BigQuery API - Class Google::Cloud::Bigquery::Policy (v1.40.0)

Reference documentation and code samples for the BigQuery API class Google::Cloud::Bigquery::Policy.

Policy

Represents a Cloud IAM Policy for BigQuery resources.

A Policy is a collection of bindings. A Binding binds one or more members to a single role. Member strings can describe user accounts, service accounts, Google groups, and domains. A role string represents a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

Inherits

  • Object

Examples

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"
policy = table.policy

policy.frozen? #=> true
binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }

binding_owner.role #=> "roles/owner"
binding_owner.members #=> ["user:owner@example.com"]
binding_owner.frozen? #=> true
binding_owner.members.frozen? #=> true

Update mutable bindings in the policy.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.grant role: "roles/viewer", members: "user:viewer@example.com"
  p.revoke role: "roles/editor", members: "user:editor@example.com"
  p.revoke role: "roles/owner"
end

Iterate over frozen bindings.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"
policy = table.policy

policy.frozen? #=> true
policy.bindings.each do |b|
  puts b.role
  puts b.members
end

Update mutable bindings.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.bindings.each do |b|
    b.members.delete_if { |m| m.include? "@example.com" }
  end
end

Methods

#bindings

def bindings() -> Array<Binding>

The bindings in the policy, which may be mutable or frozen depending on the context. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Returns
  • (Array<Binding>) — the current value of bindings

#bindings=

def bindings=(value) -> Array<Binding>

The bindings in the policy, which may be mutable or frozen depending on the context. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Parameter
  • value (Array<Binding>) — the newly set value
Returns
  • (Array<Binding>) — the newly set value

#etag

def etag() -> String

Used to check if the policy has changed since the last request. When you make a request with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match.

Returns
  • (String) — the current value of etag

#etag=

def etag=(value) -> String

Used to check if the policy has changed since the last request. When you make a request with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match.

Parameter
  • value (String) — the newly set value
Returns
  • (String) — the newly set value

#grant

def grant(role:, members:) -> nil

Convenience method adding or updating a binding in the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Parameters
  • role (String) — The role that is bound to members in the binding. For example, roles/viewer, roles/editor, or roles/owner. Required.
  • members (String, Array<String>) —

    Specifies the identities requesting access for a Cloud Platform resource. members can have the following values. Required.

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:<emailid>: An email address that represents a specific Google account. For example, alice@example.com.
    • serviceAccount:<emailid>: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:<emailid>: An email address that represents a Google group. For example, admins@example.com.
    • deleted:user:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:<emailid> and the recovered user retains the role in the binding.
    • deleted: serviceAccount:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:<emailid> and the undeleted service account retains the role in the binding.
    • deleted:group:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:<emailid> and the recovered group retains the role in the binding.
    • domain:<domain>: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.
Returns
  • (nil)
Example

Grant a role to a member.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.grant role: "roles/viewer", members: "user:viewer@example.com"
end

#revoke

def revoke(role: nil, members: nil) -> nil

Convenience method for removing a binding or bindings from the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.

Parameters
  • role (String) (defaults to: nil) — A role that is bound to members in the policy. For example, roles/viewer, roles/editor, or roles/owner. Optional.
  • members (String, Array<String>) (defaults to: nil)

    Specifies the identities receiving access for a Cloud Platform resource. members can have the following values. Optional.

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:<emailid>: An email address that represents a specific Google account. For example, alice@example.com.
    • serviceAccount:<emailid>: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:<emailid>: An email address that represents a Google group. For example, admins@example.com.
    • deleted:user:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:<emailid> and the recovered user retains the role in the binding.
    • deleted: serviceAccount:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:<emailid> and the undeleted service account retains the role in the binding.
    • deleted:group:<emailid>?uid=<uniqueid>: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:<emailid> and the recovered group retains the role in the binding.
    • domain:<domain>: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.
Returns
  • (nil)
Examples

Revoke a role for a member or members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke role: "roles/viewer", members: "user:viewer@example.com"
end

Revoke a role for all members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke role: "roles/viewer"
end

Revoke all roles for a member or members.

require "google/cloud/bigquery"

bigquery = Google::Cloud::Bigquery.new
dataset = bigquery.dataset "my_dataset"
table = dataset.table "my_table"

table.update_policy do |p|
  p.revoke members: ["user:viewer@example.com", "user:editor@example.com"]
end