google.api_core.iam.Policy.__getitem__ does not correctly save empty bindings #154
Labels
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
We recently tried to upgrade a tool from 1.15.0 to 1.26.1 and found it breaks some code that handles IAM policies. The commit that introduces the bug was released in 1.16.0: fd47fda#diff-7cc73ea72342c139ff54060be9ff25b2f792f9225e0cc0f501dca9dbed9c4741 -
The new
__getitem__
implementation returns a new emptyset()
for roles not in the current policy. But it doesn't save that set in the bindings. So if the user manipulates it, the policy isn't actually updated. That breaks code written like this:This worked fine on v1.15.0 because of the use of
defaultdict
. But now, this adds the principal to a set that's not used by the policy.Something like the following (untested) patch should do the trick:
The text was updated successfully, but these errors were encountered: