class Google::Cloud::Bigquery::Policy::Binding
Represents a Cloud IAM Binding for BigQuery resources within the context of a {Policy}.
A binding binds one or more members to a single role. Member strings can describe user accounts, service accounts, Google
groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
@see cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables
@attr [String] role The role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or
`roles/owner`. Required.
@attr [Array<String>] members Specifies the identities requesting access for a Cloud Platform resource.
`members` can have the following values. Required.

* `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
* `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
* `user:<emailid>`: An email address that represents a specific Google account. For example, `alice@example.com`.
* `serviceAccount:<emailid>`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
* `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
* `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the binding.
* `deleted:serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in the binding.
* `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in the binding.
* `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
@example
    require "google/cloud/bigquery"

    bigquery = Google::Cloud::Bigquery.new
    dataset = bigquery.dataset "my_dataset"
    table = dataset.table "my_table"
    policy = table.policy

    binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }
    binding_owner.role #=> "roles/owner"
    binding_owner.members #=> ["user:owner@example.com"]

    binding_owner.frozen? #=> true
    binding_owner.members.frozen? #=> true
@example Update mutable bindings.
    require "google/cloud/bigquery"

    bigquery = Google::Cloud::Bigquery.new
    dataset = bigquery.dataset "my_dataset"
    table = dataset.table "my_table"

    table.update_policy do |p|
      binding_owner = p.bindings.find { |b| b.role == "roles/owner" }
      binding_owner.members.delete_if { |m| m.include? "@example.com" }
    end
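An added example, not part of the library or its documentation: a stand-alone audit that parses binding members against the member formats listed above and reports the entries a reviewer would check first. `BindingView`, the sample bindings and the choice of which kinds to report are assumptions made for illustration; the code only relies on the `role` and `members` readers that a binding exposes.

```ruby
# Added example, not library code. BindingView is a hypothetical stand-in with
# the same `role` and `members` readers as Policy::Binding.
BindingView = Struct.new(:role, :members)

PUBLIC_MEMBERS = %w[allUsers allAuthenticatedUsers].freeze
MEMBER_RE = /\A(?<deleted>deleted:)?(?<type>user|serviceAccount|group):(?<email>[^@\s?]+@[^@\s?]+)(?:\?uid=(?<uid>\d+))?\z/
DOMAIN_RE = /\Adomain:(?<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\z/i
# Which kinds are reported, and the wording, are this example's own choices.
REASONS = { public: "public principal", domain: "domain-wide grant",
            deleted: "deleted principal still bound",
            malformed: "unrecognized member format" }.freeze

# Classify one member string; a bare e-mail without its type prefix is malformed.
def classify_member(member)
  return { kind: :public, value: member } if PUBLIC_MEMBERS.include?(member)
  if (d = DOMAIN_RE.match(member))
    return { kind: :domain, value: d[:domain] }
  end
  m = MEMBER_RE.match(member)
  # A deleted principal carries ?uid=...; a live principal must not.
  return { kind: :malformed, value: member } if m.nil? || (m[:deleted].nil? != m[:uid].nil?)
  { kind: (m[:deleted] ? :deleted : m[:type].to_sym), value: m[:email], uid: m[:uid] }
end

# Return one finding per member whose kind appears in REASONS.
def audit_bindings(bindings)
  bindings.flat_map do |b|
    b.members.map do |member|
      reason = REASONS[classify_member(member)[:kind]]
      { role: b.role, member: member, reason: reason } if reason
    end.compact
  end
end

# Members left after dropping public and deleted principals (input for `members=`).
def retained_members(members)
  members.reject { |m| %i[public deleted].include?(classify_member(m)[:kind]) }
end

# Constructed sample data, shaped like the bindings of a table policy.
SAMPLE_BINDINGS = [
  BindingView.new("roles/owner", ["user:owner@example.com"]),
  BindingView.new("roles/viewer", ["allAuthenticatedUsers", "group:admins@example.com", "domain:example.com"]),
  BindingView.new("roles/editor", ["deleted:user:alice@example.com?uid=123456789012345678901", "alice@example.com"])
].freeze

audit_bindings(SAMPLE_BINDINGS).each { |f| puts "#{f[:role]}: #{f[:member]} (#{f[:reason]})" }
```

With a real policy, the same functions can be applied to `table.policy.bindings`, and `retained_members` can supply the list assigned inside a `table.update_policy` block.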
Attributes
Public Class Methods
@private New Binding from a Google::Apis::BigqueryV2::Binding object.

    # File lib/google/cloud/bigquery/policy.rb, line 416
    def self.from_gapi gapi
      new gapi.etag, gapi.members.to_a
    end
@private
    # File lib/google/cloud/bigquery/policy.rb, line 356
    def initialize role, members
      members = Array(members).uniq
      raise ArgumentError, "members cannot be empty" if members.empty?
      @role = role
      @members = members
    end
Public Instance Methods
@private Deep freeze the policy including its members.
    # File lib/google/cloud/bigquery/policy.rb, line 406
    def freeze
      super
      role.freeze
      members.each(&:freeze)
      members.freeze
      self
    end
Sets the binding members.
@param [Array<String>] new_members Specifies the identities requesting access for a Cloud Platform resource.
`new_members` can have the following values. Required.

* `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
* `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
* `user:<emailid>`: An email address that represents a specific Google account. For example, `alice@example.com`.
* `serviceAccount:<emailid>`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
* `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
* `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the binding.
* `deleted:serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in the binding.
* `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in the binding.
* `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
    # File lib/google/cloud/bigquery/policy.rb, line 394
    def members= new_members
      @members = Array(new_members).uniq
    end