File: //snap/google-cloud-cli/current/lib/surface/container/fleet/scopes/rbacrolebindings/update.py
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to update fleet information."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.fleet import client
from googlecloudsdk.api_lib.container.fleet import util
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.fleet import resources
from googlecloudsdk.command_lib.util.args import labels_util
@base.DefaultUniverseOnly
class Update(base.UpdateCommand):
"""Update a fleet scope RBAC RoleBinding.
This command can fail for the following reasons:
* The RoleBinding does not exist in the project.
* The caller does not have permission to access the RoleBinding.
## EXAMPLES
To update the RBAC RoleBinding `RBRB` in scope `SCOPE` in the active
project to the `viewer` role:
$ {command} RBRB --scope=SCOPE --role=viewer
To update the RBAC RoleBinding `RBRB` in scope `SCOPE` in the active
project to the custom role `custom-role`:
$ {command} RBRB --scope=SCOPE --custom-role=custom-role
To update the RBAC RoleBinding `RBRB` in scope `SCOPE` in the active
project to the user `someone@google.com`:
$ {command} RBRB --scope=SCOPE --user=someone@google.com
"""
@classmethod
def Args(cls, parser):
resources.AddScopeRBACResourceArg(
parser,
api_version=util.VERSION_MAP[cls.ReleaseTrack()],
rbacrb_help=(
'Name of the RBAC RoleBinding to be updated. '
'Must comply with RFC 1123 (up to 63 characters, '
"alphanumeric and '-')"
),
)
group = parser.add_mutually_exclusive_group()
group.add_argument(
'--user',
type=str,
help='User for the RBACRoleBinding to update to.',
)
group.add_argument(
'--group',
type=str,
help='Group for the RBACRoleBinding to update to.',
)
roledef = parser.add_mutually_exclusive_group()
roledef.add_argument(
'--role',
choices=['admin', 'edit', 'view'],
help='Predefined role to assign to principal (admin, edit, view).',
)
roledef.add_argument(
'--custom-role',
type=str,
help='Custom role to assign to principal.',
)
labels_util.AddUpdateLabelsFlags(parser)
def Run(self, args):
fleetclient = client.FleetClient(release_track=self.ReleaseTrack())
mask = []
current_rbac_rolebinding = fleetclient.GetScopeRBACRoleBinding(
resources.RBACResourceName(args)
)
for flag in ['role', 'custom_role', 'user', 'group']:
if args.IsKnownAndSpecified(flag):
# Both the role and custom_role can be updated with the "role" mask.
if flag == 'role' or flag == 'custom_role':
mask.append('role')
else:
mask.append(flag)
# update GCP labels for namespace resource
labels_diff = labels_util.Diff.FromUpdateArgs(args)
new_labels = labels_diff.Apply(
fleetclient.messages.RBACRoleBinding.LabelsValue,
current_rbac_rolebinding.labels,
).GetOrNone()
if new_labels:
mask.append('labels')
# if there's nothing to update, then return
if not mask:
return
custom_role = args.custom_role
return fleetclient.UpdateScopeRBACRoleBinding(
resources.RBACResourceName(args),
user=args.user,
group=args.group,
role=args.role,
custom_role=custom_role,
labels=new_labels,
mask=','.join(mask),
)