class Google::Cloud::Storage::PolicyV3
A subclass of {Google::Cloud::Storage::Policy} that supports access to {#bindings} and {#version=}. Attempts to call {#roles} and related helpers ({#role}, {#add}, {#remove}) raise a RuntimeError. This class may be used to update the Policy version and add bindings with the newer syntax, including IAM Conditions. To obtain instances of this class, call {Google::Cloud::Storage::Bucket#policy} with `requested_policy_version: 3`.
@attr [Bindings] bindings Returns the Policy's bindings object, which associates roles with an array of members. Conditions can be configured on the {Binding} object. See [Understanding Roles](https://cloud.google.com/iam/docs/understanding-roles) for a listing of primitive and curated roles. See [Buckets: setIamPolicy](https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy) for a listing of values and patterns for members.
@example Updating Policy version 1 to version 3:

    require "google/cloud/storage"

    storage = Google::Cloud::Storage.new
    bucket = storage.bucket "my-bucket"

    # IAM Conditions on a bucket require uniform bucket-level access.
    bucket.uniform_bucket_level_access = true

    bucket.policy requested_policy_version: 3 do |p|
      p.version # the value is 1
      p.version = 3
      # The resource name in the condition must name this same bucket;
      # a different bucket name makes the condition never match.
      expr = "resource.name.startsWith(\"projects/_/buckets/my-bucket/objects/prefix-a-\")"
      p.bindings.insert({
        role: "roles/storage.admin",
        members: ["user:owner@example.com"],
        condition: {
          title: "my-condition",
          description: "description of condition",
          expression: expr
        }
      })
    end
@example Using Policy version 3:

    require "google/cloud/storage"

    storage = Google::Cloud::Storage.new
    bucket = storage.bucket "my-bucket"
    bucket.uniform_bucket_level_access? # true

    bucket.policy requested_policy_version: 3 do |p|
      p.version = 3 # Must be explicitly set to opt-in to support for conditions.
      # The resource name in the condition must name this same bucket.
      expr = "resource.name.startsWith(\"projects/_/buckets/my-bucket/objects/prefix-a-\")"
      p.bindings.insert({
        role: "roles/storage.admin",
        members: ["user:owner@example.com"],
        condition: {
          title: "my-condition",
          description: "description of condition",
          expression: expr
        }
      })
    end
Attributes
Public Class Methods
@private New Policy from a Google::Apis::StorageV1::Policy object.

    # File lib/google/cloud/storage/policy.rb, line 457
    def self.from_gapi gapi
      new gapi.etag, gapi.version, Array(gapi.bindings).map(&:to_h)
    end
@private Creates a PolicyV3 object.

Calls superclass method Google::Cloud::Storage::Policy::new

    # File lib/google/cloud/storage/policy.rb, line 340
    def initialize etag, version, bindings
      super etag, version
      @bindings = Bindings.new
      @bindings.insert(*bindings)
    end
Public Instance Methods
@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

    # File lib/google/cloud/storage/policy.rb, line 412
    def add(*)
      raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
    end
@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

    # File lib/google/cloud/storage/policy.rb, line 421
    def remove(*)
      raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
    end
@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

    # File lib/google/cloud/storage/policy.rb, line 430
    def role(*)
      raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
    end
@private Illegal operation in PolicyV3. Use {#bindings} instead.

@raise [RuntimeError] If called on this class.

    # File lib/google/cloud/storage/policy.rb, line 403
    def roles
      raise "Illegal operation when using PolicyV3. Use Policy#bindings instead."
    end
Updates the syntax schema version of the policy. Each version of the policy contains a specific syntax schema that can be used by bindings. The newer version may contain role bindings with the newer syntax schema that is unsupported by earlier versions. This field is not intended to be used for any purposes other than policy syntax schema control.

The following policy versions are valid:

- 1 - The first version of Cloud IAM policy schema. Supports binding one role to one or more members. Does not support conditional bindings.
- 3 - Introduces the condition field in the role binding, which further constrains the role binding via context-based and attribute-based rules. See [Understanding policies](https://cloud.google.com/iam/docs/policies) and [Overview of Cloud IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview) for more information.

The version can only be raised, never lowered: assigning a value below the current version raises a RuntimeError.

@param [Integer] new_version The syntax schema version of the policy.

@see https://cloud.google.com/iam/docs/policies#versions Policy versions
@example Updating Policy version 1 to version 3:

    require "google/cloud/storage"

    storage = Google::Cloud::Storage.new
    bucket = storage.bucket "my-bucket"

    # IAM Conditions on a bucket require uniform bucket-level access.
    bucket.uniform_bucket_level_access = true

    bucket.policy requested_policy_version: 3 do |p|
      p.version # the value is 1
      p.version = 3
      # The resource name in the condition must name this same bucket.
      expr = "resource.name.startsWith(\"projects/_/buckets/my-bucket/objects/prefix-a-\")"
      p.bindings.insert({
        role: "roles/storage.admin",
        members: ["user:owner@example.com"],
        condition: {
          title: "my-condition",
          description: "description of condition",
          expression: expr
        }
      })
    end

    # File lib/google/cloud/storage/policy.rb, line 391
    def version= new_version
      if new_version < version
        raise "new_version (#{new_version}) cannot be less than the current version (#{version})."
      end
      @version = new_version
    end
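The gem's own `version=` only enforces that the version never goes down; whether a conditional binding is acceptable for the chosen version, and whether the condition actually refers to the bucket being edited, is only discovered when setIamPolicy is called (or, for a wrong bucket name, not at all, since the condition silently never matches). The following added example, which is not part of google-cloud-storage, is a local pre-flight check over the same role/members/condition hashes that `PolicyV3#initialize` and `Bindings#insert` accept, covering both the class overview above and the version rules of this method. `PolicyPreflight`, `check_update` and `bucket_mismatches` are hypothetical names, and the input is constructed. It cannot verify the uniform bucket-level access requirement, which needs a call to the bucket.

```ruby
# Added example, not part of google-cloud-storage: a local pre-flight check for a
# PolicyV3 update before it is sent to setIamPolicy. PolicyPreflight and
# check_update are hypothetical names; the binding hashes use the same
# role/members/condition shape that PolicyV3#initialize and Bindings#insert take.
class PolicyPreflight
  # Versions the PolicyV3 docs list as valid.
  VALID_VERSIONS = [1, 3].freeze

  # Object resource name as it appears in a Cloud Storage IAM Condition.
  RESOURCE_NAME = %r{\Aprojects/_/buckets/([^/"]+)(?:/objects/.*)?\z}.freeze

  Result = Struct.new(:ok, :problems) do
    def ok?
      ok
    end
  end

  def initialize(bucket_name, current_version)
    @bucket_name = bucket_name
    @current_version = current_version
  end

  # Returns a Result whose #problems is an Array of Strings (empty when the
  # update looks safe to send).
  def check_update(new_version:, bindings:)
    problems = []

    # Same invariant as PolicyV3#version=: the schema version can only go up.
    if new_version < @current_version
      problems << "new_version (#{new_version}) cannot be less than the current version (#{@current_version})"
    end
    problems << "unknown policy version #{new_version}" unless VALID_VERSIONS.include?(new_version)

    bindings.each_with_index do |binding, i|
      problems << "binding #{i}: missing role" if binding[:role].to_s.empty?
      members = binding[:members]
      problems << "binding #{i}: members must be a non-empty Array" unless members.is_a?(Array) && !members.empty?

      condition = binding[:condition]
      next if condition.nil?

      # Conditional bindings only exist in the version 3 schema.
      problems << "binding #{i}: condition requires version 3, got #{new_version}" if new_version < 3
      expression = condition[:expression].to_s
      problems << "binding #{i}: condition has no expression" if expression.empty?
      problems.concat bucket_mismatches(i, expression)
    end

    Result.new(problems.empty?, problems)
  end

  private

  # Every quoted resource-name literal in the CEL expression must name the
  # bucket whose policy is being edited. A mismatch does not widen access (the
  # condition simply never matches) but silently grants nothing.
  def bucket_mismatches(index, expression)
    expression.scan(/"([^"]*)"/).flatten.each_with_object([]) do |literal, found|
      match = RESOURCE_NAME.match(literal)
      next if match.nil? || match[1] == @bucket_name
      found << "binding #{index}: condition names bucket #{match[1].inspect} but the policy is for #{@bucket_name.inspect}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the page's example: bucket "my-bucket" at version 1.
  preflight = PolicyPreflight.new("my-bucket", 1)
  result = preflight.check_update(
    new_version: 3,
    bindings: [{
      role: "roles/storage.admin",
      members: ["user:owner@example.com"],
      condition: {
        title: "my-condition",
        expression: 'resource.name.startsWith("projects/_/buckets/my-bucket/objects/prefix-a-")'
      }
    }]
  )
  puts result.ok? ? "ok to send" : result.problems
end
```

Run the check on the hashes you are about to pass to `p.bindings.insert`, with the bucket's current `p.version`, and abort the `bucket.policy` block if `problems` is non-empty; the bucket-name check in particular catches the copy/paste mistake of pointing a condition at a different bucket than the one whose policy is being written.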