I want to list all the Currently Authorized Views in a dataset (projectID, datasetID, and tableID).
I have try to check using Information schema but still face the dead end. I want to gather information about projectID, datasetID, and tableID. Is there any possible way to do it?
Image of Authorized View
Inorder to list views in BigQuery, you can use below queries.
To Return metadata for views in a single dataset
SELECT * FROM dataset.INFORMATION_SCHEMA.VIEWS
To Return metadata for all views in a region
SELECT * FROM region-us.INFORMATION_SCHEMA.VIEWS
It's not possible to query only the authorized views using INFORMATION_SCHEMA. As per your requirement to view projectID, datasetID, and tableID details of Authorized Views in a dataset, as you have mentioned you can go to your dataset and click + Sharing > Authorize Views where you can add authorization and view the Currently Authorized Views.
For more information you can refer to this tutorial.
If you want the feature to view details of authorized views using INFORMATION_SCHEMA as present in BigQuery UI, you can raise a feature request on the issue tracker describing your requirement.
Related
According to the docs, I should be able to create Authorized views using BigQuery's Data Definition Language (DDL):
Creating authorized views
You can create an authorized view in BigQuery by:
Using the GCP Console or the classic BigQuery web UI.
Using the command line tool's bq mk command
Calling the tables.insert API method
Submitting a CREATE VIEW Data Definition Language (DDL) statement
I can't see how that's the case. There aren't any view options related to authorization. I see only options are labels, description, friendly_name, and expiration_timestamp.
You can CREATE VIEWs with DDL, but to set permissions you'll have to use the API or one of the documented methods:
https://cloud.google.com/bigquery/docs/authorized-views#granting_views_access_to_datasets
I am wanting to disable the "Share dataset" feature of bigquery.
For my use case I would like to disable this feature as you can't control what data can be shared and and who with. This means datasets are shareable with anyone who has gmail account.
I've been experimenting with removing various IAM permissions and I can't seem to pin it down. I've also used chrome dev tools to see what the API call is but I can't trace it back to how I can prevent the sharing of datasets.
If this cannot be disabled can you at least lock it down to a specific domain?
Try the following steps to restrict the share option.
Add the user to the IAM and don't assign any role.
Share the dataset with the user with Can view role
Now the user can still see the Share dataset option, but if they try to share they will get the following error
As per BigQuery permissions and roles matrix only Admin, Data owner(BigQuery role), and the Owner of a dataset can share it. Make sure to give the least privilege needed to your users.
For example, give the respective user the bigquery.jobUser permission and share him the dataset with "can edit" permission. This setup will not allow the dataset to be shared.
I see that there's a row for each user in the "Authentication" section of Firestore with their data. Am I able to query for users in this table and add columns, or to create a new collection of users with a one-to-one mapping from user in the authentication section to user in the collection? If it's the latter, is there any way to both create a new user account and create the corresponding document in the collection as part of a single transaction?
Firestore doesn't have an "Authentication" section. Firestore only lets you read and write data into its database. Firebase Authentication is a different product that keeps track of logged in users in a way that's completely separate from Firestore. You can't query users in Firebase Authentication using Firestore. In fact, you also can't even query Authentication using the mobile client libraries (because that would be a possible security hole for your app).
If you want to query for all users in your app, you're going to have to do perhaps arrange for each user to write a document in some collection in Firestore that can be queried by Firestore client libraries.
You can use Cloud Functions with Admin SDK. Make a http endpoint or a http Callable that queries at admin.auth. But this is not a secure. The best way to do that is registering a firestore docuement whenever user is created using functions.auth.user().onCreate
Background
I'm building a application where all users belongs to a Organization. I only want the user to be able to Create/Read/Update/Delete records in the Organization they belong to.
I'm using sails, but I'm looking for Connect/Express-based, or a standalone answer as sails-permissions node module is unmaintained.
Question
How can one implement a authorization that allow CRUD only for the organization the user belongs to?
We are also not relying on sails-permissions. In our app, users can be members of multiple orgs.
We are using auth0 for all authentication activities, i.e. every request must include a jwt that is included in the request header. The jwt includes userId, orgId and role.
Sails policies decode the jwt and attach userId, orgId and role the the req object for all later checks.
Every model has the property orgId - we are using MongoDB.
Every controller, db operation, etc. adds this verified orgId to the query. Actually we have a small pipeline preparing the query: we add the orgId, in update cases we filter out unwanted property updates, etc.
This approach does not require additional db calls for separation of tenants.
Some models have specific access requirements per individual RECORD. Here we store allowedUser properties (one for read, one for update, etc.) on exactly this record and we extend the query once more so that only records are returned or updated or Xyz where the current user is included in the applicable allowedUsers property.
This approach also does not require additional db calls. This leverages MongoDB-specific query features, though.
We currently do not have ACL-like requirements which would be right between the 2 approaches I described above (re access control granularity).
You'll need to intercept each request using middlewares
combine them with a role system by checking if a certain token is present on request headers and in a acl map and finally, if the token is present in the acl map, see which permissions are related with this token.
I am designing an app where a user adds another user to a group. I am implementing groups with tags. So one user has to change another users tags.
From the documentation, I can deduce that only the user can update its own information. So how can I do this?
You're right - only user can update own tags.
You can do it using CustomObjects API http://quickblox.com/developers/Custom_Objects
For example - create Group entity and use it for this purpose.
CustomObjects API has Permissions API - http://quickblox.com/developers/Custom_Objects#Permissions
So you can set who can update your records