What permissions does a service account needs to read from BigQuery __TABLE__ tables? Our scenario is that we want to grant the service account collecting storage stats from our BigQuery projects minimum necessary permissions. Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets. We tried granting metadataViewer permissions but that didn't work, still getting 403.
Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets.
Currently, you cannot grant permissions on tables, views, columns, or rows. A dataset is the lowest level resource that supports access controls in BigQuery.
-- source --
Therefore you will need to grant roles/bigquery.dataViewer to the service account.
You might also need to grant a second permission. Under the hood the code that executes with service account credentials will be making API calls. I don't know the details applicable to your case, but the code will likely use one of the basic REST objects (such as Job object) to make the calls. And will likely need another permission(s) that come under umbrella of roles/bigquery.jobUser or similar role.
The required permissions to query __TABLES__ are the same as to query any regular tables. Thus, the roles/bigquery.dataViewer role viewer at dataset level should be enough.
Since your requirement is to only grant access to this particular table's data, but not to the user generated tables, a possible workaround is to create an authorized view in a separate dataset. The view will have dataViewer access to your current dataset and the user will have dataViewer access to the dataset containing the view.
Related
Suppose I have 2 users available for the same project. The requirement is to restrict the table access in the same project to one user. How can it be managed it in Bigquery? what kind of access controls to be applied and how?
Thanks in advance.
You can use table level ACLS and set Bigquery roles/bigquery.dataViewer for users on the tables you wish to grant access. More details here https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset(as a workaround for table level access) for access control which use to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this of course if it is ok for the user to see which other tables within the dataset are there. (they can't see the data in the other tables, just the schema etc)
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls
Issue: In GCP IAM I have >30 users assigned the pre-defined roles BigQuery Data Viewer and BigQuery Data Editor, and now when I create a new dataset, it's automatically accessible to these 30+ users because of "policy inheritance".
Question: As BQ project admin, I want a newly created dataset only accessible to certain users (a small subset of the 30+ users). What's the best approach to do this? Thanks!
You cannot override the permissions granted at higher leves. So, if you want to restrict access at dataset level, the best approach would be to:
1) Remove the current permissions BigQuery Data Viewerand BigQuery Data Editor from project level.
2) Grant the permissions again, but only at dataset level
This also complies with the recommended best practice of least privilege. Also, if possible, use groups to grant the permissions, as it will be easier to manage.
In addition to this, you could use another project to create the dataset and allow access to the desired subset of users; however, I wouldn't recommend this approach as it only makes more difficult to handle the data and the users with access to them.
I would like to add a member (xxxxxxx#developer.gserviceaccount.com) in the list of members that are allowed to read the tables in a data set.
However, when in the Big Query console, when I click on SHARE DATASET , I have the message :
**"You don't have permission to edit the permissions of the selected resource "****
However, I have the permission to use the query editor and to run queries on this Data Set.
How can I add a member to the list of members who can read this DATA SET so that to access to this Data Set through a Virtual Machine ?
The error message you are receiving is because you do not have the required permissions associated with your account to share a Dataset with another member.
In order to do this, you(if possible), or an admin of the project, i.e., someone with project editor or project owner role assigned. Will need to assign the needed permissions to allow you to share datasets.
You can see all the available permissions in this document Predefined roles and permissions
For a comprehensive document dealing with controlling access to Datasets review this document Controlling access to datasets
As long as you have the appropriate roles/permissions you should have no problems sharing BigQuery Datasets
Is there a way to grant users the ability to view and query tables in a specific dataset (and only that dataset), without granting them the ability to also create new datasets within the overall project?
I'm trying to give access to a third party to integrate with a very specific subset of our data.
The documentation I've been reading is here: https://cloud.google.com/bigquery/docs/access-control#bigquery.user
You can share the specific dataset with your 3rd parties by. Using the web UI:
Dataset -> Share Dataset -> Email/user -> "Can View"
Add the user as viewer. They can now see and query (using their own Google account) the tables in your dataset, but not create anything in your project.
They should have the role bigquery.jobUser.
This gives them the permission to query but not the ability to create datasets.
This role is applied at the org and dataset level.
https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser
my question is rather simple.
Can i grant permissions on a database table wise? something in the lines:
User Management has permission to select, update, insert and delete on table Projects
User Supervisor has permission to select, update, insert on table Projects
User Colaborator has permission to select on table Projects
If so, I could set up a system to create database users based on the levels of access of my application, much like the examples above.
Is it a valid mechanism to use this to secure a application?
is it worth on a real world application?
i've used PHP with Oracle and MySQL, but I'm look for a database/language agnostic answer, but any example would be useful.
pushing my luck a bit, what about per record permission granting?
also, what about table schemas, are they a more acceptable then table based permissions?
The main problem with using database security would be that you need separate connections for each user rather than being able to use a "service user" for the connection from your application server to your DB server. That would mean that you would no longer be able to use database connection pooling have to "connect" and "disconnect" from the database for every user request, which is not very efficient as connections are relatively expensive.
Having said that, there is good reason for using separate users in the database, such as DATA_USER (which the application server connects as) and DATA_OWNER (which owns all the tables but is used only for DB maintenance) and then only give DATA_USER the permissions that it needs to, e.g. only select on a lookup table. By separating DATA_USER and DATA_OWNER you can add an additional level of confidence that your application won't issue DDL commands (e.g. dropping a table).
Answer to part 1:
Yes as long as you handle the responses correctly.
Part 2:
It's not as good as implementating security in the application layer, as most applications will need flexibility in the solution (what if you want a user to get increased privledges, have to code in lots of alter/deny/grant scripts)
Part 3: (Speaking from purely MSSQL) Row-level permissions aren't possible. Create custom views for this purpose.