def AddIamPolicyBinding(self, service_ref, members=None, role=None):
    """Append an IAM binding to a service's policy and write the policy back.

    The current policy is fetched, optionally extended with one new binding,
    and sent back through SetIamPolicy. If `members` or `role` is missing or
    empty, nothing is appended, but the unchanged policy is still written
    back. Callers use that to check whether the authenticated user is allowed
    to set policies at all.

    Points to keep in mind when calling this:
      * The permission probe is a real SetIamPolicy call, not a read-only
        check. NOTE(review): it presumably appears as a policy write in audit
        logs -- confirm.
      * Supplying only one of `members` / `role` is treated the same as
        supplying neither: the call can succeed without granting anything.
      * The binding is appended as given. This method does not validate
        `members` or `role`, and does not look for an existing binding with
        the same role.
      * This is a read-modify-write sequence. NOTE(review): whether a
        concurrent policy edit is detected depends on what _GetIamPolicy
        returns (e.g. an etag), which is not visible here -- confirm.

    Args:
      service_ref: str, The service to which to add the IAM policy.
      members: [str], The users for which the binding applies.
      role: str, The role to grant the provided members.

    Returns:
      The response of the SetIamPolicy call. NOTE(review): this was previously
      documented as a google.iam.v1.TestIamPermissionsResponse, which does not
      match a SetIamPolicy call; presumably it is the resulting policy --
      confirm.
    """
    msgs = self._messages_module
    target = resource_name_conversion.K8sToOnePlatform(
        service_ref, self._region)
    current_policy = self._GetIamPolicy(target)

    # Only touch the bindings when both halves of the grant are present.
    if members and role:
        new_binding = msgs.Binding(members=members, role=role)
        current_policy.bindings.append(new_binding)

    resource_name = str(target)
    policy_payload = msgs.SetIamPolicyRequest(policy=current_policy)
    set_request = msgs.RunProjectsLocationsServicesSetIamPolicyRequest(
        resource=resource_name,
        setIamPolicyRequest=policy_payload)
    services = self._op_client.projects_locations_services
    return services.SetIamPolicy(set_request)
  def AddOrRemoveIamPolicyBinding(self, service_ref, add_binding=True,
                                  member=None, role=None):
    """Add or remove one IAM binding on a service, then write the policy back.

    The current policy is fetched, edited through iam_util when both `member`
    and `role` are given, and sent back through SetIamPolicy. If either is
    missing or empty, the policy is written back unchanged. Callers use that
    to check whether the authenticated user is allowed to set policies.

    Points to keep in mind when calling this:
      * SetIamPolicy is always called, including when nothing was edited
        (no member/role given, or a removal of a binding that is not in the
        policy). NOTE(review): each call presumably appears as a policy write
        in audit logs -- confirm.
      * Supplying only one of `member` / `role` is treated the same as
        supplying neither: the call can succeed without changing any grant.
      * This method does not validate `member` or `role` itself; they are
        handed to iam_util as given.
      * This is a read-modify-write sequence. NOTE(review): whether a
        concurrent policy edit is detected depends on what _GetIamPolicy
        returns (e.g. an etag), which is not visible here -- confirm.

    Args:
      service_ref: str, The service to which to add the IAM policy.
      add_binding: bool, Whether to add to or remove from the IAM policy.
      member: str, One of the users for which the binding applies.
      role: str, The role to grant the provided members.

    Returns:
      The response of the SetIamPolicy call. NOTE(review): this was previously
      documented as a google.iam.v1.TestIamPermissionsResponse, which does not
      match a SetIamPolicy call; presumably it is the resulting policy --
      confirm.
    """
    msgs = self.messages_module
    target = resource_name_conversion.K8sToOnePlatform(
        service_ref, self._region)
    current_policy = self._GetIamPolicy(target)

    # Bindings are left alone unless both the member and the role are given.
    should_edit = bool(member and role)
    if should_edit and add_binding:
      iam_util.AddBindingToIamPolicy(
          msgs.Binding, current_policy, member, role)
    elif should_edit and iam_util.BindingInPolicy(
        current_policy, member, role):
      # Removal is attempted only for a binding that is actually present.
      iam_util.RemoveBindingFromIamPolicy(current_policy, member, role)

    resource_name = six.text_type(target)
    policy_payload = msgs.SetIamPolicyRequest(policy=current_policy)
    set_request = msgs.RunProjectsLocationsServicesSetIamPolicyRequest(
        resource=resource_name,
        setIamPolicyRequest=policy_payload)
    services = self._op_client.projects_locations_services
    return services.SetIamPolicy(set_request)
 def CanSetIamPolicyBinding(self, service_ref):
   """Report whether the caller holds every permission needed to set IAM policy.

   Sends a TestIamPermissions request for NEEDED_IAM_PERMISSIONS against the
   service. Only TestIamPermissions is called here, so this method does not
   itself write the service's policy.

   NOTE(review): presumably used as a pre-flight check before a policy
   change. The answer reflects the moment of the call, and the server remains
   the authority when the policy is actually set -- confirm against callers.

   Args:
     service_ref: The service whose IAM policy the caller wants to set.

   Returns:
     bool, True only if every entry of NEEDED_IAM_PERMISSIONS appears in the
     permissions listed in the response; False if any is missing.
   """
   msgs = self.messages_module
   target = resource_name_conversion.K8sToOnePlatform(
       service_ref, self._region)

   resource_name = six.text_type(target)
   permissions_payload = msgs.TestIamPermissionsRequest(
       permissions=NEEDED_IAM_PERMISSIONS)
   test_request = msgs.RunProjectsLocationsServicesTestIamPermissionsRequest(
       resource=resource_name,
       testIamPermissionsRequest=permissions_payload)
   services = self._op_client.projects_locations_services
   response = services.TestIamPermissions(test_request)

   # All-or-nothing: one missing permission is enough to answer False.
   needed = set(NEEDED_IAM_PERMISSIONS)
   return needed <= set(response.permissions)