def test_bigtable_set_iam_policy_then_get_iam_policy(): service_account_email = Config.CLIENT._credentials.service_account_email # [START bigtable_set_iam_policy] from google.cloud.bigtable import Client from google.cloud.bigtable.policy import Policy from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE client = Client(admin=True) instance = client.instance(INSTANCE_ID) instance.reload() new_policy = Policy() new_policy[BIGTABLE_ADMIN_ROLE] = [ Policy.service_account(service_account_email) ] policy_latest = instance.set_iam_policy(new_policy) # [END bigtable_set_iam_policy] assert len(policy_latest.bigtable_admins) > 0 # [START bigtable_get_iam_policy] from google.cloud.bigtable import Client client = Client(admin=True) instance = client.instance(INSTANCE_ID) policy = instance.get_iam_policy() # [END bigtable_get_iam_policy] assert len(policy.bigtable_admins) > 0
def test_set_iam_policy(self):
    """Instance.set_iam_policy forwards the policy and parses the reply.

    The admin API client is replaced by an autospec mock, so no request
    leaves the process.
    """
    from google.cloud.bigtable_admin_v2.gapic import (
        bigtable_instance_admin_client as admin_client_module)
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    client = self._make_client(
        project=self.PROJECT, credentials=_make_credentials(), admin=True)
    instance = self._make_one(self.INSTANCE_ID, client)

    policy_version = 1
    policy_etag = b'etag_v1'
    # NOTE(review): the address literals in this listing appear masked by the
    # hosting page; the identities passed to Policy.user() and
    # Policy.service_account() below must correspond to these members for the
    # assertions to hold. Confirm against the upstream file.
    expected_members = [
        'serviceAccount:[email protected]',
        'user:[email protected]',
    ]
    expected_bindings = [
        {'role': BIGTABLE_ADMIN_ROLE, 'members': expected_members},
    ]
    response_pb = policy_pb2.Policy(
        version=policy_version, etag=policy_etag, bindings=expected_bindings)

    # Swap in a mocked admin client that answers with the canned policy.
    mocked_api = mock.create_autospec(
        admin_client_module.BigtableInstanceAdminClient)
    mocked_api.set_iam_policy.return_value = response_pb
    client._instance_admin_client = mocked_api

    # Build the policy to send and invoke the method under test.
    outgoing = Policy(etag=policy_etag, version=policy_version)
    outgoing[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**"),
    ]
    returned = instance.set_iam_policy(outgoing)

    expected_policy_arg = {
        'version': policy_version,
        'etag': policy_etag,
        'bindings': expected_bindings,
    }
    mocked_api.set_iam_policy.assert_called_once_with(
        resource=instance.name, policy=expected_policy_arg)

    self.assertEqual(returned.version, policy_version)
    self.assertEqual(returned.etag, policy_etag)
    returned_admins = returned.bigtable_admins
    self.assertEqual(len(returned_admins), len(expected_members))
    self.assertEqual(sorted(returned_admins), sorted(expected_members))
def test_set_iam_policy(self):
    """Backup.set_iam_policy sends the policy via the table admin client.

    The table admin API is an autospec mock; the test checks the request
    dict passed to it and the Policy built from its reply.
    """
    from google.cloud.bigtable.client import Client
    from google.cloud.bigtable_admin_v2.services.bigtable_table_admin import (
        BigtableTableAdminClient,
    )
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    client = Client(
        project=self.PROJECT_ID, credentials=_make_credentials(), admin=True
    )
    instance = client.instance(instance_id=self.INSTANCE_ID)
    backup = self._make_one(self.BACKUP_ID, instance, cluster_id=self.CLUSTER_ID)

    policy_version = 1
    policy_etag = b"etag_v1"
    # NOTE(review): the address literals in this listing appear masked by the
    # hosting page; the identities given to Policy.user() and
    # Policy.service_account() below must correspond to these members for the
    # assertions to hold. Confirm against the upstream file.
    expected_members = [
        "serviceAccount:[email protected]",
        "user:[email protected]",
    ]
    expected_bindings = [
        {"role": BIGTABLE_ADMIN_ROLE, "members": sorted(expected_members)}
    ]
    response_pb = policy_pb2.Policy(
        version=policy_version, etag=policy_etag, bindings=expected_bindings
    )

    # Install the mocked table admin client and its canned reply.
    mocked_api = mock.create_autospec(BigtableTableAdminClient)
    client._table_admin_client = mocked_api
    mocked_api.set_iam_policy.return_value = response_pb

    outgoing = Policy(etag=policy_etag, version=policy_version)
    outgoing[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**"),
    ]
    returned = backup.set_iam_policy(outgoing)

    expected_request = {"resource": backup.name, "policy": response_pb}
    mocked_api.set_iam_policy.assert_called_once_with(request=expected_request)

    self.assertEqual(returned.version, policy_version)
    self.assertEqual(returned.etag, policy_etag)
    returned_admins = returned.bigtable_admins
    self.assertEqual(len(returned_admins), len(expected_members))
    self.assertEqual(sorted(returned_admins), sorted(expected_members))
def get_iam_policy(self, requested_policy_version=None):
    """Fetch the IAM access control policy of this instance.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_get_iam_policy]
        :end-before: [END bigtable_get_iam_policy]

    :type requested_policy_version: int or ``NoneType``
    :param requested_policy_version: Optional. The IAM policy version to
        request. Requesting a policy that contains a condition without
        setting this makes the server return an error; it must be ``3`` to
        retrieve policies with conditions. The requirement keeps client
        code that is unaware of IAM conditions from misreading and
        incorrectly modifying such policies. The service may answer with
        a lower version than requested, depending on the feature syntax
        of the policy fetched.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance
    """
    request_kwargs = {"resource": self.name}
    # Only send policy options when the caller asked for a specific version.
    if requested_policy_version is not None:
        request_kwargs["options_"] = options_pb2.GetPolicyOptions(
            requested_policy_version=requested_policy_version
        )

    response = self._client.instance_admin_client.get_iam_policy(**request_kwargs)
    return Policy.from_pb(response)
def set_iam_policy(self, policy):
    """Set the IAM access control policy of this instance.

    Replaces any existing policy, so every binding that is absent from
    ``policy`` is removed. To change a single binding, start from the
    policy returned by :meth:`get_iam_policy` so the existing bindings and
    the etag are carried over.

    For more information about policy, please see documentation of
    class `google.cloud.bigtable.policy.Policy`

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_api_set_iam_policy]
        :end-before: [END bigtable_api_set_iam_policy]
        :dedent: 4

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: A new IAM policy to replace the current IAM policy
                   of this instance

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance.
    """
    admin_api = self._client.instance_admin_client
    request = {"resource": self.name, "policy": policy.to_pb()}
    response = admin_api.set_iam_policy(request=request)
    return Policy.from_pb(response)
def test_policy_from_pb_w_non_empty():
    """Policy.from_pb keeps etag, version and the single admin binding."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    expected_etag = b"ETAG"
    expected_version = 1
    # NOTE(review): these address literals appear masked by the hosting page.
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    admin_binding = {"role": BIGTABLE_ADMIN_ROLE, "members": members}

    message = policy_pb2.Policy(
        etag=expected_etag, version=expected_version, bindings=[admin_binding]
    )
    policy = Policy.from_pb(message)

    assert policy.etag == expected_etag
    assert policy.version == expected_version
    assert policy.bigtable_admins == set(members)

    # Roles that were not bound must come back empty.
    no_members = frozenset()
    for role_property in ("bigtable_readers", "bigtable_users", "bigtable_viewers"):
        assert getattr(policy, role_property) == no_members

    assert len(policy) == 1
    assert dict(policy) == {BIGTABLE_ADMIN_ROLE: set(members)}
def set_iam_policy(self, policy):
    """Set the IAM access control policy of this instance.

    Replaces any existing policy, so every binding that is absent from
    ``policy`` is removed. To change a single binding, start from the
    policy returned by :meth:`get_iam_policy` so the existing bindings and
    the etag are carried over.

    For more information about policy, please see documentation of
    class `google.cloud.bigtable.policy.Policy`

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_set_iam_policy]
        :end-before: [END bigtable_set_iam_policy]

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: A new IAM policy to replace the current IAM policy
                   of this instance

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance.
    """
    admin_api = self._client.instance_admin_client
    policy_pb = policy.to_pb()
    response = admin_api.set_iam_policy(resource=self.name, policy=policy_pb)
    return Policy.from_pb(response)
def test_set_iam_policy(self):
    """System test: set an admin binding on a temporary table.

    Skipped on the emulator. The table is registered for cleanup right
    after it is created.
    """
    self._skip_if_emulated("Method not implemented in bigtable emulator")

    table = Config.INSTANCE_DATA.table("test-set-iam-policy-table")
    table.create()
    self.tables_to_delete.append(table)

    # The fresh Policy() replaces whatever policy the table had; that is
    # acceptable here only because the table was created for this test.
    policy_to_set = Policy()
    # NOTE(review): reads the private ``_credentials`` attribute of the client.
    sa_email = Config.CLIENT._credentials.service_account_email
    policy_to_set[BIGTABLE_ADMIN_ROLE] = [Policy.service_account(sa_email)]

    applied = table.set_iam_policy(policy_to_set).to_api_repr()
    first_binding = applied["bindings"][0]

    self.assertEqual(first_binding["role"], "roles/bigtable.admin")
    # Substring match: the member string carries a prefix before the e-mail.
    self.assertIn(sa_email, first_binding["members"][0])
def test_bigtable_set_iam_policy_then_get_iam_policy():
    """Snippet test: set an instance IAM policy, then read it back.

    The ``bigtable_set_iam_policy`` region is opened twice so that the
    test-only credential lookup between the two parts stays out of the
    published snippet.
    """
    # [START bigtable_set_iam_policy]
    from google.cloud.bigtable import Client
    from google.cloud.bigtable.policy import Policy
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    # [END bigtable_set_iam_policy]

    # NOTE(review): this reads the private ``_credentials`` attribute of the
    # shared test client to find the identity the test runs as.
    service_account_email = Config.CLIENT._credentials.service_account_email

    # [START bigtable_set_iam_policy]
    client = Client(admin=True)
    instance = client.instance(INSTANCE_ID)
    instance.reload()
    # set_iam_policy() replaces the whole policy, so a fresh Policy() drops
    # every binding that is not listed here. Outside a throwaway test
    # instance, start from instance.get_iam_policy() so existing bindings and
    # the etag are carried over, and grant the narrowest role that works.
    new_policy = Policy()
    new_policy[BIGTABLE_ADMIN_ROLE] = [Policy.service_account(service_account_email)]

    policy_latest = instance.set_iam_policy(new_policy)
    # [END bigtable_set_iam_policy]

    assert len(policy_latest.bigtable_admins) > 0

    # [START bigtable_get_iam_policy]
    from google.cloud.bigtable import Client

    client = Client(admin=True)
    instance = client.instance(INSTANCE_ID)
    policy = instance.get_iam_policy()
    # [END bigtable_get_iam_policy]

    assert len(policy.bigtable_admins) > 0
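def set_iam_policy(self, policy):
    """Sets the access control policy on an instance resource. Replaces any
    existing policy.

    Because the policy is replaced as a whole, every binding that is absent
    from ``policy`` is removed. The example therefore starts from the
    policy returned by :meth:`get_iam_policy` and changes one role.

    For more information about policy, please see documentation of
    class `google.cloud.bigtable.policy.Policy`

    .. code-block:: python

        from google.cloud.bigtable.client import Client
        from google.cloud.bigtable.policy import Policy
        from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

        client = Client(admin=True)
        instance = client.instance('[INSTANCE_ID]')
        ins_policy = instance.get_iam_policy()
        ins_policy[BIGTABLE_ADMIN_ROLE] = [
            Policy.user("*****@*****.**"),
            Policy.service_account("*****@*****.**")]

        policy_latest = instance.set_iam_policy(ins_policy)
        print(policy_latest.bigtable_admins)

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: A new IAM policy to replace the current IAM policy
                   of this instance

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance.
    """
    # The docstring example previously called set_iam_policy() without the
    # required ``policy`` argument; the code path itself is unchanged.
    instance_admin_client = self._client._instance_admin_client
    resp = instance_admin_client.set_iam_policy(
        resource=self.name, policy=policy.to_api_repr())
    # The reply is converted to a dict first, then parsed into a Policy.
    return Policy.from_api_repr(self._to_dict_from_policy_pb(resp))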
def test_set_iam_policy(self):
    """Instance.set_iam_policy sends the expected SetIamPolicyRequest.

    A ChannelStub stands in for the transport and records the request the
    real admin client builds, so nothing is sent over the network.
    """
    from google.cloud.bigtable_admin_v2.gapic import (
        bigtable_instance_admin_client as admin_client_module)
    from google.iam.v1 import iam_policy_pb2
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    client = self._make_client(
        project=self.PROJECT, credentials=_make_credentials(), admin=True)
    instance = self._make_one(self.INSTANCE_ID, client)

    policy_version = 1
    policy_etag = b'etag_v1'
    # NOTE(review): the address literals in this listing appear masked by the
    # hosting page; the members here must correspond to the identities
    # passed to Policy.user() / Policy.service_account() below. Confirm
    # against the upstream file.
    admin_members = ['serviceAccount:[email protected]', 'user:[email protected]']
    admin_bindings = [{'role': BIGTABLE_ADMIN_ROLE, 'members': admin_members}]
    policy_pb = policy_pb2.Policy(
        version=policy_version, etag=policy_etag, bindings=admin_bindings)
    wanted_request = iam_policy_pb2.SetIamPolicyRequest(
        resource=instance.name, policy=policy_pb)

    # The stubbed channel echoes the same policy back as the response.
    stub_channel = ChannelStub(responses=[policy_pb])
    client._instance_admin_client = (
        admin_client_module.BigtableInstanceAdminClient(channel=stub_channel))

    outgoing = Policy(etag=policy_etag, version=policy_version)
    outgoing[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**"),
    ]
    returned = instance.set_iam_policy(outgoing)

    # requests[0] is the first recorded call; index 1 holds the request message.
    sent_request = stub_channel.requests[0][1]
    self.assertEqual(sent_request, wanted_request)
    self.assertEqual(returned.bigtable_admins, outgoing.bigtable_admins)
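def test_bigtable_set_iam_policy():
    """Snippet test: replace the instance IAM policy with one admin binding.

    The ``[START ...]`` / ``[END ...]`` comments delimit the published
    snippet region.
    """
    # [START bigtable_set_iam_policy]
    from google.cloud.bigtable import Client
    from google.cloud.bigtable.policy import Policy
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    client = Client(admin=True)
    instance = client.instance(INSTANCE_ID)
    instance.reload()
    # set_iam_policy() replaces the whole policy, so a fresh Policy() drops
    # every binding that is not listed here. Outside a throwaway test
    # instance, start from the instance's current policy instead.
    ins_policy = Policy()
    ins_policy[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**")]

    policy_latest = instance.set_iam_policy(ins_policy)
    # [END bigtable_set_iam_policy]

    # Compare by value: ``is not 0`` tested object identity against an int
    # literal, which relies on interpreter caching and raises SyntaxWarning
    # on current Python versions.
    assert len(policy_latest.bigtable_admins) > 0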
def get_iam_policy(self):
    """Fetch the IAM access control policy of this backup.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this backup.
    """
    # Backups are addressed through the table admin API of the owning client.
    admin_api = self._instance._client.table_admin_client
    request = {"resource": self.name}
    return Policy.from_pb(admin_api.get_iam_policy(request=request))
def test_set_iam_policy(self):
    """Instance.set_iam_policy forwards the policy and parses the reply.

    The admin API client is replaced by an autospec mock, so no request
    leaves the process.
    """
    from google.cloud.bigtable_admin_v2.gapic import (
        bigtable_instance_admin_client as admin_client_module,
    )
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    client = self._make_client(
        project=self.PROJECT, credentials=_make_credentials(), admin=True
    )
    instance = self._make_one(self.INSTANCE_ID, client)

    policy_version = 1
    policy_etag = b"etag_v1"
    # NOTE(review): the address literals in this listing appear masked by the
    # hosting page; the identities passed to Policy.user() and
    # Policy.service_account() below must correspond to these members for the
    # assertions to hold. Confirm against the upstream file.
    expected_members = ["serviceAccount:[email protected]", "user:[email protected]"]
    expected_bindings = [{"role": BIGTABLE_ADMIN_ROLE, "members": expected_members}]
    response_pb = policy_pb2.Policy(
        version=policy_version, etag=policy_etag, bindings=expected_bindings
    )

    # Swap in a mocked admin client that answers with the canned policy.
    mocked_api = mock.create_autospec(
        admin_client_module.BigtableInstanceAdminClient
    )
    mocked_api.set_iam_policy.return_value = response_pb
    client._instance_admin_client = mocked_api

    # Build the policy to send and invoke the method under test.
    outgoing = Policy(etag=policy_etag, version=policy_version)
    outgoing[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**"),
    ]
    returned = instance.set_iam_policy(outgoing)

    expected_policy_arg = {
        "version": policy_version,
        "etag": policy_etag,
        "bindings": expected_bindings,
    }
    mocked_api.set_iam_policy.assert_called_once_with(
        resource=instance.name, policy=expected_policy_arg
    )

    self.assertEqual(returned.version, policy_version)
    self.assertEqual(returned.etag, policy_etag)
    returned_admins = returned.bigtable_admins
    self.assertEqual(len(returned_admins), len(expected_members))
    self.assertEqual(sorted(returned_admins), sorted(expected_members))
def test_table_set_iam_policy(service_account, data_instance_populated, tables_to_delete, skip_on_emulator):
    """System test: set an admin binding on a temporary table.

    All four parameters are pytest fixtures; ``skip_on_emulator`` is
    requested only for its effect and is not used in the body.
    """
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    table = data_instance_populated.table("test-set-iam-policy-table")
    table.create()
    tables_to_delete.append(table)

    # The fresh Policy() replaces whatever policy the table had; that is
    # acceptable here only because the table was created for this test.
    policy_to_set = Policy()
    sa_email = service_account.service_account_email
    policy_to_set[BIGTABLE_ADMIN_ROLE] = [Policy.service_account(sa_email)]

    applied = table.set_iam_policy(policy_to_set).to_api_repr()
    first_binding = applied["bindings"][0]

    assert first_binding["role"] == BIGTABLE_ADMIN_ROLE
    # Substring match: the member string carries a prefix before the e-mail.
    assert sa_email in first_binding["members"][0]
def test_instance_set_iam_policy():
    """Instance.set_iam_policy sends a request dict and parses the reply.

    The instance admin API comes from ``_make_instance_admin_api()``, so the
    call is checked on that stand-in rather than on a live service.
    """
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    client = _make_client(
        project=PROJECT, credentials=_make_credentials(), admin=True
    )
    instance = _make_instance(INSTANCE_ID, client)

    policy_version = 1
    policy_etag = b"etag_v1"
    # NOTE(review): the address literals in this listing appear masked by the
    # hosting page; the identities passed to Policy.user() and
    # Policy.service_account() below must correspond to these members for the
    # assertions to hold. Confirm against the upstream file.
    expected_members = ["serviceAccount:[email protected]", "user:[email protected]"]
    expected_bindings = [
        {"role": BIGTABLE_ADMIN_ROLE, "members": sorted(expected_members)}
    ]
    response_pb = policy_pb2.Policy(
        version=policy_version, etag=policy_etag, bindings=expected_bindings
    )

    admin_api = _make_instance_admin_api()
    client._instance_admin_client = admin_api
    admin_api.set_iam_policy.return_value = response_pb

    outgoing = Policy(etag=policy_etag, version=policy_version)
    outgoing[BIGTABLE_ADMIN_ROLE] = [
        Policy.user("*****@*****.**"),
        Policy.service_account("*****@*****.**"),
    ]
    returned = instance.set_iam_policy(outgoing)

    expected_request = {"resource": instance.name, "policy": response_pb}
    admin_api.set_iam_policy.assert_called_once_with(request=expected_request)

    assert returned.version == policy_version
    assert returned.etag == policy_etag
    returned_admins = returned.bigtable_admins
    assert len(returned_admins) == len(expected_members)
    assert sorted(returned_admins) == sorted(expected_members)
def get_iam_policy(self):
    """Fetch the IAM access control policy of this instance.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_get_iam_policy]
        :end-before: [END bigtable_get_iam_policy]

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance
    """
    admin_api = self._client.instance_admin_client
    return Policy.from_pb(admin_api.get_iam_policy(resource=self.name))
def test_policy_from_pb_w_empty():
    """Policy.from_pb on a default message yields an empty policy."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import Policy

    policy = Policy.from_pb(policy_pb2.Policy())

    # A default protobuf message carries an empty etag and version 0.
    assert policy.etag == b""
    assert policy.version == 0

    no_members = frozenset()
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        assert getattr(policy, role_property) == no_members

    assert len(policy) == 0
    assert dict(policy) == {}
def test_policy_from_api_repr_wo_etag():
    """Policy.from_api_repr without an etag leaves ``etag`` as None."""
    from google.cloud.bigtable.policy import Policy

    expected_version = 1
    policy = Policy.from_api_repr({"version": expected_version})

    assert policy.etag is None
    assert policy.version == expected_version

    no_members = frozenset()
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        assert getattr(policy, role_property) == no_members

    assert len(policy) == 0
    assert dict(policy) == {}
def test_bigtable_viewers_policy():
    """Snippet test: set a viewer binding and read the viewers back.

    The ``bigtable_viewers_policy`` region is opened twice so that the
    test-only credential lookup between the two parts stays out of the
    published snippet.
    """
    # [START bigtable_viewers_policy]
    from google.cloud.bigtable import Client
    from google.cloud.bigtable.policy import Policy
    from google.cloud.bigtable.policy import BIGTABLE_VIEWER_ROLE

    # [END bigtable_viewers_policy]

    # NOTE(review): this reads the private ``_credentials`` attribute of the
    # shared test client to find the identity the test runs as.
    service_account_email = Config.CLIENT._credentials.service_account_email

    # [START bigtable_viewers_policy]
    client = Client(admin=True)
    instance = client.instance(INSTANCE_ID)
    instance.reload()
    # set_iam_policy() replaces the whole policy, so a fresh Policy() drops
    # every binding that is not listed here, including admin bindings.
    # Outside a throwaway test instance, start from
    # instance.get_iam_policy() so existing bindings and the etag are kept.
    new_policy = Policy()
    new_policy[BIGTABLE_VIEWER_ROLE] = [
        Policy.service_account(service_account_email)
    ]

    policy_latest = instance.set_iam_policy(new_policy)
    policy = policy_latest.bigtable_viewers
    # [END bigtable_viewers_policy]

    assert len(policy) > 0
def test_policy_from_api_repr_w_etag():
    """Policy.from_api_repr decodes a base64 etag and leaves version unset."""
    import base64
    from google.cloud.bigtable.policy import Policy

    raw_etag = b"ETAG"
    # The API representation carries the etag as base64 text.
    encoded_etag = base64.b64encode(raw_etag).decode("ascii")
    policy = Policy.from_api_repr({"etag": encoded_etag})

    assert policy.etag == raw_etag
    assert policy.version is None

    no_members = frozenset()
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        assert getattr(policy, role_property) == no_members

    assert len(policy) == 0
    assert dict(policy) == {}
def set_iam_policy(self, policy):
    """Set the IAM access control policy of this backup.

    Replaces any existing policy, so every binding that is absent from
    ``policy`` is removed. To change a single binding, start from the
    policy currently set on the backup so existing bindings and the etag
    are carried over.

    For more information about policy, please see documentation of
    class `google.cloud.bigtable.policy.Policy`

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: A new IAM policy to replace the current IAM policy
                   of this backup.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this backup.
    """
    # Backups are addressed through the table admin API of the owning client.
    admin_api = self._instance._client.table_admin_client
    policy_pb = policy.to_pb()
    reply = admin_api.set_iam_policy(resource=self.name, policy=policy_pb)
    return Policy.from_pb(reply)
def test_bigtable_viewers_policy(): service_account_email = Config.CLIENT._credentials.service_account_email # [START bigtable_viewers_policy] from google.cloud.bigtable import Client from google.cloud.bigtable.policy import Policy from google.cloud.bigtable.policy import BIGTABLE_VIEWER_ROLE client = Client(admin=True) instance = client.instance(INSTANCE_ID) instance.reload() new_policy = Policy() new_policy[BIGTABLE_VIEWER_ROLE] = [Policy.service_account(service_account_email)] policy_latest = instance.set_iam_policy(new_policy) policy = policy_latest.bigtable_viewers # [END bigtable_viewers_policy] assert len(policy) > 0
def get_iam_policy(self):
    """Fetch the IAM access control policy of this instance.

    .. code-block:: python

        from google.cloud.bigtable.client import Client
        from google.cloud.bigtable.policy import Policy

        client = Client(admin=True)
        instance = client.instance('[INSTANCE_ID]')
        policy_latest = instance.get_iam_policy()
        print(policy_latest.bigtable_viewers)

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance
    """
    admin_api = self._client._instance_admin_client
    policy_pb = admin_api.get_iam_policy(resource=self.name)
    # The reply is converted to a dict first, then parsed into a Policy.
    policy_dict = self._to_dict_from_policy_pb(policy_pb)
    return Policy.from_api_repr(policy_dict)
def test_policy_from_pb_w_condition():
    """A version-3 policy with a condition rejects dict-style access.

    The bindings stay readable through ``policy.bindings``, while the role
    properties and ``len()`` raise InvalidOperationException. This keeps
    code that is unaware of conditions from reading such a policy as if the
    condition were not there.
    """
    import pytest
    from google.iam.v1 import policy_pb2
    from google.api_core.iam import InvalidOperationException, _DICT_ACCESS_MSG
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE
    from google.cloud.bigtable.policy import Policy

    expected_etag = b"ETAG"
    expected_version = 3
    # NOTE(review): these address literals appear masked by the hosting page.
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    condition = {
        "title": "request_time",
        "description": "Requests made before 2021-01-01T00:00:00Z",
        "expression": 'request.time < timestamp("2021-01-01T00:00:00Z")',
    }
    bindings = [
        {"role": BIGTABLE_ADMIN_ROLE, "members": members, "condition": condition}
    ]

    message = policy_pb2.Policy(
        etag=expected_etag, version=expected_version, bindings=bindings
    )
    policy = Policy.from_pb(message)

    assert policy.etag == expected_etag
    assert policy.version == expected_version

    first_binding = policy.bindings[0]
    assert first_binding["role"] == BIGTABLE_ADMIN_ROLE
    assert first_binding["members"] == set(members)
    assert first_binding["condition"] == condition

    # Every role property goes through dict-style access and must refuse.
    for role_property in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
            getattr(policy, role_property)

    with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
        len(policy)
def set_iam_policy(self, policy):
    """Set the IAM access control policy of this table.

    Replaces any existing policy, so every binding that is absent from
    ``policy`` is removed. To change a single binding, start from the
    policy currently set on the table so existing bindings and the etag
    are carried over.

    For more information about policy, please see documentation of
    class `google.cloud.bigtable.policy.Policy`

    For example:

    .. literalinclude:: snippets_table.py
        :start-after: [START bigtable_table_set_iam_policy]
        :end-before: [END bigtable_table_set_iam_policy]

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: A new IAM policy to replace the current IAM policy
                   of this table.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this table.
    """
    admin_api = self._instance._client.table_admin_client
    policy_pb = policy.to_pb()
    reply = admin_api.set_iam_policy(resource=self.name, policy=policy_pb)
    return Policy.from_pb(reply)
def _make_policy(*args, **kw):
    """Build a bigtable ``Policy``, passing all arguments through.

    The import is done inside the function, so the policy module is loaded
    only when a test calls this helper.
    """
    import google.cloud.bigtable.policy as policy_module

    return policy_module.Policy(*args, **kw)