Is the addition of an IAM (particularly authorized view permissions) additive or destructive? #569

Closed
goyalmunish opened this issue Mar 22, 2021 · 5 comments
Labels
api: bigquery Issues related to the googleapis/python-bigquery API. type: question Request for information or clarification. Not an issue.

Comments

@goyalmunish

Is the addition of an IAM (particularly authorized view permissions) additive or destructive?

In the process of adding an access_entry to a view_dataset, does BQ have to drop the existing ones and then create all of them (along with the new addition), or is it smart enough to keep the existing ones untouched? If it is a destructive one, then similar calls (adding different access entries to the same dataset) from two different clients can encounter race conditions.

# additive or destructive?
access_entries.append(some_new_access_entry)
view_dataset.access_entries = access_entries


The corresponding API (https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets/patch) (and data object https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets) also doesn't seem to provide any details on this.

@product-auto-label product-auto-label bot added the api: bigquery Issues related to the googleapis/python-bigquery API. label Mar 22, 2021

@tswast tswast added the type: question Request for information or clarification. Not an issue. label Mar 22, 2021
@tswast
Contributor

tswast commented Mar 22, 2021

This replaces the existing ACLs.

As far as race conditions are concerned, the client library uses the etag property to catch this.

headers = {"If-Match": dataset.etag}

This happens automatically if you first fetch a dataset with get_dataset.

@goyalmunish
Author

Okay, so this is if one is using multiple Python clients. But in my case, I am expecting a clash between the Python client library and Terraform (via GitHub automation, Atlantis) as well.

> This replaces the existing ACLs.

Do you mean, the existing ones (such as "foo" and "bar") will be dropped and recreated?

# get existing access entries
access_entries = list(view_dataset.access_entries)        # ["foo", "bar"]
# append an additional one to it
access_entries.append(some_new_access_entry)               # ["foo", "bar", "baz"]
# update
view_dataset.access_entries = access_entries

@tswast
Contributor

tswast commented Mar 24, 2021

> Do you mean, the existing ones (such as "foo" and "bar") will be dropped and recreated?

I mean that the whole ACLs property is replaced atomically.

@tswast
Contributor

tswast commented Mar 24, 2021

Regarding clash between Python and Terraform, I'm not as familiar with the Terraform provider. It's probably worth confirming with them at https://github.com/hashicorp/terraform-provider-google to see what they do with the ACLs property.

emkornfield pushed a commit to emkornfield/python-bigquery that referenced this issue Feb 11, 2023
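
The read-modify-write pattern discussed in this thread, as an added example that is not part of the original issue or the library's own code. `FakeClient` is a constructed in-memory stand-in that models the whole-list replace and the `If-Match` etag check described above, and `add_access_entry` is a hypothetical helper; with the real library the assumption is that you pass a `bigquery.Client` and `google.api_core.exceptions.PreconditionFailed` as `conflict`.

```python
import uuid

class PreconditionFailed(Exception):
    """Stand-in for google.api_core.exceptions.PreconditionFailed (HTTP 412)."""

class FakeDataset:
    def __init__(self, access_entries, etag):
        self.access_entries, self.etag = access_entries, etag

class FakeClient:
    """Constructed in-memory model of the behaviour described in the thread:
    update_dataset replaces the whole access list and honours If-Match."""
    def __init__(self, entries):
        self._entries, self._etag = list(entries), uuid.uuid4().hex

    def get_dataset(self, dataset_ref):
        return FakeDataset(list(self._entries), self._etag)

    def update_dataset(self, dataset, fields):
        if dataset.etag != self._etag:                 # If-Match check
            raise PreconditionFailed("etag mismatch")
        self._entries = list(dataset.access_entries)   # full replace, no merge
        self._etag = uuid.uuid4().hex
        return self.get_dataset(None)

def add_access_entry(client, dataset_ref, entry,
                     conflict=PreconditionFailed, max_attempts=5):
    """Read-modify-write that re-reads and re-merges on an etag conflict."""
    for _ in range(max_attempts):
        dataset = client.get_dataset(dataset_ref)      # fresh entries + etag
        entries = list(dataset.access_entries)
        if entry in entries:
            return entries                             # already granted
        dataset.access_entries = entries + [entry]
        try:
            updated = client.update_dataset(dataset, ["access_entries"])
            return list(updated.access_entries)
        except conflict:
            continue    # another writer won; start over from its state
    raise RuntimeError("gave up after repeated etag conflicts")

if __name__ == "__main__":
    client = FakeClient(["foo", "bar"])
    stale = client.get_dataset("view_dataset")         # second writer's old copy
    print(add_access_entry(client, "view_dataset", "baz"))
    stale.access_entries = stale.access_entries + ["qux"]
    try:
        client.update_dataset(stale, ["access_entries"])
    except PreconditionFailed:
        print("stale write rejected; 'baz' preserved")
```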