Class: Gcloud::ResourceManager::Policy

Inherits:
Object
Defined in:
lib/gcloud/resource_manager/policy.rb

Overview

# Policy

Represents a Cloud IAM Policy for the Resource Manager service.

A common pattern for updating a resource's metadata, such as its Policy, is to read the current data from the service, update the data locally, and then send the modified data for writing. This pattern may result in a conflict if two or more processes attempt the sequence simultaneously: the second writer would silently overwrite the first writer's change. IAM solves this problem with the #etag property, which is used to verify whether the policy has changed since the last request. When you make a request with an `etag` value, Cloud IAM compares the `etag` value in the request with the existing `etag` value associated with the policy. It writes the policy only if the `etag` values match; otherwise the write is rejected and the caller must read the policy again and re-apply its change.

When you update a policy, first read the policy (and its current `etag`) from the service, then modify the policy locally, and then write the modified policy to the service. The Policy object returned by the read carries the `etag`, and the write sends it back (see #to_gapi). See Gcloud::ResourceManager::Project#policy and Gcloud::ResourceManager::Project#policy=.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call

policy.remove "roles/owner", "user:[email protected]" # Local call
policy.add "roles/owner", "user:[email protected]" # Local call
policy.roles["roles/viewer"] = ["allUsers"] # Local call; replaces any existing viewer members, and allUsers grants anyone on the Internet, unauthenticated

project.policy = policy # API call
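The read-modify-write sequence and the etag check described above, as an added example that is not part of the gcloud gem or its documentation. A hypothetical in-memory FakePolicyService stands in for the Resource Manager endpoint (its etag derivation, ConflictError and method names are assumptions for the example, not the real service's behaviour), and two writers that read the same policy version race to write it back; the member strings are constructed placeholders. It runs offline.

```ruby
require "digest"

# Hypothetical stand-in for the Resource Manager policy endpoint (assumption:
# not the gcloud gem, no network). Real Cloud IAM computes the etag itself;
# here it is a truncated SHA-256 of the canonicalized bindings.
class FakePolicyService
  class ConflictError < StandardError; end

  def initialize(roles)
    @roles = deep_copy(roles)
    @etag = compute_etag(@roles)
  end

  # Like Project#policy: return the current etag and a copy of the bindings.
  def get_policy
    [@etag, deep_copy(@roles)]
  end

  # Like Project#policy=: write only when the caller's etag is still current.
  def set_policy(etag, roles)
    unless etag == @etag
      raise ConflictError, "etag mismatch: policy changed since it was read"
    end
    @roles = deep_copy(roles)
    @etag = compute_etag(@roles)
  end

  private

  def compute_etag(roles)
    canonical = roles.sort.map { |role, members| "#{role}=#{members.sort.join(',')}" }
    Digest::SHA256.hexdigest(canonical.join(";"))[0, 16]
  end

  def deep_copy(roles)
    roles.each_with_object({}) { |(k, v), memo| memo[k] = v.dup }
  end
end

# Attempt one write; :conflict means the etag the caller holds is stale.
def try_write(service, etag, roles)
  service.set_policy(etag, roles)
  :written
rescue FakePolicyService::ConflictError
  :conflict
end

# Read-modify-write, the sequence the overview recommends: read (with etag),
# modify locally, write back with that etag. Re-reads and retries on conflict.
def update_policy(service, max_attempts: 2)
  max_attempts.times do
    etag, roles = service.get_policy   # API call: read policy and its etag
    yield roles                        # local modification
    return :written if try_write(service, etag, roles) == :written
  end
  :gave_up
end

# Two writers read the same version, then both try to write. Only the first
# succeeds; the second must re-read and re-apply its change.
def race_two_writers
  service = FakePolicyService.new("roles/owner" => ["user:alice@example.com"])

  etag_a, roles_a = service.get_policy   # writer A reads
  etag_b, roles_b = service.get_policy   # writer B reads the same version

  roles_a["roles/viewer"] = ["group:auditors@example.com"]        # A: local change
  (roles_b["roles/owner"] ||= []) << "user:bob@example.com"       # B: local change

  result_a = try_write(service, etag_a, roles_a)   # etag current: written
  result_b = try_write(service, etag_b, roles_b)   # etag stale: conflict

  # Without the etag check B's write would have silently dropped A's viewer
  # binding. With it, B retries from the current version instead.
  retry_b = update_policy(service) do |roles|
    (roles["roles/owner"] ||= []) << "user:bob@example.com"
  end

  { a: result_a, b: result_b, b_retry: retry_b, final: service.get_policy.last }
end
```

The point to take from `race_two_writers` is that the etag protects against lost updates, not against conflicting intent: after B's retry both changes are present, which is what you want here, but a retry loop should re-apply its edit to the freshly read policy (as `update_policy` does), never resend the stale copy with the new etag.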


Constant Summary

API =

Alias to the Google Client API module

Google::Apis::CloudresourcemanagerV1


Constructor Details

#initialize(etag, roles) ⇒ Policy

Returns a new instance of Policy. Callers normally obtain a Policy from Gcloud::ResourceManager::Project#policy rather than constructing one, so that it carries the etag of the version that was read.

# File 'lib/gcloud/resource_manager/policy.rb', line 81

def initialize etag, roles
  @etag = etag   # etag returned by the service with the policy that was read
  @roles = roles # Hash of role name => Array of member strings
end

Instance Attribute Details

#etag ⇒ String

Used to verify whether the policy has changed since the last request. The policy will be written only if the `etag` values match.

Returns:

  • (String)

    the current value of etag

# File 'lib/gcloud/resource_manager/policy.rb', line 72

def etag
  @etag
end

#roles ⇒ Hash{String => Array<String>}

The bindings that associate roles with an array of members. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Returns:

  • (Hash{String => Array<String>})

    the current value of roles

# File 'lib/gcloud/resource_manager/policy.rb', line 72

def roles
  @roles
end

Class Method Details

.from_gapi(gapi) ⇒ Policy

Creates a new Policy from a Google::Apis::CloudresourcemanagerV1::Policy object, flattening its list of bindings into the #roles hash and keeping its etag.

# File 'lib/gcloud/resource_manager/policy.rb', line 203

def self.from_gapi gapi
  # Array() guards against a policy that has no bindings (bindings is nil).
  roles = Array(gapi.bindings).each_with_object({}) do |binding, memo|
    memo[binding.role] = binding.members.to_a
  end
  new gapi.etag, roles
end

Instance Method Details

#add(role_name, member) ⇒ Object

Convenience method for adding a member to a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call

policy.add "roles/owner", "user:[email protected]" # Local call

project.policy = policy # API call

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/owner"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`.

# File 'lib/gcloud/resource_manager/policy.rb', line 111

def add role_name, member
  # #role creates an empty binding for role_name if none exists. No
  # de-duplication is done: a member that is already bound is appended again.
  role(role_name) << member
end

#deep_dup ⇒ Policy

Returns a deep copy of the policy, so that the copy's #roles hash and member arrays can be modified without affecting the original.

Returns:

  • (Policy)

    a deep copy of the policy

# File 'lib/gcloud/resource_manager/policy.rb', line 175

def deep_dup
  dup.tap do |p|
    # Copy each member array as well as the hash itself. The etag is shared,
    # since the copy still describes the same version of the policy that was read.
    roles_dup = p.roles.each_with_object({}) do |(k, v), memo|
      memo[k] = v.dup rescue v
    end
    p.instance_variable_set "@roles", roles_dup
  end
end

#remove(role_name, member) ⇒ Object

Convenience method for removing a member from a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call

policy.remove "roles/owner", "user:[email protected]" # Local call

project.policy = policy # API call

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/owner"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`.

# File 'lib/gcloud/resource_manager/policy.rb', line 140

def remove role_name, member
  # Array#delete removes every occurrence of member and returns nil when it
  # was not bound. A binding emptied this way stays in #roles but is dropped
  # by #to_gapi, so the role disappears from the written policy.
  role(role_name).delete member
end

#role(role_name) ⇒ Array<String>

Convenience method returning the array of members bound to a role in this policy. If no value is present for the role in #roles, an empty array is stored under that role and returned, so changes made to the returned array are reflected in the policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy

policy.role("roles/viewer") << "user:[email protected]"

Returns:

  • (Array<String>)

    The members strings, or an empty array.

# File 'lib/gcloud/resource_manager/policy.rb', line 166

def role role_name
  # ||= stores the new empty array in #roles, so the caller's `<<` lands in
  # the policy; the empty binding is omitted by #to_gapi if nothing is added.
  roles[role_name] ||= []
end

#to_gapi ⇒ Google::Apis::CloudresourcemanagerV1::Policy

Converts this Policy to a Google::Apis::CloudresourcemanagerV1::Policy, carrying the #etag so that the service can reject the write if the policy changed since it was read. Roles whose member array is empty are omitted from the bindings.

# File 'lib/gcloud/resource_manager/policy.rb', line 187

def to_gapi
  API::Policy.new(
    etag: etag,
    bindings: roles.keys.map do |role_name|
      next if roles[role_name].empty? # emptied bindings are not sent
      API::Binding.new(
        role: role_name,
        members: roles[role_name]
      )
    end.compact # `next` leaves a nil in the array for each skipped role; drop them
  )
end
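An added review step, not code from the gcloud gem: before `project.policy = policy` sends the locally modified policy back, compare the roles hash as read with the roles hash as modified to see exactly which grants the write adds and revokes, list bindings that #role left empty (which #to_gapi will drop), and flag grants to public principals. It replays the overview's edit sequence on a constructed starting policy; the member addresses, the SENSITIVE_ROLES list and the helper names are assumptions for the example. Note that assigning a whole array (`policy.roles["roles/viewer"] = ["allUsers"]`) replaces every existing viewer member, which shows up in the diff as revocations.

```ruby
# Principals that stand for everyone: anonymous Internet users, or anyone
# with a Google account (Cloud IAM member strings).
PUBLIC_PRINCIPALS = %w[allUsers allAuthenticatedUsers].freeze

# Roles for which a public grant is rated :critical. Assumed list for the
# example; extend it for your environment.
SENSITIVE_ROLES = %w[roles/owner roles/editor].freeze

# Flatten a roles hash (the shape of Policy#roles) into [role, member] pairs.
def binding_pairs(roles)
  roles.flat_map { |role, members| members.map { |member| [role, member] } }
end

# Which grants a write would add and which it would revoke, given the roles
# hash as read from the service and the locally modified one.
def diff_roles(before, after)
  old_pairs = binding_pairs(before)
  new_pairs = binding_pairs(after)
  { granted: new_pairs - old_pairs, revoked: old_pairs - new_pairs }
end

# Bindings whose member array is empty. Policy#role creates one as a side
# effect when the role was absent; Policy#to_gapi drops them before writing.
def empty_bindings(roles)
  roles.select { |_role, members| members.empty? }.keys
end

# Grants to public principals, rated :critical for sensitive roles and
# :warning otherwise (even roles/viewer to allUsers discloses project metadata).
def public_exposure_warnings(roles)
  exposed = binding_pairs(roles).select { |_role, member| PUBLIC_PRINCIPALS.include?(member) }
  exposed.map do |role, member|
    severity = SENSITIVE_ROLES.include?(role) ? :critical : :warning
    { role: role, member: member, severity: severity }
  end
end

# Replay the overview's edit sequence on a constructed starting policy and
# review the result before it would be written back.
def review_overview_edit
  # Constructed starting policy (assumption: what Project#policy returned).
  before = { "roles/owner" => ["user:alice@example.com"],
             "roles/viewer" => ["user:carol@example.com"] }
  after = before.each_with_object({}) { |(k, v), memo| memo[k] = v.dup } # as Policy#deep_dup

  (after["roles/owner"] ||= []).delete "user:alice@example.com" # policy.remove "roles/owner", ...
  (after["roles/owner"] ||= []) << "user:bob@example.com"       # policy.add "roles/owner", ...
  after["roles/viewer"] = ["allUsers"]  # policy.roles["roles/viewer"] = ["allUsers"]: carol is revoked
  after["roles/editor"] ||= []          # policy.role("roles/editor") with nothing added

  { diff: diff_roles(before, after),
    empty: empty_bindings(after),
    warnings: public_exposure_warnings(after) }
end
```

Run `review_overview_edit` and inspect `:diff` before writing: anything under `:revoked` that you did not intend, and any `:critical` warning, is a reason to fix the local policy rather than send it. The etag only stops a stale write; it does not stop a correct-etag write of a wrong policy.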