diff --git a/README.md b/README.md
index 0d9d73b..ae04aac 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ integrationcli connectors create -n name-of-the-connector -f ./test/pub_sub_conn
 **NOTES:**
 * This command assumes the token is cached, otherwise pass the token via `-t`
-* For PubSub, `integrationcli` adds the IAM permissions for the service account to publish to the topic
+* For PubSub & BigQuery, `integrationcli` adds the IAM permissions for the service account to the resource
 ### Third Party Applications
diff --git a/apiclient/iam.go b/apiclient/iam.go
index 5114af0..3e89550 100644
--- a/apiclient/iam.go
+++ b/apiclient/iam.go
@@ -133,3 +133,51 @@ func SetPubSubIAMPermission(project string, topic string, memberName string) (er
 const role = "roles/pubsub.publisher"
 return setIAMPermission(endpoint, topic, memberName, role, memberType)
 }
+
+func SetBigQueryIAMPermission(project string, datasetid string, memberName string) (err error) {
+ var endpoint = fmt.Sprintf("https://bigquery.googleapis.com/bigquery/v2/projects/%s/datasets/%s", project, datasetid)
+ const role = "WRITER"
+ var content []byte
+
+ //first fetch the information
+ respBody, err := HttpClient(false, endpoint)
+ if err != nil {
+ return err
+ }
+
+ type accessType struct {
+ Role string `json:"role,omitempty"`
+ IamMember *string `json:"iamMember,omitempty"`
+ UserByEmail *string `json:"userByEmail,omitempty"`
+ SpecialGroup *string `json:"specialGroup,omitempty"`
+ GroupByEmail *string `json:"groupByEmail,omitempty"`
+ }
+
+ type datasetType struct {
+ Access []accessType `json:"access,omitempty"`
+ }
+
+ dataset := datasetType{}
+ if err = json.Unmarshal(respBody, &dataset); err != nil {
+ return err
+ }
+
+ access := accessType{}
+ access.Role = role
+ access.UserByEmail = new(string)
+ *access.UserByEmail = memberName
+
+ //merge the updates
+ dataset.Access = append(dataset.Access, access)
+
+ if content, err = json.Marshal(dataset); err != nil {
+ return err
+ }
+
+ //patch the update
+ if _, err = HttpClient(false, endpoint, string(content), "PATCH"); err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/client/connections/connectors.go b/client/connections/connectors.go
index 39d1a1e..6c44c88 100644
--- a/client/connections/connectors.go
+++ b/client/connections/connectors.go
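Review bot: The local `accessType` in `SetBigQueryIAMPermission` models only five fields of a dataset access entry, yet the GET, append, PATCH sequence writes the whole `access` list back, so any existing entry that uses a field the struct does not name (BigQuery entries can also carry `domain`, `view`, `routine` or `dataset`) would be emptied or dropped. The append is also unconditional, so running the command twice for the same service account adds a duplicate entry. Nothing ties the PATCH to the version that was read, so an ACL change made between the two requests can be overwritten; the dataset resource carries an `etag` that could be sent back for this, though whether `HttpClient` can pass the needed header is not visible here. Keeping entries as `json.RawMessage` and returning early when the member already holds the role covers the first two points. A doc comment should state that the function grants the dataset-wide `WRITER` role.

```go
func SetBigQueryIAMPermission(project string, datasetid string, memberName string) (err error) {
	// … unchanged: endpoint, role, content and the initial GET …

	// Keep every access entry as raw JSON so fields this code does not
	// model survive the read-modify-write round trip untouched.
	type datasetType struct {
		Access []json.RawMessage `json:"access,omitempty"`
	}

	dataset := datasetType{}
	if err = json.Unmarshal(respBody, &dataset); err != nil {
		return err
	}

	// Nothing to do when the member already holds the role.
	for _, raw := range dataset.Access {
		var existing struct {
			Role        string `json:"role"`
			UserByEmail string `json:"userByEmail"`
		}
		if json.Unmarshal(raw, &existing) == nil &&
			existing.Role == role && existing.UserByEmail == memberName {
			return nil
		}
	}

	entry, err := json.Marshal(map[string]string{"role": role, "userByEmail": memberName})
	if err != nil {
		return err
	}
	dataset.Access = append(dataset.Access, entry)

	// … unchanged: marshal dataset and PATCH …
}
```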
@@ -138,9 +138,11 @@ func Create(name string, content []byte, grantPermission bool) (respBody []byte,
 // check if permissions need to be set
 if grantPermission && *c.ServiceAccount != "" {
+ var projectId string
+
 switch c.ConnectorDetails.Name {
 case "pubsub":
- var projectId, topicName string
+ var topicName string
 for _, configVar := range *c.ConfigVariables {
 if configVar.Key == "project_id" {
@@ -159,7 +161,27 @@ func Create(name string, content []byte, grantPermission bool) (respBody []byte,
 clilog.Warning.Printf("Unable to update permissions for the service account: %v\n", err)
 }
 case "bigquery":
- clilog.Warning.Println("Updating service account permissions for BQ is not supported")
+ var datasetId string
+
+ for _, configVar := range *c.ConfigVariables {
+ if configVar.Key == "project_id" {
+ projectId = *configVar.StringValue
+ }
+ if configVar.Key == "dataset_id" {
+ datasetId = *configVar.StringValue
+ }
+ }
+ if projectId == "" || datasetId == "" {
+ return nil, fmt.Errorf("projectId or datasetId was not set")
+ }
+
+ if err = apiclient.SetBigQueryIAMPermission(projectId, datasetId, *c.ServiceAccount); err != nil {
+ clilog.Warning.Printf("Unable to update permissions for the service account: %v\n", err)
+ }
+ case "gcs":
+ clilog.Warning.Println("Updating SA permissions for GCS is not currently supported")
+ case "cloudsql-postgresql":
+ clilog.Warning.Println("Updating SA permissions for cloudsql-postgresql is not currently supported")
 }
 }
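Review bot: In the new `bigquery` case, `*configVar.StringValue` is dereferenced without a nil check, so a connector file whose `project_id` or `dataset_id` entry has no string value would panic instead of reaching the "was not set" error. The guards should test the pointer as well, e.g. `if configVar.Key == "project_id" && configVar.StringValue != nil {` and the same for `dataset_id`. Both values come from the user-supplied connector JSON and are passed to `SetBigQueryIAMPermission`, which formats them into the request URL, so a short comment saying they are expected to be plain project and dataset identifiers would help. `Create` begins and ends outside this hunk, so whether the early `return nil, fmt.Errorf(...)` runs before or after the connection is created cannot be confirmed from here.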