feat(bigquery): WIP add samples for access policies

bigquery/cloud-client/app.js

@@ -0,0 +1,55 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {viewDatasetAccessPolicy} = require('./src/viewDatasetAccessPolicy');
+const {
+  viewTableOrViewAccessPolicy,
+} = require('./src/viewTableOrViewAccessPolicy');
+const {revokeTableOrViewAccess} = require('./src/revokeTableOrViewAccess');
+
+async function main() {
+  try {
+    const projectId = process.env.GOOGLE_CLOUD_PROJECT;
+
+    // Example usage of dataset access policy viewer
+    await viewDatasetAccessPolicy();
+
+    // Example usage of table/view access policy viewer
+    await viewTableOrViewAccessPolicy({
+      projectId,
+      datasetId: 'my_new_dataset',
+      resourceName: 'my_table',
+    });
+
+    await revokeTableOrViewAccess({
+      projectId,
+      datasetId: 'my_new_dataset',
+      resourceName: 'my_table',
+      memberToRevoke: 'group:[email protected]',
+      roleToRevoke: 'roles/bigquery.dataViewer',
+    });
+  } catch (error) {
+    console.error('Error:', error);
+    process.exitCode = 1;
+  }
+}
+
+// Run the samples if this file is run directly
+if (require.main === module) {
+  main();
+}
+
+module.export = {viewDatasetAccessPolicy, viewTableOrViewAccessPolicy};

bigquery/cloud-client/package.json

@@ -0,0 +1,26 @@
+{
+    "name": "bigquery-cloud-client",
+    "description": "Big Query Cloud Client Node.js for Google App",
+    "version": "0.0.1",
+    "private": true,
+    "license": "Apache Version 2.0",
+    "author": "Google Inc.",
+    "engines": {
+        "node": "20.x"
+    },
+    "scripts": {
+        "deploy": "gcloud app deploy",
+        "start": "node app.js",
+        "unit-test": "c8 mocha -p -j 2 test/ --timeout=10000 --exit",
+        "test": "npm run unit-test"
+    },
+    "dependencies": {
+        "@google-cloud/bigquery": "7.9.2"
+    },
+    "devDependencies": {
+        "c8": "^10.0.0",
+        "chai": "^4.5.0",
+        "mocha": "^10.0.0",
+        "sinon": "^18.0.0"
+    }
+}

bigquery/cloud-client/src/revokeTableOrViewAccess.js

@@ -0,0 +1,105 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+// [START bigquery_revoke_access_to_table_or_view]
+/**
+ * Revokes access to a BigQuery table or view
+ * @param {Object} params - The parameters object
+ * @param {string} params.projectId - The ID of the Google Cloud project
+ * @param {string} params.datasetId - The ID of the dataset containing the table/view
+ * @param {string} params.resourceId - The ID of the table or view
+ * @param {string} [params.memberToRevoke] - Optional. Specific member to revoke access from (e.g., 'group:[email protected]')
+ * @param {string} [params.roleToRevoke='roles/bigquery.dataViewer'] - Optional. Specific role to revoke
+ * @returns {Promise<void>}
+ */
+async function revokeTableOrViewAccess({
+  projectId,
+  datasetId,
+  resourceId,
+  memberToRevoke,
+  roleToRevoke = 'roles/bigquery.dataViewer',
+}) {
+  // Validate required parameters
+  if (!projectId || !datasetId || !resourceId) {
+    throw new Error(
+      'projectId, datasetId and resourceID are required parameters'
+    );
+  }
+  try {
+    // Create BigQuery client
+    const bigquery = new BigQuery({
+      projectId: projectId,
+    });
+
+    // Get reference to the table or view
+    const dataset = bigquery.dataset(datasetId);
+    const table = dataset.table(resourceId);
+
+    // Get current IAM policy
+    const [policy] = await table.iam.getPolicy();
+    console.log(
+      'Current IAM Policy:',
+      JSON.stringify(policy.bindings, null, 2)
+    );
+
+    // Filter bindings based on parameters
+    let newBindings = policy.bindings;
+
+    if (memberToRevoke && roleToRevoke) {
+      // Remove specific member from specific role
+      newBindings = policy.bindings
+        .map(binding => ({
+          ...binding,
+          members:
+            binding.role === roleToRevoke
+              ? binding.members.filter(member => member !== memberToRevoke)
+              : binding.members,
+        }))
+        .filter(binding => binding.members.length > 0);
+    } else if (!memberToRevoke && roleToRevoke) {
+      // Remove all bindings for the specified role
+      newBindings = policy.bindings.filter(
+        binding => binding.role !== roleToRevoke
+      );
+    } else {
+      // Keep the current binding as is
+      newBindings = policy.bindings;
+    }
+
+    // Create new policy with updated bindings
+    const newPolicy = {
+      bindings: newBindings,
+    };
+
+    // Set the new IAM policy
+    await table.iam.setPolicy(newPolicy);
+    console.log(`Access revoked successfully for ${resourceId}`);
+
+    // Verify the changes
+    const [updatedPolicy] = await table.iam.getPolicy();
+    console.log(
+      'Updated IAM Policy:',
+      JSON.stringify(updatedPolicy.bindings, null, 2)
+    );
+  } catch (error) {
+    console.error('Error revoking access:', error);
+    throw error;
+  }
+}
+
+// [END bigquery_revoke_access_to_table_or_view]
+
+module.exports = {revokeTableOrViewAccess};

bigquery/cloud-client/src/viewDatasetAccessPolicy.js

@@ -0,0 +1,57 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+// [START bigquery_view_dataset_access_policy]
+/**
+ * View access policies for a BigQuery dataset
+ *
+ * @param {object} [overrideValues] Optional parameters to override defaults
+ * @param {string} [overrideValues.datasetId] Dataset ID to view access policies
+ */
+async function viewDatasetAccessPolicy(overrideValues = {}) {
+  // Instantiate BigQuery client
+  const bigquery = new BigQuery();
+
+  // Dataset from which to get the access policy
+  const datasetId = overrideValues.datasetId || 'my_new_dataset';
+
+  try {
+    // Prepares a reference to the dataset
+    const dataset = bigquery.dataset(datasetId);
+    const [metadata] = await dataset.getMetadata();
+
+    // Shows the Access policy as a list of access entries
+    console.log('Access entries:', metadata.access);
+
+    // Get properties for an AccessEntry
+    if (metadata.access && metadata.access.length > 0) {
+      console.log(`Details for Access entry 0 in dataset '${datasetId}':`);
+      console.log(`Role: ${metadata.access[0].role || 'N/A'}`);
+      console.log(`SpecialGroup: ${metadata.access[0].specialGroup || 'N/A'}`);
+      console.log(`UserByEmail: ${metadata.access[0].userByEmail || 'N/A'}`);
+    }
+  } catch (error) {
+    console.error(`Error viewing dataset access policy: ${error.message}`);
+    throw error;
+  }
+}
+// [END bigquery_view_dataset_access_policy]
+
+module.exports = {
+  viewDatasetAccessPolicy,
+};

bigquery/cloud-client/src/viewTableOrViewAccessPolicy.js

@@ -0,0 +1,73 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {BigQuery} = require('@google-cloud/bigquery');
+
+// [START bigquery_view_table_or_view_access_policy]
+/**
+ * View access policies for a BigQuery table or view
+ *
+ * @param {object} [overrideValues] Optional parameters to override defaults
+ * @param {string} [overrideValues.projectId] Google Cloud project ID
+ * @param {string} [overrideValues.datasetId] Dataset ID where the table or view is located
+ * @param {string} [overrideValues.resourceName] Table or view name to get the access policy
+ * @throws {Error} If required parameters are missing or if there's an API error
+ */
+async function viewTableOrViewAccessPolicy(overrideValues = {}) {
+  // Initialize default values
+  const projectId =
+    overrideValues.projectId || process.env.GOOGLE_CLOUD_PROJECT;
+  const datasetId = overrideValues.datasetId || 'my_new_dataset';
+  const resourceName = overrideValues.resourceName || 'my_table';
+
+  if (!projectId) {
+    throw new Error(
+      'Project ID is required. Set it in overrideValues or GOOGLE_CLOUD_PROJECT environment variable.'
+    );
+  }
+
+  try {
+    // Instantiate BigQuery client
+    const bigquery = new BigQuery({projectId});
+
+    // Get the IAM access policy for the table or view
+    const [policy] = await bigquery
+      .dataset(datasetId)
+      .table(resourceName)
+      .getIamPolicy();
+
+    // Show policy details
+    console.log(`Access Policy details for table or view '${resourceName}':`);
+    console.log(`Bindings: ${JSON.stringify(policy.bindings, null, 2)}`);
+    console.log(`etag: ${policy.etag}`);
+    console.log(`version: ${policy.version}`);
+
+    return policy;
+  } catch (error) {
+    console.error(`Error viewing table/view access policy: ${error.message}`);
+    throw error;
+  }
+}
+// [END bigquery_view_table_or_view_access_policy]
+
+// If this file is run directly, execute the function with default values
+if (require.main === module) {
+  viewTableOrViewAccessPolicy().catch(console.error);
+}
+
+module.exports = {
+  viewTableOrViewAccessPolicy,
+};