Ejemplo n.º 1
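  def SetIamPolicy(self, organization_id, policy_file):
    """Sets the IAM policy for an organization from a policy file.

    The update mask sent with the request always contains `bindings` and
    `etag`, so the bindings in the request overwrite the ones currently set
    on the organization (the existing set-iam-policy behavior).

    Args:
      organization_id: organization id.
      policy_file: A JSON or YAML file containing the IAM policy.

    Returns:
      The output from the SetIamPolicy API call.
    """
    policy = iam_util.ParsePolicyFile(policy_file, self.messages.Policy)
    policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION

    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

    # To preserve the existing set-iam-policy behavior of always overwriting
    # bindings and etag, add bindings and etag to update_mask. Whole field
    # names are compared rather than substrings: a substring test treats any
    # key that merely contains "bindings" or "etag" as the field itself and
    # leaves the real field out, and it prepends a stray comma to an empty
    # mask.
    # NOTE(review): when the file carries no etag the write presumably goes
    # through without a concurrent-modification check - confirm, and prefer
    # policy files produced from a fresh read of the current policy.
    mask_fields = [field for field in update_mask.split(',') if field]
    for required_field in ('bindings', 'etag'):
      if required_field not in mask_fields:
        mask_fields.append(required_field)
    update_mask = ','.join(mask_fields)

    set_iam_policy_request = self.messages.SetIamPolicyRequest(
        policy=policy,
        updateMask=update_mask)

    policy_request = (
        self.messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
            organizationsId=organization_id,
            setIamPolicyRequest=set_iam_policy_request))
    result = self.client.organizations.SetIamPolicy(policy_request)
    # Reported only after the API call has returned, so a failed call is not
    # announced as an applied policy change.
    iam_util.LogSetIamPolicy(organization_id, 'organization')
    return result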
Ejemplo n.º 2
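def SetIamPolicy(models_client, model, policy_file):
    """Sets the IAM policy for a model from a policy file.

    Args:
      models_client: client exposing `messages` and `SetIamPolicy`.
      model: model identifier, resolved with ParseModel.
      policy_file: path to the file containing the IAM policy.

    Returns:
      The result of models_client.SetIamPolicy.
    """
    model_ref = ParseModel(model)
    policy = iam_util.ParsePolicyFile(policy_file,
                                      models_client.messages.GoogleIamV1Policy)
    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
    # Make the API call first and report it afterwards. Logging before the
    # call would record a policy change even when the request is rejected,
    # which misleads anyone reading the output as an audit trail.
    result = models_client.SetIamPolicy(model_ref, policy, update_mask)
    iam_util.LogSetIamPolicy(model_ref.Name(), 'model')
    return result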
Ejemplo n.º 3
 def testConstructUpdateMaskFromPolicy(self):
     """Checks the mask derived from a well-formed JSON policy file.

     The expected value shows the mask format: field names joined by
     commas, here 'bindings,version'.
     """
     policy_json = encoding.MessageToJson(self.TEST_IAM_POLICY)
     scratch_dir = files.TemporaryDirectory().path
     good_path = self.Touch(scratch_dir, 'good.json', contents=policy_json)
     derived_mask = iam_util.ConstructUpdateMaskFromPolicy(good_path)
     self.assertEqual('bindings,version', derived_mask)
Ejemplo n.º 4
    def Run(self, args):
        """Sets the IAM policy on a keyring from the file in args.policy_file.

        The update mask is derived from the same file and passed through
        unchanged; nothing in this method adds fields to it.

        Args:
          args: parsed command arguments. policy_file is read here and the
            keyring is resolved from them by flags.ParseKeyRingName.

        Returns:
          The result of iam.SetKeyRingIamPolicy.
        """
        kms_messages = cloudkms_base.GetMessagesModule()
        policy_path = args.policy_file

        new_policy = iam_util.ParseYamlorJsonPolicyFile(policy_path,
                                                        kms_messages.Policy)
        field_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_path)

        target_keyring = flags.ParseKeyRingName(args)
        response = iam.SetKeyRingIamPolicy(target_keyring, new_policy,
                                           field_mask)
        # Reported only after the call has returned.
        iam_util.LogSetIamPolicy(target_keyring.Name(), 'keyring')
        return response
Ejemplo n.º 5
    def Run(self, args):
        """Sets the IAM policy on a crypto key from the file in args.policy_file.

        The policy is parsed with iam_util.ParseJsonPolicyFile. The update
        mask is derived from the same file and passed through unchanged;
        nothing in this method adds fields to it.

        Args:
          args: parsed command arguments. policy_file is read here and the
            key is resolved from them by flags.ParseCryptoKeyName.

        Returns:
          The result of iam.SetCryptoKeyIamPolicy.
        """
        kms_messages = cloudkms_base.GetMessagesModule()
        policy_path = args.policy_file

        new_policy = iam_util.ParseJsonPolicyFile(policy_path,
                                                  kms_messages.Policy)
        field_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_path)

        target_key = flags.ParseCryptoKeyName(args)
        response = iam.SetCryptoKeyIamPolicy(target_key, new_policy,
                                             field_mask)
        # Reported only after the call has returned.
        iam_util.LogSetIamPolicy(target_key.Name(), 'key')
        return response
Ejemplo n.º 6
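def SetIamPolicyFromFile(project_ref, policy_file):
    """Read a project's IAM policy from a file, and set it.

    The update mask always ends up containing `bindings` and `etag`, so the
    bindings in the file overwrite the project's current ones.

    Args:
      project_ref: reference to the project, passed on to SetIamPolicy.
      policy_file: path to the file containing the IAM policy.

    Returns:
      The result of SetIamPolicy.
    """
    messages = projects_util.GetMessages()
    policy = iam_util.ParsePolicyFile(policy_file, messages.Policy)
    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

    # To preserve the existing set-iam-policy behavior of always overwriting
    # bindings and etag, add bindings and etag to update_mask. Whole field
    # names are compared rather than substrings: a substring test treats any
    # key that merely contains "bindings" or "etag" as the field itself and
    # leaves the real field out, and it prepends a stray comma to an empty
    # mask.
    # NOTE(review): when the file carries no etag the write presumably goes
    # through without a concurrent-modification check - confirm.
    mask_fields = [field for field in update_mask.split(',') if field]
    for required_field in ('bindings', 'etag'):
        if required_field not in mask_fields:
            mask_fields.append(required_field)
    update_mask = ','.join(mask_fields)

    return SetIamPolicy(project_ref, policy, update_mask)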
Ejemplo n.º 7
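    def Run(self, args):
        """Sets the IAM policy on a folder from the file in args.policy_file.

        The update mask always ends up containing `bindings` and `etag`, so
        the bindings in the file overwrite the folder's current ones.

        Args:
          args: parsed command arguments; reads args.policy_file and args.id.

        Returns:
          The result of folders.SetIamPolicy.
        """
        messages = folders.FoldersMessages()
        policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
        update_mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)

        # To preserve the existing set-iam-policy behavior of always overwriting
        # bindings and etag, add bindings and etag to update_mask. Whole field
        # names are compared rather than substrings: a substring test treats
        # any key that merely contains "bindings" or "etag" as the field
        # itself and leaves the real field out, and it prepends a stray comma
        # to an empty mask.
        # NOTE(review): when the file carries no etag the write presumably
        # goes through without a concurrent-modification check - confirm.
        mask_fields = [field for field in update_mask.split(',') if field]
        for required_field in ('bindings', 'etag'):
            if required_field not in mask_fields:
                mask_fields.append(required_field)
        update_mask = ','.join(mask_fields)

        result = folders.SetIamPolicy(args.id, policy, update_mask)
        # Reported only after the API call has returned.
        iam_util.LogSetIamPolicy(args.id, 'folder')
        return result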
Ejemplo n.º 8
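    def Run(self, args):
        """Sets the IAM policy on an organization from args.policy_file.

        The update mask always ends up containing `bindings` and `etag`, so
        the bindings in the file overwrite the organization's current ones.

        Args:
          args: parsed command arguments; reads args.policy_file and args.id.

        Returns:
          The result of the organizations client's SetIamPolicy call.
        """
        messages = self.OrganizationsMessages()
        policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
        update_mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)

        # To preserve the existing set-iam-policy behavior of always overwriting
        # bindings and etag, add bindings and etag to update_mask. Whole field
        # names are compared rather than substrings: a substring test treats
        # any key that merely contains "bindings" or "etag" as the field
        # itself and leaves the real field out, and it prepends a stray comma
        # to an empty mask.
        # NOTE(review): when the file carries no etag the write presumably
        # goes through without a concurrent-modification check - confirm.
        mask_fields = [field for field in update_mask.split(',') if field]
        for required_field in ('bindings', 'etag'):
            if required_field not in mask_fields:
                mask_fields.append(required_field)
        update_mask = ','.join(mask_fields)

        set_iam_policy_request = messages.SetIamPolicyRequest(
            policy=policy, updateMask=update_mask)

        policy_request = (
            messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
                organizationsId=args.id,
                setIamPolicyRequest=set_iam_policy_request))
        # NOTE(review): this method does not itself report the change after
        # the call; confirm the caller surfaces it.
        return self.OrganizationsClient().SetIamPolicy(policy_request)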
Ejemplo n.º 9
 def testFailureConstructUpdateMaskFromPolicy(self):
     """Checks that a malformed policy file raises exceptions.Error.

     Pins the fail-closed behavior: malformed contents produce an error
     instead of a mask.
     """
     scratch_dir = files.TemporaryDirectory().path
     malformed_path = self.Touch(scratch_dir, 'bad',
                                 contents='{foo} bad {{foo}}')
     with self.assertRaises(exceptions.Error):
         iam_util.ConstructUpdateMaskFromPolicy(malformed_path)