google.cloud.forseti.services.inventory.base.iam_helpers module

Helper functions for handling IAM policies.

_split_member(member)[source]

Splits an IAM member into type and optional value.

Parameters: member (str) – The IAM member to split.
Returns: The member type and, optionally, the member value.
Return type: tuple
convert_bigquery_policy_to_iam(access_policy, project_id)[source]

Converts a BigQuery access policy to an IAM policy.

This is used to enable IAM Explain for legacy BigQuery policies.

Parameters:
  • access_policy (list) – A list of BigQuery access policies.
  • project_id (str) – The project id for the project the dataset is under.
Returns: An IAM policy object.
Return type: dict

convert_iam_to_bigquery_policy(iam_policy)[source]

Converts an IAM policy to a bigquery Access Policy.

This is used for backwards compatibility between data returned from live API and the data stored in CAI. Once the live API returns IAM policies instead, this can be deprecated.

Parameters: iam_policy (dict) – The BigQuery dataset IAM policy.
Returns: A list of access policies.

An example return value:

[
  {'role': 'WRITER', 'specialGroup': 'projectWriters'},
  {'role': 'OWNER', 'specialGroup': 'projectOwners'},
  {'role': 'OWNER', 'userByEmail': 'user@domain.com'},
  {'role': 'READER', 'specialGroup': 'projectReaders'}
]

Return type: list
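As an added example for the conversions described under _split_member and convert_iam_to_bigquery_policy (this is not the Forseti module's own code): an IAM-policy-to-legacy-access conversion in Python. The role and member mappings follow Google's documented BigQuery legacy-role equivalents; representing allUsers as an iamMember entry and the public_entries helper are assumptions of this example.

```python
# Added example, not the Forseti module's code. Mappings follow Google's
# documented BigQuery legacy-role equivalents; allUsers via "iamMember" is
# an assumption made here.
ROLE_MAP = {                       # IAM role -> legacy dataset role
    "roles/bigquery.dataOwner": "OWNER",
    "roles/bigquery.dataEditor": "WRITER",
    "roles/bigquery.dataViewer": "READER",
}
SPECIAL_GROUPS = {                 # member type -> specialGroup value
    "projectOwner": "projectOwners",
    "projectEditor": "projectWriters",
    "projectViewer": "projectReaders",
    "allAuthenticatedUsers": "allAuthenticatedUsers",
}
EMAIL_FIELDS = {                   # member type -> legacy access field
    "user": "userByEmail",
    "serviceAccount": "userByEmail",
    "group": "groupByEmail",
    "domain": "domain",
}

def split_member(member):
    """Split 'type:value' into (type, value); bare members such as 'allUsers' carry no value."""
    member_type, sep, value = member.partition(":")
    return member_type, (value if sep else None)

def iam_to_bigquery_access(iam_policy):
    """Legacy access entries for bindings with a legacy role; others are skipped, not guessed."""
    access = []
    for binding in iam_policy.get("bindings", []):
        legacy_role = ROLE_MAP.get(binding.get("role"))
        if legacy_role is None:
            continue
        for member in binding.get("members", []):
            member_type, value = split_member(member)
            entry = {"role": legacy_role}
            if member_type in SPECIAL_GROUPS:
                entry["specialGroup"] = SPECIAL_GROUPS[member_type]
            elif member_type in EMAIL_FIELDS:
                entry[EMAIL_FIELDS[member_type]] = value
            elif member_type == "allUsers":
                entry["iamMember"] = member  # assumption, see header comment
            else:
                continue  # deleted:/unknown principals have no legacy mapping
            access.append(entry)
    return access

def public_entries(access):
    """Entries that grant access to everyone; an exposure check flags these."""
    return [a for a in access if a.get("specialGroup") == "allAuthenticatedUsers"
            or a.get("iamMember") == "allUsers"]
```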
convert_iam_to_bucket_acls(iam_policy, bucket, project_id, project_number)[source]

Converts an IAM policy to Bucket Access Controls.

This is used for backwards compatibility between data returned from the live API and the data stored in CAI. Once ACLs are removed from Cloud Storage, this can be deprecated.

Parameters:
  • iam_policy (dict) – The Storage Bucket IAM policy.
  • bucket (str) – The Storage Bucket name.
  • project_id (str) – The project id for the project the bucket is under.
  • project_number (str) – The project number for the project the bucket is under.
Returns: A list of access policies.

An example return value:

[
  {"bucket": "my-bucket", "id": "my-bucket/project-owners-12345",
   "entity": "project-owners-12345",
   "projectTeam": {"projectNumber": "12345", "team": "owners"},
   "role": "OWNER"},
  {"bucket": "my-bucket", "id": "my-bucket/project-editors-12345",
   "entity": "project-editors-12345",
   "projectTeam": {"projectNumber": "12345", "team": "editors"},
   "role": "OWNER"},
  {"bucket": "my-bucket", "id": "my-bucket/project-viewers-12345",
   "entity": "project-viewers-12345",
   "projectTeam": {"projectNumber": "12345", "team": "viewers"},
   "role": "READER"},
  {"bucket": "my-bucket", "id": "my-bucket/domain-forseti.test",
   "domain": "forseti.test", "entity": "domain-forseti.test",
   "role": "READER"},
  {"bucket": "my-bucket", "id": "my-bucket/group-my-group@forseti.test",
   "email": "my-group@forseti.test", "entity": "group-my-group@forseti.test",
   "role": "WRITER"},
  {"bucket": "my-bucket",
   "id": "my-bucket/user-12345-compute@developer.gserviceaccount.com",
   "email": "12345-compute@developer.gserviceaccount.com",
   "entity": "user-12345-compute@developer.gserviceaccount.com",
   "role": "WRITER"},
  {"bucket": "my-bucket", "id": "my-bucket/allAuthenticatedUsers",
   "entity": "allAuthenticatedUsers", "role": "READER"},
  {"bucket": "my-bucket", "id": "my-bucket/allUsers",
   "entity": "allUsers", "role": "READER"}
]

Return type: list