Class: Gcloud::ResourceManager::Policy

Inherits:
Object
Defined in:
lib/gcloud/resource_manager/policy.rb

Overview

# Policy

Represents a Cloud IAM Policy for the Resource Manager service.

A common pattern for updating a resource's metadata, such as its Policy, is to read the current data from the service, update the data locally, and then send the modified data for writing. This pattern may result in a conflict if two or more processes attempt the sequence simultaneously: without a guard, the later writer silently overwrites the earlier writer's change. IAM solves this problem with the #etag property, which is used to verify whether the policy has changed since the last request. When you make a request with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match; otherwise the write is rejected and the caller must re-read the policy and reapply its change.

When you update a policy, first read the policy (and its current etag) from the service, then modify the policy locally, and then write the modified policy to the service. See Gcloud::ResourceManager::Project#policy and Gcloud::ResourceManager::Project#policy=.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call: reads the current bindings and their etag

policy.remove "roles/owner", "user:[email protected]" # Local call
policy.add "roles/owner", "user:[email protected]" # Local call
policy.roles["roles/viewer"] = ["allUsers"] # Local call: makes the project readable by anyone on the internet

project.policy = policy # API call: written only if the etag still matches
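The etag check described above, as an added example that is not part of the gcloud gem: a hypothetical in-memory FakePolicyService that rejects writes carrying a stale etag, a LocalPolicy struct with the same etag/roles shape as this class, and a retry loop around the read-modify-write sequence. The class names, member emails and the `etag-vN` format are constructed for the example.

```ruby
# Minimal stand-in for Gcloud::ResourceManager::Policy: an etag plus
# Hash{String => Array<String>} of role => members (example code, not the gem's).
LocalPolicy = Struct.new(:etag, :roles)

# Raised when a write carries an etag that no longer matches the stored policy
# (the real service answers such a write with a conflict error).
class StaleEtagError < StandardError; end

# Hypothetical server side: holds one policy and enforces the etag on writes.
class FakePolicyService
  def initialize(roles)
    @roles = roles.transform_values(&:dup)
    @version = 0
    @etag = next_etag
  end

  # Read: hands out copies, so local edits never touch server state directly.
  def get_policy
    LocalPolicy.new(@etag, @roles.transform_values(&:dup))
  end

  # Write: accepted only when the caller's etag is the current one.
  def set_policy(policy)
    unless policy.etag == @etag
      raise StaleEtagError, "etag #{policy.etag} is stale (current #{@etag})"
    end
    @roles = policy.roles.reject { |_role, members| members.empty? }.transform_values(&:dup)
    @etag = next_etag
    get_policy
  end

  private

  # Every accepted write produces a new, never-reused etag (constructed format).
  def next_etag
    "etag-v#{@version += 1}"
  end
end

# Read-modify-write with retry: on conflict, read again and reapply the same
# local change to the fresh copy, so neither writer's edit is dropped.
def update_policy_with_retry(service, max_attempts: 3)
  max_attempts.times do
    policy = service.get_policy # fresh read, fresh etag
    yield policy                # apply the local change to this read
    begin
      return service.set_policy(policy)
    rescue StaleEtagError
      # someone else wrote first; loop to the next attempt
    end
  end
  raise "policy update abandoned after #{max_attempts} attempts"
end

# Two writers start from the same read; the second one's write is rejected
# and then succeeds on retry, even with a third writer interleaving.
def simulate_lost_update
  service = FakePolicyService.new("roles/owner" => ["user:alice@example.com"])
  a = service.get_policy
  b = service.get_policy # same etag as a
  a.roles["roles/viewer"] = ["group:audit@example.com"]
  b.roles["roles/owner"] << "user:bob@example.com"
  service.set_policy(a)  # first writer wins; the etag advances
  rejected = begin
    service.set_policy(b) # stale etag: rejected instead of clobbering a's change
    false
  rescue StaleEtagError
    true
  end
  attempts = 0
  final = update_policy_with_retry(service) do |policy|
    attempts += 1
    if attempts == 1
      # an interloper writes between our read and our write on the first try
      other = service.get_policy
      other.roles["roles/viewer"] << "user:carol@example.com"
      service.set_policy(other)
    end
    policy.roles["roles/owner"] << "user:bob@example.com"
  end
  { rejected: rejected, attempts: attempts, roles: final.roles }
end
```

The retry block must be idempotent against a fresh read (it re-adds the member to whatever the service currently holds) rather than reusing the first local copy; reusing the stale object would simply be rejected again.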


Constant Summary

API =

Alias to the Google Client API module

Google::Apis::CloudresourcemanagerV1

Instance Attribute Summary

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(etag, roles) ⇒ Policy

Returns a new instance of Policy.



# File 'lib/gcloud/resource_manager/policy.rb', line 81

def initialize etag, roles
  @etag = etag
  @roles = roles
end

Instance Attribute Details

#etag ⇒ String

Used to verify whether the policy has changed since the last request. The policy will be written only if the etag values match.

Returns:

  • (String)

    the current value of etag



# File 'lib/gcloud/resource_manager/policy.rb', line 72

def etag
  @etag
end

#roles ⇒ Hash{String => Array<String>}

The bindings that associate roles with an array of members. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Returns:

  • (Hash{String => Array<String>})

    the current value of roles



# File 'lib/gcloud/resource_manager/policy.rb', line 72

def roles
  @roles
end

Class Method Details

.from_gapi(gapi) ⇒ Object

Builds a Policy from a Google::Apis::CloudresourcemanagerV1::Policy object, keying each binding's members by its role.



# File 'lib/gcloud/resource_manager/policy.rb', line 203

def self.from_gapi gapi
  # A policy with no bindings may come back with bindings == nil; treat it as empty.
  roles = Array(gapi.bindings).each_with_object({}) do |binding, memo|
    memo[binding.role] = binding.members.to_a
  end
  new gapi.etag, roles
end

Instance Method Details

#add(role_name, member) ⇒ Object

Convenience method for adding a member to a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call

policy.add "roles/owner", "user:[email protected]" # Local call

project.policy = policy # API call

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/owner"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`.



# File 'lib/gcloud/resource_manager/policy.rb', line 111

def add role_name, member
  role(role_name) << member
end

#deep_dup ⇒ Policy

Returns a deep copy of the policy.

Returns:

  • (Policy)

    a copy whose #roles hash and member arrays are independent of this policy's

# File 'lib/gcloud/resource_manager/policy.rb', line 175

def deep_dup
  dup.tap do |p|
    # Copy each members array as well; a plain #dup would share them with the original.
    roles_dup = p.roles.each_with_object({}) do |(k, v), memo|
      memo[k] = v.dup rescue v
    end
    p.instance_variable_set "@roles", roles_dup
  end
end
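An added example (not the gem's own code) covering the #roles hash and #deep_dup: review a proposed roles hash against the one read from the service before writing it back, so a change like the Overview's `["allUsers"]` binding is caught rather than shipped. It works on the same Hash{String => Array<String>} shape as #roles; deep_dup_roles stands in for #deep_dup so the example runs without the gem installed, and PUBLIC_MEMBERS, SENSITIVE_ROLES, the review rules and the sample bindings are assumptions made for the example.

```ruby
# Members that grant access to everyone on the internet or to every Google account.
PUBLIC_MEMBERS = %w[allUsers allAuthenticatedUsers].freeze

# Roles this example refuses to bind to a public member (assumed list).
SENSITIVE_ROLES = %w[roles/owner roles/editor].freeze

# Stand-in for Policy#deep_dup on a bare roles hash: copies the member arrays,
# so edits to the copy leave the original available for the diff below.
def deep_dup_roles(roles)
  roles.each_with_object({}) { |(role, members), memo| memo[role] = members.dup }
end

# Returns { role => { added: [...], removed: [...] } } for roles whose members changed.
def diff_roles(before, after)
  (before.keys | after.keys).each_with_object({}) do |role, memo|
    old_members = before.fetch(role, [])
    new_members = after.fetch(role, [])
    added = new_members - old_members
    removed = old_members - new_members
    memo[role] = { added: added, removed: removed } unless added.empty? && removed.empty?
  end
end

# Returns human-readable findings; an empty list means nothing blocks the write.
def review_bindings(before, after)
  findings = []
  diff_roles(before, after).each do |role, change|
    change[:added].each do |member|
      next unless PUBLIC_MEMBERS.include?(member)
      severity = SENSITIVE_ROLES.include?(role) ? "BLOCK" : "WARN"
      findings << "#{severity}: #{role} granted to #{member}"
    end
    # Removing the last owner locks every operator out of the project.
    if role == "roles/owner" && !change[:removed].empty? && after.fetch(role, []).empty?
      findings << "BLOCK: last owner removed"
    end
  end
  findings
end

def demo_review
  # Constructed starting policy, shaped like what Policy#roles returns after project.policy.
  current = {
    "roles/owner"  => ["user:alice@example.com"],
    "roles/viewer" => ["group:readers@example.com"]
  }
  proposed = deep_dup_roles(current)           # edit a copy; keep the original for the diff
  proposed["roles/viewer"] << "allUsers"       # same effect as the Overview example
  proposed["roles/editor"] = ["allAuthenticatedUsers"]
  proposed["roles/owner"].delete("user:alice@example.com")
  {
    diff: diff_roles(current, proposed),
    findings: review_bindings(current, proposed),
    original_untouched: current["roles/viewer"] == ["group:readers@example.com"]
  }
end
```

Had the copy been made with a plain `dup`, `proposed["roles/viewer"] << "allUsers"` would have appended to the array shared with `current`, and the diff would have reported no change for that role; that is the reason #deep_dup copies the member arrays.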

#remove(role_name, member) ⇒ Object

Convenience method for removing a member from a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy # API call

policy.remove "roles/owner", "user:[email protected]" # Local call

project.policy = policy # API call

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/owner"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`.



# File 'lib/gcloud/resource_manager/policy.rb', line 140

def remove role_name, member
  role(role_name).delete member
end

#role(role_name) ⇒ Array<String>

Convenience method returning the array of members bound to a role in this policy, or an empty array if no value is present for the role in #roles. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/resource-manager/reference/rpc/google.iam.v1#binding) for a listing of values and patterns for members.

Examples:

require "gcloud"

gcloud = Gcloud.new
resource_manager = gcloud.resource_manager
project = resource_manager.project "tokyo-rain-123"

policy = project.policy

policy.role("roles/viewer") << "user:[email protected]"

Returns:

  • (Array<String>)

    The members strings, or an empty array.



# File 'lib/gcloud/resource_manager/policy.rb', line 166

def role role_name
  roles[role_name] ||= []
end

#to_gapi ⇒ Object

Converts this Policy into a Google::Apis::CloudresourcemanagerV1::Policy, omitting roles whose member list is empty.



# File 'lib/gcloud/resource_manager/policy.rb', line 187

def to_gapi
  # Drop roles with no members instead of emitting nil entries in bindings.
  bindings = roles.reject { |_role, members| members.empty? }.map do |role_name, members|
    API::Binding.new(
      role: role_name,
      members: members
    )
  end
  API::Policy.new(
    etag: etag,
    bindings: bindings
  )
end