Implement Table-level IAM Policy controls. by alexoneill · Pull Request #6293 · googleapis/google-cloud-java · GitHub

@alexoneill

No description provided.

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Sep 18, 2019
@codecov
codecov bot commented Sep 18, 2019

Codecov Report

Merging #6293 into master will decrease coverage by <.01%.
The diff coverage is 0%.


@@             Coverage Diff              @@
##             master    #6293      +/-   ##
============================================
- Coverage     47.11%    47.1%   -0.01%     
  Complexity    27378    27378              
============================================
  Files          2524     2524              
  Lines        277617   277653      +36     
  Branches      31984    31984              
============================================
  Hits         130786   130786              
- Misses       137056   137092      +36     
  Partials       9775     9775
Impacted Files Coverage Δ Complexity Δ
...ud/bigtable/admin/v2/BigtableTableAdminClient.java 60.92% <0%> (-19.08%) 27 <0> (ø)
...va/com/google/cloud/compute/v1/InstanceClient.java 55.09% <0%> (ø) 147% <0%> (ø) ⬇️
.../com/google/cloud/compute/v1/RegionDiskClient.java 53.89% <0%> (ø) 43% <0%> (ø) ⬇️
...ava/com/google/cloud/compute/v1/ProjectClient.java 57.07% <0%> (ø) 55% <0%> (ø) ⬇️
...ava/com/google/cloud/compute/v1/NetworkClient.java 54.9% <0%> (ø) 39% <0%> (ø) ⬇️
...ava/com/google/cloud/compute/v1/LicenseClient.java 56.19% <0%> (ø) 31% <0%> (ø) ⬇️
...va/com/google/cloud/compute/v1/SnapshotClient.java 55.73% <0%> (ø) 31% <0%> (ø) ⬇️
.../java/com/google/cloud/compute/v1/ImageClient.java 54.77% <0%> (ø) 43% <0%> (ø) ⬇️
.../google/cloud/compute/v1/TargetSslProxyClient.java 54.28% <0%> (ø) 35% <0%> (ø) ⬇️
.../google/cloud/compute/v1/SecurityPolicyClient.java 53.79% <0%> (ø) 39% <0%> (ø) ⬇️
... and 174 more


Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 445076a...b766a6b. Read the comment docs.

@kolea2 kolea2 added the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Sep 23, 2019
@kolea2 kolea2 removed the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Sep 26, 2019
@kolea2
Contributor
kolea2 commented Sep 26, 2019

LGTM, will merge unless @igorbernstein2 has any additional comments

@kolea2 kolea2 merged commit bec495f into googleapis:master Sep 27, 2019
@rahulKQL

@kolea2, @igorbernstein2 Sorry for pointing this out now, but I think these methods are available in BigtableInstanceAdminClient already:

  /**
   * Gets the IAM access control policy for the specified instance.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * Policy policy = client.getIamPolicy("my-instance");
   * for(Map.Entry<Role, Set<Identity>> entry : policy.getBindings().entrySet()) {
   *   System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
   * }
   * }</pre>
   *
   * @see <a
   *     href="https://cloud.google.com/bigtable/docs/access-control#iam-management-instance">Instance-level
   *     IAM management</a>
   */
  @SuppressWarnings("WeakerAccess")
  public Policy getIamPolicy(String instanceId) {
    return ApiExceptions.callAndTranslateApiException(getIamPolicyAsync(instanceId));
  }

  /**
   * Asynchronously gets the IAM access control policy for the specified instance.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * ApiFuture<Policy> policyFuture = client.getIamPolicyAsync("my-instance");
   *
   * ApiFutures.addCallback(policyFuture,
   *   new ApiFutureCallback<Policy>() {
   *     public void onSuccess(Policy policy) {
   *       for (Entry<Role, Set<Identity>> entry : policy.getBindings().entrySet()) {
   *         System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
   *       }
   *     }
   *
   *     public void onFailure(Throwable t) {
   *       t.printStackTrace();
   *     }
   *   },
   *   MoreExecutors.directExecutor());
   * }</pre>
   *
   * @see <a
   *     href="https://cloud.google.com/bigtable/docs/access-control#iam-management-instance">Instance-level
   *     IAM management</a>
   */
  @SuppressWarnings("WeakerAccess")
  public ApiFuture<Policy> getIamPolicyAsync(String instanceId) {
    String name = NameUtil.formatInstanceName(projectId, instanceId);

    GetIamPolicyRequest request = GetIamPolicyRequest.newBuilder().setResource(name).build();

    final IamPolicyMarshaller marshaller = new IamPolicyMarshaller();

    return ApiFutures.transform(
        stub.getIamPolicyCallable().futureCall(request),
        new ApiFunction<com.google.iam.v1.Policy, Policy>() {
          @Override
          public Policy apply(com.google.iam.v1.Policy proto) {
            return marshaller.fromPb(proto);
          }
        },
        MoreExecutors.directExecutor());
  }

  /**
   * Replaces the IAM policy associated with the specified instance.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * Policy newPolicy = client.setIamPolicy("my-instance",
   *   Policy.newBuilder()
   *     .addIdentity(Role.of("bigtable.user"), Identity.user("someone@example.com"))
   *     .addIdentity(Role.of("bigtable.admin"), Identity.group("admins@example.com"))
   *     .build());
   * }</pre>
   *
   * @see <a
   *     href="https://cloud.google.com/bigtable/docs/access-control#iam-management-instance">Instance-level
   *     IAM management</a>
   */
  @SuppressWarnings("WeakerAccess")
  public Policy setIamPolicy(String instanceId, Policy policy) {
    return ApiExceptions.callAndTranslateApiException(setIamPolicyAsync(instanceId, policy));
  }

  /**
   * Asynchronously replaces the IAM policy associated with the specified instance.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * ApiFuture<Policy> newPolicyFuture = client.setIamPolicyAsync("my-instance",
   *   Policy.newBuilder()
   *     .addIdentity(Role.of("bigtable.user"), Identity.user("someone@example.com"))
   *     .addIdentity(Role.of("bigtable.admin"), Identity.group("admins@example.com"))
   *     .build());
   *
   * ApiFutures.addCallback(newPolicyFuture,
   *   new ApiFutureCallback<Policy>() {
   *     public void onSuccess(Policy policy) {
   *       for (Entry<Role, Set<Identity>> entry : policy.getBindings().entrySet()) {
   *         System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
   *       }
   *     }
   *
   *     public void onFailure(Throwable t) {
   *       t.printStackTrace();
   *     }
   *   },
   *   MoreExecutors.directExecutor());
   * }</pre>
   *
   * @see <a
   *     href="https://cloud.google.com/bigtable/docs/access-control#iam-management-instance">Instance-level
   *     IAM management</a>
   */
  @SuppressWarnings("WeakerAccess")
  public ApiFuture<Policy> setIamPolicyAsync(String instanceId, Policy policy) {
    String name = NameUtil.formatInstanceName(projectId, instanceId);
    final IamPolicyMarshaller marshaller = new IamPolicyMarshaller();

    SetIamPolicyRequest request =
        SetIamPolicyRequest.newBuilder()
            .setResource(name)
            .setPolicy(marshaller.toPb(policy))
            .build();

    return ApiFutures.transform(
        stub.setIamPolicyCallable().futureCall(request),
        new ApiFunction<com.google.iam.v1.Policy, Policy>() {
          @Override
          public Policy apply(com.google.iam.v1.Policy proto) {
            return marshaller.fromPb(proto);
          }
        },
        MoreExecutors.directExecutor());
  }

  /**
   * Tests whether the caller has the given permissions for the specified instance. Returns a subset
   * of the specified permissions that the caller has.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * List<String> grantedPermissions = client.testIamPermission("my-instance",
   *   "bigtable.tables.readRows", "bigtable.tables.mutateRows");
   *
   * System.out.println("Has read access: " +
   *   grantedPermissions.contains("bigtable.tables.readRows"));
   * System.out.println("Has write access: " +
   *   grantedPermissions.contains("bigtable.tables.mutateRows"));
   * }</pre>
   *
   * @see <a href="https://cloud.google.com/bigtable/docs/access-control#permissions">Cloud Bigtable
   *     permissions</a>
   */
  @SuppressWarnings({"WeakerAccess"})
  public List<String> testIamPermission(String instanceId, String... permissions) {
    return ApiExceptions.callAndTranslateApiException(
        testIamPermissionAsync(instanceId, permissions));
  }

  /**
   * Asynchronously tests whether the caller has the given permissions for the specified instance.
   * Returns a subset of the specified permissions that the caller has.
   *
   * <p>Sample code:
   *
   * <pre>{@code
   * ApiFuture<List<String>> grantedPermissionsFuture = client.testIamPermissionAsync("my-instance",
   *   "bigtable.tables.readRows", "bigtable.tables.mutateRows");
   *
   * ApiFutures.addCallback(grantedPermissionsFuture,
   *   new ApiFutureCallback<List<String>>() {
   *     public void onSuccess(List<String> grantedPermissions) {
   *       System.out.println("Has read access: " + grantedPermissions.contains("bigtable.tables.readRows"));
   *       System.out.println("Has write access: " + grantedPermissions.contains("bigtable.tables.mutateRows"));
   *     }
   *
   *     public void onFailure(Throwable t) {
   *       t.printStackTrace();
   *     }
   *   },
   *   MoreExecutors.directExecutor());
   * }</pre>
   *
   * @see <a href="https://cloud.google.com/bigtable/docs/access-control#permissions">Cloud Bigtable
   *     permissions</a>
   */
  @SuppressWarnings({"WeakerAccess"})
  public ApiFuture<List<String>> testIamPermissionAsync(String instanceId, String... permissions) {
    TestIamPermissionsRequest request =
        TestIamPermissionsRequest.newBuilder()
            .setResource(NameUtil.formatInstanceName(projectId, instanceId))
            .addAllPermissions(Arrays.asList(permissions))
            .build();

    return ApiFutures.transform(
        stub.testIamPermissionsCallable().futureCall(request),
        new ApiFunction<TestIamPermissionsResponse, List<String>>() {
          @Override
          public List<String> apply(TestIamPermissionsResponse input) {
            return input.getPermissionsList();
          }
        },
        MoreExecutors.directExecutor());
  }

  /**
   * Simple adapter to expose {@link DefaultMarshaller} to this class. It enables this client to
   * convert to/from IAM wrappers and protobufs.
   */
  private static class IamPolicyMarshaller extends DefaultMarshaller {
    @Override
    public Policy fromPb(com.google.iam.v1.Policy policyPb) {
      return super.fromPb(policyPb);
    }

    @Override
    public com.google.iam.v1.Policy toPb(Policy policy) {
      return super.toPb(policy);
    }
  }
}

I might have missed checking the open PRs till now.

@igorbernstein2

They need to be duplicated because one set is for instances and the other for tables.
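
The instance/table distinction from the reply above, as an added example that is not code from this PR or from the project: it grants a read role on one table instead of the whole instance, after checking for an existing instance-level binding. It assumes the table-level methods on BigtableTableAdminClient take a table ID and otherwise mirror the instance-level signatures quoted above; the project, instance, table and service-account names are placeholders.

```java
import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.bigtable.admin.v2.BigtableInstanceAdminClient;
import com.google.cloud.bigtable.admin.v2.BigtableTableAdminClient;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class TableScopedGrant {
  public static void main(String[] args) throws Exception {
    // Placeholder identifiers constructed for this example.
    String projectId = "my-project";
    String instanceId = "my-instance";
    String tableId = "my-table";
    Identity job = Identity.serviceAccount("report-job@my-project.iam.gserviceaccount.com");
    Role reader = Role.of("bigtable.reader");

    try (BigtableInstanceAdminClient instances = BigtableInstanceAdminClient.create(projectId);
        BigtableTableAdminClient tables = BigtableTableAdminClient.create(projectId, instanceId)) {

      // An instance-level binding applies to every table in the instance, so a
      // table-level grant only narrows access if no such binding already exists.
      Policy instancePolicy = instances.getIamPolicy(instanceId);
      for (Map.Entry<Role, Set<Identity>> entry : instancePolicy.getBindings().entrySet()) {
        if (entry.getValue().contains(job)) {
          System.out.printf("Already bound on the instance: %s%n", entry.getKey());
        }
      }

      // setIamPolicy replaces the stored policy. Build the update from the policy
      // just read so existing bindings and its etag are carried over.
      Policy current = tables.getIamPolicy(tableId);
      Policy updated = current.toBuilder().addIdentity(reader, job).build();
      Policy stored = tables.setIamPolicy(tableId, updated);
      System.out.printf("Table policy bindings: %s%n", stored.getBindings());

      // Returns the subset of the listed permissions the caller holds on this table.
      List<String> granted =
          tables.testIamPermission(tableId, "bigtable.tables.readRows", "bigtable.tables.mutateRows");
      System.out.println("Caller can read: " + granted.contains("bigtable.tables.readRows"));
      System.out.println("Caller can write: " + granted.contains("bigtable.tables.mutateRows"));
    }
  }
}
```

testIamPermission reports the permissions of the credentials making the call, so run it as the service account itself to confirm the grant took effect.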
