New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
all: define a meta-interface for IAM #340
Comments
The way the IAM methods are factored into a separate service that takes an arbitrary resource name makes it easy for service implementors, but not so much for users. We probably don't want to expose that directly, because specifying a resource name correctly can be a challenge. I think that for clients that represent each entity as a separate type, like pubsub, each such type (e.g. pubsub.Topic) should have its own set of methods:
The resource name will be handled entirely by the client. Other clients may add a string field to those methods denoting a suffix of the full resource name. For example, the new logging client uses logIDs (not full log resource names), so it could have IAM methods that take log IDs. We may want to wrap the Policy proto and put it in a package like cloud.google.com/go/iam, or we may just want to leave it as a proto. It translates into a pretty straightforward Go type. |
Instead of adding those methods to each type, could we have a central IAM package which can deal with arbitrary types? That would keep the signatures for these basic types much less polluted. I imagine we could do something like:
That's a very, very rough sketch – would something like that work? |
One interesting thing which might influence the design: IIUC the IAM service has it's own endpoint with specific scopes (https://iam.googleapis.com/v1/* and iam.*) – that might indicate we need a separate |
Yes, I realized that we probably need another While from a user's point of view, I'd love to see a simple and straightforward interface like what @jba mentioned. Maybe we can have an |
The Each API has its own methods for IAM operations. I'm a bit biased, but I liked what I did with the storage package. Something like
This way, we don't have three+ (more in future) methods for IAM for each resource in our packages. |
I like @broady's idea because it's clear which things have IAM policies. We could also consider a variant of @okdave's idea:
We'd repeat this in each client. There is no additional user-visible surface for each type that supports IAM, but the IAM calls are checked at compile-time. The downside is that you'd have to read the docs to know which types are IAMers. We already have precedent for this: the bigquery Copy method, and Source and Destination interfaces. |
FYI you're also going to have to implement testIAMPermissions and queryGrantableRoles as they are part of the IAM meta interface. Although they aren't super important right now they will be come very important once Custom Roles drop Soon (TM). |
This is now a priority for early Q4 so let's find a design we can agree on. I know @pongad is also thinking about this. I think @broady has the best idea so far: each IAM-enabled resource has one additional method, IAM, which returns a value that handles all IAM functionality for that resource. Pros:
|
One complication: it looks like QueryGrantableRoles is defined on the IAM API itself, not the per-resource meta-API. That means we'll need a separate client for that RPC. |
Here is where the design now stands. Unfortunately, it has a significant problem. The design follows the split built in to IAM, which separates common per-resource operations that are implemented by each Google API (Get/Set Policy and TestPermissions) from administrative actions supported by a separate IAM service.
The problem is that both IAM packages refer to As I see it, we have these options:
|
I vote for #1. If we do not have a hand-written client for service-account-IAM b/c of lack of a use case, I don't see a need to support service-account-IAM in any other hand-written clients. We should make the decision to incorporate or not incorporate service accounts in hand-written IAM packages across the board. |
I'm OK with (1), but one correction: we would only implement one handwritten client for service accounts: the IAM admin client. All service accounts are managed from that one API. |
Oh ok, I misunderstood then.
and the question is whether or not we need to have support for service account IAM in (3). Is that correct? |
Not quite. We are doing (2) and (3), but your (1) is my original (4) -- in other words, it's a possibility, but not definite (and is actually my least favorite choice). |
Ok. So when you say "we would only implement one handwritten client for service accounts" in your last comment, what does that mean if not my (1)? |
I was responding to your " I don't see a need to support service-account-IAM in any other hand-written clients." I was pointing out that if we supported service-account IAM, we would do so by writing only one handwritten client, the one for IAM admin. In other words, I was correcting your impression of multiple service-account clients, when there would be only one. I wasn't saying we would actually write it. |
Oh! Sorry for the confusion. Ok, I'm still for (1) then until we get user requests for something better. |
@adams-sarah @jba 2. is a little tricky. Our generator is built around protobuf messages, and so making it refer to hand-written code in this way might require some dark magic. Another solution is to tell the generator to not generate code for the 3 methods that refers to |
The cyborg idea is something we've discussed before, in the abstract. It could definitely work here. @pongad, can you generate such a client and mail me the CL? I'll take it from there. |
@jba googleapis/gapic-generator#599 should provide the support needed to do this kind of stuff. I'll work on this after the PR lands. If you want it sooner, please let me know. |
This commit disable iam admin's GetIamPolicy, SetIamPolicy, and TestIamPermissions. These methods are to be handwritten later. Update googleapis/google-cloud-go#340
Introduces iam.Handle, which will be returned by the IAM method of all resources that support IAM. Currently we support only the standard IAM methods Get, Set and TestPermissions. We can consider adding convenience methods like AddMemberToRole, but that is quite easy to write: h := pubsubTopic.IAM() policy, err := h.Policy(ctx) if err != nil { ... } policy.Add(iam.AllUsers, iam.Viewer) if err := ph.SetPolicy(ctx, policy); err != nil { ... } That code includes an ETag check. We don't attempt to support QueryGrantableRoles here. Although it's per-resource, it's actually part of the admin API, which has its own service. It's ultimately cleaner to keep them separate. Issue #340 Change-Id: I688a39c69c0ccffc46f0d506b2105f2bdbf4dfe3 Reviewed-on: https://code-review.googlesource.com/8130 Reviewed-by: Chris Broadfoot <cbro@google.com> Reviewed-by: Ross Light <light@google.com>
This commit disable iam admin's GetIamPolicy, SetIamPolicy, and TestIamPermissions. These methods are to be handwritten later. Update googleapis/google-cloud-go#340
Update: https://code-review.googlesource.com/#/c/8491/ has landed. The IAM admin should be ready to get cyborgified now. |
This particular issue was addressed in fc7a628. |
Many APIs (pubsub and storage are probably the most prominent) need to modify IAM roles.
Someone needs to define a meta-interface so that the IAM functionality is consistent across packages.
Maybe something similar to
storage.ACLHandle
?The text was updated successfully, but these errors were encountered: