google-cloud-bigquery 1.60.0 → 1.61.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cfd8eb30d69f00bd5456b486ff5fa103b58ef743f7218bab37ec26024c7b8ef2
-  data.tar.gz: 35b45c78ebdb2561f5e059ba52c3998232262607bbdbb9240bbe3ec14f738624
+  metadata.gz: ae087fd9a1d2cc0921fe7b72c505fe3828add1beefa9482f4323de8759a6ef1f
+  data.tar.gz: 7390b66a15f2b1b63efd8ce65b94190f437d8f20a3184512722e41d5f9a80e3f
 SHA512:
-  metadata.gz: 715cc0d0301c141f589f8e968fcb1aaa862d036fcf74775184a1a1cfc6c2aa56e35bbf6c5abccabebea5be5ebfca59939905ae56c5985953326167fd712be8ec
-  data.tar.gz: fd1c105c9eae04b004176351ead6287d856bc3f4a8c8ecee4ab6931a7b8ae1aded11a3c32faa296af725d0115edb8a793f9bfe9172c6f181ba0432e504dc140e
+  metadata.gz: d645597d965f183c9eefcdbbd7d5759eef90f05a68ac5210291dab1146924bb0bc3bd0b5c25f42055b4750474125123333333de177e40fb100d160af179eee62
+  data.tar.gz: c08b54e15f8fdc7177f97ee7d073ab32057bce243ce0465dc26c121a29cbf95f913f1045eaafffcf614037e13c47d37b58dd00d386f30f268def6a50425b73b5

data/AUTHENTICATION.md

@@ -28,6 +28,12 @@ providing **Project ID** and **Service Account Credentials** directly in code.
 
 **Credentials** are discovered in the following order:
 
+> [!WARNING]
+> If you accept a credential configuration (JSON file or Hash) from an
+> external source for authentication to Google Cloud, you must validate it before
+> providing it to a Google API client library. Providing an unvalidated credential
+> configuration to Google APIs can compromise the security of your systems and data.
+
 1. Specify credentials in method arguments
 2. Specify credentials in configuration
 3. Discover credentials path in environment variables
@@ -81,11 +87,16 @@ The **Project ID** and the path to the **Credentials JSON** file can be configur
 instead of placing them in environment variables or providing them as arguments.
 
 ```ruby
+require "googleauth"
 require "google/cloud/bigquery"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 Google::Cloud::Bigquery.configure do |config|
   config.project_id  = "my-project-id"
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = credentials
 end
 
 bigquery = Google::Cloud::Bigquery.new

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Release History
 
+### 1.61.0 (2025-11-04)
+
+#### Features
+
+* Support fine grained ACLs ([#31772](https://github.com/googleapis/google-cloud-ruby/issues/31772)) 
+#### Documentation
+
+* add warning about loading unvalidated credentials ([#32121](https://github.com/googleapis/google-cloud-ruby/issues/32121)) 
+
 ### 1.60.0 (2025-10-24)
 
 #### Features

data/lib/google/cloud/bigquery/dataset.rb

@@ -29,6 +29,48 @@ require "google/apis/bigquery_v2"
 module Google
   module Cloud
     module Bigquery
+      module DatasetView
+        # Provides constants for the dataset_view parameter, an optional field
+        # in the GetDatasetRequest used to specify which information about a
+        # BigQuery dataset should be returned in the response. By controlling
+        # this parameter, users can request a partial or full response, which
+        # helps enforce fine-grained access control based on their permissions.
+
+        # Default. Equivalent to `FULL`. `datasets.get` and `datasets.getIamPolicy` permissions required.
+        DATASET_VIEW_UNSPECIFIED = "DATASET_VIEW_UNSPECIFIED".freeze
+
+        # Returns metadata only. `datasets.get` permission required.
+        METADATA = "METADATA".freeze
+
+        # Returns ACLs only. `datasets.getIamPolicy` permission required.
+        ACL = "ACL".freeze
+
+        # Returns metadata and ACLs. `datasets.get` and `datasets.getIamPolicy` permissions required.
+        FULL = "FULL".freeze
+      end
+
+      module UpdateMode
+        # Provides constants for the update_mode parameter, an optional field
+        # in the PatchDatasetRequest and UpdateDatasetRequest used to specify
+        # whether the resource is being updated with full or partial semantics
+        # (metadata, ACLs, or both).
+        # By controlling this parameter, users can request full or partial
+        # update semantics, which helps enforce fine-grained access control
+        # based on their permissions.
+
+        # Default. Equivalent to `UPDATE_FULL`. `datasets.update` and `datasets.setIamPolicy` permissions required.
+        UPDATE_MODE_UNSPECIFIED = "UPDATE_MODE_UNSPECIFIED".freeze
+
+        # Updates both metadata and ACLs. `datasets.update` and `datasets.setIamPolicy` permissions required.
+        UPDATE_FULL = "UPDATE_FULL".freeze
+
+        # Updates only metadata. `datasets.update` permission required.
+        UPDATE_METADATA = "UPDATE_METADATA".freeze
+
+        # Updates only ACLs. `datasets.setIamPolicy` permission required.
+        UPDATE_ACL = "UPDATE_ACL".freeze
+      end
+
       ##
       # # Dataset
       #
@@ -63,6 +105,13 @@ module Google
         # @private Access Policy Version for get, update, patch, and insert API calls
         attr_accessor :access_policy_version
 
+        ##
+        # @private The dataset_view parameter is an optional field in the GetDatasetRequest used to specify which
+        # information about a BigQuery dataset should be returned in the response. By controlling this parameter, users
+        # can request a partial or full response, which helps enforce fine-grained access control based on their
+        # permissions.
+        attr_accessor :dataset_view
+
         ##
         # @private Create an empty Dataset object.
         def initialize
@@ -70,6 +119,7 @@ module Google
           @gapi = nil
           @reference = nil
           @access_policy_version = nil
+          @dataset_view = nil
         end
 
         ##
@@ -2610,7 +2660,8 @@ module Google
         #
         def reload!
           ensure_service!
-          @gapi = service.get_project_dataset project_id, dataset_id, access_policy_version: @access_policy_version
+          @gapi = service.get_project_dataset project_id, dataset_id, access_policy_version: @access_policy_version,
+            dataset_view: @dataset_view
           @reference = nil
           @exists = nil
           self
@@ -2739,11 +2790,12 @@ module Google
 
         ##
         # @private New Dataset from a Google API Client object.
-        def self.from_gapi gapi, conn, access_policy_version: nil
+        def self.from_gapi gapi, conn, access_policy_version: nil, dataset_view: nil
           new.tap do |f|
             f.gapi = gapi
             f.service = conn
             f.access_policy_version = access_policy_version
+            f.dataset_view = dataset_view
           end
         end
 
@@ -3064,10 +3116,25 @@ module Google
         def patch_gapi! *attributes
           return if attributes.empty?
           ensure_service!
+
           patch_args = attributes.to_h { |attr| [attr, @gapi.send(attr)] }
+
+          update_mode = nil
+          has_access_key = patch_args.key? :access
+          other_keys_exist = (patch_args.keys - [:access]).any?
+
+          if has_access_key && !other_keys_exist
+            update_mode = UpdateMode::UPDATE_ACL
+          elsif !has_access_key && other_keys_exist
+            update_mode = UpdateMode::UPDATE_METADATA
+          elsif has_access_key && other_keys_exist
+            update_mode = UpdateMode::FULL
+          end
+
           patch_gapi = Google::Apis::BigqueryV2::Dataset.new(**patch_args)
           patch_gapi.etag = etag if etag
-          @gapi = service.patch_dataset dataset_id, patch_gapi, access_policy_version: @access_policy_version
+          @gapi = service.patch_dataset dataset_id, patch_gapi, access_policy_version: @access_policy_version,
+update_mode: update_mode
         end
 
         ##

data/lib/google/cloud/bigquery/project.rb

@@ -1536,6 +1536,13 @@ module Google
         #   mapped to
         #   [IAM Policy version](https://cloud.google.com/iam/docs/policies#versions)
         #   and will be used to set policy in IAM.
+        # @param [String] dataset_view The dataset_view parameter is an optional
+        #   field in the GetDatasetRequest used to specify which information
+        #   about a BigQuery dataset should be returned in the response. By
+        #   controlling this parameter, users can request a partial or full
+        #   response, which helps enforce fine-grained access control based on
+        #   their permissions. {Google::Cloud::Bigquery::DatasetView} provides
+        #   constants for this parameter.
         #
         # @return [Google::Cloud::Bigquery::Dataset, nil] Returns `nil` if the
         #   dataset does not exist.
@@ -1563,12 +1570,13 @@ module Google
         #
         #   dataset = bigquery.dataset "my_dataset", skip_lookup: true
         #
-        def dataset dataset_id, skip_lookup: nil, project_id: nil, access_policy_version: nil
+        def dataset dataset_id, skip_lookup: nil, project_id: nil, access_policy_version: nil, dataset_view: nil
           ensure_service!
           project_id ||= project
           return Dataset.new_reference project_id, dataset_id, service if skip_lookup
-          gapi = service.get_project_dataset project_id, dataset_id, access_policy_version: access_policy_version
-          Dataset.from_gapi gapi, service, access_policy_version: access_policy_version
+          gapi = service.get_project_dataset project_id, dataset_id, access_policy_version: access_policy_version,
+dataset_view: dataset_view
+          Dataset.from_gapi gapi, service, access_policy_version: access_policy_version, dataset_view: dataset_view
         rescue Google::Cloud::NotFoundError
           nil
         end
@@ -1601,6 +1609,14 @@ module Google
         #   mapped to
         #   [IAM Policy version](https://cloud.google.com/iam/docs/policies#versions)
         #   and will be used to set policy in IAM.
+        # @param [String] dataset_view The dataset_view parameter is an optional
+        #   field in the GetDatasetRequest used to specify which information
+        #   about a BigQuery dataset should be returned in the response. By
+        #   controlling this parameter, users can request a partial or full
+        #   response, which helps enforce fine-grained access control based on
+        #   their permissions. {Google::Cloud::Bigquery::DatasetView} provides
+        #   constants for this parameter.
+        #
         # @yield [access] a block for setting rules
         # @yieldparam [Google::Cloud::Bigquery::Dataset] access the object
         #   accepting rules
@@ -1633,7 +1649,8 @@ module Google
         #   end
         #
         def create_dataset dataset_id, name: nil, description: nil,
-                           expiration: nil, location: nil, access_policy_version: nil
+                           expiration: nil, location: nil, access_policy_version: nil,
+                           dataset_view: nil
           ensure_service!
 
           new_ds = Google::Apis::BigqueryV2::Dataset.new(
@@ -1657,7 +1674,7 @@ module Google
           end
 
           gapi = service.insert_dataset new_ds, access_policy_version: access_policy_version
-          Dataset.from_gapi gapi, service, access_policy_version: access_policy_version
+          Dataset.from_gapi gapi, service, access_policy_version: access_policy_version, dataset_view: dataset_view
         end
 
         ##

data/lib/google/cloud/bigquery/service.rb

@@ -109,16 +109,18 @@ module Google
 
         ##
         # Returns the dataset specified by datasetID.
-        def get_dataset dataset_id, access_policy_version: nil
-          get_project_dataset @project, dataset_id, access_policy_version: access_policy_version
+        def get_dataset dataset_id, access_policy_version: nil, dataset_view: nil
+          get_project_dataset @project, dataset_id, access_policy_version: access_policy_version,
+dataset_view: dataset_view
         end
 
         ##
         # Gets the specified dataset resource by full dataset reference.
-        def get_project_dataset project_id, dataset_id, access_policy_version: nil
+        def get_project_dataset project_id, dataset_id, access_policy_version: nil, dataset_view: nil
           # The get operation is considered idempotent
           execute backoff: true do
-            service.get_dataset project_id, dataset_id, access_policy_version: access_policy_version
+            service.get_dataset project_id, dataset_id, access_policy_version: access_policy_version,
+dataset_view: dataset_view
           end
         end
 
@@ -131,7 +133,7 @@ module Google
         ##
         # Updates information in an existing dataset, only replacing
         # fields that are provided in the submitted dataset resource.
-        def patch_dataset dataset_id, patched_dataset_gapi, access_policy_version: nil
+        def patch_dataset dataset_id, patched_dataset_gapi, access_policy_version: nil, update_mode: nil
           patch_with_backoff = false
           options = {}
           if patched_dataset_gapi.etag
@@ -141,7 +143,7 @@ module Google
           end
           execute backoff: patch_with_backoff do
             service.patch_dataset @project, dataset_id, patched_dataset_gapi, options: options,
-access_policy_version: access_policy_version
+access_policy_version: access_policy_version, update_mode: update_mode
           end
         end
 

data/lib/google/cloud/bigquery/version.rb

@@ -16,7 +16,7 @@
 module Google
   module Cloud
     module Bigquery
-      VERSION = "1.60.0".freeze
+      VERSION = "1.61.0".freeze
     end
   end
 end

data/lib/google/cloud/bigquery.rb

@@ -37,9 +37,26 @@ module Google
       #
       # @param [String] project_id Identifier for a BigQuery project. If not
       #   present, the default project for the credentials is used.
-      # @param [String, Hash, Google::Auth::Credentials] credentials The path to
-      #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-      #   Google::Auth::Credentials object. (See {Bigquery::Credentials})
+      # @param [Google::Auth::Credentials] credentials A Google::Auth::Credentials
+      #   object. (See {Bigquery::Credentials})
+      #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+      #     is deprecated. Providing an unvalidated credential configuration to
+      #     Google APIs can compromise the security of your systems and data.
+      #
+      #   @example
+      #
+      #     # The recommended way to provide credentials is to use the `make_creds` method
+      #     # on the appropriate credentials class for your environment.
+      #
+      #     require "googleauth"
+      #
+      #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+      #       json_key_io: ::File.open("/path/to/keyfile.json")
+      #     )
+      #
+      #     client = ::Google::Cloud::Bigquery.new do |config|
+      #       config.credentials = credentials
+      #     end
       # @param [String, Array<String>] scope The OAuth 2.0 scopes controlling
       #   the set of resources and operations that the connection can access.
       #   See # [Using OAuth 2.0 to Access Google #
@@ -98,12 +115,11 @@ module Google
       #
       # * `project_id` - (String) Identifier for a BigQuery project. (The
       #   parameter `project` is considered deprecated, but may also be used.)
-      # * `credentials` - (String, Hash, Google::Auth::Credentials) The path to
-      #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-      #   Google::Auth::Credentials object. (See {Bigquery::Credentials}) (The
-      #   parameter `keyfile` is considered deprecated, but may also be used.)
-      # * `endpoint` - (String) Override of the endpoint host name, or `nil`
-      #   to use the default endpoint.
+      # * `credentials` - (Google::Auth::Credentials) A Google::Auth::Credentials
+      #   object. (See {Bigquery::Credentials})
+      #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+      #     is deprecated. Providing an unvalidated credential configuration to
+      #     Google APIs can compromise the security of your systems and data.
       # * `scope` - (String, Array<String>) The OAuth 2.0 scopes controlling
       #   the set of resources and operations that the connection can access.
       # * `retries` - (Integer) Number of times to retry requests on server

data/lib/google-cloud-bigquery.rb

@@ -87,9 +87,25 @@ module Google
     #
     # @param [String] project_id Identifier for a BigQuery project. If not
     #   present, the default project for the credentials is used.
-    # @param [String, Hash, Google::Auth::Credentials] credentials The path to
-    #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-    #   Google::Auth::Credentials object. (See {Bigquery::Credentials})
+    # @param [Google::Auth::Credentials] credentials A Google::Auth::Credentials
+    #     object. (See {Bigquery::Credentials})
+    #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+    #     is deprecated. Providing an unvalidated credential configuration to
+    #     Google APIs can compromise the security of your systems and data.
+    #
+    #   @example
+    #
+    #     # The recommended way to provide credentials is to use the `make_creds` method
+    #     # on the appropriate credentials class for your environment.
+    #
+    #     require "googleauth"
+    #
+    #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+    #       json_key_io: ::File.open("/path/to/keyfile.json")
+    #     )
+    #
+    #     client = ::Google::Cloud::Bigquery.new credentials: credentials
+    #
     # @param [String, Array<String>] scope The OAuth 2.0 scopes controlling the
     #   set of resources and operations that the connection can access. See
     #   [Using OAuth 2.0 to Access Google

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-bigquery
 version: !ruby/object:Gem::Version
-  version: 1.60.0
+  version: 1.61.0
 platform: ruby
 authors:
 - Mike Moore