
从 Google 存储桶 IAM 策略中删除用户(身份)不起作用

为了从谷歌云存储桶中删除身份,我使用了 GCP 示例存储库中提供的示例:此处。我想知道我是否遗漏了什么:我拥有正确的云帐户根凭据,以及项目所有者凭据。基本上,无论是通过 Java 代码、通过 gsutil,还是通过 GCP Web 控制台,删除操作都不起作用。


这是原始策略:


Policy{  

bindings=   {  

  roles/storage.legacyBucketOwner=      [  

     projectOwner:csbauditor

  ],

  roles/storage.objectAdmin=      [  

     serviceAccount:company-kiehn-log@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-kiehn-file@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-howe-file@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-satterfield-log@csbauditor.iam.gserviceaccount.com,

     serviceAccount:customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-fahey-log@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-hammes-file@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-howe-log@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-sipes-file@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-doyle-log@csbauditor.iam.gserviceaccount.com,

     serviceAccount:customer-6a53ee71-95eb-49b2-8a@csbauditor.iam.gserviceaccount.com,

     serviceAccount:company-bergnaum-file@csbauditor.iam.gserviceaccount.com

  ],

  roles/storage.legacyBucketReader=      [  

     projectViewer:csbauditor

  ],

  roles/storage.objectViewer=      [  

   serviceAccount:company-block-log@csbauditor.iam.gserviceaccount.com

  ]

 },

   etag=CLgE,

      version=0

 }

这是写入 IAM 之前的第二个策略版本:


 Policy{  

 bindings=   {  

    roles/storage.legacyBucketOwner=      [  

      projectOwner:csbauditor

  ],

红颜莎娜

小怪兽爱吃肉

我在您的代码中发现了问题。虽然我不能完全确定这是唯一的问题,因为我无法编译您的代码,但我也不得不更改几个类。在我能够编译并运行代码后,我注意到即使执行了“删除”功能,也没有真正发生任何事情;在添加了几条打印语句之后,我注意到它正在尝试使用错误的“角色”删除服务帐户,因为您正在更改“for”循环中的“role”值,如果“set”不等于“attacker-service-account”,则循环进行另一次迭代并更改“role”值。这是我的类的代码(对示例片段的修改):package com.google.cloud.examples.storage.snippets;import com.google.cloud.Identity;import com.google.cloud.Policy;import com.google.cloud.Role;import com.google.cloud.storage.Storage;import com.google.cloud.storage.StorageOptions;import com.google.cloud.storage.StorageRoles;import java.util.Map;import java.util.Set;import java.util.Arrays;import java.util.HashMap;import java.util.HashSet;import java.util.ArrayList;import java.util.List;import java.util.Map;/** This class contains Bucket-level IAM snippets for the {@link Storage} interface. */public class BucketIamSnippets {  /** Example of listing the Bucket-Level IAM Roles and Members */  public Policy listBucketIamMembers(String bucketName) {    // [START view_bucket_iam_members]    // Initialize a Cloud Storage client    Storage storage = StorageOptions.getDefaultInstance().getService();    // Get IAM Policy for a bucket    Policy policy = storage.getIamPolicy(bucketName);    // Print Roles and its identities    Map<Role, Set<Identity>> policyBindings = policy.getBindings();    for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {      System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());    }    // [END view_bucket_iam_members]    return policy;  }  /** Example of adding a member to the Bucket-level IAM */  public Policy addBucketIamMember(String bucketName, Role role, Identity identity) {    // [START add_bucket_iam_member]    // Initialize a Cloud Storage client    Storage storage = StorageOptions.getDefaultInstance().getService();    // Get IAM Policy for a bucket    Policy policy = storage.getIamPolicy(bucketName);    // Add identity to Bucket-level IAM role    Policy updatedPolicy =        storage.setIamPolicy(bucketName, 
policy.toBuilder().addIdentity(role, identity).build());    if (updatedPolicy.getBindings().get(role).contains(identity)) {      System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);    }    // [END add_bucket_iam_member]    return updatedPolicy;  }  public static void removeUserFromBucketUsingEmail(String bucketName, Role role, String email)  {        Storage storage = StorageOptions.getDefaultInstance().getService();         Policy policy = storage.getIamPolicy(bucketName);        Identity identity = Identity.serviceAccount(email);        String eTag = policy.getEtag();        System.out.println("etag: " + eTag);        Policy updatedPolicy = storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());    if (updatedPolicy.getBindings().get(role) == null        || !updatedPolicy.getBindings().get(role).contains(identity)) {      System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);    }    }public static void main(String... 
args) throws Exception {    try    {    String bucketName = "my-bucket-name";    BucketIamSnippets obj = new BucketIamSnippets ();    Role role_admin = StorageRoles.objectAdmin();    String acc_1 = "test1@my.iam.gserviceaccount.com";    String acc_2 = "test2@my.iam.gserviceaccount.com";    Identity identity_1 = Identity.serviceAccount(acc_1);    Identity identity_2 = Identity.serviceAccount(acc_2);     System.out.println(obj.addBucketIamMember (bucketName, role_admin, identity_1 ));     System.out.println(obj.addBucketIamMember (bucketName, role_admin, identity_2 ));      Storage storage = StorageOptions.getDefaultInstance().getService();        Policy policy = storage.getIamPolicy(bucketName);        System.out.println(policy);        //List<Role> roleList = new ArrayList<>();        List<Set<Identity>> identities = new ArrayList<>();        // Print Roles and its identities        Set<Identity> wrongIdentities = new HashSet<Identity>();        Role aux = null;        Map<Role, Set<Identity>> policyBindings = policy.getBindings();        Set<Identity> setidentities = new HashSet<>();        for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {            aux = entry.getKey();            System.out.println("role plain " + aux);            System.out.println("role other  " + aux.getValue());            if (aux.getValue().equals("roles/storage.objectAdmin")) {                System.out.println("role :" + aux.getValue());                System.out.println("Identities getV :" + entry.getValue());                System.out.println("Identities getK :" + entry.getKey());                setidentities = entry.getValue();                System.out.println("setidentities  :" + setidentities);                System.out.println("setidentities size :" + setidentities.size());                for (Identity set : setidentities) {                    if ((set.equals("serviceAccount: test2@my.iam.gserviceaccount.com"))) {                        
System.out.println("strong one : " + set);                        continue;                    } else {                        wrongIdentities.add(set);                        System.out.println("strong one : " + set);                    }                    System.out.println("wrongIdentities.size() : " + wrongIdentities.size());                }            }        }        System.out.println("ww " + wrongIdentities);        System.out.println("policyEtag " + policy.getEtag());        //GCSFunctions function = new GCSFunctions();         for (Identity identity : wrongIdentities) {            BucketIamSnippets.removeUserFromBucketUsingEmail(bucketName, role_admin, identity.getValue());        }    }    catch (Exception e)    {        e.printStackTrace ();    }}}注意:我添加了两个测试服务帐户,然后运行您的代码(稍作修改)。我直接将“角色”初始化为 objectAdmin,这也是我传递给删除函数的值。请修改代码以符合您的实际用例。我使用示例中相同的依赖项编译了它。另外请注意,内层循环中的 `set.equals("serviceAccount: test2@my.iam.gserviceaccount.com")` 是在拿 Identity 对象与 String 比较,结果始终为 false,因此 objectAdmin 角色下的所有身份(包括本想保留的那个)都会进入 wrongIdentities 并被删除;应改为比较 `set.getValue()` 与目标邮箱,并在调用删除函数之前先核对 wrongIdentities 的内容。