale "etag": '
'Please use the etag from your latest describe '
'response. Or new changes have been made since '
'your latest describe operation. Please retry '
'the whole describe-update process. Or you can '
'leave the etag blank to overwrite concurrent '
'role changes.'))
except apitools_exceptions.HttpError as e:
raise exceptions.HttpException(e)
res = self.UpdateWithFlags(args, role_name, role, iam_client, messages)
iam_util.SetRoleStageIfAlpha(res)
return res
def Run(self, args):
role_name = iam_util.GetRoleName(args.organization, args.project, args.role)
client, messages = util.GetClientAndMessages()
res = client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=role_name))
iam_util.SetRoleStageIfAlpha(res)
return res
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
parent_name = iam_util.GetParentName(args.organization, args.project)
if args.file:
if args.title or args.description or args.stage or args.permissions:
raise exceptions.ConflictingArgumentsException('file', 'others')
role = iam_util.ParseYamlToRole(args.file, messages.Role)
role.name = None
role.etag = None
else:
role = messages.Role(title=args.title, description=args.description)
if args.permissions:
role.includedPermissions = args.permissions.split(',')
if args.stage:
role.stage = iam_util.StageTypeFromString(args.stage)
if not role.title:
role.title = args.role
if not args.quiet:
testing_permissions = util.GetTestingPermissions(
iam_client, messages,
iam_util.GetResourceReference(args.project, args.organization),
role.includedPermissions)
iam_util.TestingPermissionsWarning(testing_permissions)
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=role, roleId=args.role),
parent=parent_name))
log.CreatedResource(args.role, kind='role')
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
role_name = iam_util.GetRoleName(args.organization, args.project, args.role)
res = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=role_name))
iam_util.SetRoleStageIfAlpha(res)
return res
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(title=source_role.title,
description=source_role.description)
permissions_helper = util.PermissionsHelper(
iam_client, messages,
iam_util.GetResourceReference(args.dest_project,
args.dest_organization),
source_role.includedPermissions)
not_supported_permissions = permissions_helper.GetNotSupportedPermissions(
)
if not_supported_permissions:
log.warning(
'Permissions don\'t support custom roles and won\'t be added: ['
+ ', '.join(not_supported_permissions) + '] \n')
not_applicable_permissions = permissions_helper.GetNotApplicablePermissions(
)
if not_applicable_permissions:
log.warning(
'Permissions not applicable to the current resource and won\'t'
' be added: [' + ', '.join(not_applicable_permissions) +
'] \n')
api_diabled_permissions = permissions_helper.GetApiDisabledPermissons()
iam_util.ApiDisabledPermissionsWarning(api_diabled_permissions)
testing_permissions = permissions_helper.GetTestingPermissions()
iam_util.TestingPermissionsWarning(testing_permissions)
valid_permissions = permissions_helper.GetValidPermissions()
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(title=source_role.title,
description=source_role.description)
valid_permissions, testing_permissions = util.GetValidAndTestingPermissions(
iam_client, messages,
iam_util.GetResourceReference(args.dest_project,
args.dest_organization),
source_role.includedPermissions)
iam_util.TestingPermissionsWarning(testing_permissions)
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
client, messages = util.GetClientAndMessages()
parent_name = iam_util.GetParentName(args.organization, args.project)
if args.file:
role = iam_util.ParseYamlToRole(args.file, messages.Role)
role.name = None
role.etag = None
else:
role = messages.Role(title=args.title,
description=args.description)
if args.permissions:
role.includedPermissions = args.permissions.split(',')
if args.stage:
role.stage = iam_util.StageTypeFromString(args.stage)
if not role.title:
role.title = args.role
if not args.quiet:
permissions_helper = util.PermissionsHelper(
client, messages,
iam_util.GetResourceReference(args.project, args.organization),
role.includedPermissions)
api_diabled_permissions = permissions_helper.GetApiDisabledPermissons(
)
iam_util.ApiDisabledPermissionsWarning(api_diabled_permissions)
testing_permissions = permissions_helper.GetTestingPermissions()
iam_util.TestingPermissionsWarning(testing_permissions)
result = client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(role=role,
roleId=args.role),
parent=parent_name))
log.CreatedResource(args.role, kind='role')
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(
title=source_role.title,
description=source_role.description,
includedPermissions=source_role.includedPermissions)
if source_role.includedPermissions:
full_resource_name = '//cloudresourcemanager.googleapis.com/'
if args.dest_project:
full_resource_name += 'projects/{0}'.format(args.dest_project)
else:
full_resource_name += 'organizations/{0}'.format(
args.dest_organization)
valid_permissions = []
token = None
source_permissions = set(source_role.includedPermissions)
while len(
source_role.includedPermissions) != len(valid_permissions):
resp = iam_client.permissions.QueryTestablePermissions(
messages.QueryTestablePermissionsRequest(
fullResourceName=full_resource_name, pageToken=token))
for testable_permission in resp.permissions:
if (testable_permission.name in source_permissions and
(testable_permission.customRolesSupportLevel !=
messages.Permission.
CustomRolesSupportLevelValueValuesEnum.NOT_SUPPORTED)
):
valid_permissions.append(testable_permission.name)
token = resp.nextPageToken
if not token:
break
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
