Esempio n. 1
def test_policy_from_pb_w_non_empty():
    """Check that ``Policy.from_pb`` maps a single admin binding correctly.

    A version 1 protobuf policy with one ``BIGTABLE_ADMIN_ROLE`` binding must
    surface its members through ``bigtable_admins`` only; every other
    role-specific view stays empty.
    """
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    etag = b"ETAG"
    version = 1
    # The member addresses appear masked in this listing; the strings are
    # kept exactly as shown.
    admin_members = ["serviceAccount:[email protected]", "user:[email protected]"]
    no_members = frozenset()
    admin_binding = {"role": BIGTABLE_ADMIN_ROLE, "members": admin_members}
    pb_policy = policy_pb2.Policy(
        etag=etag,
        version=version,
        bindings=[admin_binding],
    )

    policy = Policy.from_pb(pb_policy)

    # Metadata is carried over unchanged.
    assert policy.etag == etag
    assert policy.version == version

    # Only the admin role has members; the remaining role views are empty.
    assert policy.bigtable_admins == set(admin_members)
    for role_property in ("bigtable_readers", "bigtable_users", "bigtable_viewers"):
        assert getattr(policy, role_property) == no_members

    # The mapping view exposes exactly the one binding.
    assert len(policy) == 1
    assert dict(policy) == {BIGTABLE_ADMIN_ROLE: set(admin_members)}
Esempio n. 2
    def set_iam_policy(self, policy):
        """Replace the IAM access control policy of this instance.

        The supplied policy is sent as the complete new policy; the call does
        not merge it with the bindings already stored on the resource.

        NOTE(review): because this is a full replacement, a binding missing
        from ``policy`` is presumably dropped. Callers that want to change a
        single grant should read the current policy first, edit it, and send
        the same object back so that its ``etag`` travels with the request
        (IAM documents the etag as its guard against concurrent updates) --
        confirm that ``to_pb()`` carries the etag.

        For more information about policy, please see documentation of
        class `google.cloud.bigtable.policy.Policy`

        For example:

        .. literalinclude:: snippets.py
            :start-after: [START bigtable_set_iam_policy]
            :end-before: [END bigtable_set_iam_policy]

        :type policy: :class:`google.cloud.bigtable.policy.Policy`
        :param policy: The IAM policy that replaces the current IAM policy
                       of this instance

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The policy built from the service's response to the update.
        """
        admin_api = self._client.instance_admin_client
        resource_name = self.name
        policy_pb = policy.to_pb()
        updated_pb = admin_api.set_iam_policy(resource=resource_name, policy=policy_pb)
        return Policy.from_pb(updated_pb)
Esempio n. 3
    def get_iam_policy(self, requested_policy_version=None):
        """Fetch the IAM access control policy of this instance.

        For example:

        .. literalinclude:: snippets.py
            :start-after: [START bigtable_get_iam_policy]
            :end-before: [END bigtable_get_iam_policy]

        :type requested_policy_version: int or ``NoneType``
        :param requested_policy_version: Optional. The version of IAM policies to request.
                                         Leaving it unset while the stored policy has a
                                         condition makes the server return an error.
                                         A value of 3 is required to retrieve IAM policies
                                         containing conditions; this keeps client code that
                                         does not understand IAM conditions from
                                         interpreting and modifying such policies incorrectly.
                                         The service might return a policy with a version
                                         lower than the one requested, based on the feature
                                         syntax in the policy fetched.

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The current IAM policy of this instance
        """
        request_kwargs = {"resource": self.name}
        # The options message is attached only when a version was asked for,
        # so the default call sends the resource name alone.
        if requested_policy_version is not None:
            policy_options = options_pb2.GetPolicyOptions(
                requested_policy_version=requested_policy_version
            )
            request_kwargs["options_"] = policy_options

        admin_api = self._client.instance_admin_client
        policy_pb = admin_api.get_iam_policy(**request_kwargs)
        return Policy.from_pb(policy_pb)
Esempio n. 4
    def set_iam_policy(self, policy):
        """Replace the IAM access control policy of this instance.

        The supplied policy is sent as the complete new policy; the call does
        not merge it with the bindings already stored on the resource.

        NOTE(review): because this is a full replacement, a binding missing
        from ``policy`` is presumably dropped. Callers that want to change a
        single grant should read the current policy first, edit it, and send
        the same object back so that its ``etag`` travels with the request
        (IAM documents the etag as its guard against concurrent updates) --
        confirm that ``to_pb()`` carries the etag.

        For more information about policy, please see documentation of
        class `google.cloud.bigtable.policy.Policy`

        For example:

        .. literalinclude:: snippets.py
            :start-after: [START bigtable_api_set_iam_policy]
            :end-before: [END bigtable_api_set_iam_policy]
            :dedent: 4

        :type policy: :class:`google.cloud.bigtable.policy.Policy`
        :param policy: The IAM policy that replaces the current IAM policy
                       of this instance

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The policy built from the service's response to the update.
        """
        admin_api = self._client.instance_admin_client
        # The resource name and the serialized policy go into one request mapping.
        request = {"resource": self.name, "policy": policy.to_pb()}
        updated_pb = admin_api.set_iam_policy(request=request)
        return Policy.from_pb(updated_pb)
Esempio n. 5
    def get_iam_policy(self):
        """Fetch the IAM access control policy of this backup.

        NOTE(review): the request carries only the resource name, with no
        requested policy version; IAM documents that policies holding
        conditional bindings must be requested at version 3, so such a policy
        may not be retrievable through this call -- confirm.

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The current IAM policy of this backup.
        """
        admin_api = self._instance._client.table_admin_client
        request = {"resource": self.name}
        return Policy.from_pb(admin_api.get_iam_policy(request=request))
Esempio n. 6
    def get_iam_policy(self):
        """Fetch the IAM access control policy of this instance.

        NOTE(review): the call passes only the resource name, with no
        requested policy version; IAM documents that policies holding
        conditional bindings must be requested at version 3, so such a policy
        may not be retrievable through this call -- confirm.

        For example:

        .. literalinclude:: snippets.py
            :start-after: [START bigtable_get_iam_policy]
            :end-before: [END bigtable_get_iam_policy]

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The current IAM policy of this instance
        """
        admin_api = self._client.instance_admin_client
        policy_pb = admin_api.get_iam_policy(resource=self.name)
        return Policy.from_pb(policy_pb)
Esempio n. 7
    def get_iam_policy(self):
        """Read the access control policy stored on this instance resource.

        NOTE(review): no policy version is requested here; IAM documents that
        a policy with conditional bindings has to be requested at version 3,
        so this call may fail for such a policy -- confirm.

        For example:

        .. literalinclude:: snippets.py
            :start-after: [START bigtable_get_iam_policy]
            :end-before: [END bigtable_get_iam_policy]

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The current IAM policy of this instance
        """
        fetched_pb = self._client.instance_admin_client.get_iam_policy(
            resource=self.name
        )
        return Policy.from_pb(fetched_pb)
Esempio n. 8
def test_policy_from_pb_w_empty():
    """Check that ``Policy.from_pb`` turns a default protobuf policy into an empty one.

    The converted policy must report an empty etag, version 0, no members in
    any role-specific view and no bindings at all.
    """
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import Policy

    no_members = frozenset()

    policy = Policy.from_pb(policy_pb2.Policy())

    # Protobuf defaults come through as the empty bytes value and zero.
    assert policy.etag == b""
    assert policy.version == 0

    # No role grants access to anyone.
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        assert getattr(policy, role_property) == no_members

    assert len(policy) == 0
    assert dict(policy) == {}
Esempio n. 9
    def set_iam_policy(self, policy):
        """Replace the IAM access control policy of this backup.

        The supplied policy is sent as the complete new policy; the call does
        not merge it with the bindings already stored on the backup.

        NOTE(review): because this is a full replacement, a binding missing
        from ``policy`` is presumably dropped. Callers that want to change a
        single grant should read the current policy first, edit it, and send
        the same object back so that its ``etag`` travels with the request
        (IAM documents the etag as its guard against concurrent updates) --
        confirm that ``to_pb()`` carries the etag.

        For more information about policy, please see documentation of
        class `google.cloud.bigtable.policy.Policy`

        :type policy: :class:`google.cloud.bigtable.policy.Policy`
        :param policy: The IAM policy that replaces the current IAM policy
                       of this backup.

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The policy built from the service's response to the update.
        """
        admin_api = self._instance._client.table_admin_client
        resource_name = self.name
        policy_pb = policy.to_pb()
        updated_pb = admin_api.set_iam_policy(resource=resource_name, policy=policy_pb)
        return Policy.from_pb(updated_pb)
Esempio n. 10
def test_policy_from_pb_w_condition():
    """Check how ``Policy.from_pb`` treats a version 3 policy with a condition.

    The conditional binding must be readable through ``policy.bindings``,
    while the role-specific properties and ``len()`` must raise
    ``InvalidOperationException``. A caller that only looks at the per-role
    member sets therefore cannot read such a policy and silently lose the
    condition attached to the grant.
    """
    import pytest
    from google.iam.v1 import policy_pb2
    from google.api_core.iam import InvalidOperationException, _DICT_ACCESS_MSG
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    etag = b"ETAG"
    version = 3
    # The member addresses appear masked in this listing; the strings are
    # kept exactly as shown.
    admin_members = ["serviceAccount:[email protected]", "user:[email protected]"]
    time_condition = {
        "title": "request_time",
        "description": "Requests made before 2021-01-01T00:00:00Z",
        "expression": 'request.time < timestamp("2021-01-01T00:00:00Z")',
    }
    bindings = [
        {
            "role": BIGTABLE_ADMIN_ROLE,
            "members": admin_members,
            "condition": time_condition,
        }
    ]
    pb_policy = policy_pb2.Policy(etag=etag, version=version, bindings=bindings)

    policy = Policy.from_pb(pb_policy)

    assert policy.etag == etag
    assert policy.version == version

    # The binding, including its condition, is reachable through ``bindings``.
    first_binding = policy.bindings[0]
    assert first_binding["role"] == BIGTABLE_ADMIN_ROLE
    assert first_binding["members"] == set(admin_members)
    assert first_binding["condition"] == time_condition

    # Every role-specific view refuses to answer for a conditional policy.
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
            getattr(policy, role_property)

    # The mapping-style length is refused as well.
    with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
        len(policy)
Esempio n. 11
    def set_iam_policy(self, policy):
        """Replace the IAM access control policy of this table.

        The supplied policy is sent as the complete new policy; the call does
        not merge it with the bindings already stored on the table.

        NOTE(review): because this is a full replacement, a binding missing
        from ``policy`` is presumably dropped. Callers that want to change a
        single grant should read the current policy first, edit it, and send
        the same object back so that its ``etag`` travels with the request
        (IAM documents the etag as its guard against concurrent updates) --
        confirm that ``to_pb()`` carries the etag.

        For more information about policy, please see documentation of
        class `google.cloud.bigtable.policy.Policy`

        For example:

        .. literalinclude:: snippets_table.py
            :start-after: [START bigtable_table_set_iam_policy]
            :end-before: [END bigtable_table_set_iam_policy]

        :type policy: :class:`google.cloud.bigtable.policy.Policy`
        :param policy: The IAM policy that replaces the current IAM policy
                       of this table.

        :rtype: :class:`google.cloud.bigtable.policy.Policy`
        :returns: The policy built from the service's response to the update.
        """
        admin_api = self._instance._client.table_admin_client
        resource_name = self.name
        policy_pb = policy.to_pb()
        updated_pb = admin_api.set_iam_policy(resource=resource_name, policy=policy_pb)
        return Policy.from_pb(updated_pb)