+SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSK J r SS K J r SS KJr SS KJr SS KJ r SS KJ r SS KJr SS KJ r SS KJr SSKJr SSKJr \R:\R<"\R>R@\R>RB5"SS\RD555r#Sr$g)zCommand to remove project-level and fleet scope-level IAM bindings and delete a fleet scope RBAC role binding for an app operator.)absolute_import)division)unicode_literalsN)encoding) projects_api)client)util)base) resources)iam_util)log) properties) console_ioc.\rSrSrSr\S5rSrSrg)RemoveAppOperatorBinding&a^ Remove project-level and fleet scope-level IAM bindings and delete a fleet scope RBAC role binding for an app operator principal. One binding consists of an app operator principal (user/group) and a role (view/edit/admin). This command unsets the different permissions required for an app operator, including usage of fleet scopes, connect gateway, logging, and metrics. The authoritative list for removing the permissions is the existing RBAC role bindings under the specified scope. This command can fail for the following reasons: * The scope specified does not exist. * The user does not have access to the specified scope. * The principal specified does not any binding for the scope. * The principal specified has bindings with different roles for the scope. ## EXAMPLES The following command: $ {command} SCOPE --group=people@google.com --project=PROJECT_ID assuming the group already has the `view` role: * removes IAM policy binding: roles/gkehub.scopeViewer from `SCOPE` * removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from `PROJECT_ID` if the group does not have the `view` role for any other scope under the project * removes IAM policy binding: roles/logging.viewAccessor from `PROJECT_ID` condition where bucket corresponds to `SCOPE` * deletes existing fleet scope RBAC role binding: role `view` for group `people@google.com`. --- The following command: $ {command} SCOPE --user=person@google.com --project=PROJECT_ID assuming the user already has the `edit` role: * removes IAM policy binding: roles/gkehub.scopeEditor from `SCOPE` * removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from `PROJECT_ID` if the user does not have the `edit`/`admin` role for any other scope under the project * removes IAM policy binding: roles/logging.viewAccessor from `PROJECT_ID` condition where bucket corresponds to `SCOPE` * deletes existing fleet scope RBAC role binding: role `edit` for user `person@google.com`. --- The following command: $ {command} SCOPE --user=person@google.com --project=PROJECT_ID assuming the user already has a custom role: * removes IAM policy binding: roles/gkehub.scopeViewer from `SCOPE` * removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from `PROJECT_ID` if the user does not have the `edit`/`admin` role for any other scope under the project * removes IAM policy binding: roles/logging.viewAccessor from `PROJECT_ID` condition where bucket corresponds to `SCOPE` * deletes existing fleet scope RBAC role binding: role `admin` for user `person@google.com`. --- The following command: $ {command} SCOPE --user=person@google.com --project=PROJECT_ID assuming the user already has the `admin` role: * removes IAM policy binding: roles/gkehub.scopeAdmin from `SCOPE` * removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from `PROJECT_ID` if the user does not have the `edit`/`admin` role for any other scope under the project * removes IAM policy binding: roles/logging.viewAccessor from `PROJECT_ID` condition where bucket corresponds to `SCOPE` * deletes existing fleet scope RBAC role binding: role `admin` for user `person@google.com`. c[R"US[RUR 5SSS9 UR SS9nUR S[SS9 UR S [S S9 g) NSCOPEz@Name of the fleet scope for removing IAM and RBAC role bindings.T) scope_helprequired)rz--userzUser for the role binding.)typehelpz--groupzGroup for the role binding.)r AddScopeResourceArgapi_util VERSION_MAP ReleaseTrackadd_mutually_exclusive_group add_argumentstr)clsparsergroups Alib/surface/container/fleet/scopes/remove_app_operator_binding.pyArgsRemoveAppOperatorBinding.Argszs !!S--/0 N  / / / >E   )    *c  URnUc2[RRRR 5n[ R "U5n[R"UR5S9nURRR5nUR5nUR5n[R "UR"UR$5n/n Sn UR'X&5n U Hn U R"UR":XdMU R$UR$:XdM;U (d![R("U R*5n OlU [R("U R*5:waH[,R."SR1UU [R("U R*5U55 gU R3U 5 M U (d&[,R."SR1X55 g[R4"U 5n [R6"U 5nSnUR9U5nUHnUR:U:XaMUR'U[<R>"UR:55n S/SS/SS/S .nU HIn URAU SS/5H.n[CU UUR"UR$5(dM,S nM0 MK M [DRF"5(amS R1X5nU(aUS R1XU5- nOUS R1X5- nUSR1X&X5- n[DRH"USS S9 U(d=[JRL"UUU5 [,RN"SR1U55 [RP"X&5n[RRT"U[RRV5 [JRX"UUSUS5 [,RN"S5 UR[U5n[RR\"UUU 5 UR_UU5 [,RN"S5 [aU 5S:a&[,Rb"SR1XU55 U Hn UReU R:5 M g)N) release_trackz`{}` has more than one role (`{}` and `{}`) for scope `{}` via existing RBAC role bindings. Please remove unexpected bindings invdividually and retry.zK`{}` does not have any role for scope `{}` via existing RBAC role bindings.Fvieweditadmin)r*r+r,TzAThe command: * removes IAM policy binding: `{}` from scope `{}`z} * does *not* remove IAM policy binding: `{}` from project `{}` as `{}` needs the binding for other scope(s) in the projectz7 * removes IAM policy binding: `{}` from project `{}`z * removes IAM policy binding: `roles/logging.viewAccessor` from project `{}` with a condition where the bucket corresponds to scope `{}` * deletes existing fleet scope RBAC role binding: role `{}` for `{}`zDo you want to continue)message prompt_string cancel_on_noz&Removed project-level binding for `{}`zroles/logging.viewAccessorzJRemoved conditional project-level binding for `roles/logging.viewAccessor`zRemoved scope-level IAM bindingzgMore than one RBAC role binding found for `{}` with role `{}` under scope `{}`; deleting all of them...)3projectrVALUEScoreGet projects_util ParseProjectr FleetClientrCONCEPTSscopeParseName RelativeName scopes_utilIamMemberFromRbacuserr"ListScopeRBACRoleBindingsScopeRbacRoleStringroler errorformatappendIamScopeLevelScopeRoleFromRbac IamProjectLevelScopeRoleFromRbac ListScopesnamer ResourceIdFromPathgetbindings_matchr CanPromptPromptContinuerRemoveIamPolicyBindingPrintScopeLogViewConditionr ValidateConditionArgumentCONDITION_FORMAT_EXCEPTION#RemoveIamPolicyBindingWithConditionGetScopeIamPolicyRemoveBindingFromIamPolicySetScopeIamPolicylenwarningDeleteScopeRBACRoleBinding)selfargsr1 project_ref fleetclient scope_argscope_id scope_path iam_membermatching_scope_rrbsrB scope_rrbs scope_rrbiam_scope_level_roleiam_project_level_role,another_scope_needs_project_level_permissionscopesr9roles_to_checkr prompt_msg conditionscope_iam_policys r#RunRemoveAppOperatorBinding.Runs,llG!!&&..224g,,W5K$$43D3D3FGK ##))+I~~H'')J..tyy$**EJ D66wIJ 499 $DJJ)F00@$ [44Y^^D D ))**0&11)..A +  ""9-! "  ii vj3 &EEdK(II$O490  # #G ,F z !88 4**5::6j(7#G$ n")##D67*;?II/0 !# kk 1172  ) ,,Y^^<)r&N) __name__ __module__ __qualname____firstlineno____doc__ classmethodr$ro__static_attributes__rqr&r#rr&s#Ob,K=r&rc[R"U[R"UR5S[R 5=(a% UR U:H=(a URU:H$)NpredefinedRole)researchrMessageToPyValuerB IGNORECASEr?r")rerBr?r"s r#rLrLs[ii   # #INN 34D E --# ..D # //U "r&)%rv __future__rrrr{apitools.base.pyr+googlecloudsdk.api_lib.cloudresourcemanagerr&googlecloudsdk.api_lib.container.fleetrr rgooglecloudsdk.callioper *googlecloudsdk.command_lib.container.fleetr 1googlecloudsdk.command_lib.container.fleet.scopesr=googlecloudsdk.command_lib.iamr #googlecloudsdk.command_lib.projectsr5googlecloudsdk.corer rgooglecloudsdk.core.consolerDefaultUniverseOnly ReleaseTracksrALPHABETA DeleteCommandrrLrqr&r#rsI&' %D9C(@;Q3E#*2D%%++T->->-C-CDt=t11t=Et=n r&