GoogleCloudPlatform · hivanalejandro · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -0,0 +1,75 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+/**
+ * Grants access to a BigQuery dataset for a specified entity
+ *
+ * @param {object} options The configuration object
+ * @param {string} options.datasetId ID of the dataset to grant access to (e.g. "my_project_id.my_dataset")
+ * @param {string} options.entityId ID of the user or group to grant access to (e.g. "[email protected]")
+ * @param {string} options.role One of the basic roles for datasets (e.g. "READER")
+ * @returns {Promise<Array>} Array of access entries
+ */
+// [START bigquery_grant_access_to_dataset]
+async function grantAccessToDataset(options) {
+  // Create a BigQuery client
+  const bigquery = new BigQuery();
+
+  const {datasetId, entityId, role} = options;
+
+  try {
+    // Get a reference to the dataset
+    const dataset = bigquery.dataset(datasetId);
+    const [metadata] = await dataset.getMetadata();
+
+    // The access entries list is immutable. Create a copy for modifications
+    const entries = [...(metadata.access || [])];
+
+    // Add the new access entry
+    entries.push({
+      role: role,
+      groupByEmail: entityId, // For group access. Use userByEmail for user access
+    });
+
+    // Update the dataset's access entries
+    const [updatedMetadata] = await dataset.setMetadata({
+      ...metadata,
+      access: entries,
+    });
+
+    console.log(
+      `Role '${role}' granted for entity '${entityId}' in dataset '${datasetId}'.`
+    );
+
+    return updatedMetadata.access;
+  } catch (error) {
+    if (error.code === 412) {
+      // 412 Precondition Failed - Dataset was modified between get and update
+      console.error(
+        `Dataset '${datasetId}' was modified remotely before this update. ` +
+          'Fetch the latest version and retry.'
+      );
+    }
+    throw error;
+  }
+}
+// [END bigquery_grant_access_to_dataset]
+
+module.exports = {
+  grantAccessToDataset,
+};
@@ -0,0 +1,81 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+/**
+ * Grants access to a BigQuery table or view for a specified principal.
+ *
+ * @param {string} projectId - Google Cloud Platform project ID
+ * @param {string} datasetId - Dataset where the table or view is
+ * @param {string} resourceName - Table or view name to get the access policy
+ * @param {string} principalId - The principal requesting access to the table or view
+ * @param {string} role - Role to assign to the member
+ * @returns {Promise<object[]>} The updated policy bindings
+ */
+async function grantAccessToTableOrView({
+  projectId,
+  datasetId,
+  resourceName,
+  principalId,
+  role,
+}) {
+  // [START bigquery_grant_access_to_table_or_view]
+  // Uncomment and update these variables:
+  // const projectId = 'my_project_id';
+  // const datasetId = 'my_dataset';
+  // const resourceName = 'my_table';
+  // const principalId = 'user:[email protected]';
+  // const role = 'roles/bigquery.dataViewer';
+
+  // Create a BigQuery client
+  const bigquery = new BigQuery();
+
+  // Get the dataset and table references
+  const dataset = bigquery.dataset(datasetId);
+  const table = dataset.table(resourceName);
+
+  try {
+    // Get the IAM access policy for the table or view
+    const [policy] = await table.iam.getPolicy();
+
+    // Create a new binding for the principal and role
+    const binding = {
+      role: role,
+      members: [principalId],
+    };
+
+    // Add the new binding to the policy
+    policy.bindings.push(binding);
+
+    // Set the updated IAM access policy
+    const [updatedPolicy] = await table.iam.setPolicy(policy);
+
+    console.log(
+      `Role '${role}' granted for principal '${principalId}' on resource '${projectId}.${datasetId}.${resourceName}'.`
+    );
+
+    return updatedPolicy.bindings;
+  } catch (error) {
+    console.error('Error granting access:', error);
+    throw error;
+  }
+  // [END bigquery_grant_access_to_table_or_view]
+}
+
+module.exports = {
+  grantAccessToTableOrView,
+};
@@ -0,0 +1,26 @@
+{
+    "name": "bigquery-cloud-client",
+    "description": "Big Query Cloud Client Node.js for Google App",
+    "version": "0.0.1",
+    "private": true,
+    "license": "Apache Version 2.0",
+    "author": "Google Inc.",
+    "engines": {
+        "node": "20.x"
+    },
+    "scripts": {
+        "deploy": "gcloud app deploy",
+        "start": "node app.js",
+        "unit-test": "c8 mocha -p -j 2 test/ --timeout=10000 --exit",
+        "test": "npm run unit-test"
+    },
+    "dependencies": {
+        "@google-cloud/bigquery": "7.9.2"
+    },
+    "devDependencies": {
+        "c8": "^10.0.0",
+        "chai": "^4.5.0",
+        "mocha": "^10.0.0",
+        "sinon": "^18.0.0"
+    }
+}
@@ -0,0 +1,64 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+// [START bigquery_revoke_dataset_access]
+/**
+ * Revokes access to a BigQuery dataset for a specified entity.
+ *
+ * @param {Object} params The parameters for revoking dataset access
+ * @param {string} params.datasetId The ID of the dataset to revoke access from
+ * @param {string} params.entityId The ID of the user or group to revoke access from
+ * @returns {Promise<Array>} A promise that resolves to the updated access entries
+ */
+async function revokeDatasetAccess({datasetId, entityId}) {
+  // Instantiate a client
+  const bigquery = new BigQuery();
+
+  try {
+    // Get a reference to the dataset
+    const [dataset] = await bigquery.dataset(datasetId).get();
+
+    // Filter out the access entry for the specified entity
+    dataset.metadata.access = dataset.metadata.access.filter(
+      entry => entry.userByEmail !== entityId && entry.groupByEmail !== entityId
+    );
+
+    // Update the dataset with the new access entries
+    const [updatedDataset] = await dataset.setMetadata(dataset.metadata);
+
+    console.log(
+      `Revoked dataset access for '${entityId}' to dataset '${dataset.id}'.`
+    );
+
+    return updatedDataset.metadata.access;
+  } catch (error) {
+    if (error.code === 412) {
+      // Handle precondition failed error (dataset modified externally)
+      console.error(
+        `Dataset '${datasetId}' was modified remotely before this update. ` +
+          'Fetch the latest version and retry.'
+      );
+    }
+    throw error;
+  }
+}
+// [END bigquery_revoke_dataset_access]
+
+module.exports = {
+  revokeDatasetAccess,
+};
@@ -0,0 +1,105 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+// [START bigquery_revoke_access_to_table_or_view]
+/**
+ * Revokes access to a BigQuery table or view
+ * @param {Object} params - The parameters object
+ * @param {string} params.projectId - The ID of the Google Cloud project
+ * @param {string} params.datasetId - The ID of the dataset containing the table/view
+ * @param {string} params.resourceId - The ID of the table or view
+ * @param {string} [params.memberToRevoke] - Optional. Specific member to revoke access from (e.g., 'group:[email protected]')
+ * @param {string} [params.roleToRevoke='roles/bigquery.dataViewer'] - Optional. Specific role to revoke
+ * @returns {Promise<void>}
+ */
+async function revokeTableOrViewAccess({
+  projectId,
+  datasetId,
+  resourceId,
+  memberToRevoke,
+  roleToRevoke = 'roles/bigquery.dataViewer',
+}) {
+  // Validate required parameters
+  if (!projectId || !datasetId || !resourceId) {
+    throw new Error(
+      'projectId, datasetId and resourceID are required parameters'
+    );
+  }
+  try {
+    // Create BigQuery client
+    const bigquery = new BigQuery({
+      projectId: projectId,
+    });
+
+    // Get reference to the table or view
+    const dataset = bigquery.dataset(datasetId);
+    const table = dataset.table(resourceId);
+
+    // Get current IAM policy
+    const [policy] = await table.iam.getPolicy();
+    console.log(
+      'Current IAM Policy:',
+      JSON.stringify(policy.bindings, null, 2)
+    );
+
+    // Filter bindings based on parameters
+    let newBindings = policy.bindings;
+
+    if (memberToRevoke && roleToRevoke) {
+      // Remove specific member from specific role
+      newBindings = policy.bindings
+        .map(binding => ({
+          ...binding,
+          members:
+            binding.role === roleToRevoke
+              ? binding.members.filter(member => member !== memberToRevoke)
+              : binding.members,
+        }))
+        .filter(binding => binding.members.length > 0);
+    } else if (!memberToRevoke && roleToRevoke) {
+      // Remove all bindings for the specified role
+      newBindings = policy.bindings.filter(
+        binding => binding.role !== roleToRevoke
+      );
+    } else {
+      // Keep the current binding as is
+      newBindings = policy.bindings;
+    }
+
+    // Create new policy with updated bindings
+    const newPolicy = {
+      bindings: newBindings,
+    };
+
+    // Set the new IAM policy
+    await table.iam.setPolicy(newPolicy);
+    console.log(`Access revoked successfully for ${resourceId}`);
+
+    // Verify the changes
+    const [updatedPolicy] = await table.iam.getPolicy();
+    console.log(
+      'Updated IAM Policy:',
+      JSON.stringify(updatedPolicy.bindings, null, 2)
+    );
+  } catch (error) {
+    console.error('Error revoking access:', error);
+    throw error;
+  }
+}
+
+// [END bigquery_revoke_access_to_table_or_view]
+
+module.exports = {revokeTableOrViewAccess};