def test_policy_from_pb_w_non_empty():
    """Check that Policy.from_pb carries over etag, version and one admin binding."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE, Policy

    etag = b"ETAG"
    version = 1
    # Member strings exactly as this listing shows them (the e-mail parts
    # appear masked); the two entries still differ by their type prefix.
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    no_members = frozenset()
    admin_binding = {"role": BIGTABLE_ADMIN_ROLE, "members": members}
    message = policy_pb2.Policy(etag=etag, version=version, bindings=[admin_binding])

    policy = Policy.from_pb(message)

    assert policy.etag == etag
    assert policy.version == version
    assert policy.bigtable_admins == set(members)
    # Only the admin role was bound, so the other role views must stay empty:
    # from_pb must not grant a member anything the message did not contain.
    for role_view in ("bigtable_readers", "bigtable_users", "bigtable_viewers"):
        assert getattr(policy, role_view) == no_members
    assert len(policy) == 1
    assert dict(policy) == {BIGTABLE_ADMIN_ROLE: set(members)}
def set_iam_policy(self, policy):
    """Replace the access control policy of this instance resource.

    Any policy the instance already had is overwritten. The policy type is
    documented on class `google.cloud.bigtable.policy.Policy`.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_set_iam_policy]
        :end-before: [END bigtable_set_iam_policy]

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: The new IAM policy that takes the place of the current
                   IAM policy of this instance.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance, built from the
              service response.
    """
    admin_api = self._client.instance_admin_client
    # NOTE(review): this is a full replacement, not a merge. A caller that
    # only wants to add or drop one binding presumably has to start from the
    # policy returned by get_iam_policy(); confirm that in the callers.
    response_pb = admin_api.set_iam_policy(
        resource=self.name,
        policy=policy.to_pb(),
    )
    return Policy.from_pb(response_pb)
def get_iam_policy(self, requested_policy_version=None):
    """Fetch the access control policy of this instance resource.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_get_iam_policy]
        :end-before: [END bigtable_get_iam_policy]

    :type requested_policy_version: int or ``NoneType``
    :param requested_policy_version: Optional. The version of IAM policies
                                     to request. If a policy with a condition
                                     is requested without setting this, the
                                     server will return an error. It must be
                                     set to 3 to retrieve IAM policies that
                                     contain conditions; this keeps client
                                     code that is not aware of IAM conditions
                                     from interpreting and modifying such
                                     policies incorrectly. Depending on the
                                     feature syntax of the policy fetched,
                                     the service might return a policy with
                                     a version lower than the one requested.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance
    """
    call_kwargs = {"resource": self.name}
    # The options message is attached only when the caller asked for a
    # specific version; otherwise the request carries the resource name alone.
    if requested_policy_version is not None:
        call_kwargs["options_"] = options_pb2.GetPolicyOptions(
            requested_policy_version=requested_policy_version
        )

    admin_api = self._client.instance_admin_client
    response_pb = admin_api.get_iam_policy(**call_kwargs)
    return Policy.from_pb(response_pb)
def set_iam_policy(self, policy):
    """Replace the access control policy of this instance resource.

    Any policy the instance already had is overwritten. The policy type is
    documented on class `google.cloud.bigtable.policy.Policy`.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_api_set_iam_policy]
        :end-before: [END bigtable_api_set_iam_policy]
        :dedent: 4

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: The new IAM policy that takes the place of the current
                   IAM policy of this instance.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance, built from the
              service response.
    """
    admin_api = self._client.instance_admin_client
    # NOTE(review): the whole policy is replaced, not merged. Callers that
    # change a single binding presumably begin with get_iam_policy() output;
    # confirm that in the callers.
    request = {"resource": self.name, "policy": policy.to_pb()}
    response_pb = admin_api.set_iam_policy(request=request)
    return Policy.from_pb(response_pb)
def get_iam_policy(self):
    """Fetch the IAM access control policy of this backup.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this backup.
    """
    # The table admin client is reached through the owning instance's client.
    admin_api = self._instance._client.table_admin_client
    request = {"resource": self.name}
    policy_pb = admin_api.get_iam_policy(request=request)
    return Policy.from_pb(policy_pb)
def get_iam_policy(self):
    """Fetch the access control policy of this instance resource.

    For example:

    .. literalinclude:: snippets.py
        :start-after: [START bigtable_get_iam_policy]
        :end-before: [END bigtable_get_iam_policy]

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this instance
    """
    admin_api = self._client.instance_admin_client
    # Only the resource name is sent; no policy version is requested here.
    policy_pb = admin_api.get_iam_policy(resource=self.name)
    return Policy.from_pb(policy_pb)
def test_policy_from_pb_w_empty():
    """Check that Policy.from_pb on a default message yields an empty policy."""
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import Policy

    no_members = frozenset()
    blank_message = policy_pb2.Policy()

    policy = Policy.from_pb(blank_message)

    assert policy.etag == b""
    assert policy.version == 0
    # A message without bindings must not give any member any role.
    for role_view in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        assert getattr(policy, role_view) == no_members
    assert len(policy) == 0
    assert dict(policy) == {}
def set_iam_policy(self, policy):
    """Replace the IAM access control policy of this backup.

    Any policy the backup already had is overwritten. The policy type is
    documented on class `google.cloud.bigtable.policy.Policy`.

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: The new IAM policy that takes the place of the current
                   IAM policy of this backup.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this backup, built from the
              service response.
    """
    # The table admin client is reached through the owning instance's client.
    admin_api = self._instance._client.table_admin_client
    # NOTE(review): the whole policy is replaced, not merged. Callers that
    # change a single binding presumably begin with get_iam_policy() output;
    # confirm that in the callers.
    policy_pb = admin_api.set_iam_policy(
        resource=self.name,
        policy=policy.to_pb(),
    )
    return Policy.from_pb(policy_pb)
def test_policy_from_pb_w_condition():
    """Check how Policy.from_pb exposes a version 3 policy with a conditional binding.

    The binding must be readable through ``policy.bindings``, while the
    role-keyed views and ``len()`` must raise InvalidOperationException.
    """
    import pytest
    from google.iam.v1 import policy_pb2
    from google.api_core.iam import InvalidOperationException, _DICT_ACCESS_MSG
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE, Policy

    etag = b"ETAG"
    version = 3
    # Member strings exactly as this listing shows them (the e-mail parts
    # appear masked); the two entries still differ by their type prefix.
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    time_condition = {
        "title": "request_time",
        "description": "Requests made before 2021-01-01T00:00:00Z",
        "expression": 'request.time < timestamp("2021-01-01T00:00:00Z")',
    }
    bindings = [
        {
            "role": BIGTABLE_ADMIN_ROLE,
            "members": members,
            "condition": time_condition,
        }
    ]
    message = policy_pb2.Policy(etag=etag, version=version, bindings=bindings)

    policy = Policy.from_pb(message)

    assert policy.etag == etag
    assert policy.version == version
    first_binding = policy.bindings[0]
    assert first_binding["role"] == BIGTABLE_ADMIN_ROLE
    assert first_binding["members"] == set(members)
    # The condition has to survive the round trip unchanged; losing it would
    # turn a time-limited grant into an unconditional one.
    assert policy.bindings[0]["condition"] == bindings[0]["condition"]

    # The role-keyed views cannot represent a condition, so each of them is
    # expected to refuse access rather than return the members without it.
    for role_view in (
        "bigtable_admins",
        "bigtable_readers",
        "bigtable_users",
        "bigtable_viewers",
    ):
        with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
            getattr(policy, role_view)

    with pytest.raises(InvalidOperationException, match=_DICT_ACCESS_MSG):
        len(policy)
def set_iam_policy(self, policy):
    """Replace the IAM access control policy of this table.

    Any policy the table already had is overwritten. The policy type is
    documented on class `google.cloud.bigtable.policy.Policy`.

    For example:

    .. literalinclude:: snippets_table.py
        :start-after: [START bigtable_table_set_iam_policy]
        :end-before: [END bigtable_table_set_iam_policy]

    :type policy: :class:`google.cloud.bigtable.policy.Policy`
    :param policy: The new IAM policy that takes the place of the current
                   IAM policy of this table.

    :rtype: :class:`google.cloud.bigtable.policy.Policy`
    :returns: The current IAM policy of this table, built from the
              service response.
    """
    # The table admin client is reached through the owning instance's client.
    admin_api = self._instance._client.table_admin_client
    # NOTE(review): the whole policy is replaced, not merged. Callers that
    # change a single binding presumably begin with get_iam_policy() output;
    # confirm that in the callers.
    policy_pb = admin_api.set_iam_policy(
        resource=self.name,
        policy=policy.to_pb(),
    )
    return Policy.from_pb(policy_pb)