Class: Google::Cloud::Spanner::Policy

Inherits:
Object
Defined in:
lib/google/cloud/spanner/policy.rb

Overview

# Policy

Represents a Cloud IAM Policy for the Spanner service.

Represents a Cloud IAM Policy for the Spanner service. A common pattern for updating a resource's metadata, such as its Policy, is to read the current data from the service, update the data locally, and then send the modified data back for writing. This pattern can produce a conflict if two or more processes attempt the sequence simultaneously: the later writer works from a stale copy, and writing it would silently undo the earlier writer's change (for an IAM policy, that can re-grant a role that was just revoked). IAM solves this problem with the #etag property, which is used to verify whether the policy has changed since the last request. When you make a request with an `etag` value, Cloud IAM compares the `etag` value in the request with the existing `etag` value associated with the policy. It writes the policy only if the `etag` values match.

When you update a policy, first read the policy (and its current `etag`) from the service, then modify the policy locally, and then write the modified policy to the service. If the `etag` values no longer match when you write, the write is rejected and you must repeat the read-modify-write sequence on a fresh copy. See Instance#policy and Instance#policy= and Database#policy and Database#policy=.

Examples:

require "google/cloud/spanner"

spanner = Google::Cloud::Spanner.new
instance = spanner.instance "my-instance"

policy = instance.policy do |p|
  p.remove "roles/owner", "user:[email protected]"
  p.add "roles/owner", "user:[email protected]"
  p.roles["roles/viewer"] = ["allUsers"]
end
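The read-modify-write race described above, worked through as an added example that is not part of google-cloud-spanner. It uses an in-memory stand-in for the service (FakeIamService, StalePolicyError and the plain-Ruby LocalPolicy struct are all assumptions of this example; the real client talks to Cloud IAM over gRPC, and the real etag is an opaque server-generated value, not the digest constructed here). Two administrators read the same policy; the second writer is rejected because its etag is stale, and the correct recovery is to re-read and reapply the change.

```ruby
# Added example, not library code. Models the etag check that Cloud IAM
# applies to setIamPolicy so the lost-update problem can be shown offline.
require "digest"
require "json"

# Raised when the etag presented by the caller no longer matches the stored one.
class StalePolicyError < StandardError; end

# Minimal local model of Policy: an etag plus a Hash{String => Array<String>}.
LocalPolicy = Struct.new(:etag, :roles) do
  def role(role_name)
    roles[role_name] ||= []
  end

  def add(role_name, member)
    role(role_name) << member
  end

  def remove(role_name, member)
    role(role_name).delete member
  end
end

# Stand-in for the service side: stores one policy and enforces the etag check.
class FakeIamService
  def initialize(roles)
    @roles = roles
    @etag = compute_etag(@roles)
  end

  # Like getIamPolicy: hand back a copy so local edits never touch stored state.
  def get_policy
    LocalPolicy.new(@etag, @roles.transform_values(&:dup))
  end

  # Like setIamPolicy with an etag: write only if the caller's etag is current.
  def set_policy(policy)
    raise StalePolicyError, "policy changed since it was read" unless policy.etag == @etag
    # Roles whose member list is empty are dropped rather than stored.
    @roles = policy.roles.reject { |_, members| members.empty? }.transform_values(&:dup)
    @etag = compute_etag(@roles)
    get_policy
  end

  private

  # Constructed etag: a digest of the canonicalised bindings (the real etag is opaque).
  def compute_etag(roles)
    canonical = roles.sort.map { |role_name, members| [role_name, members.sort] }
    Digest::SHA256.hexdigest(JSON.generate(canonical))[0, 16]
  end
end

# Two administrators race on the same policy (all principals are constructed data).
def simulate_race
  service = FakeIamService.new(
    "roles/owner" => ["user:alice@example.com"],
    "roles/spanner.databaseReader" => ["group:analysts@example.com"]
  )

  # Both read the policy at the same etag.
  admin_a = service.get_policy
  admin_b = service.get_policy

  # Admin A replaces the owner and writes first; this succeeds.
  admin_a.remove "roles/owner", "user:alice@example.com"
  admin_a.add "roles/owner", "user:bob@example.com"
  service.set_policy admin_a

  # Admin B only wants to add a reader, but works from the stale copy that still
  # lists alice as owner. Without the etag check this write would silently
  # re-grant alice roles/owner; with it, the write is rejected.
  admin_b.add "roles/spanner.databaseReader", "user:carol@example.com"
  rejected = begin
    service.set_policy admin_b
    false
  rescue StalePolicyError
    true
  end

  # Correct recovery: re-read, reapply the intended change, write again.
  fresh = service.get_policy
  fresh.add "roles/spanner.databaseReader", "user:carol@example.com"
  final = service.set_policy fresh

  {
    rejected: rejected,
    owners: final.roles["roles/owner"],
    readers: final.roles["roles/spanner.databaseReader"]
  }
end
```

The retry loop is the part worth copying: on a rejected write, discard the local copy entirely and rebuild the change from a fresh read, rather than patching the etag onto the stale object.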


Constructor Details

#initialize(etag, roles) ⇒ Policy

Returns a new instance of Policy.



# File 'lib/google/cloud/spanner/policy.rb', line 77

def initialize etag, roles
  @etag = etag
  @roles = roles
end

Instance Attribute Details

#etag ⇒ String

Used to verify whether the policy has changed since the last request. The policy will be written only if the `etag` values match.

Returns:

  • (String)

    the current value of etag



# File 'lib/google/cloud/spanner/policy.rb', line 72

def etag
  @etag
end

#roles ⇒ Hash{String => Array<String>}

The bindings that associate roles with an array of members. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/spanner/reference/rpc/google.iam.v1#google.iam.v1.Binding) for a listing of values and patterns for members.

Returns:

  • (Hash{String => Array<String>})

    the current value of roles



# File 'lib/google/cloud/spanner/policy.rb', line 72

def roles
  @roles
end
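A pre-write check over a roles hash shaped like #roles, added here as an example and not part of google-cloud-spanner. It flags the kinds of bindings a reviewer would want to see before `policy=` is called: public principals (the page's own example binds `roles/viewer` to `allUsers`, which makes the instance readable by anyone), basic project-wide roles where a Spanner-specific role would do, members that do not use one of the common Cloud IAM member prefixes, and duplicate members (#add appends without checking for duplicates). The function names, the prefix list (the common prefixes from the Binding reference, not an exhaustive one) and the sample bindings are this example's own.

```ruby
# Added example, not library code: audit a Hash{String => Array<String>} of
# role bindings before writing it back as a Policy.

# Principals that make a binding world-readable or open to every Google account.
PUBLIC_MEMBERS = %w[allUsers allAuthenticatedUsers].freeze

# Basic project-wide roles; a roles/spanner.* role is usually the least-privilege choice.
BASIC_ROLES = %w[roles/owner roles/editor roles/viewer].freeze

# Common member prefixes accepted in a Cloud IAM Binding (assumption: not exhaustive).
KNOWN_MEMBER_PREFIXES = %w[user: serviceAccount: group: domain:].freeze

# Return an array of finding strings; an empty array means nothing was flagged.
def audit_roles(roles)
  findings = []
  roles.each do |role_name, members|
    findings << "#{role_name}: basic role, prefer a roles/spanner.* role" if BASIC_ROLES.include?(role_name)

    members.each do |member|
      if PUBLIC_MEMBERS.include?(member)
        findings << "#{role_name}: public principal #{member}"
      elsif KNOWN_MEMBER_PREFIXES.none? { |prefix| member.start_with?(prefix) }
        findings << "#{role_name}: unrecognised member #{member.inspect}"
      end
    end

    # Policy#add appends blindly, so the same member can be listed twice.
    duplicates = members.group_by(&:itself).select { |_, seen| seen.size > 1 }.keys
    findings << "#{role_name}: duplicate members #{duplicates.join(', ')}" unless duplicates.empty?
  end
  findings
end

# Raise instead of returning, for use right before a write.
def assert_safe_roles!(roles)
  findings = audit_roles(roles)
  raise ArgumentError, "refusing to write policy:\n  #{findings.join("\n  ")}" unless findings.empty?
  true
end

# Constructed sample bindings, deliberately including each class of problem.
SAMPLE_ROLES = {
  "roles/viewer" => ["allUsers"],
  "roles/spanner.databaseReader" => ["user:dev@example.com", "user:dev@example.com"],
  "roles/spanner.admin" => ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]
}.freeze
```

Run `audit_roles(policy.roles)` inside the block passed to Instance#policy or Database#policy, before the block returns, and the findings refer to exactly the hash that is about to be written.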

Class Method Details

.from_grpc(grpc) ⇒ Object

Builds a Policy from a Google::Iam::V1::Policy gRPC object: each binding's role becomes a key in #roles with that binding's members as its array, and the object's etag is carried over unchanged.

# File 'lib/google/cloud/spanner/policy.rb', line 178

def self.from_grpc grpc
  roles = grpc.bindings.each_with_object({}) do |binding, memo|
    memo[binding.role] = binding.members.to_a
  end
  new grpc.etag, roles
end

Instance Method Details

#add(role_name, member) ⇒ Object

Convenience method for adding a member to a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/spanner/reference/rpc/google.iam.v1#google.iam.v1.Binding) for a listing of values and patterns for members.

Examples:

require "google/cloud/spanner"

spanner = Google::Cloud::Spanner.new
instance = spanner.instance "my-instance"

policy = instance.policy do |p|
  p.add "roles/owner", "user:[email protected]"
end

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/spanner.admin"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`. The member is appended as-is; adding the same member twice lists it twice.



# File 'lib/google/cloud/spanner/policy.rb', line 105

def add role_name, member
  role(role_name) << member
end

#remove(role_name, member) ⇒ Object

Convenience method for removing a member from a binding on this policy. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/spanner/reference/rpc/google.iam.v1#google.iam.v1.Binding) for a listing of values and patterns for members.

Examples:

require "google/cloud/spanner"

spanner = Google::Cloud::Spanner.new
instance = spanner.instance "my-instance"

policy = instance.policy do |p|
  p.remove "roles/owner", "user:[email protected]"
end

Parameters:

  • role_name (String)

    A Cloud IAM role, such as `"roles/spanner.admin"`.

  • member (String)

    A Cloud IAM identity, such as `"user:[email protected]"`. Removing a member that is not bound to the role is a no-op.



# File 'lib/google/cloud/spanner/policy.rb', line 132

def remove role_name, member
  role(role_name).delete member
end

#role(role_name) ⇒ Array<String>

Convenience method returning the array of members bound to a role in this policy, or an empty array if no value is present for the role in #roles. See [Understanding Roles](cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Binding](cloud.google.com/spanner/reference/rpc/google.iam.v1#google.iam.v1.Binding) for a listing of values and patterns for members.

Examples:

require "google/cloud/spanner"

spanner = Google::Cloud::Spanner.new
instance = spanner.instance "my-instance"

policy = instance.policy do |p|
  p.role("roles/viewer") << "user:[email protected]"
end

Returns:

  • (Array<String>)

    The members strings, or an empty array.



# File 'lib/google/cloud/spanner/policy.rb', line 157

def role role_name
  roles[role_name] ||= []
end

#to_grpc ⇒ Object

Converts this Policy back into a Google::Iam::V1::Policy gRPC object for writing, carrying the #etag so the service can perform its comparison. A role whose member array is empty (for example after #remove took away its last member, or after #role was called for a role with no members) is skipped rather than written as a binding with no members.

# File 'lib/google/cloud/spanner/policy.rb', line 163

def to_grpc
  Google::Iam::V1::Policy.new(
    etag: etag,
    bindings: roles.keys.map do |role_name|
      next if roles[role_name].empty?
      Google::Iam::V1::Binding.new(
        role: role_name,
        members: roles[role_name]
      )
    end
  )
end