class Google::Cloud::Storage::PolicyV3

A subclass of {Google::Cloud::Storage::Policy} that supports access to {#bindings} and {#version=}. Attempts to call {#roles} and related helpers will raise a runtime error. This class may be used to update the Policy version and add bindings with the newer syntax. To obtain instances of this class, call {Google::Cloud::Storage::Bucket#policy} with `requested_policy_version: 3`.

@attr [Bindings] bindings Returns the Policy's bindings object, which associates roles with
an array of members. Conditions can be configured on the {Binding} object. See
[Understanding Roles](https://cloud.google.com/iam/docs/understanding-roles) for a
listing of primitive and curated roles. See [Buckets:
setIamPolicy](https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy)
for a listing of values and patterns for members.

@example Updating Policy version 1 to version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access = true

bucket.policy requested_policy_version: 3 do |p|
  p.version # the value is 1
  p.version = 3

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

@example Using Policy version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access? # true

bucket.policy requested_policy_version: 3 do |p|
  p.version = 3 # Must be explicitly set to opt-in to support for conditions.

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

Attributes

bindings[R]

Public Class Methods

from_gapi(gapi)

@private New Policy from a Google::Apis::StorageV1::Policy object.

# File lib/google/cloud/storage/policy.rb, line 457
def self.from_gapi gapi
  new gapi.etag, gapi.version, Array(gapi.bindings).map(&:to_h)
end

new(etag, version, bindings)

@private Creates a PolicyV3 object.

Calls superclass method Google::Cloud::Storage::Policy::new

# File lib/google/cloud/storage/policy.rb, line 340
def initialize etag, version, bindings
  super etag, version
  @bindings = Bindings.new
  @bindings.insert(*bindings)
end

Public Instance Methods

add(*)

@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

# File lib/google/cloud/storage/policy.rb, line 412
# Role-centric helper from Policy (version 1); all v3 state lives in #bindings.
def add(*)
  raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
end

deep_dup()

@private Illegal operation in PolicyV3. Deprecated in PolicyV1.

@raise [RuntimeError] If called on this class.

# File lib/google/cloud/storage/policy.rb, line 439
def deep_dup
  raise "Illegal operation when using PolicyV3. Deprecated in PolicyV1."
end

remove(*)

@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

# File lib/google/cloud/storage/policy.rb, line 421
# Role-centric helper from Policy (version 1); all v3 state lives in #bindings.
def remove(*)
  raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
end

role(*)

@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

# File lib/google/cloud/storage/policy.rb, line 430
# Role-centric helper from Policy (version 1); all v3 state lives in #bindings.
def role(*)
  raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
end

roles()

@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

# File lib/google/cloud/storage/policy.rb, line 403
# Role-centric helper from Policy (version 1); all v3 state lives in #bindings.
def roles
  raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
end

to_gapi()

@private Convert the PolicyV3 to a Google::Apis::StorageV1::Policy.

# File lib/google/cloud/storage/policy.rb, line 446
def to_gapi
  Google::Apis::StorageV1::Policy.new(
    etag: etag,
    version: version,
    bindings: bindings.to_gapi
  )
end

version=(new_version)

Updates the syntax schema version of the policy. Each version of the policy contains a specific syntax schema that can be used by bindings. The newer version may contain role bindings with the newer syntax schema that is unsupported by earlier versions. This field is not intended to be used for any purposes other than policy syntax schema control.

The following policy versions are valid:

  • 1 - The first version of Cloud IAM policy schema. Supports binding one role to one or more members. Does not support conditional bindings.

  • 3 - Introduces the condition field in the role binding, which further constrains the role binding via context-based and attribute-based rules. See [Understanding policies](cloud.google.com/iam/docs/policies) and [Overview of Cloud IAM Conditions](cloud.google.com/iam/docs/conditions-overview) for more information.

@param [Integer] new_version The syntax schema version of the policy.

@see cloud.google.com/iam/docs/policies#versions Policy versions

@example Updating Policy version 1 to version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access = true

bucket.policy requested_policy_version: 3 do |p|
  p.version # the value is 1
  p.version = 3

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

# File lib/google/cloud/storage/policy.rb, line 391
def version= new_version
  if new_version < version
    raise "new_version (#{new_version}) cannot be less than the current version (#{version})."
  end
  @version = new_version
end
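The class description above shows conditional bindings being inserted through {#bindings}, and {#version=} explains that such bindings need schema version 3 and that the version can never be lowered. The following added example (not part of the google-cloud-storage gem) ties the two together in plain Ruby: it builds a binding hash in the shape the examples pass to `p.bindings.insert`, computes the version to set before a write, and audits a bindings array for the findings a reviewer would want before the policy is saved. The helper names, the `MEMBER_PATTERN` regexp and the symbol-keyed hash form are this example's own assumptions; nothing here contacts Cloud Storage.

```ruby
# Added example; not part of the google-cloud-storage gem. Works on plain hashes in
# the shape the class examples pass to PolicyV3#bindings.insert (symbol keys assumed).

# IAM member forms accepted by Buckets: setIamPolicy (assumed complete enough here).
MEMBER_PATTERN = /\A(allUsers|allAuthenticatedUsers|(user|serviceAccount|group|domain|projectOwner|projectEditor|projectViewer):\S+)\z/
PUBLIC_MEMBERS = %w[allUsers allAuthenticatedUsers].freeze

# Quote a string as a CEL string literal: double quotes, backslash escapes.
def cel_string_literal(str)
  '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Build a conditional binding scoped to objects under +prefix+ in +bucket+, using the
# same resource.name.startsWith(...) expression as the class examples.
def prefix_condition_binding(role:, members:, bucket:, prefix:, title:, description: "")
  raise ArgumentError, "role must be of the form roles/<name>" unless role.start_with?("roles/")
  bad = members.reject { |m| MEMBER_PATTERN.match?(m) }
  raise ArgumentError, "unrecognised member(s): #{bad.join(', ')}" unless bad.empty?
  resource = "projects/_/buckets/#{bucket}/objects/#{prefix}"
  {
    role: role,
    members: members,
    condition: {
      title: title,
      description: description,
      expression: "resource.name.startsWith(#{cel_string_literal(resource)})"
    }
  }
end

# Version 3 is required as soon as any binding carries a condition (see #version=).
def minimum_policy_version(bindings)
  bindings.any? { |b| b[:condition] } ? 3 : 1
end

# The version to set before saving: never below the current one (PolicyV3#version=
# raises on a downgrade) and at least what the bindings require.
def target_policy_version(current_version, bindings)
  [current_version, minimum_policy_version(bindings)].max
end

# Findings a reviewer would want to see before the policy is written back.
def audit_bindings(bindings)
  findings = []
  bindings.each do |b|
    public_members = Array(b[:members]) & PUBLIC_MEMBERS
    unless public_members.empty?
      findings << "#{b[:role]} granted to public principal(s): #{public_members.join(', ')}"
    end
    cond = b[:condition]
    if cond && cond[:expression].to_s.strip.empty?
      findings << "#{b[:role]} carries a condition with an empty expression"
    end
  end
  findings
end

# Usage against a live bucket (assumes the gem and credentials; not executed here):
#   bucket.policy requested_policy_version: 3 do |p|
#     binding = prefix_condition_binding(role: "roles/storage.objectViewer",
#                                        members: ["user:owner@example.com"],
#                                        bucket: "my-bucket", prefix: "prefix-a-",
#                                        title: "my-condition")
#     p.version = target_policy_version(p.version, [binding])
#     warn audit_bindings([binding]).join("\n")
#     p.bindings.insert binding
#   end
```

`target_policy_version` encodes the rule from {#version=} so a script never tries to write version 1 over a policy that was read at version 3, and `audit_bindings` surfaces public principals (`allUsers`, `allAuthenticatedUsers`) because a condition on a public binding is easy to misread as a restriction that does not exist for unconditional bindings on the same role.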