Implement an OCC loop to update IAM policy bindings #539

Open
coryan opened this issue Dec 24, 2024 · 0 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

coryan commented Dec 24, 2024

When working with IAM policies, applications typically want to do something like "add this member to that role". Because IAM only supports "change all the policies", applications need to make multiple RPCs, something like:

  1. Call get_iam_policy(...) to get the current IAM policy
  2. Update the local copy of the policy
  3. Apply the change with set_iam_policy(...).

The IAM policy may change between steps 1 and 3; without some pre-condition, that sequence of steps may overwrite the other changes. So the code becomes:

  1. Call get_iam_policy(...) to get the current IAM policy
  2. Update the local copy of the policy.
  3. Apply the change with set_iam_policy(...) and with the etag obtained in (1) to avoid overwrites
  4. If it succeeds: 🎉 we are done.
  5. If it fails with ABORTED, that indicates a separate change; go back to step (1)
  6. If it fails with a different error, return this error.
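
Added example, not part of the issue and not the project's code: a std-only Rust sketch of the six-step loop above, run against a constructed in-memory fake in which concurrent writers change the policy between the get and the set. The `Policy`, `Error`, `Iam`, `Fake` and `add_member` names are hypothetical, and the `max_attempts` bound is an assumption the issue does not mention.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical types for illustration; not the client library's API.
#[derive(Clone, Debug, Default)]
pub struct Policy {
    pub etag: u64,
    pub bindings: BTreeMap<String, BTreeSet<String>>, // role -> members
}

#[derive(Debug, PartialEq)]
pub enum Error { Aborted, Other(String) }

pub trait Iam {
    fn get_iam_policy(&mut self) -> Result<Policy, Error>;
    fn set_iam_policy(&mut self, p: Policy) -> Result<Policy, Error>;
}

/// Read-modify-write guarded by the etag; retries only on ABORTED.
pub fn add_member(iam: &mut dyn Iam, role: &str, member: &str, max_attempts: u32) -> Result<Policy, Error> {
    for _ in 0..max_attempts {
        let mut policy = iam.get_iam_policy()?; // step 1
        policy.bindings.entry(role.to_string()).or_default().insert(member.to_string()); // step 2
        match iam.set_iam_policy(policy) { // step 3: carries the etag from step 1
            Err(Error::Aborted) => continue, // step 5: someone else changed the policy
            other => return other,           // step 4 (success) or step 6 (other error)
        }
    }
    Err(Error::Aborted) // assumption: give up after max_attempts instead of looping forever
}

// Constructed fake: `races` concurrent writers each change the policy after a get.
pub struct Fake { pub stored: Policy, pub races: u32 }

impl Iam for Fake {
    fn get_iam_policy(&mut self) -> Result<Policy, Error> {
        let snapshot = self.stored.clone();
        if self.races > 0 {
            self.races -= 1;
            self.stored.etag += 1;
            let other = format!("user:other{}@example.com", self.races);
            self.stored.bindings.entry("roles/viewer".into()).or_default().insert(other);
        }
        Ok(snapshot)
    }
    fn set_iam_policy(&mut self, p: Policy) -> Result<Policy, Error> {
        if p.etag != self.stored.etag { return Err(Error::Aborted); } // stale etag: refuse the overwrite
        self.stored = Policy { etag: p.etag + 1, bindings: p.bindings };
        Ok(self.stored.clone())
    }
}
```

With two racing writers the call succeeds on the third attempt and the final policy still contains both concurrently added members, which is the overwrite the etag precondition prevents.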