google-cloud-bigquery 1.24.0 → 1.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 32f4b672ccecbbd45bfb9790fc4110a22244a6459c459aa40bb1c1b4b77c1094
-  data.tar.gz: 2ac69379fefad5547aac47be509a50945af647d7fe7b61e1653fc4dd9c9ca865
+  metadata.gz: ae4b6e4d7c37a945f027fe56425698b19b430f5e75451ce82f2156f2dae96719
+  data.tar.gz: d50284a47bf96d5221b574590a60b3af0f77b3a8943d201fd473d78f41a46670
 SHA512:
-  metadata.gz: 9362e5d687de750ecdbdcbb131739116d3571c58db900fdf4748b6ce480f120670fce8901a8a9cfe83ddd53bbfd5e7866e396caff66e2151dc36a22dbabc3e7f
-  data.tar.gz: f08197d575142c5c5c16ba4c09e9d96af5ccb5e92fd9b0c11b87fe8431a0cac72bc2462e57ec6080a8c2d8c45b2f92b25a908cdbab35c3116e33f41b46b82559
+  metadata.gz: 56c0b2d3214b385efb3866e502faa0b0c28c2fffc0c3d2ca3c5e1ad05f4d69e0638e68d59d8310c68d01c26c3db55b42225944379bfb8f6ad7a57eec558ced3a
+  data.tar.gz: 0562b98e65e880a40d634f541285241823354a966f4d05a559463a23eacca54addf8843f89b32731d313a56d91dfe2984f6098630c4126d7dbc97033d3dc6a81

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Release History
 
+### 1.25.0 / 2020-11-16
+
+#### Features
+
+* Add routine (UDF) to Dataset::Access
+* Add support for Table ACLS (IAM Policy)
+  * feat(bigquery): Add support for Table ACLS
+  * Add Bigquery::Policy
+  * Add Table#policy
+  * Add Table#test_iam_permissions
+  * Add Table#update_policy
+
 ### 1.24.0 / 2020-10-29
 
 #### Features

data/lib/google/cloud/bigquery/dataset/access.rb

@@ -54,6 +54,7 @@ module Google
             "groupByEmail"   => :group_by_email,
             "iam_member"     => :iam_member,
             "iamMember"      => :iam_member,
+            "routine"        => :routine,
             "special"        => :special_group,
             "special_group"  => :special_group,
             "specialGroup"   => :special_group,
@@ -212,6 +213,33 @@ module Google
             add_access_role_scope_value :reader, :special, group
           end
 
+          ##
+          # Add access to a routine from a different dataset. Queries executed
+          # against that routine will have read access to views/tables/routines
+          # in this dataset. Only UDF is supported for now. The role field is
+          # not required when this field is set. If that routine is updated by
+          # any user, access to the routine needs to be granted again via an
+          # update operation.
+          #
+          # @param [Google::Cloud::Bigquery::Routine] routine A routine object.
+          #
+          # @example
+          #   require "google/cloud/bigquery"
+          #
+          #   bigquery = Google::Cloud::Bigquery.new
+          #   dataset = bigquery.dataset "my_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
+          #
+          #   routine = other_dataset.routine "my_routine"
+          #
+          #   dataset.access do |access|
+          #     access.add_reader_routine routine
+          #   end
+          #
+          def add_reader_routine routine
+            add_access_routine routine
+          end
+
           ##
           # Add reader access to a view.
           #
@@ -227,9 +255,9 @@ module Google
           #
           #   bigquery = Google::Cloud::Bigquery.new
           #   dataset = bigquery.dataset "my_dataset"
-          #   other_dataset = bigquery.dataset "my_other_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
           #
-          #   view = other_dataset.table "my_view"
+          #   view = other_dataset.table "my_view", skip_lookup: true
           #
           #   dataset.access do |access|
           #     access.add_reader_view view
@@ -533,6 +561,28 @@ module Google
             remove_access_role_scope_value :reader, :special, group
           end
 
+          ##
+          # Remove reader access from a routine from a different dataset.
+          #
+          # @param [Google::Cloud::Bigquery::Routine] routine A routine object.
+          #
+          # @example
+          #   require "google/cloud/bigquery"
+          #
+          #   bigquery = Google::Cloud::Bigquery.new
+          #   dataset = bigquery.dataset "my_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
+          #
+          #   routine = other_dataset.routine "my_routine", skip_lookup: true
+          #
+          #   dataset.access do |access|
+          #     access.remove_reader_routine routine
+          #   end
+          #
+          def remove_reader_routine routine
+            remove_access_routine routine
+          end
+
           ##
           # Remove reader access from a view.
           #
@@ -548,9 +598,9 @@ module Google
           #
           #   bigquery = Google::Cloud::Bigquery.new
           #   dataset = bigquery.dataset "my_dataset"
-          #   other_dataset = bigquery.dataset "my_other_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
           #
-          #   view = other_dataset.table "my_view"
+          #   view = other_dataset.table "my_view", skip_lookup: true
           #
           #   dataset.access do |access|
           #     access.remove_reader_view view
@@ -849,6 +899,32 @@ module Google
             lookup_access_role_scope_value :reader, :special, group
           end
 
+          ##
+          # Checks access for a routine from a different dataset. Queries executed
+          # against that routine will have read access to views/tables/routines
+          # in this dataset. Only UDF is supported for now. The role field is
+          # not required when this field is set. If that routine is updated by
+          # any user, access to the routine needs to be granted again via an
+          # update operation.
+          #
+          # @param [Google::Cloud::Bigquery::Routine] routine A routine object.
+          #
+          # @example
+          #   require "google/cloud/bigquery"
+          #
+          #   bigquery = Google::Cloud::Bigquery.new
+          #   dataset = bigquery.dataset "my_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
+          #
+          #   routine = other_dataset.routine "my_routine", skip_lookup: true
+          #
+          #   access = dataset.access
+          #   access.reader_routine? routine #=> false
+          #
+          def reader_routine? routine
+            lookup_access_routine routine
+          end
+
           ##
           # Checks reader access for a view.
           #
@@ -864,9 +940,9 @@ module Google
           #
           #   bigquery = Google::Cloud::Bigquery.new
           #   dataset = bigquery.dataset "my_dataset"
-          #   other_dataset = bigquery.dataset "my_other_dataset"
+          #   other_dataset = bigquery.dataset "my_other_dataset", skip_lookup: true
           #
-          #   view = other_dataset.table "my_view"
+          #   view = other_dataset.table "my_view", skip_lookup: true
           #
           #   access = dataset.access
           #   access.reader_view? view #=> false
@@ -1121,12 +1197,22 @@ module Google
             @rules << Google::Apis::BigqueryV2::Dataset::Access.new(opts)
           end
 
+          # @private
+          def add_access_routine routine
+            value = routine.routine_ref
+            # Remove existing routine rule, if any
+            @rules.reject!(&find_by_scope_and_resource_ref(:routine, value))
+            # Add new rule for this role, scope, and value
+            opts = { routine: value }
+            @rules << Google::Apis::BigqueryV2::Dataset::Access.new(opts)
+          end
+
           # @private
           def add_access_view value
             # scope is view, make sure value is in the right format
             value = validate_view value
             # Remove existing view rule, if any
-            @rules.reject!(&find_view(value))
+            @rules.reject!(&find_by_scope_and_resource_ref(:view, value))
             # Add new rule for this role, scope, and value
             opts = { view: value }
             @rules << Google::Apis::BigqueryV2::Dataset::Access.new(opts)
@@ -1144,12 +1230,18 @@ module Google
             )
           end
 
+          # @private
+          def remove_access_routine routine
+            # Remove existing routine rule, if any
+            @rules.reject!(&find_by_scope_and_resource_ref(:routine, routine.routine_ref))
+          end
+
           # @private
           def remove_access_view value
             # scope is view, make sure value is in the right format
             value = validate_view value
             # Remove existing view rule, if any
-            @rules.reject!(&find_view(value))
+            @rules.reject!(&find_by_scope_and_resource_ref(:view, value))
           end
 
           # @private
@@ -1162,12 +1254,18 @@ module Google
             !(!@rules.detect(&find_by_role_and_scope_and_value(role, scope, value)))
           end
 
+          # @private
+          def lookup_access_routine routine
+            # Detect routine rule, if any
+            !(!@rules.detect(&find_by_scope_and_resource_ref(:routine, routine.routine_ref)))
+          end
+
           # @private
           def lookup_access_view value
             # scope is view, make sure value is in the right format
             value = validate_view value
             # Detect view rule, if any
-            !(!@rules.detect(&find_view(value)))
+            !(!@rules.detect(&find_by_scope_and_resource_ref(:view, value)))
           end
 
           # @private
@@ -1186,11 +1284,11 @@ module Google
             end
           end
 
-          # @private
-          def find_view value
+          # @private Compare hash representations to find table_ref, routine_ref.
+          def find_by_scope_and_resource_ref scope, value
             lambda do |a|
               h = a.to_h
-              h[:view].to_h == value.to_h
+              h[scope].to_h == value.to_h
             end
           end
         end

data/lib/google/cloud/bigquery/policy.rb

@@ -0,0 +1,431 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+require "google/apis/bigquery_v2"
+
+module Google
+  module Cloud
+    module Bigquery
+      ##
+      # # Policy
+      #
+      # Represents a Cloud IAM Policy for BigQuery resources.
+      #
+      # A Policy is a collection of bindings. A {Policy::Binding} binds one or more members to a single role. Member
+      # strings can describe user accounts, service accounts, Google groups, and domains. A role string represents a
+      # named list of permissions; each role can be an IAM predefined role or a user-created custom role.
+      #
+      # @see https://cloud.google.com/iam/docs/managing-policies Managing Policies
+      # @see https://cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables
+      #
+      # @attr [String] etag Used to check if the policy has changed since the last request. When you make a request with
+      #   an `etag` value, Cloud IAM compares the `etag` value in the request with the existing `etag` value associated
+      #   with the policy. It writes the policy only if the `etag` values match.
+      # @attr [Array<Binding>] bindings The bindings in the policy, which may be mutable or frozen depending on the
+      #   context. See [Understanding Roles](https://cloud.google.com/iam/docs/understanding-roles) for a list of
+      #   primitive and curated roles. See [BigQuery Table ACL
+      #   permissions](https://cloud.google.com/bigquery/docs/table-access-controls-intro#permissions) for a list of
+      #   values and patterns for members.
+      #
+      # @example
+      #   require "google/cloud/bigquery"
+      #
+      #   bigquery = Google::Cloud::Bigquery.new
+      #   dataset = bigquery.dataset "my_dataset"
+      #   table = dataset.table "my_table"
+      #   policy = table.policy
+      #
+      #   policy.frozen? #=> true
+      #   binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }
+      #
+      #   binding_owner.role #=> "roles/owner"
+      #   binding_owner.members #=> ["user:owner@example.com"]
+      #   binding_owner.frozen? #=> true
+      #   binding_owner.members.frozen? #=> true
+      #
+      # @example Update mutable bindings in the policy.
+      #   require "google/cloud/bigquery"
+      #
+      #   bigquery = Google::Cloud::Bigquery.new
+      #   dataset = bigquery.dataset "my_dataset"
+      #   table = dataset.table "my_table"
+      #
+      #   table.update_policy do |p|
+      #     p.grant role: "roles/viewer", members: "user:viewer@example.com"
+      #     p.revoke role: "roles/editor", members: "user:editor@example.com"
+      #     p.revoke role: "roles/owner"
+      #   end
+      #
+      # @example Iterate over frozen bindings.
+      #   require "google/cloud/bigquery"
+      #
+      #   bigquery = Google::Cloud::Bigquery.new
+      #   dataset = bigquery.dataset "my_dataset"
+      #   table = dataset.table "my_table"
+      #   policy = table.policy
+      #
+      #   policy.frozen? #=> true
+      #   policy.bindings.each do |b|
+      #     puts b.role
+      #     puts b.members
+      #   end
+      #
+      # @example Update mutable bindings.
+      #   require "google/cloud/bigquery"
+      #
+      #   bigquery = Google::Cloud::Bigquery.new
+      #   dataset = bigquery.dataset "my_dataset"
+      #   table = dataset.table "my_table"
+      #
+      #   table.update_policy do |p|
+      #     p.bindings.each do |b|
+      #       b.members.delete_if { |m| m.include? "@example.com" }
+      #     end
+      #   end
+      #
+      class Policy
+        attr_reader :etag, :bindings
+
+        # @private
+        def initialize etag, bindings
+          @etag = etag.freeze
+          @bindings = bindings
+        end
+
+        ##
+        # Convenience method adding or updating a binding in the policy. See [Understanding
+        # Roles](https://cloud.google.com/iam/docs/understanding-roles) for a list of primitive and curated roles. See
+        # [BigQuery Table ACL
+        # permissions](https://cloud.google.com/bigquery/docs/table-access-controls-intro#permissions) for a list of
+        # values and patterns for members.
+        #
+        # @param [String] role The role that is bound to members in the binding. For example, `roles/viewer`,
+        #   `roles/editor`, or `roles/owner`. Required.
+        # @param [String, Array<String>] members Specifies the identities requesting access for a Cloud Platform
+        #   resource. `members` can have the following values. Required.
+        #
+        #   * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
+        #     account.
+        #   * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
+        #     account or a service account.
+        #   * `user:<emailid>`: An email address that represents a specific Google account. For example,
+        #     `alice@example.com`.
+        #   * `serviceAccount:<emailid>`: An email address that represents a service account. For example,
+        #     `my-other-app@appspot.gserviceaccount.com`.
+        #   * `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
+        #   * `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
+        #     that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
+        #     is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
+        #     binding.
+        #   * `deleted: serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing
+        #     a service account that has been recently deleted. For example,
+        #     `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted,
+        #     this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in
+        #     the binding.
+        #   * `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google
+        #     group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the
+        #     group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in
+        #     the binding.
+        #   * `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example,
+        #     `google.com` or `example.com`.
+        #
+        # @return [nil]
+        #
+        # @example Grant a role to a member.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     p.grant role: "roles/viewer", members: "user:viewer@example.com"
+        #   end
+        #
+        def grant role:, members:
+          existing_binding = bindings.find { |b| b.role == role }
+          if existing_binding
+            existing_binding.members.concat Array(members)
+            existing_binding.members.uniq!
+          else
+            bindings << Binding.new(role, members)
+          end
+          nil
+        end
+
+        ##
+        # Convenience method for removing a binding or bindings from the policy. See
+        # [Understanding Roles](https://cloud.google.com/iam/docs/understanding-roles) for a list of primitive and
+        # curated roles. See [BigQuery Table ACL
+        # permissions](https://cloud.google.com/bigquery/docs/table-access-controls-intro#permissions) for a list of
+        # values and patterns for members.
+        #
+        # @param [String] role A role that is bound to members in the policy. For example, `roles/viewer`,
+        #   `roles/editor`, or `roles/owner`. Optional.
+        # @param [String, Array<String>] members Specifies the identities receiving access for a Cloud Platform
+        #   resource. `members` can have the following values. Optional.
+        #
+        #   * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
+        #     account.
+        #   * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
+        #     account or a service account.
+        #   * `user:<emailid>`: An email address that represents a specific Google account. For example,
+        #     `alice@example.com`.
+        #   * `serviceAccount:<emailid>`: An email address that represents a service account. For example,
+        #     `my-other-app@appspot.gserviceaccount.com`.
+        #   * `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
+        #   * `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
+        #     that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
+        #     is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
+        #     binding.
+        #   * `deleted: serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing
+        #     a service account that has been recently deleted. For example,
+        #     `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted,
+        #     this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in
+        #     the binding.
+        #   * `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google
+        #     group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the
+        #     group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in
+        #     the binding.
+        #   * `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example,
+        #     `google.com` or `example.com`.
+        #
+        # @return [nil]
+        #
+        # @example Revoke a role for a member or members.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     p.revoke role: "roles/viewer", members: "user:viewer@example.com"
+        #   end
+        #
+        # @example Revoke a role for all members.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     p.revoke role: "roles/viewer"
+        #   end
+        #
+        # @example Revoke all roles for a member or members.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     p.revoke members: ["user:viewer@example.com", "user:editor@example.com"]
+        #   end
+        #
+        def revoke role: nil, members: nil
+          bindings_for_role = role ? bindings.select { |b| b.role == role } : bindings
+          bindings_for_role.each do |b|
+            if members
+              b.members -= Array(members)
+              bindings.delete b if b.members.empty?
+            else
+              bindings.delete b
+            end
+          end
+          nil
+        end
+
+        ##
+        # @private Convert the Policy to a Google::Apis::BigqueryV2::Policy.
+        def to_gapi
+          Google::Apis::BigqueryV2::Policy.new(
+            bindings: bindings_to_gapi,
+            etag:     etag,
+            version:  1
+          )
+        end
+
+        ##
+        # @private Deep freeze the policy including its bindings.
+        def freeze
+          super
+          @bindings.each(&:freeze)
+          @bindings.freeze
+          self
+        end
+
+        ##
+        # @private New Policy from a Google::Apis::BigqueryV2::Policy object.
+        def self.from_gapi gapi
+          bindings = Array(gapi.bindings).map do |binding|
+            Binding.new binding.role, binding.members.to_a
+          end
+          new gapi.etag, bindings
+        end
+
+        ##
+        # # Policy::Binding
+        #
+        # Represents a Cloud IAM Binding for BigQuery resources within the context of a {Policy}.
+        #
+        # A binding binds one or more members to a single role. Member strings can describe user accounts, service
+        # accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM
+        # predefined role or a user-created custom role.
+        #
+        # @see https://cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables
+        #
+        # @attr [String] role The role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or
+        #   `roles/owner`. Required.
+        # @attr [Array<String>] members Specifies the identities requesting access for a Cloud Platform resource.
+        #   `members` can have the following values. Required.
+        #
+        #   * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
+        #     account.
+        #   * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
+        #     account or a service account.
+        #   * `user:<emailid>`: An email address that represents a specific Google account. For example,
+        #     `alice@example.com`.
+        #   * `serviceAccount:<emailid>`: An email address that represents a service account. For example,
+        #     `my-other-app@appspot.gserviceaccount.com`.
+        #   * `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
+        #   * `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
+        #     that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
+        #     is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
+        #     binding.
+        #   * `deleted: serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing
+        #     a service account that has been recently deleted. For example,
+        #     `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted,
+        #     this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains the role in
+        #     the binding.
+        #   * `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a Google
+        #     group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the
+        #     group is recovered, this value reverts to `group:<emailid>` and the recovered group retains the role in
+        #     the binding.
+        #   * `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For example,
+        #     `google.com` or `example.com`.
+        #
+        # @example
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   policy = table.policy
+        #   binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }
+        #
+        #   binding_owner.role #=> "roles/owner"
+        #   binding_owner.members #=> ["user:owner@example.com"]
+        #
+        #   binding_owner.frozen? #=> true
+        #   binding_owner.members.frozen? #=> true
+        #
+        # @example Update mutable bindings.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     binding_owner = p.bindings.find { |b| b.role == "roles/owner" }
+        #     binding_owner.members.delete_if { |m| m.include? "@example.com" }
+        #   end
+        #
+        class Binding
+          attr_accessor :role
+          attr_reader :members
+
+          # @private
+          def initialize role, members
+            members = Array(members).uniq
+            raise ArgumentError, "members cannot be empty" if members.empty?
+            @role = role
+            @members = members
+          end
+
+          ##
+          # Sets the binding members.
+          #
+          # @param [Array<String>] new_members Specifies the identities requesting access for a Cloud Platform resource.
+          #   `new_members` can have the following values. Required.
+          #
+          #   * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google
+          #     account.
+          #   * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google
+          #     account or a service account.
+          #   * `user:<emailid>`: An email address that represents a specific Google account. For example,
+          #     `alice@example.com`.
+          #   * `serviceAccount:<emailid>`: An email address that represents a service account. For example,
+          #     `my-other-app@appspot.gserviceaccount.com`.
+          #   * `group:<emailid>`: An email address that represents a Google group. For example, `admins@example.com`.
+          #   * `deleted:user:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a user
+          #     that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user
+          #     is recovered, this value reverts to `user:<emailid>` and the recovered user retains the role in the
+          #     binding.
+          #   * `deleted: serviceAccount:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier)
+          #     representing a service account that has been recently deleted. For example,
+          #     `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is
+          #     undeleted, this value reverts to `serviceAccount:<emailid>` and the undeleted service account retains
+          #     the role in the binding.
+          #   * `deleted:group:<emailid>?uid=<uniqueid>`: An email address (plus unique identifier) representing a
+          #     Google group that has been recently deleted. For example,
+          #     `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to
+          #     `group:<emailid>` and the recovered group retains the role in the binding.
+          #   * `domain:<domain>`: The G Suite domain (primary) that represents all the users of that domain. For
+          #     example, `google.com` or `example.com`.
+          #
+          def members= new_members
+            @members = Array(new_members).uniq
+          end
+
+          ##
+          # @private Convert the Binding to a Google::Apis::BigqueryV2::Binding.
+          def to_gapi
+            Google::Apis::BigqueryV2::Binding.new role: role, members: members
+          end
+
+          ##
+          # @private Deep freeze the policy including its members.
+          def freeze
+            super
+            role.freeze
+            members.each(&:freeze)
+            members.freeze
+            self
+          end
+
+          ##
+          # @private New Binding from a Google::Apis::BigqueryV2::Binding object.
+          def self.from_gapi gapi
+            new gapi.etag, gapi.members.to_a
+          end
+        end
+
+        protected
+
+        def bindings_to_gapi
+          @bindings.compact.uniq.map do |b|
+            next if b.members.empty?
+            b.to_gapi
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/cloud/bigquery/service.rb

@@ -182,6 +182,34 @@ module Google
           end
         end
 
+        ##
+        # Returns Google::Apis::BigqueryV2::Policy
+        def get_table_policy dataset_id, table_id
+          policy_options = API::GetPolicyOptions.new requested_policy_version: 1
+          execute do
+            service.get_table_iam_policy table_path(dataset_id, table_id),
+                                         API::GetIamPolicyRequest.new(options: policy_options)
+          end
+        end
+
+        ##
+        # @param [Google::Apis::BigqueryV2::Policy] new_policy
+        def set_table_policy dataset_id, table_id, new_policy
+          execute do
+            service.set_table_iam_policy table_path(dataset_id, table_id),
+                                         API::SetIamPolicyRequest.new(policy: new_policy)
+          end
+        end
+
+        ##
+        # Returns Google::Apis::BigqueryV2::TestIamPermissionsResponse
+        def test_table_permissions dataset_id, table_id, permissions
+          execute do
+            service.test_table_iam_permissions table_path(dataset_id, table_id),
+                                               API::TestIamPermissionsRequest.new(permissions: permissions)
+          end
+        end
+
         ##
         # Deletes the table specified by tableId from the dataset.
         # If the table contains data, all the data will be deleted.
@@ -508,6 +536,11 @@ module Google
 
         protected
 
+        # Creates a formatted table path.
+        def table_path dataset_id, table_id
+          "projects/#{@project}/datasets/#{dataset_id}/tables/#{table_id}"
+        end
+
         # Generate a random string similar to the BigQuery service job IDs.
         def generate_id
           SecureRandom.urlsafe_base64 21

data/lib/google/cloud/bigquery/table.rb

@@ -23,6 +23,7 @@ require "google/cloud/bigquery/external"
 require "google/cloud/bigquery/insert_response"
 require "google/cloud/bigquery/table/async_inserter"
 require "google/cloud/bigquery/convert"
+require "google/cloud/bigquery/policy"
 require "google/apis/bigquery_v2"
 
 module Google
@@ -1274,6 +1275,107 @@ module Google
           Array(udfs_gapi).map { |udf| udf.inline_code || udf.resource_uri }
         end
 
+        ##
+        # Gets the Cloud IAM access control policy for the table. The latest policy will be read from the service. See
+        # also {#update_policy}.
+        #
+        # @see https://cloud.google.com/iam/docs/managing-policies Managing Policies
+        # @see https://cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables
+        #
+        # @return [Policy] The frozen policy for the table.
+        #
+        # @example
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   policy = table.policy
+        #
+        #   policy.frozen? #=> true
+        #   binding_owner = policy.bindings.find { |b| b.role == "roles/owner" }
+        #   binding_owner.role #=> "roles/owner"
+        #   binding_owner.members #=> ["user:owner@example.com"]
+        #   binding_owner.frozen? #=> true
+        #   binding_owner.members.frozen? #=> true
+        #
+        def policy
+          raise ArgumentError, "Block argument not supported: Use #update_policy instead." if block_given?
+          ensure_service!
+          gapi = service.get_table_policy dataset_id, table_id
+          Policy.from_gapi(gapi).freeze
+        end
+
+        ##
+        # Updates the Cloud IAM access control policy for the table. The latest policy will be read from the service.
+        # See also {#policy}.
+        #
+        # @see https://cloud.google.com/iam/docs/managing-policies Managing Policies
+        # @see https://cloud.google.com/bigquery/docs/table-access-controls-intro Controlling access to tables
+        #
+        # @yield [policy] A block for updating the policy. The latest policy will be read from the service and passed to
+        #   the block. After the block completes, the modified policy will be written to the service.
+        # @yieldparam [Policy] policy The mutable Policy for the table.
+        #
+        # @return [Policy] The updated and frozen policy for the table.
+        #
+        # @example Update the policy by passing a block.
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   table.update_policy do |p|
+        #     p.grant role: "roles/viewer", members: "user:viewer@example.com"
+        #     p.revoke role: "roles/editor", members: "user:editor@example.com"
+        #     p.revoke role: "roles/owner"
+        #   end # 2 API calls
+        #
+        def update_policy
+          raise ArgumentError, "A block updating the policy must be provided" unless block_given?
+          ensure_service!
+          gapi = service.get_table_policy dataset_id, table_id
+          policy = Policy.from_gapi gapi
+          yield policy
+          # TODO: Check for changes before calling RPC
+          gapi = service.set_table_policy dataset_id, table_id, policy.to_gapi
+          Policy.from_gapi(gapi).freeze
+        end
+
+        ##
+        # Tests the specified permissions against the [Cloud
+        # IAM](https://cloud.google.com/iam/) access control policy.
+        #
+        # @see https://cloud.google.com/iam/docs/managing-policies Managing Policies
+        #
+        # @param [String, Array<String>] permissions The set of permissions
+        #   against which to check access. Permissions must be of the format
+        #   `bigquery.resource.capability`.
+        #   See https://cloud.google.com/bigquery/docs/access-control#bigquery.
+        #
+        # @return [Array<String>] The frozen array of permissions held by the caller.
+        #
+        # @example
+        #   require "google/cloud/bigquery"
+        #
+        #   bigquery = Google::Cloud::Bigquery.new
+        #   dataset = bigquery.dataset "my_dataset"
+        #   table = dataset.table "my_table"
+        #
+        #   permissions = table.test_iam_permissions "bigquery.tables.get",
+        #                                            "bigquery.tables.delete"
+        #   permissions.include? "bigquery.tables.get"    #=> true
+        #   permissions.include? "bigquery.tables.delete" #=> false
+        #
+        def test_iam_permissions *permissions
+          permissions = Array(permissions).flatten
+          ensure_service!
+          gapi = service.test_table_permissions dataset_id, table_id, permissions
+          gapi.permissions.freeze
+        end
+
         ##
         # Retrieves data from the table.
         #

data/lib/google/cloud/bigquery/version.rb

@@ -16,7 +16,7 @@
 module Google
   module Cloud
     module Bigquery
-      VERSION = "1.24.0".freeze
+      VERSION = "1.25.0".freeze
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-bigquery
 version: !ruby/object:Gem::Version
-  version: 1.24.0
+  version: 1.25.0
 platform: ruby
 authors:
 - Mike Moore
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-29 00:00:00.000000000 Z
+date: 2020-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -257,6 +257,7 @@ files:
 - lib/google/cloud/bigquery/load_job.rb
 - lib/google/cloud/bigquery/model.rb
 - lib/google/cloud/bigquery/model/list.rb
+- lib/google/cloud/bigquery/policy.rb
 - lib/google/cloud/bigquery/project.rb
 - lib/google/cloud/bigquery/project/list.rb
 - lib/google/cloud/bigquery/query_job.rb