'SrSSKJr SSKJr SSKJr SSKJr SSKJr SSK J r SSK J r S r S rS rS rS rSrSrSrSrSrSS/r/SQrSS/rSS/rS/r"SS\R85rg)z0Troubleshoot user permission for ssh connection.)absolute_import)division)unicode_literals)apis)ssh_troubleshooter)ssh)logcomputeiamcloudresourcemanageriapv1v3z!You need the IAM permissions {0} aThe VM has an attached service account. You need the permission iam.serviceAccounts.actAs on the project or service account. Alternatively, this permission is included in the roles/iam.serviceAccountUser role. Help for service account permission: https://cloud.google.com/iam/docs/service-accounts-actas Help for service account role: https://cloud.google.com/iam/docs/service-accounts zYou need the Compute OS Admin Login role (roles/compute.osAdminLogin) or the Compute OS Login role (roles/compute.osLogin). Help for roles: https://cloud.google.com/compute/docs/access/iam#predefinedroles zYou need permission to SSH to a private IP address: iap.tunnelInstances.accessViaIAP. Help for IAP permissions: https://cloud.google.com/iap/docs/managing-access zcompute.instances.getzcompute.instances.use)zresourcemanager.projects.getzcompute.projects.getzcompute.zoneOperations.getzcompute.globalOperations.getziam.serviceAccounts.actAsziam.serviceAccounts.getzcompute.instances.osAdminLoginzcompute.instances.osLoginz iap.tunnelInstances.accessViaIAPc`\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrg)UserPermissionTroubleshooterHaLCheck user permission. Perform IAM authorization checks for the following IAM resources: instance, project, service account, IAP, and OS Login if applicable. Attributes: project: The project object. instance: The instance object. zone: str, the zone name. iap_tunnel_args: SshTunnelArgs or None if IAP Tunnel is disabled. cXlX lX0lX@l[R "[ [5Ul[R"[ [5Ul [R "[[5Ul [R"[[5Ul [R "[[5Ul[R"[[5Ul[R "[$[5Ul[R"[$[5UlSUl0Ulg)NF)projectzoneinstanceiap_tunnel_argsrGetClientInstance_API_COMPUTE_CLIENT_NAME_API_CLIENT_VERSION_V1compute_clientGetMessagesModulecompute_message_API_IAM_CLIENT_NAME iam_client iam_message _API_RESOURCEMANAGER_CLIENT_NAME_API_CLIENT_VERSION_V3resourcemanager_client_v3resourcemanager_message_v3_API_IAP_CLIENT_NAME iap_client iap_messageenable_osloginissues)selfrrrrs Hlib/googlecloudsdk/command_lib/compute/user_permission_troubleshooter.py__init__%UserPermissionTroubleshooter.__init__UsLIM*001I1GID112J2HJD,,-A-CEDO--.B.DFD%)%;%;(*@&BD"&*&<&<(*@'BD#,,-A-CEDO--.B.DFDDDKc.UR5Ulg)z)Validate if the user has enabled oslogin.N)_IsOsLoginEnabledr(r*s r+check_prerequisite/UserPermissionTroubleshooter.check_prerequisitems002Dr.cg)Nr1s r+cleanup_resources.UserPermissionTroubleshooter.cleanup_resourcesqs r.c[RRS5 UR(a)UR 5(a[ UR S'O*[RS5 [RS5 [UR5RUR555nU(a1[RSR!U55UR S'UR"R$(a(UR'5(a[(UR S'UR*(a(UR-5(a[.UR S'[RRS R[1UR R35555 UR R55H"n[RRU5 M$ g) Nz#---- Checking user permissions ----osloginzcompute.instances.setMetadataz*compute.projects.setCommonInstanceMetadata instance_projectserviceaccountr z&User permissions: {0} issue(s) found. )r statusPrintr(_CheckOsLoginPermissionsOS_LOGIN_MESSAGEr)instance_permissionsappendproject_permissionssorted_CheckInstancePermissionsunion_CheckProjectPermissionsINSTANCE_PROJECT_MESSAGEformatjoinrserviceAccounts_CheckServiceAccountPermissionsSERVICE_ACCOUNT_MESSAGEr_CheckIapPermissions IAP_MESSAGElenkeysvalues)r*missing_instance_projectmessages r+ troubleshoot)UserPermissionTroubleshooter.troubleshoottsjJJ:;   & & ( (!1 I!!"AB  !MN &d&D&D&F&L&L %%'') *(@(G(G ((+ ,).dkk$% }}$$)M)M)O)O&=dkk"#  9 9 ; ;&dkk%JJ>EE DKK   !";;%%' jjw(r.cURR[S9nSRURR UR URR 5nURRX!S9nURRRU5n[[5[UR5- $)zRCheck if user miss any IAP Permissions. Returns: set, missing IAM permissions.  permissionsz,projects/{}/iap_tunnel/zones/{}/instances/{}resourcetestIamPermissionsRequest)r'TestIamPermissionsRequestiap_permissionsrIrnamerrIapTestIamPermissionsRequestr&rTestIamPermissionssetrY)r* iam_requestr[requestresponses r+rN1UserPermissionTroubleshooter._CheckIapPermissionss ""<<#=%K=DD 499dmm&8&8:H;;<BG!!44W=H  #h&:&:"; ;;r.cURR[S9nURRSR UR R URRSRS9US9nURRRU5n[[5[UR5- $)zcCheck whether user has service account IAM permissions. Returns: set, missing IAM permissions. rXz3projects/{project}/serviceAccounts/{serviceaccount}r)rr<rZ)r r]serviceaccount_permissions3IamProjectsServiceAccountsTestIamPermissionsRequestrIrr_rrKemailrprojects_serviceAccountsrarbrY)r*rcrdres r+rL*>&? ??r.cvUR[5n[[5[UR5- $)zfCheck whether user has IAM permission on instance resource. Returns: set, missing IAM permissions. )rnrArbrYrps r+rE6UserPermissionTroubleshooter._CheckInstancePermissionss1 ../CDH # $s8+?+?'@ @@r.cURRUS9nURRURRUR RUUR S9nURRRU5$)zCall TestIamPermissions to check whether user has certain IAM permissions. Args: permissions: list, the permissions to check for the instance resource. Returns: TestPermissionsResponse, the API response from TestIamPermissions. rX)rr[testPermissionsRequestr) rTestPermissionsRequest)ComputeInstancesTestIamPermissionsRequestrr_rrr instancesrar*rYrcrds r+rn7UserPermissionTroubleshooter._ComputeTestIamPermissionss&&==>!K""LL !!##* YY MG    ( ( ; ;G DDr.cvUR[5n[[5[UR5- $)zeCheck whether user has IAM permission on project resource. Returns: set, missing IAM permissions. )"_ResourceManagerTestIamPermissionsrCrbrYrps r+rG5UserPermissionTroubleshooter._CheckProjectPermissionss1 667JKH " #c(*>*>&? ??r.cURRUS9nURRSRURR S9US9nUR RRU5$)zCheck whether user has IAM permission on resource manager. Args: permissions: list, the permissions to check for the project resource. Returns: set, missing IAM permissions. rXzprojects/{project})rrZ) r$r]5CloudresourcemanagerProjectsTestIamPermissionsRequestrIrr_r#projectsrarys r+r|?UserPermissionTroubleshooter._ResourceManagerTestIamPermissionss|11KKL!K--cc%,,T\\5F5F,G"-d/G  ) ) 2 2 E Eg NNr.c[R"URUR[R5n[ U5$)ziCheck whether OS Login is enabled on the VM. Returns: boolean, indicates whether OS Login is enabled. )rFeatureEnabledInMetadatarrOSLOGIN_ENABLE_METADATA_KEYbool)r*oslogin_enableds r+r0.UserPermissionTroubleshooter._IsOsLoginEnableds7 22 t||S%D%DFO   r.)rrr(rr r&r'rrr)rr#r$rN)__name__ __module__ __qualname____firstlineno____doc__r,r2r6rUrNrLr?rErnrGr|r0__static_attributes__r5r.r+rrHsJ 03   D <G$@AE$@O !r.rN)r __future__rrrgooglecloudsdk.api_lib.utilr"googlecloudsdk.command_lib.computer#googlecloudsdk.command_lib.util.sshrgooglecloudsdk.corer rrr!r%rr"rHrMr@rOrArCrhror^SshTroubleshooterrr5r.r+rs7&',A3#$#9 ?;I : 01HI  %66u!#5#G#Gu!r.