feat(spanner): fine-grained access control #9669
Conversation
Introduce `spanner::SessionCreatorRoleOption`, which can be passed to `spanner::MakeConnection()` to set the `session_template.creator_role` used when creating sessions for the connection. Add integration test for creating and listing roles. Add samples: - spanner_add_and_drop_database_roles - spanner_read_data_with_database_role - spanner_list_database_roles - spanner_enable_fine_grained_access
|
Here is the summary of changes. You are about to add 4 region tags.
This comment is generated by snippet-bot.
|
|
Google Cloud Build Logs
ℹ️ NOTE: Kokoro logs are linked from "Details" below. |
Codecov Report
@@ Coverage Diff @@
## main #9669 +/- ##
==========================================
- Coverage 94.33% 94.29% -0.05%
==========================================
Files 1494 1494
Lines 138952 139040 +88
==========================================
+ Hits 131086 131104 +18
- Misses 7866 7936 +70
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
Google Cloud Build Logs
ℹ️ NOTE: Kokoro logs are linked from "Details" below. |
| @@ -84,6 +84,14 @@ using SpannerPolicyOptionList = | |||
| OptionList<spanner::SpannerRetryPolicyOption, SpannerBackoffPolicyOption, | |||
| SpannerPollingPolicyOption>; | |||
|
|
|||
| /** | |||
| * Option for `google::cloud::Options` to set the database role used for | |||
| * session creation. | |||
There was a problem hiding this comment.
Consider a link to the spanner documentation explaining what these what these roles are for.
There was a problem hiding this comment.
I'm afraid I'm unaware of, and cannot discover, any released documentation. We can, of course, add something as it becomes available.
| client.SetIamPolicy(database.FullName(), *std::move(policy)); | ||
| if (!new_policy) throw std::runtime_error(new_policy.status().message()); | ||
| std::cout << "Enabled fine-grained access in IAM. New policy has version " | ||
| << new_policy->version() << "\n"; |
There was a problem hiding this comment.
I do not think that version is what you think it is. It is more like a code revision tracker than a state change tracker. You want something like the etag field.
There was a problem hiding this comment.
I don't think I think it is anything in particular. It doesn't seem, at least, that the sample implies that it isn't a code-revision tracker.
That said, the shape of the output is defined by the internal "Fine Grained Access Control Samples" document, which is followed by all the other languages, so I'm not sure I'm in a position to change anything.
There was a problem hiding this comment.
You could try to talk the team into changing this example. As it is, it will print either 1 or 3 for the version.
There was a problem hiding this comment.
Please merge as-is though, we can implement (or not) both my suggestions at a later time.
There was a problem hiding this comment.
You could try to talk the team into changing this example.
I can certainly do that. I'm not sure what I would write other than your comment verbatim however, so I'm also happy to point you at the doc. Let me know offline.
As it is, it will print either 1 or 3 for the version.
I thought it would always print (at least) 3, given that's what we raised the minimum version to above.
Introduce
spanner::SessionCreatorRoleOption, which can be passed tospanner::MakeConnection()to set thesession_template.creator_roleused when creating sessions for the connection.
Add integration test for creating and listing roles.
Add samples:
This change is