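def SetIamPolicy(self, organization_id, policy_file):
  """Sets the IAM policy for an organization.

  The policy is written with an update mask built from the policy file, with
  'bindings' and 'etag' always included, so the organization's bindings are
  overwritten by whatever the file contains.

  Args:
    organization_id: organization id.
    policy_file: A JSON or YAML file containing the IAM policy.

  Returns:
    The output from the SetIamPolicy API call.
  """
  policy = iam_util.ParsePolicyFile(policy_file, self.messages.Policy)
  policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION
  # NOTE(review): policy.version is set above, but 'version' is only in the
  # mask if ConstructUpdateMaskFromPolicy put it there - confirm that this is
  # intended.
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

  # To preserve the existing set-iam-policy behavior of always overwriting
  # bindings and etag, add bindings and etag to update_mask.
  # Whole field names are compared (not substrings) and empty entries are
  # dropped, so an empty mask becomes 'bindings,etag', not ',bindings,etag'.
  # NOTE(review): when the file carries no etag, forcing 'etag' into the mask
  # presumably means the write is not guarded against a concurrent policy
  # change - confirm; a file derived from a fresh get of the policy avoids it.
  mask_fields = [field for field in update_mask.split(',') if field]
  for required in ('bindings', 'etag'):
    if required not in mask_fields:
      mask_fields.append(required)
  update_mask = ','.join(mask_fields)

  set_iam_policy_request = self.messages.SetIamPolicyRequest(
      policy=policy, updateMask=update_mask)
  policy_request = (
      self.messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
          organizationsId=organization_id,
          setIamPolicyRequest=set_iam_policy_request))
  result = self.client.organizations.SetIamPolicy(policy_request)
  # Logged only after the API call has returned without raising.
  iam_util.LogSetIamPolicy(organization_id, 'organization')
  return result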
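def SetIamPolicy(models_client, model, policy_file):
  """Sets the IAM policy of a model from a policy file.

  Args:
    models_client: client object providing `messages.GoogleIamV1Policy` and a
      `SetIamPolicy(model_ref, policy, update_mask)` method.
    model: model identifier, resolved with ParseModel.
    policy_file: path to the file containing the IAM policy.

  Returns:
    The value returned by models_client.SetIamPolicy.
  """
  model_ref = ParseModel(model)
  policy = iam_util.ParsePolicyFile(policy_file,
                                    models_client.messages.GoogleIamV1Policy)
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
  result = models_client.SetIamPolicy(model_ref, policy, update_mask)
  # Log only once the call has returned: logging before it would record a
  # policy change even when the request fails, which misleads anyone auditing
  # the command output.
  iam_util.LogSetIamPolicy(model_ref.Name(), 'model')
  return result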
def testConstructUpdateMaskFromPolicy(self):
  """A JSON dump of TEST_IAM_POLICY yields the mask 'bindings,version'."""
  policy_json = encoding.MessageToJson(self.TEST_IAM_POLICY)
  # NOTE(review): the TemporaryDirectory object is not kept or closed here;
  # whether the directory is cleaned up depends on that helper - confirm.
  scratch_dir = files.TemporaryDirectory().path
  good_policy_path = self.Touch(scratch_dir, 'good.json',
                                contents=policy_json)
  actual_mask = iam_util.ConstructUpdateMaskFromPolicy(good_policy_path)
  self.assertEqual('bindings,version', actual_mask)
def Run(self, args):
  """Sets the IAM policy of a keyring from a YAML or JSON policy file.

  Args:
    args: parsed command arguments; `args.policy_file` is the policy file and
      the keyring name is resolved from `args` by flags.ParseKeyRingName.

  Returns:
    The value returned by iam.SetKeyRingIamPolicy.
  """
  kms_messages = cloudkms_base.GetMessagesModule()
  parsed_policy = iam_util.ParseYamlorJsonPolicyFile(args.policy_file,
                                                     kms_messages.Policy)
  # The mask comes from the policy file alone; nothing is added to it here.
  mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)
  keyring = flags.ParseKeyRingName(args)
  response = iam.SetKeyRingIamPolicy(keyring, parsed_policy, mask)
  # Reached only if the call above did not raise.
  iam_util.LogSetIamPolicy(keyring.Name(), 'keyring')
  return response
def Run(self, args):
  """Sets the IAM policy of a crypto key from a JSON policy file.

  Args:
    args: parsed command arguments; `args.policy_file` is the policy file and
      the key name is resolved from `args` by flags.ParseCryptoKeyName.

  Returns:
    The value returned by iam.SetCryptoKeyIamPolicy.
  """
  kms_messages = cloudkms_base.GetMessagesModule()
  parsed_policy = iam_util.ParseJsonPolicyFile(args.policy_file,
                                               kms_messages.Policy)
  # The mask comes from the policy file alone; nothing is added to it here.
  mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)
  key = flags.ParseCryptoKeyName(args)
  response = iam.SetCryptoKeyIamPolicy(key, parsed_policy, mask)
  # Reached only if the call above did not raise.
  iam_util.LogSetIamPolicy(key.Name(), 'key')
  return response
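def SetIamPolicyFromFile(project_ref, policy_file):
  """Read projects IAM policy from a file, and set it.

  The update mask is built from the policy file and always includes
  'bindings' and 'etag', so the project's bindings are overwritten by
  whatever the file contains.

  Args:
    project_ref: reference to the project, passed through to SetIamPolicy.
    policy_file: path to the file containing the IAM policy.

  Returns:
    The value returned by SetIamPolicy.
  """
  messages = projects_util.GetMessages()
  policy = iam_util.ParsePolicyFile(policy_file, messages.Policy)
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

  # To preserve the existing set-iam-policy behavior of always overwriting
  # bindings and etag, add bindings and etag to update_mask.
  # Whole field names are compared (not substrings) and empty entries are
  # dropped, so an empty mask becomes 'bindings,etag', not ',bindings,etag'.
  # NOTE(review): when the file carries no etag, forcing 'etag' into the mask
  # presumably means the write is not guarded against a concurrent policy
  # change - confirm; a file derived from a fresh get of the policy avoids it.
  mask_fields = [field for field in update_mask.split(',') if field]
  for required in ('bindings', 'etag'):
    if required not in mask_fields:
      mask_fields.append(required)
  update_mask = ','.join(mask_fields)

  return SetIamPolicy(project_ref, policy, update_mask)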
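def Run(self, args):
  """Sets the IAM policy of a folder from a policy file.

  The update mask is built from the policy file and always includes
  'bindings' and 'etag', so the folder's bindings are overwritten by whatever
  the file contains.

  Args:
    args: parsed command arguments; `args.id` is the folder id and
      `args.policy_file` the policy file.

  Returns:
    The value returned by folders.SetIamPolicy.
  """
  messages = folders.FoldersMessages()
  policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)

  # To preserve the existing set-iam-policy behavior of always overwriting
  # bindings and etag, add bindings and etag to update_mask.
  # Whole field names are compared (not substrings) and empty entries are
  # dropped, so an empty mask becomes 'bindings,etag', not ',bindings,etag'.
  # NOTE(review): when the file carries no etag, forcing 'etag' into the mask
  # presumably means the write is not guarded against a concurrent policy
  # change - confirm; a file derived from a fresh get of the policy avoids it.
  mask_fields = [field for field in update_mask.split(',') if field]
  for required in ('bindings', 'etag'):
    if required not in mask_fields:
      mask_fields.append(required)
  update_mask = ','.join(mask_fields)

  result = folders.SetIamPolicy(args.id, policy, update_mask)
  # Logged only after the API call has returned without raising.
  iam_util.LogSetIamPolicy(args.id, 'folder')
  return result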
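def Run(self, args):
  """Sets the IAM policy of an organization from a policy file.

  The update mask is built from the policy file and always includes
  'bindings' and 'etag', so the organization's bindings are overwritten by
  whatever the file contains.

  Args:
    args: parsed command arguments; `args.id` is the organization id and
      `args.policy_file` the policy file.

  Returns:
    The value returned by the organizations client's SetIamPolicy call.
  """
  messages = self.OrganizationsMessages()
  policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(args.policy_file)

  # To preserve the existing set-iam-policy behavior of always overwriting
  # bindings and etag, add bindings and etag to update_mask.
  # Whole field names are compared (not substrings) and empty entries are
  # dropped, so an empty mask becomes 'bindings,etag', not ',bindings,etag'.
  # NOTE(review): when the file carries no etag, forcing 'etag' into the mask
  # presumably means the write is not guarded against a concurrent policy
  # change - confirm; a file derived from a fresh get of the policy avoids it.
  mask_fields = [field for field in update_mask.split(',') if field]
  for required in ('bindings', 'etag'):
    if required not in mask_fields:
      mask_fields.append(required)
  update_mask = ','.join(mask_fields)

  set_iam_policy_request = messages.SetIamPolicyRequest(
      policy=policy, updateMask=update_mask)
  policy_request = (
      messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
          organizationsId=args.id,
          setIamPolicyRequest=set_iam_policy_request))
  return self.OrganizationsClient().SetIamPolicy(policy_request)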
def testFailureConstructUpdateMaskFromPolicy(self):
  """A malformed policy file makes the mask builder raise exceptions.Error."""
  # NOTE(review): the TemporaryDirectory object is not kept or closed here;
  # whether the directory is cleaned up depends on that helper - confirm.
  scratch_dir = files.TemporaryDirectory().path
  malformed_path = self.Touch(scratch_dir, 'bad',
                              contents='{foo} bad {{foo}}')
  # An unparsable file must be rejected with an error rather than produce a
  # mask from it.
  with self.assertRaises(exceptions.Error):
    iam_util.ConstructUpdateMaskFromPolicy(malformed_path)