google.cloud.forseti.services.explain.explainer module

Explain API.

class Explainer(config)[source]

Bases: object

Implements the Explain API.

check_iam_policy(model_name, resource, permission, identity)[source]

Checks access according to IAM policy for the resource.

Parameters:
  • model_name (str) – Model to operate on.
  • resource (str) – Resource to check
  • permission (str) – Permission to check
  • identity (str) – Member to check
Returns:

whether such access is allowed

Return type:

bool

explain_denied(model_name, member, resources, permissions, roles)[source]

Explains why a member lacks access and lists the bindings that would grant it.

Parameters:
  • model_name (str) – Model to operate on.
  • member (str) – Member to query
  • resources (list) – Resources to query
  • permissions (list) – Permissions to query
  • roles (list) – Roles to query
Returns:

list of tuples, (overgranting, [(role_name, member_name, resource_name)])

Return type:

list

explain_granted(model_name, member, resource, role, permission)[source]

Provides information on why a member has access to a resource.

Parameters:
  • model_name (str) – Model to operate on.
  • member (str) – Member to query
  • resource (str) – Resource to query
  • role (str) – Role to query
  • permission (str) – Permission to query
Returns:

(bindings, member_graph, resource_type_names):
  • bindings – the bindings that grant the access
  • member_graph – the graph showing how the member is included in the binding
  • resource_type_names – the resource tree

Return type:

tuple

get_access_by_members(model_name, member_name, permission_names, expand_resources)[source]

Returns access to resources for the provided member.

Parameters:
  • model_name (str) – Model to operate on.
  • member_name (str) – Member name to query
  • permission_names (list) – Permission names to query for.
  • expand_resources (bool) – Whether to expand resources.
Yields:

tuple – Generator for (role, resources).

get_access_by_permissions(model_name, role_name, permission_name, expand_groups, expand_resources)[source]

Returns access tuples satisfying the permission or role.

Parameters:
  • model_name (str) – Model to operate on.
  • role_name (str) – Role name to query for.
  • permission_name (str) – Permission name to query for.
  • expand_groups (bool) – Whether to expand groups in policies.
  • expand_resources (bool) – Whether to expand resources.
Yields:

tuple – Generator for (role, resource, members).

get_access_by_resources(model_name, resource_name, permission_names, expand_groups)[source]

Returns members who have access to the given resource.

Parameters:
  • model_name (str) – Model to operate on.
  • resource_name (str) – Resource name to query for.
  • permission_names (list) – Permission names to query for.
  • expand_groups (bool) – Whether to expand groups in policies.
Returns:

role_member_mapping, a dict mapping each "role_name" to the "member_names" holding that role on the resource

Return type:

dict

get_iam_policy(model_name, resource)[source]

Gets the IAM policy for the resource.

Parameters:
  • model_name (str) – Model to operate on.
  • resource (str) – Resource to query
Returns:

the IAM policy

Return type:

dict

get_permissions_by_roles(model_name, role_names, role_prefixes)[source]

Returns the permissions associated with the specified roles.

Parameters:
  • model_name (str) – Model to operate on.
  • role_names (list) – Role names to query for.
  • role_prefixes (list) – Role name prefixes to query for
Yields:

tuple – Generator for (Role, Permission).
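
A least-privilege audit built on the two query methods above, get_access_by_members and get_permissions_by_roles. This is an added example, not Forseti's own code: FakeExplainer is a constructed stand-in that follows the documented signatures and return shapes (a real Explainer is built from the server config and is assumed to yield Role and Permission model objects, which are simplified to name strings here). The bindings and role definitions are constructed sample data. The audit computes every permission a member effectively holds, which binding grants it, and which of those permissions exceed the set the member actually needs.

```python
"""Least-privilege audit over the Explainer query API (added example).

FakeExplainer is a constructed stand-in for
google.cloud.forseti.services.explain.explainer.Explainer; it honours the
documented signatures and return shapes so the audit logic runs offline.
"""
from collections import defaultdict


class FakeExplainer:
    """Constructed stand-in: embedded role definitions and bindings."""

    def __init__(self):
        # Constructed sample role -> permissions table (a real model reads
        # these from the inventory; the permission names are assumptions).
        self.role_permissions = {
            "roles/storage.objectViewer": {
                "storage.objects.get", "storage.objects.list"},
            "roles/storage.admin": {
                "storage.objects.get", "storage.objects.list",
                "storage.objects.delete", "storage.buckets.delete"},
            "roles/viewer": {
                "storage.objects.get", "compute.instances.get"},
        }
        # Constructed sample bindings: member -> role -> resources
        self.bindings = {
            "user:alice@example.com": {
                "roles/storage.admin": ["bucket/prod-logs"],
                "roles/viewer": ["project/prod"],
            },
            "user:bob@example.com": {
                "roles/storage.objectViewer": ["bucket/prod-logs"],
            },
        }

    def get_access_by_members(self, model_name, member_name,
                              permission_names, expand_resources):
        """Documented shape: generator of (role, resources)."""
        for role, resources in self.bindings.get(member_name, {}).items():
            perms = self.role_permissions[role]
            # An empty permission filter means "every role the member holds".
            if permission_names and not perms & set(permission_names):
                continue
            yield role, list(resources)

    def get_permissions_by_roles(self, model_name, role_names, role_prefixes):
        """Documented shape: generator of (Role, Permission); strings here."""
        for role, perms in self.role_permissions.items():
            if role in role_names or any(
                    role.startswith(p) for p in role_prefixes):
                for perm in sorted(perms):
                    yield role, perm


def effective_permissions(explainer, model_name, member):
    """Map each permission the member holds to the (role, resource) pairs
    that grant it, by joining the two Explainer queries on role name."""
    roles_to_resources = {}
    for role, resources in explainer.get_access_by_members(
            model_name, member, [], True):
        roles_to_resources.setdefault(role, []).extend(resources)
    granted = defaultdict(set)
    for role, perm in explainer.get_permissions_by_roles(
            model_name, list(roles_to_resources), []):
        for resource in roles_to_resources[role]:
            granted[perm].add((role, resource))
    return dict(granted)


def overgranted(explainer, model_name, member, needed):
    """Return (extra, missing): permissions held beyond the needed set,
    each with the bindings responsible, and needed permissions not held."""
    held = effective_permissions(explainer, model_name, member)
    extra = {p: g for p, g in held.items() if p not in needed}
    missing = set(needed) - set(held)
    return extra, missing


if __name__ == "__main__":
    ex = FakeExplainer()
    needed = {"storage.objects.get", "storage.objects.list"}
    extra, missing = overgranted(ex, "model1", "user:alice@example.com", needed)
    for perm, grants in sorted(extra.items()):
        for role, resource in sorted(grants):
            print("OVERGRANT %s via %s on %s" % (perm, role, resource))
    for perm in sorted(missing):
        print("MISSING %s" % perm)
```

The join on role name is the whole trick: get_access_by_members tells you which roles a member holds and where, get_permissions_by_roles tells you what those roles contain, and neither alone answers "does this member hold more than they need on this resource". The same function works against a live Explainer once the yielded Role and Permission objects are reduced to their names.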

list_group_members(model_name, member_name_prefix)[source]

Lists members from the model whose name matches the prefix.

Parameters:
  • model_name (str) – Model to operate on.
  • member_name_prefix (str) – the prefix of the member_name
Returns:

list of Members that match the query

Return type:

list

list_resources(model_name, full_resource_name_prefix)[source]

Lists resources by resource name prefix.

Parameters:
  • model_name (str) – Model to operate on.
  • full_resource_name_prefix (str) – the prefix of the resource name
Returns:

list of Resources that match the query

Return type:

list

list_roles(model_name, role_name_prefix)[source]

Lists the roles in the model matching the prefix.

Parameters:
  • model_name (str) – Model to operate on.
  • role_name_prefix (str) – prefix of the role_name
Returns:

list of role_names that match the query

Return type:

list