def add_service_account_to_bucket(client, bucket_name, service_account, role):
"""Add service account to the gcr.io images bucket."""
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return
binding = storage.get_or_create_bucket_iam_binding(iam_policy, role)
member = 'serviceAccount:' + service_account['email']
if member in binding['members']:
# No changes required.
return
binding['members'].append(member)
storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def _set_bucket_service_account(service_account, client, bucket_name,
iam_policy):
"""Set service account for a bucket."""
# Add service account as objectAdmin.
binding = storage.get_or_create_bucket_iam_binding(iam_policy,
OBJECT_ADMIN_IAM_ROLE)
members = ['serviceAccount:' + service_account['email']]
if members == binding['members']:
# No changes required.
return iam_policy
binding['members'] = members
return storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def _add_users_to_bucket(info, client, bucket_name, iam_policy):
"""Add user account to bucket."""
ccs = sorted([
'user:'******'members'] = sorted(list(set(binding['members'])))
if binding['members'] == ccs:
return iam_policy
filtered_members = [
member for member in binding['members'] if member in ccs
]
if len(filtered_members) != len(binding['members']):
# Remove old members.
binding['members'] = filtered_members
iam_policy = storage.set_bucket_iam_policy(client, bucket_name,
iam_policy)
# We might have no binding either from start or after filtering members above.
# Create a new one in those cases.
binding = storage.get_or_create_bucket_iam_binding(iam_policy,
OBJECT_VIEWER_IAM_ROLE)
for cc in ccs:
if cc in binding['members']:
continue
logs.log('Adding %s to bucket IAM for %s' % (cc, bucket_name))
# Add CCs one at a time since the API does not work with invalid or
# non-Google emails.
modified_iam_policy = storage.add_single_bucket_iam(
client, iam_policy, OBJECT_VIEWER_IAM_ROLE, bucket_name, cc)
if modified_iam_policy:
iam_policy = modified_iam_policy
binding = storage.get_bucket_iam_binding(iam_policy,
OBJECT_VIEWER_IAM_ROLE)
if not binding['members']:
# Check that the final binding has members. Empty bindings are not valid.
storage.remove_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE)
return iam_policy
def create_data_bundle_bucket_and_iams(data_bundle_name, emails):
"""Creates a data bundle bucket and adds iams for access."""
bucket_name = get_data_bundle_bucket_name(data_bundle_name)
if not storage.create_bucket_if_needed(bucket_name):
return False
client = storage.create_discovery_storage_client()
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return False
members = []
# Add access for the domains allowed in project.
domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
for domain in domains:
members.append('domain:%s' % domain)
# Add access for the emails provided in function arguments.
for email in emails:
members.append('user:%s' % email)
if not members:
# No members to add, bail out.
return True
binding = storage.get_bucket_iam_binding(iam_policy,
DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE)
if binding:
binding['members'] = members
else:
binding = {
'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE,
'members': members,
}
iam_policy['bindings'].append(binding)
return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))
