
从 Google 存储桶 IAM 策略中删除用户(身份)不起作用


红颜莎娜 2023-02-23 15:52:41
To remove an identity from a Google Cloud Storage bucket I used the sample provided in the GCP samples repository: here. I am wondering whether I am missing something; I have the correct cloud account root credentials as well as project-owner credentials. Basically the delete does not work, neither from the Java code nor using gsutil or the GCP web console. Here is the original policy:

Policy{
  bindings={
    roles/storage.legacyBucketOwner=[
      projectOwner:csbauditor
    ],
    roles/storage.objectAdmin=[
      serviceAccount:company-kiehn-log@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-kiehn-file@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-howe-file@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-satterfield-log@csbauditor.iam.gserviceaccount.com,
      serviceAccount:customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-fahey-log@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-hammes-file@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-howe-log@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-sipes-file@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-doyle-log@csbauditor.iam.gserviceaccount.com,
      serviceAccount:customer-6a53ee71-95eb-49b2-8a@csbauditor.iam.gserviceaccount.com,
      serviceAccount:company-bergnaum-file@csbauditor.iam.gserviceaccount.com
    ],
    roles/storage.legacyBucketReader=[
      projectViewer:csbauditor
    ],
    roles/storage.objectViewer=[
      serviceAccount:company-block-log@csbauditor.iam.gserviceaccount.com
    ]
  },
  etag=CLgE,
  version=0
}

Here is the second policy version, before writing it to IAM:

Policy{
  bindings={
    roles/storage.legacyBucketOwner=[
      projectOwner:csbauditor
    ],

1 Answer

小怪兽爱吃肉


I found the problem in your code. I cannot be completely sure it is the only problem, because I could not compile your code as-is and also had to change several classes.

After I was able to compile and run the code, I noticed that even though the "remove" function was executed, nothing actually happened. After adding a few prints, I noticed it was trying to remove the service account using the wrong "role", because you are changing the "role" value inside the "for" loop: if "set" is not equal to "attacker-service-account", the loop does another iteration and changes the "role" value.

Here is the code of my class (a modification of the sample snippet):


package com.google.cloud.examples.storage.snippets;

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.StorageRoles;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** This class contains Bucket-level IAM snippets for the {@link Storage} interface. */
public class BucketIamSnippets {

  /** Example of listing the Bucket-Level IAM Roles and Members */
  public Policy listBucketIamMembers(String bucketName) {
    // [START view_bucket_iam_members]
    // Initialize a Cloud Storage client
    Storage storage = StorageOptions.getDefaultInstance().getService();

    // Get IAM Policy for a bucket
    Policy policy = storage.getIamPolicy(bucketName);

    // Print Roles and its identities
    Map<Role, Set<Identity>> policyBindings = policy.getBindings();
    for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
      System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
    }
    // [END view_bucket_iam_members]
    return policy;
  }

  /** Example of adding a member to the Bucket-level IAM */
  public Policy addBucketIamMember(String bucketName, Role role, Identity identity) {
    // [START add_bucket_iam_member]
    // Initialize a Cloud Storage client
    Storage storage = StorageOptions.getDefaultInstance().getService();

    // Get IAM Policy for a bucket
    Policy policy = storage.getIamPolicy(bucketName);

    // Add identity to Bucket-level IAM role
    Policy updatedPolicy =
        storage.setIamPolicy(bucketName, policy.toBuilder().addIdentity(role, identity).build());

    if (updatedPolicy.getBindings().get(role).contains(identity)) {
      System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);
    }
    // [END add_bucket_iam_member]
    return updatedPolicy;
  }

  /** Removes the service account with the given email from the given role on the bucket. */
  public static void removeUserFromBucketUsingEmail(String bucketName, Role role, String email) {
    Storage storage = StorageOptions.getDefaultInstance().getService();
    Policy policy = storage.getIamPolicy(bucketName);
    Identity identity = Identity.serviceAccount(email);
    System.out.println("etag: " + policy.getEtag());

    // toBuilder() keeps the etag of the policy that was read, so the write
    // applies to that version of the policy.
    Policy updatedPolicy =
        storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());

    // The binding disappears entirely when its last member is removed, hence the null check.
    if (updatedPolicy.getBindings().get(role) == null
        || !updatedPolicy.getBindings().get(role).contains(identity)) {
      System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);
    }
  }

  public static void main(String... args) {
    try {
      String bucketName = "my-bucket-name";
      BucketIamSnippets obj = new BucketIamSnippets();
      // The role is fixed once here and is never reassigned inside the loop below.
      Role roleAdmin = StorageRoles.objectAdmin();

      String acc1 = "test1@my.iam.gserviceaccount.com";
      String acc2 = "test2@my.iam.gserviceaccount.com";
      Identity identity1 = Identity.serviceAccount(acc1);
      Identity identity2 = Identity.serviceAccount(acc2);

      System.out.println(obj.addBucketIamMember(bucketName, roleAdmin, identity1));
      System.out.println(obj.addBucketIamMember(bucketName, roleAdmin, identity2));

      Storage storage = StorageOptions.getDefaultInstance().getService();
      Policy policy = storage.getIamPolicy(bucketName);
      System.out.println(policy);
      System.out.println("policyEtag " + policy.getEtag());

      // Collect every objectAdmin member except identity2; those are the ones to remove.
      Set<Identity> wrongIdentities = new HashSet<>();
      for (Map.Entry<Role, Set<Identity>> entry : policy.getBindings().entrySet()) {
        Role aux = entry.getKey();
        System.out.println("role: " + aux.getValue());
        if (!aux.getValue().equals("roles/storage.objectAdmin")) {
          continue;
        }
        Set<Identity> setidentities = entry.getValue();
        System.out.println("identities (" + setidentities.size() + "): " + setidentities);
        for (Identity member : setidentities) {
          // Compare Identity with Identity. Comparing it with the string
          // "serviceAccount: test2@..." can never be equal.
          if (member.equals(identity2)) {
            System.out.println("keeping: " + member);
          } else {
            wrongIdentities.add(member);
            System.out.println("marked for removal: " + member);
          }
        }
      }
      System.out.println("wrongIdentities: " + wrongIdentities);

      for (Identity identity : wrongIdentities) {
        BucketIamSnippets.removeUserFromBucketUsingEmail(bucketName, roleAdmin, identity.getValue());
      }
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

Notes:

  1. I added two test service accounts and then ran your code (slightly modified).

  2. I initialized the "role" directly to objectAdmin, and that is what I pass to the remove function.

  3. Modify the code to fit your actual use case.

  4. I compiled it with the same dependencies used in the sample.
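The same removal logic, expressed over the JSON policy document that `gsutil iam get gs://BUCKET` prints, as an added example that is not part of the question or the answer above and not code from the Google samples repository. It runs offline on a constructed policy shaped like the one in the question; writing the result back (with `gsutil iam set policy.json gs://BUCKET` or `Storage.setIamPolicy` in the Java client) is assumed and not performed here. It shows the two things that made the original attempt a silent no-op: the role must be fixed before the member loop, and a member is matched by the exact `type:value` string (no space), so a mismatch is reported instead of swallowed.

```python
"""Remove members from one role binding of a Cloud Storage bucket IAM policy.

Added example, not from the original question or answer. Operates on the
JSON document `gsutil iam get` prints; writing it back is assumed, not done.
"""
import copy
import json

# Constructed sample, shaped like the output of `gsutil iam get gs://BUCKET`
# and mirroring the bindings listed in the question.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:csbauditor"]},
        {"role": "roles/storage.objectAdmin",
         "members": [
             "serviceAccount:company-kiehn-log@csbauditor.iam.gserviceaccount.com",
             "serviceAccount:customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com",
         ]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:company-block-log@csbauditor.iam.gserviceaccount.com"]},
    ],
    "etag": "CLgE",
    "version": 0,
}


def member_string(identity_type, value):
    """Build the member string IAM uses: "<type>:<value>" with no space.

    The answer's loop compared an Identity object against the string
    "serviceAccount: test2@..." (with a space), which can never match.
    """
    return f"{identity_type}:{value}"


def members_of(policy, role):
    """Return the members bound to `role`, or [] if there is no such binding."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return list(binding["members"])
    return []


def remove_member(policy, role, member):
    """Return a copy of `policy` with `member` removed from the `role` binding.

    Raises KeyError when the role or the member is absent, so a no-op is
    reported instead of being mistaken for a successful removal.
    Other roles' members are never touched. The etag is carried over so a
    write back applies to the policy version that was read.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] != role:
            continue
        if member not in binding["members"]:
            raise KeyError(f"{member} is not bound to {role}")
        binding["members"].remove(member)
        if not binding["members"]:
            # A binding with no members is dropped, as the service does.
            new_policy["bindings"].remove(binding)
        return new_policy
    raise KeyError(f"no binding for {role}")


def keep_only(policy, role, allowed):
    """Remove every member of `role` that is not in `allowed`.

    This is the answer's "wrongIdentities" loop with the role fixed up front
    and the member list snapshotted before any removal.
    """
    result = policy
    for member in members_of(policy, role):
        if member not in allowed:
            result = remove_member(result, role, member)
    return result


if __name__ == "__main__":
    target = member_string(
        "serviceAccount",
        "customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com")
    updated = remove_member(SAMPLE_POLICY, "roles/storage.objectAdmin", target)
    print(json.dumps(updated, indent=2))
```

A practical check after the write back: read the policy again and confirm the member is absent from that specific role, as the Java `removeUserFromBucketUsingEmail` does with its null-or-not-contains test, rather than trusting that the call returned without error.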


Answered 2023-02-23