Reference documentation and code samples for the BigQuery API class Google::Cloud::Bigquery::Policy.
Policy
Represents a Cloud IAM Policy for BigQuery resources.
A Policy is a collection of bindings. A Binding binds one or more members to a single role. Member strings can describe user accounts, service accounts, Google groups, and domains. A role string represents a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
Inherits
- Object
Examples
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" policy = table.policy policy.frozen? #=> true binding_owner = policy.bindings.find { |b| b.role == "roles/owner" } binding_owner.role #=> "roles/owner" binding_owner.members #=> ["user:owner@example.com"] binding_owner.frozen? #=> true binding_owner.members.frozen? #=> true
Update mutable bindings in the policy.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.grant role: "roles/viewer", members: "user:viewer@example.com" p.revoke role: "roles/editor", members: "user:editor@example.com" p.revoke role: "roles/owner" end
Iterate over frozen bindings.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" policy = table.policy policy.frozen? #=> true policy.bindings.each do |b| puts b.role puts b.members end
Update mutable bindings.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.bindings.each do |b| b.members.delete_if { |m| m.include? "@example.com" } end end
Methods
#bindings
def bindings() -> Array<Binding>
The bindings in the policy, which may be mutable or frozen depending on the context. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.
- (Array<Binding>) — the current value of bindings
#bindings=
def bindings=(value) -> Array<Binding>
The bindings in the policy, which may be mutable or frozen depending on the context. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.
- value (Array<Binding>) — the newly set value
- (Array<Binding>) — the newly set value
#etag
def etag() -> String
Used to check if the policy has changed since the last request. When you make a request with
an etag
value, Cloud IAM compares the etag
value in the request with the existing etag
value associated
with the policy. It writes the policy only if the etag
values match.
- (String) — the current value of etag
#etag=
def etag=(value) -> String
Used to check if the policy has changed since the last request. When you make a request with
an etag
value, Cloud IAM compares the etag
value in the request with the existing etag
value associated
with the policy. It writes the policy only if the etag
values match.
- value (String) — the newly set value
- (String) — the newly set value
#grant
def grant(role:, members:) -> nil
Convenience method adding or updating a binding in the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.
-
role (String) — The role that is bound to members in the binding. For example,
roles/viewer
,roles/editor
, orroles/owner
. Required. -
members (String, Array<String>) —
Specifies the identities requesting access for a Cloud Platform resource.
members
can have the following values. Required.allUsers
: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers
: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:<emailid>
: An email address that represents a specific Google account. For example,alice@example.com
.serviceAccount:<emailid>
: An email address that represents a service account. For example,my-other-app@appspot.gserviceaccount.com
.group:<emailid>
: An email address that represents a Google group. For example,admins@example.com
.deleted:user:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a user that has been recently deleted. For example,alice@example.com?uid=123456789012345678901
. If the user is recovered, this value reverts touser:<emailid>
and the recovered user retains the role in the binding.deleted: serviceAccount:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a service account that has been recently deleted. For example,my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901
. If the service account is undeleted, this value reverts toserviceAccount:<emailid>
and the undeleted service account retains the role in the binding.deleted:group:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example,admins@example.com?uid=123456789012345678901
. If the group is recovered, this value reverts togroup:<emailid>
and the recovered group retains the role in the binding.domain:<domain>
: The G Suite domain (primary) that represents all the users of that domain. For example,google.com
orexample.com
.
- (nil)
Grant a role to a member.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.grant role: "roles/viewer", members: "user:viewer@example.com" end
#revoke
def revoke(role: nil, members: nil) -> nil
Convenience method for removing a binding or bindings from the policy. See Understanding Roles for a list of primitive and curated roles. See BigQuery Table ACL permissions for a list of values and patterns for members.
-
role (String) (defaults to: nil) — A role that is bound to members in the policy. For example,
roles/viewer
,roles/editor
, orroles/owner
. Optional. -
members (String, Array<String>) (defaults to: nil) —
Specifies the identities receiving access for a Cloud Platform resource.
members
can have the following values. Optional.allUsers
: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers
: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:<emailid>
: An email address that represents a specific Google account. For example,alice@example.com
.serviceAccount:<emailid>
: An email address that represents a service account. For example,my-other-app@appspot.gserviceaccount.com
.group:<emailid>
: An email address that represents a Google group. For example,admins@example.com
.deleted:user:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a user that has been recently deleted. For example,alice@example.com?uid=123456789012345678901
. If the user is recovered, this value reverts touser:<emailid>
and the recovered user retains the role in the binding.deleted: serviceAccount:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a service account that has been recently deleted. For example,my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901
. If the service account is undeleted, this value reverts toserviceAccount:<emailid>
and the undeleted service account retains the role in the binding.deleted:group:<emailid>?uid=<uniqueid>
: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example,admins@example.com?uid=123456789012345678901
. If the group is recovered, this value reverts togroup:<emailid>
and the recovered group retains the role in the binding.domain:<domain>
: The G Suite domain (primary) that represents all the users of that domain. For example,google.com
orexample.com
.
- (nil)
Revoke a role for a member or members.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.revoke role: "roles/viewer", members: "user:viewer@example.com" end
Revoke a role for all members.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.revoke role: "roles/viewer" end
Revoke all roles for a member or members.
require "google/cloud/bigquery" bigquery = Google::Cloud::Bigquery.new dataset = bigquery.dataset "my_dataset" table = dataset.table "my_table" table.update_policy do |p| p.revoke members: ["user:viewer@example.com", "user:editor@example.com"] end