def test_policy_to_pb_w_condition():
    """A binding that carries an IAM condition renders into the protobuf intact."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    # Version 3 is the policy level at which IAM exposes conditional bindings.
    version = 3
    etag = b"ETAG"
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    condition = {
        "title": "request_time",
        "description": "Requests made before 2021-01-01T00:00:00Z",
        "expression": 'request.time < timestamp("2021-01-01T00:00:00Z")',
    }

    policy = _make_policy(etag, version)
    policy.bindings = [
        {"role": BIGTABLE_ADMIN_ROLE, "members": set(members), "condition": condition}
    ]

    # to_pb() sorts members, so the expectation is built from the sorted list.
    expected_binding = policy_pb2.Binding(
        role=BIGTABLE_ADMIN_ROLE, members=sorted(members), condition=condition
    )
    expected = policy_pb2.Policy(
        etag=etag, version=version, bindings=[expected_binding]
    )

    assert policy.to_pb() == expected
def to_pb(self):
    """Render this policy as a ``google.iam.v1.policy_pb2.Policy`` message.

    One ``Binding`` is emitted per role held by the policy; each binding's
    members are sorted so the rendering is deterministic regardless of the
    underlying set ordering.

    Returns:
        google.iam.policy_pb2.Policy: a message to be passed to the
        ``set_iam_policy`` gRPC API.
    """
    bindings = []
    for role in self:
        members = sorted(self[role])
        bindings.append(policy_pb2.Binding(role=role, members=members))

    # A policy whose version was never set is sent as version 0.
    return policy_pb2.Policy(
        etag=self.etag,
        version=self.version or 0,
        bindings=bindings,
    )
def to_pb(self):
    """Render this policy as a ``google.iam.v1.policy_pb2.Policy`` message.

    Bindings whose member set is empty are dropped; members are sorted so the
    rendering is deterministic. A binding's optional ``condition`` entry is
    passed through to the message unchanged.

    Returns:
        google.iam.policy_pb2.Policy: a message to be passed to the
        ``set_iam_policy`` gRPC API.
    """

    def _render(binding):
        # Keyed access on "role"/"members" is intentional: both are required.
        return policy_pb2.Binding(
            role=binding["role"],
            members=sorted(binding["members"]),
            condition=binding.get("condition"),
        )

    populated = (b for b in self.bindings if b["members"])

    # NOTE(review): IAM honours conditional bindings only at policy version 3;
    # ``self.version`` is sent as-is, so a caller attaching conditions must
    # have set it accordingly.
    return policy_pb2.Policy(
        etag=self.etag,
        version=self.version or 0,
        bindings=[_render(b) for b in populated],
    )
def test_policy_to_pb_explicit():
    """A policy with one plain role binding renders to the expected protobuf."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    version = 1
    etag = b"ETAG"
    members = ["serviceAccount:[email protected]", "user:[email protected]"]

    policy = _make_policy(etag, version)
    policy[BIGTABLE_ADMIN_ROLE] = members

    # Members are sorted by to_pb(), so sort the expectation the same way.
    expected_binding = policy_pb2.Binding(
        role=BIGTABLE_ADMIN_ROLE, members=sorted(members)
    )
    expected = policy_pb2.Policy(
        etag=etag, version=version, bindings=[expected_binding]
    )

    assert policy.to_pb() == expected
def init_iam_policy(cls, metadata, context):
    """Derive an initial IAM policy from a bucket's legacy ACL entries.

    Each ACL entry is mapped to the matching ``roles/storage.legacyBucket*``
    role and becomes a single-member ``Binding``. An entry with a missing role
    or entity, or a role outside the known mapping, is reported through
    ``utils.error.invalid`` (presumably that raises; the code does not guard
    against it returning).

    Args:
        metadata: object exposing an ``acl`` iterable of entries that carry
            ``role`` and ``entity`` attributes.
        context: passed through to ``utils.error.invalid`` for error reporting.

    Returns:
        google.iam.v1.policy_pb2.Policy: a version-1 policy whose etag is the
        current wall-clock timestamp.
    """
    legacy_to_iam = {
        "READER": "roles/storage.legacyBucketReader",
        "WRITER": "roles/storage.legacyBucketWriter",
        "OWNER": "roles/storage.legacyBucketOwner",
    }

    bindings = []
    for entry in metadata.acl:
        legacy_role = entry.role
        if legacy_role is None or entry.entity is None:
            utils.error.invalid("ACL entry", context)
        iam_role = legacy_to_iam.get(legacy_role)
        if iam_role is None:
            utils.error.invalid("Legacy role %s" % legacy_role, context)
        bindings.append(policy_pb2.Binding(role=iam_role, members=[entry.entity]))

    # NOTE(review): the etag is a naive local timestamp, not a digest of the
    # policy content — two policies created in the same instant would share it.
    etag = datetime.datetime.now().isoformat().encode("utf-8")
    return policy_pb2.Policy(version=1, bindings=bindings, etag=etag)
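def add_user_to_source(source_name):
    """Grant a user the findingsEditor role on a Security Command Center source.

    The current policy is read first and its bindings are carried over into
    the write, so the call adds one grant instead of replacing every grant on
    the source.

    Args:
        source_name: resource path of the source, in the form
            ``organizations/{organization_id}/sources/{source_id}``.

    Returns:
        tuple: the new ``policy_pb2.Binding`` and the updated policy returned
        by ``set_iam_policy``.
    """
    user_email = "*****@*****.**"
    # [START securitycenter_set_source_iam]
    from google.cloud import securitycenter
    from google.iam.v1 import policy_pb2

    client = securitycenter.SecurityCenterClient()

    # source_name is the resource path for a source that has been
    # created previously (you can use list_sources to find a specific one).
    # Its format is:
    # source_name = "organizations/{organization_id}/sources/{source_id}"
    # e.g.:
    # source_name = "organizations/111122222444/sources/1234"

    # Get the old policy so we can do an incremental update.
    old_policy = client.get_iam_policy(request={"resource": source_name})
    print("Old Policy: {}".format(old_policy))

    # Setup a new IAM binding.
    binding = policy_pb2.Binding()
    binding.role = "roles/securitycenter.findingsEditor"
    # user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
    # user_mail = [email protected]
    binding.members.append("user:{}".format(user_email))

    # set_iam_policy replaces the whole bindings list, so start from the
    # bindings already on the source and append the new one; sending only
    # ``[binding]`` would silently revoke every other grant on the source.
    bindings = list(old_policy.bindings)
    bindings.append(binding)

    # Sending the etag makes the write conditional: it is rejected if the
    # policy changed between the read above and this update.
    updated = client.set_iam_policy(
        request={
            "resource": source_name,
            "policy": {"etag": old_policy.etag, "bindings": bindings},
        }
    )
    print("Updated Policy: {}".format(updated))
    # [END securitycenter_set_source_iam]
    return binding, updated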