use of com.google.api.services.notebooks.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.
the class Snippets method removeMemberFromKeyRingPolicy.
// [END kms_remove_member_from_cryptokey_policy]
// [START kms_remove_member_from_keyring_policy]
/**
* Removes the given member from the given policy.
*/
public static Policy removeMemberFromKeyRingPolicy(String projectId, String locationId, String keyRingId, String member, String role) throws IOException {
// Create the Cloud KMS client.
CloudKMS kms = createAuthorizedClient();
// The resource name of the cryptoKey
String cryptoKey = String.format("projects/%s/locations/%s/keyRings/%s", projectId, locationId, keyRingId);
// Get the current IAM policy and add the new account to it.
Policy iamPolicy = getKeyRingPolicy(projectId, locationId, keyRingId);
// Filter out the given member
for (Binding b : iamPolicy.getBindings()) {
if (role.equals(b.getRole()) && b.getMembers().contains(member)) {
b.getMembers().remove(member);
break;
}
}
// Set the new IAM Policy.
Policy newIamPolicy = kms.projects().locations().keyRings().setIamPolicy(cryptoKey, new SetIamPolicyRequest().setPolicy(iamPolicy)).execute();
System.out.println("Response: " + newIamPolicy);
return newIamPolicy;
}
use of com.google.api.services.notebooks.v1.model.SetIamPolicyRequest in project terra-workspace-manager by DataBiosphere.
the class NotebookCloudSyncStep method doStep.
@Override
public StepResult doStep(FlightContext flightContext) throws InterruptedException, RetryException {
FlightMap workingMap = flightContext.getWorkingMap();
FlightUtils.validateRequiredEntries(workingMap, ControlledResourceKeys.GCP_CLOUD_CONTEXT);
GcpCloudContext cloudContext = workingMap.get(ControlledResourceKeys.GCP_CLOUD_CONTEXT, GcpCloudContext.class);
List<Binding> newBindings = createBindings(cloudContext, flightContext.getWorkingMap());
AIPlatformNotebooksCow notebooks = crlService.getAIPlatformNotebooksCow();
InstanceName instanceName = resource.toInstanceName(cloudContext.getGcpProjectId());
try {
Policy policy = notebooks.instances().getIamPolicy(instanceName).execute();
// Duplicating bindings is harmless (e.g. on retry). GCP de-duplicates.
Optional.ofNullable(policy.getBindings()).ifPresent(newBindings::addAll);
policy.setBindings(newBindings);
notebooks.instances().setIamPolicy(instanceName, new SetIamPolicyRequest().setPolicy(policy)).execute();
} catch (IOException e) {
return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, e);
}
return StepResult.getStepResultSuccess();
}
use of com.google.api.services.notebooks.v1.model.SetIamPolicyRequest in project terra-workspace-manager by DataBiosphere.
the class PetSaService method enablePetServiceAccountImpersonationWithEtag.
/**
* Grant a user's proxy group permission to impersonate their pet service account in a given
* workspace. Unlike other operations, this does not run as a flight because it only requires one
* write operation. If the user's pet SA does not exist, this will create it. This operation is
* idempotent.
*
* <p>The provided workspace must have a GCP context.
*
* <p>This method does not authenticate that the user should have access to impersonate their pet
* SA, callers should validate this first.
*
* <p>userToEnableEmail is separate from token because of RevokePetUsagePermissionStep.undoStep().
* If User A removes B from workspace, userToEnableEmail is B and token is from A's userRequest.
*
* @param workspaceUuid ID of the workspace to enable pet SA in
* @param userToEnableEmail The user whose proxy group will be granted permission.
* @param userReq Auth info for calling SAM. Do not use userReq.getEmail() here; it will return
* the caller's email, but there's no guarantee whether that will be an end-user email or a
* pet SA email.
* @param eTag GCP eTag which must match the pet SA's current policy. If null, this is ignored.
* @return The new IAM policy on the user's pet service account, or empty if the eTag value
* provided is non-null and does not match current IAM policy on the pet SA.
*/
public Optional<Policy> enablePetServiceAccountImpersonationWithEtag(UUID workspaceUuid, String userToEnableEmail, AuthenticatedUserRequest userReq, @Nullable String eTag) {
String projectId = gcpCloudContextService.getRequiredGcpProject(workspaceUuid);
Optional<ServiceAccountName> maybePetSaName = getUserPetSa(projectId, userToEnableEmail, userReq);
// If the pet SA does not exist and no eTag is specified, create the pet SA and continue.
if (maybePetSaName.isEmpty()) {
if (eTag == null) {
String saEmail = SamRethrow.onInterrupted(() -> samService.getOrCreatePetSaEmail(gcpCloudContextService.getRequiredGcpProject(workspaceUuid), userReq.getRequiredToken()), "enablePet");
maybePetSaName = Optional.of(ServiceAccountName.builder().projectId(projectId).email(saEmail).build());
} else {
// so return empty optional.
return Optional.empty();
}
}
// Pet name is populated above, so it's always safe to unwrap here.
ServiceAccountName petSaName = maybePetSaName.get();
String proxyGroupEmail = SamRethrow.onInterrupted(() -> samService.getProxyGroupEmail(userToEnableEmail, userReq.getRequiredToken()), "enablePet");
String targetMember = "group:" + proxyGroupEmail;
try {
Policy saPolicy = crlService.getIamCow().projects().serviceAccounts().getIamPolicy(petSaName).execute();
// clobbering other changes.
if (eTag != null && !saPolicy.getEtag().equals(eTag)) {
logger.warn("GCP IAM policy eTag did not match expected value when granting pet SA access for user {} in workspace {}. This is normal for Step retries.", userToEnableEmail, workspaceUuid);
return Optional.empty();
}
// See if the user is already on the policy. If so, return the policy. This avoids
// calls to set the IAM policy that have a rate limit.
Optional<Binding> serviceAccountUserBinding = findServiceAccountUserBinding(saPolicy);
if (serviceAccountUserBinding.isPresent() && serviceAccountUserBinding.get().getMembers().contains(targetMember)) {
logger.info("user {} is already enabled on petSA {}", userToEnableEmail, petSaName.email());
return Optional.of(saPolicy);
} else if (serviceAccountUserBinding.isPresent()) {
// If a binding exists for the ServiceAccountUser role but the proxy group is not a member,
// add it.
serviceAccountUserBinding.get().getMembers().add(targetMember);
} else {
// Otherwise, create the ServiceAccountUser role binding.
Binding newBinding = new Binding().setRole(SERVICE_ACCOUNT_USER_ROLE).setMembers(ImmutableList.of(targetMember));
// If no bindings exist, getBindings() returns null instead of an empty list.
if (saPolicy.getBindings() != null) {
saPolicy.getBindings().add(newBinding);
} else {
List<Binding> bindingList = new ArrayList<>();
bindingList.add(newBinding);
saPolicy.setBindings(bindingList);
}
}
SetIamPolicyRequest request = new SetIamPolicyRequest().setPolicy(saPolicy);
return Optional.of(crlService.getIamCow().projects().serviceAccounts().setIamPolicy(petSaName, request).execute());
} catch (IOException e) {
return handleProxyUpdateError(e, "enabling");
}
}
use of com.google.api.services.notebooks.v1.model.SetIamPolicyRequest in project terra-workspace-manager by DataBiosphere.
the class PetSaService method disablePetServiceAccountImpersonationWithEtag.
/**
* Revoke the permission to impersonate a pet service account granted by {@code
* enablePetServiceAccountImpersonation}. Unlike other operations, this does not run in a flight
* because it only requires one write operation. This operation is idempotent.
*
* <p>This method requires a user's pet service account email as input. As a transitive
* dependency, this also means the provided workspace must have a GCP context.
*
* <p>This method does not authenticate that the user should have access to impersonate their pet
* SA, callers should validate this first.
*
* @param workspaceUuid ID of the workspace to disable pet SA in
* @param userToDisableEmail The user losing access to pet SA
* @param userRequest This request's token will be used to authenticate SAM requests
* @param eTag GCP eTag which must match the pet SA's current policy. If null, this is ignored.
*/
public Optional<Policy> disablePetServiceAccountImpersonationWithEtag(UUID workspaceUuid, String userToDisableEmail, AuthenticatedUserRequest userRequest, @Nullable String eTag) {
String proxyGroupEmail = SamRethrow.onInterrupted(() -> samService.getProxyGroupEmail(userToDisableEmail, userRequest.getRequiredToken()), "disablePet");
String targetMember = "group:" + proxyGroupEmail;
String projectId = gcpCloudContextService.getRequiredGcpProject(workspaceUuid);
try {
Optional<ServiceAccountName> userToDisablePetSA = getUserPetSa(projectId, userToDisableEmail, userRequest);
if (userToDisablePetSA.isEmpty()) {
return Optional.empty();
}
Policy saPolicy = crlService.getIamCow().projects().serviceAccounts().getIamPolicy(userToDisablePetSA.get()).execute();
// clobbering other changes.
if (eTag != null && !saPolicy.getEtag().equals(eTag)) {
logger.warn("GCP IAM policy eTag did not match expected value when revoking pet SA access for user {} in workspace {}. This is normal for Step retries.", userToDisableEmail, workspaceUuid);
return Optional.empty();
}
// If the member is already not on the policy, we are done
// This handles the case where there are no bindings at all, so we don't
// need to worry about null binding later in the logic.
Optional<Binding> bindingToModify = findServiceAccountUserBinding(saPolicy);
if (bindingToModify.isEmpty() || !bindingToModify.get().getMembers().contains(targetMember)) {
return Optional.empty();
}
bindingToModify.get().getMembers().remove(targetMember);
SetIamPolicyRequest request = new SetIamPolicyRequest().setPolicy(saPolicy);
return Optional.of(crlService.getIamCow().projects().serviceAccounts().setIamPolicy(userToDisablePetSA.get(), request).execute());
} catch (IOException e) {
return handleProxyUpdateError(e, "disabling");
}
}
use of com.google.api.services.notebooks.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.
the class DeviceRegistryExample method setIamPermissions.
// [END iot_get_iam_policy]
// [START iot_set_iam_policy]
/**
* Sets IAM permissions for the given registry.
*/
protected static void setIamPermissions(String projectId, String cloudRegion, String registryName, String member, String role) throws GeneralSecurityException, IOException {
GoogleCredentials credential = GoogleCredentials.getApplicationDefault().createScoped(CloudIotScopes.all());
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
final CloudIot service = new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init).setApplicationName(APP_NAME).build();
final String registryPath = String.format("projects/%s/locations/%s/registries/%s", projectId, cloudRegion, registryName);
com.google.api.services.cloudiot.v1.model.Policy policy = service.projects().locations().registries().getIamPolicy(registryPath, new GetIamPolicyRequest()).execute();
List<com.google.api.services.cloudiot.v1.model.Binding> bindings = policy.getBindings();
boolean addNewRole = true;
if (bindings != null) {
for (com.google.api.services.cloudiot.v1.model.Binding binding : bindings) {
if (binding.getRole().equals(role)) {
List<String> members = binding.getMembers();
members.add(member);
binding.setMembers(members);
addNewRole = false;
}
}
} else {
bindings = new ArrayList<>();
}
if (addNewRole) {
com.google.api.services.cloudiot.v1.model.Binding bind = new com.google.api.services.cloudiot.v1.model.Binding();
bind.setRole(role);
List<String> members = new ArrayList<>();
members.add(member);
bind.setMembers(members);
bindings.add(bind);
}
policy.setBindings(bindings);
SetIamPolicyRequest req = new SetIamPolicyRequest().setPolicy(policy);
policy = service.projects().locations().registries().setIamPolicy(registryPath, req).execute();
System.out.println("Policy ETAG: " + policy.getEtag());
for (com.google.api.services.cloudiot.v1.model.Binding binding : policy.getBindings()) {
System.out.println(String.format("Role: %s", binding.getRole()));
System.out.println("Binding members: ");
for (String mem : binding.getMembers()) {
System.out.println(String.format("\t%s", mem));
}
}
}
Aggregations