fix(bigquery): Update samples and tests related to Table or View

Author: hivanalejandro

bigquery/cloud-client/grantAccessToTableOrView.js

@@ -12,8 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-'use strict';
-
 const {BigQuery} = require('@google-cloud/bigquery');
 
 /**
@@ -26,56 +24,70 @@ const {BigQuery} = require('@google-cloud/bigquery');
  * @param {string} role - Role to assign to the member
  * @returns {Promise<object[]>} The updated policy bindings
  */
-async function grantAccessToTableOrView({
+async function grantAccessToTableOrView(
   projectId,
   datasetId,
   resourceName,
   principalId,
-  role,
-}) {
+  role
+) {
   // [START bigquery_grant_access_to_table_or_view]
-  // Uncomment and update these variables:
-  // const projectId = 'my_project_id';
-  // const datasetId = 'my_dataset';
-  // const resourceName = 'my_table';
-  // const principalId = 'user:[email protected]';
-  // const role = 'roles/bigquery.dataViewer';
-
-  // Create a BigQuery client
-  const bigquery = new BigQuery();
-
-  // Get the dataset and table references
-  const dataset = bigquery.dataset(datasetId);
-  const table = dataset.table(resourceName);
+  // TODO(developer): Update and un-comment below lines
+
+  // Google Cloud Platform project.
+  // projectId = "my_project_id"
+
+  // Dataset where the table or view is.
+  // datasetId = "my_dataset"
+
+  // Table or view name to get the access policy.
+  // resourceName = "my_table"
 
-  try {
-    // Get the IAM access policy for the table or view
-    const [policy] = await table.iam.getPolicy();
+  // The principal requesting access to the table or view.
+  // Find more details about principal identifiers here:
+  // https://cloud.google.com/iam/docs/principal-identifiers
+  // principalId = "user:[email protected]"
 
-    // Create a new binding for the principal and role
-    const binding = {
-      role: role,
-      members: [principalId],
-    };
+  // Role to assign to the member.
+  // role = "roles/bigquery.dataViewer"
 
-    // Add the new binding to the policy
-    policy.bindings.push(binding);
+  // Instantiate a client.
+  const client = new BigQuery();
 
-    // Set the updated IAM access policy
-    const [updatedPolicy] = await table.iam.setPolicy(policy);
+  // Get the table reference.
+  const dataset = client.dataset(datasetId);
+  const table = dataset.table(resourceName);
 
-    console.log(
-      `Role '${role}' granted for principal '${principalId}' on resource '${projectId}.${datasetId}.${resourceName}'.`
-    );
+  // Get the IAM access policy for the table or view.
+  const [policy] = await table.getIamPolicy();
 
-    return updatedPolicy.bindings;
-  } catch (error) {
-    console.error('Error granting access:', error);
-    throw error;
+  // Initialize bindings if they do not exist
+  if (!policy.bindings) {
+    policy.bindings = [];
   }
+
+  // To grant access to a table or view.
+  // add bindings to the Table or View policy.
+  //
+  // Find more details about Policy and Binding objects here:
+  // https://cloud.google.com/security-command-center/docs/reference/rest/Shared.Types/Policy
+  // https://cloud.google.com/security-command-center/docs/reference/rest/Shared.Types/Binding
+  const binding = {
+    role: role,
+    members: [principalId],
+  };
+  policy.bindings.push(binding);
+
+  // Set the IAM access policy with updated bindings
+  const [updatedPolicy] = await table.setIamPolicy(policy);
+
+  // Show a success message.
+  console.log(
+    `Role '${role}' granted for principal '${principalId}' on resource '${datasetId}.${resourceName}'.`
+  );
   // [END bigquery_grant_access_to_table_or_view]
+
+  return updatedPolicy.bindings;
 }
 
-module.exports = {
-  grantAccessToTableOrView,
-};
+module.exports = {grantAccessToTableOrView};

bigquery/cloud-client/revokeTableOrViewAccess.js

@@ -12,94 +12,106 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-const {BigQuery} = require('@google-cloud/bigquery');
-
-// [START bigquery_revoke_access_to_table_or_view]
 /**
  * Revokes access to a BigQuery table or view
- * @param {Object} params - The parameters object
- * @param {string} params.projectId - The ID of the Google Cloud project
- * @param {string} params.datasetId - The ID of the dataset containing the table/view
- * @param {string} params.resourceId - The ID of the table or view
- * @param {string} [params.memberToRevoke] - Optional. Specific member to revoke access from (e.g., 'group:[email protected]')
- * @param {string} [params.roleToRevoke='roles/bigquery.dataViewer'] - Optional. Specific role to revoke
- * @returns {Promise<void>}
+ * @param {string} projectId - The ID of the Google Cloud project
+ * @param {string} datasetId - The ID of the dataset containing the table/view
+ * @param {string} resourceName - The ID of the table or view
+ * @param {string} [roleToRemove=null] - Optional. Specific role to revoke
+ * @param {string} [principalToRemove=null] - Optional. Specific principal to revoke access from
+ * @returns {Promise<Object>} The updated IAM policy
  */
-async function revokeTableOrViewAccess({
+async function revokeAccessToTableOrView(
   projectId,
   datasetId,
-  resourceId,
-  memberToRevoke,
-  roleToRevoke = 'roles/bigquery.dataViewer',
-}) {
-  // Validate required parameters
-  if (!projectId || !datasetId || !resourceId) {
-    throw new Error(
-      'projectId, datasetId and resourceID are required parameters'
-    );
+  resourceName,
+  roleToRemove = null,
+  principalToRemove = null
+) {
+  // [START bigquery_revoke_access_to_table_or_view]
+  // Imports the Google Cloud client library
+  const {BigQuery} = require('@google-cloud/bigquery');
+
+  // TODO (developer): Update and un-comment below lines
+  // Google Cloud Platform project.
+  // projectId = "my_project_id"
+
+  // Dataset where the table or view is.
+  // datasetId = "my_dataset"
+
+  // Table or view name to get the access policy.
+  // resourceName = "my_table"
+
+  // (Optional) Role to remove from the table or view.
+  // roleToRemove = "roles/bigquery.dataViewer"
+
+  // (Optional) Principal to remove from the table or view.
+  // principalToRemove = "user:[email protected]"
+
+  // Find more information about roles and principals (refered as members) here:
+  // https://cloud.google.com/security-command-center/docs/reference/rest/Shared.Types/Binding
+
+  // Instantiate a client.
+  const client = new BigQuery();
+
+  // Get the table reference.
+  const dataset = client.dataset(datasetId);
+  const table = dataset.table(resourceName);
+
+  // Get the IAM access policy for the table or view.
+  const [policy] = await table.getIamPolicy();
+
+  // Initialize bindings of they do not exist
+  if (!policy.bindings) {
+    policy.bindings = [];
   }
-  try {
-    // Create BigQuery client
-    const bigquery = new BigQuery({
-      projectId: projectId,
-    });
-
-    // Get reference to the table or view
-    const dataset = bigquery.dataset(datasetId);
-    const table = dataset.table(resourceId);
-
-    // Get current IAM policy
-    const [policy] = await table.iam.getPolicy();
-    console.log(
-      'Current IAM Policy:',
-      JSON.stringify(policy.bindings, null, 2)
-    );
 
-    // Filter bindings based on parameters
-    let newBindings = policy.bindings;
-
-    if (memberToRevoke && roleToRevoke) {
-      // Remove specific member from specific role
-      newBindings = policy.bindings
-        .map(binding => ({
-          ...binding,
-          members:
-            binding.role === roleToRevoke
-              ? binding.members.filter(member => member !== memberToRevoke)
-              : binding.members,
-        }))
-        .filter(binding => binding.members.length > 0);
-    } else if (!memberToRevoke && roleToRevoke) {
-      // Remove all bindings for the specified role
-      newBindings = policy.bindings.filter(
-        binding => binding.role !== roleToRevoke
-      );
-    } else {
-      // Keep the current binding as it is
-      newBindings = policy.bindings;
-    }
+  // To revoke access to a table or view,
+  // remove bindings from the Table or View policy.
+  //
+  // Find more details about Policy objects here:
+  // https://cloud.google.com/security-command-center/docs/reference/rest/Shared.Types/Policy
 
-    // Create new policy with updated bindings
-    const newPolicy = {
-      bindings: newBindings,
-    };
+  if (roleToRemove) {
+    // Filter out all bindings with the `roleToRemove`
+    // and assign a new list back to the policy bindings.
+    policy.bindings = policy.bindings.filter(b => b.role !== roleToRemove);
+  }
 
-    // Set the new IAM policy
-    await table.iam.setPolicy(newPolicy);
-    console.log(`Access revoked successfully for ${resourceId}`);
+  if (principalToRemove) {
+    // Create a copy to match original code structure.
+    const bindings = [...policy.bindings];
 
-    // Verify the changes
-    const [updatedPolicy] = await table.iam.getPolicy();
-    console.log(
-      'Updated IAM Policy:',
-      JSON.stringify(updatedPolicy.bindings, null, 2)
+    // Filter out the principal from each binding.
+    for (const binding of bindings) {
+      if (binding.members) {
+        binding.members = binding.members.filter(m => m !== principalToRemove);
+      }
+    }
+
+    // Filter out bindings with empty members
+    policy.bindings = bindings.filter(
+      binding => binding.members && binding.members.length > 0
     );
+  }
+
+  try {
+    // Set the IAM access policy with updated bindings
+    await table.setIamPolicy(policy);
+
+    // Get the policy again to confirm it's set correctly
+    const [verifiedPolicy] = await table.getIamPolicy();
+
+    if (verifiedPolicy && verifiedPolicy.bindings) {
+      return verifiedPolicy.bindings;
+    } else {
+      return [];
+    }
   } catch (error) {
-    console.error('Error revoking access:', error);
+    console.error('Error settings IAM policy:', error);
     throw error;
   }
+  // [END bigquery_revoke_access_to_table_or_view]
 }
 
-// [END bigquery_revoke_access_to_table_or_view]
-
-module.exports = {revokeTableOrViewAccess};
+module.exports = {revokeAccessToTableOrView};