23
23
import com .google .cloud .spanner .DatabaseAdminClient ;
24
24
import com .google .cloud .spanner .Spanner ;
25
25
import com .google .cloud .spanner .SpannerOptions ;
26
+ import com .google .common .collect .ImmutableList ;
27
+
26
28
import java .util .ArrayList ;
27
29
import java .util .List ;
28
30
@@ -34,8 +36,8 @@ static void enableFineGrainedAccess() {
34
36
String instanceId = "my-instance" ;
35
37
String databaseId = "my-database" ;
36
38
String iamMember =
"user:[email protected] " ;
37
- String role = "new-parent " ;
38
- String title = "my condition title" ;
39
+ String role = "my-role " ;
40
+ String title = "my- condition- title" ;
39
41
enableFineGrainedAccess (projectId , instanceId , databaseId , iamMember , title , role );
40
42
}
41
43
@@ -47,44 +49,50 @@ static void enableFineGrainedAccess(
47
49
String title ,
48
50
String role ) {
49
51
try (Spanner spanner =
50
- SpannerOptions .newBuilder ().setProjectId (projectId ).build ().getService ()) {
52
+ SpannerOptions .newBuilder ()
53
+ .setProjectId (projectId )
54
+ .build ()
55
+ .getService ()) {
51
56
final DatabaseAdminClient adminClient = spanner .getDatabaseAdminClient ();
52
57
Policy policy = adminClient .getDatabaseIAMPolicy (instanceId , databaseId , 3 );
53
58
int policyVersion = policy .getVersion ();
54
- /* getDatabaseIAMPolicy returns the IAM policy for the given database
55
- *
56
- * The policy in the response might use the policy version that you specified, or it might use
57
- * a lower policy version. For example, if you specify version 3, but the policy has no
58
- * conditional role bindings, the response uses version 1. Valid values are 0, 1, and 3.
59
- *
60
- */
59
+ // The policy in the response from getDatabaseIAMPolicy might use the policy version
60
+ // that you specified, or it might use a lower policy version. For example, if you
61
+ // specify version 3, but the policy has no conditional role bindings, the response
62
+ // uses version 1. Valid values are 0, 1, and 3.
61
63
if (policy .getVersion () < 3 ) {
62
64
// conditional role bindings work with policy version 3
63
65
policyVersion = 3 ;
64
66
}
67
+
65
68
List <String > members = new ArrayList <>();
66
69
members .add (iamMember );
67
- List <Binding > bindings = new ArrayList <>(policy .getBindingsList ());
68
-
69
- bindings .add (
70
+ Binding binding1 =
70
71
Binding .newBuilder ()
71
72
.setRole ("roles/spanner.fineGrainedAccessUser" )
72
73
.setMembers (members )
73
- .build ()) ;
74
+ .build ();
74
75
75
- bindings . add (
76
+ Binding binding2 =
76
77
Binding .newBuilder ()
77
78
.setRole ("roles/spanner.databaseRoleUser" )
78
79
.setCondition (
79
80
Condition .newBuilder ()
80
81
.setDescription (title )
81
82
.setExpression (
82
- String .format ("resource.name.endsWith(\" /databaseRoles/%s\" )" , role ))
83
+ String .format (
84
+ "resource.type == \" spanner.googleapis.com/DatabaseRole\" && resource.name.endsWith(\" /databaseRoles/%s\" )" ,
85
+ role ))
83
86
.setTitle (title )
84
87
.build ())
85
88
.setMembers (members )
86
- .build ());
87
-
89
+ .build ();
90
+ ImmutableList <Binding > bindings =
91
+ ImmutableList .<Binding >builder ()
92
+ .addAll (policy .getBindingsList ())
93
+ .add (binding1 )
94
+ .add (binding2 )
95
+ .build ();
88
96
Policy policyWithConditions =
89
97
Policy .newBuilder ()
90
98
.setVersion (policyVersion )
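Review bot: The `role` argument is interpolated unescaped into the CEL condition at the `String.format` call, so a value containing a double quote or CEL operators would either break the expression or widen the binding beyond the one intended database role; the sample passes a literal, but this method is the reusable entry point, so guard it before building the condition, e.g. `if (!role.matches("[A-Za-z][A-Za-z0-9_]*")) { throw new IllegalArgumentException("invalid database role name: " + role); }` (tighten the pattern to whatever the service actually permits for database role names). Separately, the policy is fetched with `getDatabaseIAMPolicy` and then rebuilt from scratch; unless the `Policy.newBuilder()` chain that continues past the end of this hunk carries over `policy.getEtag()`, a concurrent policy change between the read and the write would be silently overwritten, which for IAM means a lost permission grant or revocation. Note also that `title` is reused as the condition's `description`, which is harmless but looks unintended.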