add fgac samples

googleapis · Jul 19, 2022 · c5ca7c2 · c5ca7c2
1 parent 54e803e
commit c5ca7c2
Show file tree

Hide file tree

Showing 14 changed files with 534 additions and 16 deletions.
diff --git a/google-cloud-spanner/clirr-ignored-differences.xml b/google-cloud-spanner/clirr-ignored-differences.xml
@@ -81,4 +81,49 @@
     <className>com/google/cloud/spanner/connection/Connection</className>
     <method>com.google.spanner.v1.ResultSetStats analyzeUpdate(com.google.cloud.spanner.Statement, com.google.cloud.spanner.ReadContext$QueryAnalyzeMode)</method>
   </difference>
+  <difference>
+    <differenceType>7012</differenceType>
+    <className>com/google/cloud/spanner/DatabaseAdminClient</className>
+    <method>com.google.api.gax.paging.Page listDatabaseRoles(java.lang.String, java.lang.String, com.google.cloud.spanner.Options$ListOption[])</method>
+  </difference>
+  <difference>
+    <differenceType>7012</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/SpannerRpc</className>
+    <method>com.google.cloud.spanner.spi.v1.SpannerRpc$Paginated listDatabaseRoles(java.lang.String, int, java.lang.String)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/DatabaseAdminClient</className>
+    <method>com.google.cloud.Policy getDatabaseIAMPolicy(java.lang.String, java.lang.String)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/SpannerRpc</className>
+    <method>com.google.spanner.v1.Session createSession(java.lang.String, java.util.Map, java.util.Map)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/SpannerRpc</className>
+    <method>java.util.List batchCreateSessions(java.lang.String, int, java.util.Map, java.util.Map)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/SpannerRpc</className>
+    <method>com.google.iam.v1.Policy getDatabaseAdminIAMPolicy(java.lang.String)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/GapicSpannerRpc</className>
+    <method>com.google.spanner.v1.Session createSession(java.lang.String, java.util.Map, java.util.Map)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/GapicSpannerRpc</className>
+    <method>java.util.List batchCreateSessions(java.lang.String, int, java.util.Map, java.util.Map)</method>
+  </difference>
+  <difference>
+    <differenceType>7004</differenceType>
+    <className>com/google/cloud/spanner/spi/v1/GapicSpannerRpc</className>
+    <method>com.google.iam.v1.Policy getDatabaseAdminIAMPolicy(java.lang.String)</method>
+  </difference>
 </differences>
diff --git a/google-cloud-spanner/src/main/java/com/google/cloud/spanner/Database.java b/google-cloud-spanner/src/main/java/com/google/cloud/spanner/Database.java
@@ -145,7 +145,7 @@ public Page<Operation> listDatabaseOperations() {
 
   /** Returns the IAM {@link Policy} for this database. */
   public Policy getIAMPolicy() {
-    return dbClient.getDatabaseIAMPolicy(instance(), database());
+    return dbClient.getDatabaseIAMPolicy(instance(), database(), 1);
   }
 
   /**

diff --git a/google-cloud-spanner/src/main/java/com/google/cloud/spanner/DatabaseAdminClient.java b/google-cloud-spanner/src/main/java/com/google/cloud/spanner/DatabaseAdminClient.java
@@ -495,7 +495,7 @@ OperationFuture<Void, UpdateDatabaseDdlMetadata> updateDatabaseDdl(
   Operation getOperation(String name);
 
   /** Returns the IAM policy for the given database. */
-  Policy getDatabaseIAMPolicy(String instanceId, String databaseId);
+  Policy getDatabaseIAMPolicy(String instanceId, String databaseId, int version);
 
   /**
    * Updates the IAM policy for the given database and returns the resulting policy. It is highly

diff --git a/google-cloud-spanner/src/main/java/com/google/cloud/spanner/DatabaseAdminClientImpl.java b/google-cloud-spanner/src/main/java/com/google/cloud/spanner/DatabaseAdminClientImpl.java
@@ -29,6 +29,7 @@
 import com.google.cloud.spanner.spi.v1.SpannerRpc.Paginated;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Preconditions;
+import com.google.iam.v1.GetPolicyOptions;
 import com.google.longrunning.Operation;
 import com.google.protobuf.Empty;
 import com.google.protobuf.FieldMask;
@@ -500,9 +501,13 @@ public Operation getOperation(String name) {
   }
 
   @Override
-  public Policy getDatabaseIAMPolicy(String instanceId, String databaseId) {
+  public Policy getDatabaseIAMPolicy(String instanceId, String databaseId, int version) {
     final String databaseName = DatabaseId.of(projectId, instanceId, databaseId).getName();
-    return policyMarshaller.fromPb(rpc.getDatabaseAdminIAMPolicy(databaseName));
+    GetPolicyOptions options = null;
+    if (version > 0) {
+      options = GetPolicyOptions.newBuilder().setRequestedPolicyVersion(version).build();
+    }
+    return policyMarshaller.fromPb(rpc.getDatabaseAdminIAMPolicy(databaseName, options));
   }
 
   @Override
@@ -524,7 +529,7 @@ public Iterable<String> testDatabaseIAMPermissions(
   @Override
   public Policy getBackupIAMPolicy(String instanceId, String backupId) {
     final String databaseName = BackupId.of(projectId, instanceId, backupId).getName();
-    return policyMarshaller.fromPb(rpc.getDatabaseAdminIAMPolicy(databaseName));
+    return policyMarshaller.fromPb(rpc.getDatabaseAdminIAMPolicy(databaseName, null));
   }
 
   @Override

diff --git a/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/GapicSpannerRpc.java b/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/GapicSpannerRpc.java
@@ -89,6 +89,7 @@
 import com.google.common.util.concurrent.RateLimiter;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import com.google.iam.v1.GetIamPolicyRequest;
+import com.google.iam.v1.GetPolicyOptions;
 import com.google.iam.v1.Policy;
 import com.google.iam.v1.SetIamPolicyRequest;
 import com.google.iam.v1.TestIamPermissionsRequest;
@@ -1695,10 +1696,13 @@ public PartitionResponse partitionRead(
   }
 
   @Override
-  public Policy getDatabaseAdminIAMPolicy(String resource) {
+  public Policy getDatabaseAdminIAMPolicy(String resource, @Nullable GetPolicyOptions options) {
     acquireAdministrativeRequestsRateLimiter();
-    final GetIamPolicyRequest request =
-        GetIamPolicyRequest.newBuilder().setResource(resource).build();
+    GetIamPolicyRequest.Builder builder = GetIamPolicyRequest.newBuilder().setResource(resource);
+    if (options != null) {
+      builder.setOptions(options);
+    }
+    final GetIamPolicyRequest request = builder.build();
     final GrpcCallContext context =
         newCallContext(null, resource, request, DatabaseAdminGrpc.getGetIamPolicyMethod());
     return runWithRetryOnAdministrativeRequestsExceeded(

diff --git a/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/SpannerRpc.java b/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/SpannerRpc.java
@@ -28,6 +28,7 @@
 import com.google.cloud.spanner.admin.database.v1.stub.DatabaseAdminStub;
 import com.google.cloud.spanner.admin.instance.v1.stub.InstanceAdminStub;
 import com.google.common.collect.ImmutableList;
+import com.google.iam.v1.GetPolicyOptions;
 import com.google.iam.v1.Policy;
 import com.google.iam.v1.TestIamPermissionsResponse;
 import com.google.longrunning.Operation;
@@ -328,7 +329,7 @@ PartitionResponse partitionRead(PartitionReadRequest request, @Nullable Map<Opti
       throws SpannerException;
 
   /** Gets the IAM policy for the given resource using the {@link DatabaseAdminStub}. */
-  Policy getDatabaseAdminIAMPolicy(String resource);
+  Policy getDatabaseAdminIAMPolicy(String resource, @Nullable GetPolicyOptions options);
 
   /**
    * Updates the IAM policy for the given resource using the {@link DatabaseAdminStub}. It is highly

diff --git a/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseAdminClientImplTest.java b/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseAdminClientImplTest.java
@@ -358,7 +358,7 @@ public void listDatabaseRolesErrorWithToken() {
 
   @Test
   public void getDatabaseIAMPolicy() {
-    when(rpc.getDatabaseAdminIAMPolicy(DB_NAME))
+    when(rpc.getDatabaseAdminIAMPolicy(DB_NAME, null))
         .thenReturn(
             Policy.newBuilder()
                 .addBindings(
@@ -367,11 +367,11 @@ public void getDatabaseIAMPolicy() {
                         .setRole("roles/viewer")
                         .build())
                 .build());
-    com.google.cloud.Policy policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID);
+    com.google.cloud.Policy policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID, 1);
     assertThat(policy.getBindings())
         .containsExactly(Role.viewer(), Sets.newHashSet(Identity.user("[email protected]")));
 
-    when(rpc.getDatabaseAdminIAMPolicy(DB_NAME))
+    when(rpc.getDatabaseAdminIAMPolicy(DB_NAME, null))
         .thenReturn(
             Policy.newBuilder()
                 .addBindings(
@@ -380,7 +380,7 @@ public void getDatabaseIAMPolicy() {
                         .setRole("roles/viewer")
                         .build())
                 .build());
-    policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID);
+    policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID, 1);
     assertThat(policy.getBindings())
         .containsExactly(
             Role.viewer(),

diff --git a/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseAdminClientTest.java b/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseAdminClientTest.java
@@ -755,13 +755,13 @@ public void backupListBackupOperations()
 
   @Test
   public void getAndSetIAMPolicy() {
-    Policy policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID);
+    Policy policy = client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID, 1);
     assertThat(policy).isEqualTo(Policy.newBuilder().build());
     Policy newPolicy =
         Policy.newBuilder().addIdentity(Role.editor(), Identity.user("[email protected]")).build();
     Policy returnedPolicy = client.setDatabaseIAMPolicy(INSTANCE_ID, DB_ID, newPolicy);
     assertThat(returnedPolicy).isEqualTo(newPolicy);
-    assertThat(client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID)).isEqualTo(newPolicy);
+    assertThat(client.getDatabaseIAMPolicy(INSTANCE_ID, DB_ID, 1)).isEqualTo(newPolicy);
   }
 
   @Test

diff --git a/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseTest.java b/google-cloud-spanner/src/test/java/com/google/cloud/spanner/DatabaseTest.java
@@ -184,7 +184,7 @@ public void getIAMPolicy() {
         new Database(
             DatabaseId.of("test-project", "test-instance", "test-database"), State.READY, dbClient);
     database.getIAMPolicy();
-    verify(dbClient).getDatabaseIAMPolicy("test-instance", "test-database");
+    verify(dbClient).getDatabaseIAMPolicy("test-instance", "test-database", 1);
   }
 
   @Test

diff --git a/samples/snippets/src/main/java/com/example/spanner/AddNewRoleSample.java b/samples/snippets/src/main/java/com/example/spanner/AddNewRoleSample.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example.spanner;
+
+// [START spanner_add_new_database_role]
+
+import com.google.api.gax.longrunning.OperationFuture;
+import com.google.cloud.spanner.DatabaseAdminClient;
+import com.google.cloud.spanner.Spanner;
+import com.google.cloud.spanner.SpannerOptions;
+import com.google.common.collect.ImmutableList;
+import com.google.spanner.admin.database.v1.UpdateDatabaseDdlMetadata;
+import java.util.concurrent.ExecutionException;
+
+public class AddNewRoleSample {
+  static void addNewRole() throws InterruptedException, ExecutionException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "my-project";
+    String instanceId = "my-instance";
+    String databaseId = "my-database";
+    addNewRole(projectId, instanceId, databaseId);
+  }
+
+  static void addNewRole(String projectId, String instanceId, String databaseId)
+      throws InterruptedException, ExecutionException {
+    try (Spanner spanner =
+        SpannerOptions.newBuilder()
+            .setProjectId(projectId)
+            .build()
+            .getService()) {
+      final DatabaseAdminClient adminClient = spanner.getDatabaseAdminClient();
+      OperationFuture<Void, UpdateDatabaseDdlMetadata> operation =
+          adminClient.updateDatabaseDdl(
+              instanceId,
+              databaseId,
+              ImmutableList.of(
+                  "CREATE ROLE parent",
+                  "GRANT SELECT ON TABLE Albums TO ROLE parent",
+                  "CREATE ROLE child",
+                  "GRANT ROLE parent TO ROLE child"),
+              null);
+
+      // Wait for the operation to finish.
+      // This will throw an ExecutionException if the operation fails.
+      operation.get();
+      System.out.println("Successfully added parent and child roles");
+
+      // Delete role and membership.
+      operation =
+          adminClient.updateDatabaseDdl(
+              instanceId,
+              databaseId,
+              ImmutableList.of("REVOKE ROLE parent FROM ROLE child", "DROP ROLE child"),
+              null);
+      // Wait for the operation to finish.
+      // This will throw an ExecutionException if the operation fails.
+      operation.get();
+      System.out.println("Successfully deleted chile role");
+    }
+  }
+}
+// [END spanner_add_new_database_role]
diff --git a/samples/snippets/src/main/java/com/example/spanner/EnableFineGrainedAccess.java b/samples/snippets/src/main/java/com/example/spanner/EnableFineGrainedAccess.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example.spanner;
+
+// [START spanner_enable_fine_grained_access]
+
+import com.google.cloud.Binding;
+import com.google.cloud.Condition;
+import com.google.cloud.Policy;
+import com.google.cloud.spanner.DatabaseAdminClient;
+import com.google.cloud.spanner.Spanner;
+import com.google.cloud.spanner.SpannerOptions;
+import java.util.ArrayList;
+import java.util.List;
+
+public class EnableFineGrainedAccess {
+  static void enableFineGrainedAccess() {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "my-project";
+    String instanceId = "my-instance";
+    String databaseId = "my-database";
+    String iamMember = "my-member";
+    String databaseRole = "my-role";
+    String conditionTitle = "my-title";
+    enableFineGrainedAccess(
+        projectId, instanceId, databaseId, iamMember, databaseRole, conditionTitle);
+  }
+
+  static void enableFineGrainedAccess(
+      String projectId,
+      String instanceId,
+      String databaseId,
+      String iamMember,
+      String databaseRole,
+      String title) {
+    try (Spanner spanner =
+        SpannerOptions.newBuilder()
+            .setProjectId(projectId)
+            .build()
+            .getService()) {
+      final DatabaseAdminClient adminClient = spanner.getDatabaseAdminClient();
+      Policy policy = adminClient.getDatabaseIAMPolicy(instanceId, databaseId, 3);
+      int policyVersion = policy.getVersion();
+      if (policy.getVersion() < 3) {
+        policyVersion = 3;
+      }
+      List<String> members = new ArrayList<>();
+      members.add(iamMember);
+      List<Binding> bindings = new ArrayList<>();
+      bindings.addAll(policy.getBindingsList());
+
+      bindings.add(
+          Binding.newBuilder()
+              .setRole("roles/spanner.fineGrainedAccessUser")
+              .setMembers(members)
+              .build());
+
+      bindings.add(
+          Binding.newBuilder()
+              .setRole("roles/spanner.databaseRoleUser")
+              .setCondition(
+                  Condition.newBuilder()
+                      .setDescription(title)
+                      .setExpression(
+                          String.format(
+                              "resource.name.endsWith(\"/databaseRoles/%s\")", databaseRole))
+                      .setTitle(title)
+                      .build())
+              .setMembers(members)
+              .build());
+
+      Policy policyWithConditions =
+          Policy.newBuilder()
+              .setVersion(policyVersion)
+              .setEtag(policy.getEtag())
+              .setBindings(bindings)
+              .build();
+      Policy response =
+          adminClient.setDatabaseIAMPolicy(instanceId, databaseId, policyWithConditions);
+      System.out.println(
+          String.format(
+              "Successfully enabled fined grained access, created policy with version %d",
+              response.getVersion()));
+    }
+  }
+}
+// [END spanner_enable_fine_grained_access]