为了从 Google 云存储桶中删除身份,我使用 GCP 示例存储库中提供的示例:here 。我想知道是否缺少某些内容,我拥有云帐户的正确根凭据以及项目所有权凭据。基本上,删除操作不能同时通过 Java 代码和使用 gcp Web 控制台中的 gsutil 函数进行。
以下是原始政策:
Policy{
bindings= {
roles/storage.legacyBucketOwner= [
projectOwner:csbauditor
],
roles/storage.objectAdmin= [
serviceAccount:company-kiehn-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-kiehn-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-howe-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-satterfield-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-fahey-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-hammes-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-howe-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-sipes-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-doyle-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:customer-6a53ee71-95eb-49b2-8a@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-bergnaum-file@csbauditor.iam.gserviceaccount.com
],
roles/storage.legacyBucketReader= [
projectViewer:csbauditor
],
roles/storage.objectViewer= [
serviceAccount:company-block-log@csbauditor.iam.gserviceaccount.com
]
},
etag=CLgE,
version=0
}
以下是写入 IAM 之前的第二个策略版本:
Policy{
bindings= {
roles/storage.legacyBucketOwner= [
projectOwner:csbauditor
],
roles/storage.objectAdmin= [
serviceAccount:company-kiehn-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-kiehn-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-howe-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-satterfield-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:customer-0c1e8536-8bf5-46f4-8e@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-fahey-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-hammes-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-howe-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-sipes-file@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-doyle-log@csbauditor.iam.gserviceaccount.com,
serviceAccount:customer-6a53ee71-95eb-49b2-8a@csbauditor.iam.gserviceaccount.com,
serviceAccount:company-bergnaum-file@csbauditor.iam.gserviceaccount.com
],
roles/storage.legacyBucketReader= [
projectViewer:csbauditor
],
roles/storage.objectViewer= [
serviceAccount:company-block-log@csbauditor.iam.gserviceaccount.com
]
},
etag=CLgE,
version=0
}
这是我的代码片段:
读取存储桶策略并提取不需要的身份
Set<Identity> wrongIdentities = new HashSet<Identity>();
Role roler = null;
Policy p = Cache.GCSStorage.getIamPolicy("bucketxyz");
Map<Role, Set<Identity>> policyBindings = p.getBindings();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
Set<Identity> setidentities = entry.getValue();
roler = entry.getKey();
if (roler.getValue().equals("roles/storage.objectAdmin")) {
setidentities = entry.getValue();
if ((set.equals("serviceAccount:attacker@csbauditor.iam.gserviceaccount.com"))) {
continue;
} else {
wrongIdentities.add(set);
}
}
}
}
removeBucketIamMember("bucektxyz", roler, identity));
}
}
从策略中删除不需要的身份
public static Policy removeBucketIamMember(String bucketName, Role role,
Identity identity) {
Storage storage = GoogleStorage.initStorage();
Policy policy = storage.getIamPolicy(bucketName);
System.out.println("policyt "+ policy);
Policy updatedPolicy = policy.toBuilder().removeIdentity(role,
Identity.serviceAccount(identity.getValue())).build();
System.out.println("updatedPolicy "+ policy);
storage.setIamPolicy(bucketName,updatedPolicy);
if (updatedPolicy.getBindings().get(role) == null||
!updatedPolicy.getBindings().get(role).contains(identity)) {
System.out.printf("Removed %s with role %s from %s\n", identity, role,
bucketName);
}
return updatedPolicy;
}
更新01
我还尝试在 Web 控制台中使用 gsutil,但仍然不起作用。
myaccount@cloudshell:~ (csbauditor)$ gsutil iam ch -d user:company-sipes-
file@csbauditor.iam.gserviceaccount.com gs://company-block-log-fce65e82-a0cd-
4f71-8693-381100d93c18
No changes made to gs://company-block-log-fce65e82-a0cd-4f71-8693-381100d93c18/
更新 02 根据 @JohnHanley 的建议,在我用 serviceAccount 替换 user 后,gsutil 开始工作。但是,java 代码尚未运行。
最佳答案
我在您的代码中发现了问题。尽管我不能完全确定这是唯一的问题,因为我无法编译您的代码,但我也必须更改几个类。
在我能够编译并运行代码后,我注意到即使执行了“删除”函数,也没有真正发生任何事情,在进行了一些打印之后,我注意到它正在尝试使用错误的“角色”来删除服务帐户”,因为您正在更改“for”循环上的“角色”值,并且如果“集合”不等于“攻击者服务帐户”,则循环会进行另一次迭代并更改“角色”值。
这是我的类的代码(示例片段的修改):
package com.google.cloud.examples.storage.snippets;
import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.StorageRoles;
import java.util.Map;
import java.util.Set;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
/** This class contains Bucket-level IAM snippets for the {@link Storage} interface. */
public class BucketIamSnippets {
/** Example of listing the Bucket-Level IAM Roles and Members */
public Policy listBucketIamMembers(String bucketName) {
// [START view_bucket_iam_members]
// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();
// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);
// Print Roles and its identities
Map<Role, Set<Identity>> policyBindings = policy.getBindings();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
}
// [END view_bucket_iam_members]
return policy;
}
/** Example of adding a member to the Bucket-level IAM */
public Policy addBucketIamMember(String bucketName, Role role, Identity identity) {
// [START add_bucket_iam_member]
// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();
// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);
// Add identity to Bucket-level IAM role
Policy updatedPolicy =
storage.setIamPolicy(bucketName, policy.toBuilder().addIdentity(role, identity).build());
if (updatedPolicy.getBindings().get(role).contains(identity)) {
System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);
}
// [END add_bucket_iam_member]
return updatedPolicy;
}
public static void removeUserFromBucketUsingEmail(String bucketName, Role role, String email) {
Storage storage = StorageOptions.getDefaultInstance().getService();
Policy policy = storage.getIamPolicy(bucketName);
Identity identity = Identity.serviceAccount(email);
String eTag = policy.getEtag();
System.out.println("etag: " + eTag);
Policy updatedPolicy = storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());
if (updatedPolicy.getBindings().get(role) == null
|| !updatedPolicy.getBindings().get(role).contains(identity)) {
System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);
}
}
public static void main(String... args) throws Exception {
try
{
String bucketName = "my-bucket-name";
BucketIamSnippets obj = new BucketIamSnippets ();
Role role_admin = StorageRoles.objectAdmin();
String acc_1 = "test1@my.iam.gserviceaccount.com";
String acc_2 = "test2@my.iam.gserviceaccount.com";
Identity identity_1 = Identity.serviceAccount(acc_1);
Identity identity_2 = Identity.serviceAccount(acc_2);
System.out.println(obj.addBucketIamMember (bucketName, role_admin, identity_1 ));
System.out.println(obj.addBucketIamMember (bucketName, role_admin, identity_2 ));
Storage storage = StorageOptions.getDefaultInstance().getService();
Policy policy = storage.getIamPolicy(bucketName);
System.out.println(policy);
//List<Role> roleList = new ArrayList<>();
List<Set<Identity>> identities = new ArrayList<>();
// Print Roles and its identities
Set<Identity> wrongIdentities = new HashSet<Identity>();
Role aux = null;
Map<Role, Set<Identity>> policyBindings = policy.getBindings();
Set<Identity> setidentities = new HashSet<>();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
aux = entry.getKey();
System.out.println("role plain " + aux);
System.out.println("role other " + aux.getValue());
if (aux.getValue().equals("roles/storage.objectAdmin")) {
System.out.println("role :" + aux.getValue());
System.out.println("Identities getV :" + entry.getValue());
System.out.println("Identities getK :" + entry.getKey());
setidentities = entry.getValue();
System.out.println("setidentities :" + setidentities);
System.out.println("setidentities size :" + setidentities.size());
for (Identity set : setidentities) {
if ((set.equals("serviceAccount: test2@my.iam.gserviceaccount.com"))) {
System.out.println("strong one : " + set);
continue;
} else {
wrongIdentities.add(set);
System.out.println("strong one : " + set);
}
System.out.println("wrongIdentities.size() : " + wrongIdentities.size());
}
}
}
System.out.println("ww " + wrongIdentities);
System.out.println("policyEtag " + policy.getEtag());
//GCSFunctions function = new GCSFunctions();
for (Identity identity : wrongIdentities) {
BucketIamSnippets.removeUserFromBucketUsingEmail(bucketName, role_admin, identity.getValue());
}
}
catch (Exception e)
{
e.printStackTrace ();
}
}
}
注释:
- 我添加两个测试服务帐户,然后运行您的代码(稍加修改)。
- 我已直接将“角色”初始化为 objectAdmin,这就是我传递给删除函数的内容。
- 修改代码以符合您的实际用例。
- 我使用 example 上使用的相同依赖项编译了此文件。
关于java - 从 Google 存储桶删除用户(身份) IAM 策略不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56798852/