class Google::Cloud::Bigquery::Policy::Binding

# Policy::Binding

Represents a Cloud IAM Binding for BigQuery resources within the context of a {Policy}.

A binding binds one or more members to a single role. Member strings can describe user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

@see cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables

@attr [String] role The role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. Required.

@attr [Array<String>] members Specifies the identities requesting access for a Cloud Platform resource.

`members` can have the following values. Required.

* `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
  account.
* `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
  account or a service account.
* `user:<emailid>`: An email address that represents a specific Google account. For example,
  `alice@example.com`.
* `serviceAccount:<emailid>`: An email address that represents a service account. For example,
  `my-other-app@appspot.gserviceaccount.com`.
* `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
* `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
  that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
  is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
  binding.
* `deleted:serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing
  a service account that has been recently deleted. For example,
  `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted,
  this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in
  the binding.
* `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google
  group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the
  group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in
  the binding.
* `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example,
  `google.com` or `example.com`.

@example

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

policy = table.policy
binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }

binding_owner.role #=> "roles/owner"
binding_owner.members #=> ["user:owner@example.com"]

binding_owner.frozen? #=> true
binding_owner.members.frozen? #=> true

@example Update mutable bindings.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  binding_owner = p.bindings.find { |b| b.role == "roles/owner" }
  binding_owner.members.delete_if { |m| m.include? "@example.com" }
end
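
The member formats listed above can be checked mechanically when reviewing a policy. The following is an added example, not part of the library or its documentation: `parse_member`, `audit_bindings` and the sample data are hypothetical names and constructed values, and the rule that a `?uid=` suffix appears only on `deleted:` members is an assumption read from the format list.

```ruby
# Added example: plain Ruby, no API calls. Formats follow the member list above.
PUBLIC_MEMBERS = %w[allUsers allAuthenticatedUsers].freeze
PRINCIPAL_RE = /\A(?<deleted>deleted:)?(?<type>user|serviceAccount|group):
                (?<email>[^?\s]+@[^?\s]+)(?:\?uid=(?<uid>\d+))?\z/x
DOMAIN_RE = /\Adomain:(?<domain>[^\s:@]+)\z/

# Classify one member string into a hash describing the principal.
def parse_member(member)
  return { kind: :public, id: member } if PUBLIC_MEMBERS.include?(member)
  if (d = DOMAIN_RE.match(member))
    return { kind: :domain, id: d[:domain] }
  end
  m = PRINCIPAL_RE.match(member)
  # Assumption: a uid suffix is present if and only if the member is deleted.
  return { kind: :invalid, id: member } if m.nil? || (m[:deleted].nil? != m[:uid].nil?)
  { kind: m[:type].to_sym, id: m[:email], deleted: !m[:deleted].nil?, uid: m[:uid] }
end

# Return one finding per member that grants broad access, refers to a
# deleted principal, or does not match any documented format.
def audit_bindings(bindings)
  bindings.flat_map do |role, members|
    members.map do |member|
      parsed = parse_member(member)
      issue =
        case parsed[:kind]
        when :public  then :public_access
        when :domain  then :domain_wide
        when :invalid then :malformed
        else :deleted_principal if parsed[:deleted]
        end
      { role: role, member: member, issue: issue } if issue
    end.compact
  end
end

# Constructed sample data: role => members, as read from a policy.
SAMPLE_BINDINGS = {
  "roles/viewer" => ["allAuthenticatedUsers", "user:alice@example.com", "domain:example.com"],
  "roles/owner"  => [
    "deleted:serviceAccount:my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901",
    "deleted: serviceAccount:my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901"
  ]
}.freeze

audit_bindings(SAMPLE_BINDINGS).each { |f| puts "#{f[:issue]}: #{f[:role]} -> #{f[:member]}" }
```

With a real table, the input can be built from the attributes shown above, for example `policy.bindings.map { |b| [b.role, b.members] }`.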

Attributes

members[R]
role[RW]

Public Class Methods

from_gapi(gapi)

@private New Binding from a Google::Apis::BigqueryV2::Binding object.

# File lib/google/cloud/bigquery/policy.rb, line 416
def self.from_gapi gapi
  # A Binding carries a role and members; the constructor expects the role first.
  new gapi.role, gapi.members.to_a
end

new(role, members)

@private

# File lib/google/cloud/bigquery/policy.rb, line 356
def initialize role, members
  members = Array(members).uniq
  raise ArgumentError, "members cannot be empty" if members.empty?
  @role = role
  @members = members
end

Public Instance Methods

freeze()

@private Deep freeze the policy including its members.

Calls superclass method
# File lib/google/cloud/bigquery/policy.rb, line 406
def freeze
  super
  role.freeze
  members.each(&:freeze)
  members.freeze
  self
end

members=(new_members)

Sets the binding members.

@param [Array<String>] new_members Specifies the identities requesting access for a Cloud Platform resource.

`new_members` can have the following values. Required.

* `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
  account.
* `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
  account or a service account.
* `user:<emailid>`: An email address that represents a specific Google account. For example,
  `alice@example.com`.
* `serviceAccount:<emailid>`: An email address that represents a service account. For example,
  `my-other-app@appspot.gserviceaccount.com`.
* `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
* `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
  that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
  is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
  binding.
* `deleted:serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier)
  representing a service account that has been recently deleted. For example,
  `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is
  undeleted, this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains
  the role in the binding.
* `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a
  Google group that has been recently deleted. For example,
  `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to
  `group:<emailid>` and the recovered group retains the role in the binding.
* `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For
  example, `google.com` or `example.com`.

# File lib/google/cloud/bigquery/policy.rb, line 394
def members= new_members
  @members = Array(new_members).uniq
end

to_gapi()

@private Convert the Binding to a Google::Apis::BigqueryV2::Binding.

# File lib/google/cloud/bigquery/policy.rb, line 400
def to_gapi
  Google::Apis::BigqueryV2::Binding.new role: role, members: members
end