How can I set up an Authorized View using DDL? - google-bigquery

According to the docs, I should be able to create Authorized views using BigQuery's Data Definition Language (DDL):
Creating authorized views
You can create an authorized view in BigQuery by:
Using the GCP Console or the classic BigQuery web UI.
Using the command line tool's bq mk command
Calling the tables.insert API method
Submitting a CREATE VIEW Data Definition Language (DDL) statement
I can't see how that's the case. There aren't any view options related to authorization. The only options I see are labels, description, friendly_name, and expiration_timestamp.

You can CREATE VIEWs with DDL, but to set permissions you'll have to use the API or one of the documented methods:
https://cloud.google.com/bigquery/docs/authorized-views#granting_views_access_to_datasets

Related

How to list Currently Authorized Views in BigQuery?

I want to list all the Currently Authorized Views in a dataset (projectID, datasetID, and tableID).
I have tried checking INFORMATION_SCHEMA but still hit a dead end. I want to gather information about projectID, datasetID, and tableID. Is there any possible way to do it?
Image of Authorized View
In order to list views in BigQuery, you can use the queries below.
To return metadata for views in a single dataset:
SELECT * FROM dataset.INFORMATION_SCHEMA.VIEWS
To return metadata for all views in a region (the region qualifier contains a hyphen, so it must be quoted with backticks):
SELECT * FROM `region-us`.INFORMATION_SCHEMA.VIEWS
It's not possible to query only the authorized views using INFORMATION_SCHEMA. As for your requirement to see the projectID, datasetID, and tableID of the authorized views in a dataset: as you mentioned, you can go to your dataset and click + Sharing > Authorize Views, where you can add authorizations and see the Currently Authorized Views.
For more information you can refer to this tutorial.
If you want the feature to view details of authorized views using INFORMATION_SCHEMA as present in BigQuery UI, you can raise a feature request on the issue tracker describing your requirement.
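Both answers above point at the dataset's access list: the DDL question ends with "use the API or one of the documented methods", and the listing question ends with "not possible using INFORMATION_SCHEMA". The documented bq route for both is the same JSON document: `bq show --format=prettyjson project:dataset` dumps it, the `access` array is edited, and `bq update --source file project:dataset` writes it back. The following script is an added example, not from either poster or from Google; it operates on that JSON offline. The project, dataset and table names, the sample access list and the file names in the usage comment are constructed for the example.

```python
import json
import sys

# Constructed sample of what `bq show --format=prettyjson data-proj:source_dataset`
# returns, trimmed to the fields used here. Project, dataset and view names are made up.
SAMPLE_DATASET_JSON = json.dumps({
    "datasetReference": {"projectId": "data-proj", "datasetId": "source_dataset"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "userByEmail": "analyst@example.com"},
        {"view": {"projectId": "app-proj", "datasetId": "reporting",
                  "tableId": "customer_summary"}},
    ],
}, indent=2)


def list_authorized_views(dataset_json):
    """Return sorted (projectId, datasetId, tableId) tuples for the dataset's authorized views.

    An authorized view is an access entry keyed "view" instead of "role";
    that is the only place BigQuery records the authorization, which is why
    INFORMATION_SCHEMA.VIEWS cannot show it.
    """
    access = json.loads(dataset_json).get("access", [])
    return sorted(
        (e["view"]["projectId"], e["view"]["datasetId"], e["view"]["tableId"])
        for e in access
        if "view" in e
    )


def authorize_view(dataset_json, project, dataset, table):
    """Return the dataset JSON with the view added as an authorized view.

    Existing entries are preserved verbatim because `bq update --source`
    replaces the whole access list with the file it is given; dropping an
    entry here would silently revoke someone's access. The function is
    idempotent so re-running a deployment script does not duplicate entries.
    """
    doc = json.loads(dataset_json)
    entry = {"view": {"projectId": project, "datasetId": dataset, "tableId": table}}
    access = doc.setdefault("access", [])
    if entry not in access:
        access.append(entry)
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # Usage (assumed file names):
    #   bq show --format=prettyjson data-proj:source_dataset > dataset.json
    #   python authorize_view.py dataset.json app-proj reporting orders_view > updated.json
    #   bq update --source updated.json data-proj:source_dataset
    # The view itself is created beforehand with plain DDL, e.g.
    #   CREATE VIEW `app-proj.reporting.orders_view` AS
    #     SELECT ... FROM `data-proj.source_dataset.orders`
    path, project, dataset, table = sys.argv[1:5]
    with open(path) as fh:
        print(authorize_view(fh.read(), project, dataset, table))
```

Run `list_authorized_views` over the same dump to answer the second question; it returns exactly the projectID, datasetID and tableID triples the console shows under Currently Authorized Views. Keep the dumped file out of version control if the access list contains user e-mail addresses.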

Is there a tool that will tell me what permissions will be required to create a Cloudformation template?

My team is attempting to move towards templatization of our services and their infrastructure.
We have found it to be extremely time-consuming to determine the set of permissions required to execute or update a given Cloudformation template. Our process is:
Create a user with permissions cloudformation:CreateStack and/or cloudformation:UpdateStack
Have that user attempt to create/update the specified stack
Observe which missing permission caused the stack operation to fail
Add that permission to the user
Go to 2.
The alternative to this would be to create a "God User" who has unlimited permissions and have that user execute the create/update - which seems to violate the Principle Of Least Privilege
Alternatively, is there a tool that can list "what permissions have been exercised by a given user in the past N minutes?". If such a tool existed, we could create the "God User", have them execute the template, and then create a more limited-scope user that has precisely the permissions that the God User had used.
There is no simple way/tool to do this.
Here are a couple of approaches you can try-
Using a user that has admin privileges, create the Stack. Once done, wait for 15-20 minutes for CloudTrail to populate. Now in CloudTrail list the API calls made by the 'Event Source' - 'cloudformation.amazonaws.com'. That should be roughly all the API calls required. There can be a few more calls required, for other operations as you keep on adding functionalities to the Resources. Again, you would need to figure that out this way.
Create a CFN service role, and add admin privileges to this role. Use this role to create/update/delete the Stacks. Allow the IAM users only iam:PassRole and cloudformation:*. However, users will be able to create different resources using CFN.
Use Service Catalog and create Products. Service Catalog Products are CFN Templates which can be launched by a specific user/Role/Group. The user does not need permission to create/modify the Resources in a Stack/Product. Also the end user cannot change the Product to add more Resources. Here's a great video that explains this stuff : https://www.youtube.com/watch?v=A9kKy6WhqVA
Hope this helps...
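The first approach above (run the template as an admin, then read the API calls out of CloudTrail) can be turned into a policy mechanically. The script below is an added example, not the answerer's or AWS's code: it takes CloudTrail records, keeps the user's own cloudformation:* calls plus the resource calls CloudFormation issued on the user's behalf, and emits an IAM policy listing exactly those actions. The sample records, user name and events are constructed. Two things are my reading rather than something the page states: that CloudTrail marks calls a service makes on a caller's behalf with userIdentity.invokedBy, and that the IAM action name is `<eventSource first label>:<eventName>`; both hold for the common services but should be confirmed against your own trail and the Service Authorization Reference before the policy is trusted.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields used here (a real log
# file is {"Records": [...]} with many more fields). Names and events are made up.
SAMPLE_TRAIL = {"Records": [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    # Unrelated activity by the same user; must not leak into the policy.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "template-admin"}},
    # Another user's stack; must be ignored too.
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "userIdentity": {"type": "IAMUser", "userName": "someone-else",
                      "invokedBy": "cloudformation.amazonaws.com"}},
]}

CFN = "cloudformation.amazonaws.com"


def iam_action(record):
    """Map a CloudTrail event to an IAM action string, e.g. s3:CreateBucket.

    Assumption: the service prefix is the first label of eventSource and the
    action name equals the API name. That is true for most services; verify
    the exceptions in the Service Authorization Reference.
    """
    service = record["eventSource"].split(".", 1)[0]
    return f"{service}:{record['eventName']}"


def actions_exercised(trail, user):
    """Return the set of IAM actions `user` needed for the stack operation.

    Two kinds of records count: the user's own cloudformation:* calls, and the
    resource API calls CloudFormation made on the user's behalf, which (assumed
    here) carry userIdentity.invokedBy = cloudformation.amazonaws.com.
    """
    actions = set()
    for rec in trail["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("userName") != user:
            continue
        if rec["eventSource"] == CFN or ident.get("invokedBy") == CFN:
            actions.add(iam_action(rec))
    return actions


def least_privilege_policy(actions):
    """Build an IAM policy document with one statement per service.

    Resource is left as "*" because the trail does not tell you which ARNs the
    template will create next time; narrow it per service by hand afterwards.
    """
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{service.capitalize()}ForStack", "Effect": "Allow",
         "Action": acts, "Resource": "*"}
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    acts = actions_exercised(SAMPLE_TRAIL, "template-admin")
    print(json.dumps(least_privilege_policy(acts), indent=2))
```

Run the admin user through create, update and delete of the stack (including a failed update, so the rollback calls are captured) before generating the policy, otherwise the limited user will be missing the actions those paths need. If you adopt the second approach instead (a CFN service role), the resource calls are attributed to the role's session rather than the user, so filter on the role's session name instead of userName.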

XACML policy at run time

I am exploring XACML and WSO2 to see if it fits my use cases. One of the use cases is to dynamically create XACML policies. I want to use a role-based access control system, and my application allows admin users to create roles and assign permissions to these roles. Is there a way for my application to insert a policy or modify a policy at run time?
Thanks
Chaitanya
PAP interface via SOAP API:
https://docs.wso2.com/display/IS540/Entitlement+with+APIs
Java example:
https://svn.wso2.org/repos/wso2/people/asela/xacml/pap/5.X.X/src/main/java/org/xacmlinfo/xacml/pap/is/PolicyAdminClient.java
Python example:
https://github.com/welkson/WSO2-PDP-CacheTest
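The links above cover the transport to the PAP; what the application still has to produce at run time is the policy document itself. The following is an added example, not code from WSO2 or from either poster: it serialises one role and its (resource, action) permissions as an XACML 3.0 Policy string that can be handed to the PAP admin service, and reads the permissions back out of a stored policy so a deployment can verify what the PDP will actually enforce. The identifiers are the standard XACML 3.0 core and RBAC-profile URNs; the role name, resource ids and action ids in the test are constructed, and the PolicyId/RuleId naming scheme is my own.

```python
import uuid
import xml.etree.ElementTree as ET

# XACML 3.0 identifiers (core schema plus the RBAC profile's role attribute).
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"

ET.register_namespace("", XACML)
NS = {"x": XACML}


def _tag(name):
    return f"{{{XACML}}}{name}"


def _match(all_of, category, attribute_id, value):
    """Append a string-equal Match of one request attribute against a literal."""
    m = ET.SubElement(all_of, _tag("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(m, _tag("AttributeValue"), DataType=STRING).text = value
    ET.SubElement(m, _tag("AttributeDesignator"), Category=category,
                  AttributeId=attribute_id, DataType=STRING, MustBePresent="false")


def _all_of(parent):
    """Target > AnyOf > AllOf: every Match appended to the AllOf must hold."""
    target = ET.SubElement(parent, _tag("Target"))
    return ET.SubElement(ET.SubElement(target, _tag("AnyOf")), _tag("AllOf"))


def build_role_policy(role, permissions, policy_id=None):
    """Serialise one role's permissions as an XACML 3.0 Policy string.

    permissions: iterable of (resource_id, action_id) pairs the role may perform.
    The Policy targets subjects whose role attribute equals `role` and holds one
    Permit rule per pair. deny-unless-permit means anything not listed is denied,
    so editing the list later adds or removes exactly the pairs shown and can
    never widen access through a default.
    """
    policy_id = policy_id or f"role-{role}-{uuid.uuid4()}"   # naming scheme assumed
    policy = ET.Element(_tag("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_UNLESS_PERMIT)
    _match(_all_of(policy), SUBJECT_CAT, ROLE_ATTR, role)
    for i, (resource, action) in enumerate(sorted(set(permissions))):
        rule = ET.SubElement(policy, _tag("Rule"), RuleId=f"{policy_id}-r{i}", Effect="Permit")
        all_of = _all_of(rule)
        _match(all_of, RESOURCE_CAT, RESOURCE_ATTR, resource)
        _match(all_of, ACTION_CAT, ACTION_ATTR, action)
    return ET.tostring(policy, encoding="unicode")


def _matches(element):
    """{AttributeId: literal} for the Match elements under element's own Target."""
    out = {}
    for m in element.findall("x:Target/x:AnyOf/x:AllOf/x:Match", NS):
        out[m.find("x:AttributeDesignator", NS).get("AttributeId")] = \
            m.find("x:AttributeValue", NS).text
    return out


def extract_permissions(policy_xml):
    """Read (role, {(resource, action), ...}) back out of a policy built above.

    Use it as a post-deployment check: fetch the policy the PAP stored and
    confirm it grants exactly what the admin configured, nothing more.
    """
    root = ET.fromstring(policy_xml)
    role = _matches(root)[ROLE_ATTR]
    perms = {(m[RESOURCE_ATTR], m[ACTION_ATTR])
             for m in (_matches(rule) for rule in root.findall("x:Rule", NS))}
    return role, perms
```

Because role membership lives in the subject's role attribute, the application only ever rewrites one small per-role policy when an admin edits that role; user-to-role assignment stays in the identity store and no policy has to change when a user is added or removed.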

moqui:In moqui how to access rest without sign any user

I've implemented an application using the Moqui Framework. I requested the URL http://localhost:8080/fvl-plus-runtime/rest/s1/example/examples
It returns an error like:
User [null] is not authorized for View on AT_REST_PATH [/example/loginexamples/{username}]
You can add ArtifactAuthz records for all users, like the ones already in place for admin users for the REST APIs. In general it is best to secure all API access, and that is how things are setup by default. There are various examples you can follow to see them in action, see the extensive comments in the rest.xml file (the XML Screen for the /rest path).
This feature has been added in commit #44272ba. You are now able to create a new REST service and set require-authentication=anonymous-view or anonymous-all.
See How to create a publicly accessible REST API in Moqui for more details.

Salesforce Tooling API - insufficient access rights

I am attempting to create a trigger through the Tooling API. This is being executed within Salesforce and being performed on the same Salesforce org. This is being done in a dev org and the running user is an administrator.
When I create the MetadataContainer it works as expected. When I create the ApexTriggerMember I am presented with the following error:
INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY
Here is some debugging of the process along the way:
The JSON that is sent to create the MetadataContainer
{"Name":"Container 2013-03-08 17:28:06"}
The URL it's being sent to
https://na11.salesforce.com/services/data/v27.0/tooling/sobjects/MetadataContainer/
The response:
{"id":"1dcG0000000PAwZIAW","success":true,"errors":[]}
The JSON that is sent to create the ApexTriggerMember
{"MetadataContainerId":"1dcG0000000PAwZIAW","Body":"trigger TestTrg1 on Account (after insert, after update, before insert, before update) {\n\n}"}
The URL it's being sent to:
https://na11.salesforce.com/services/data/v27.0/tooling/sobjects/ApexTriggerMember/
The response:
[{"fields":[],"message":"insufficient access rights on cross-reference id","errorCode":"INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY"}]
Any help is greatly appreciated.
I just tried the same thing but via the SOAP version of the Tooling API.
It worked fine if I specified the ApexTriggerMember.ContentEntityId as an existing Trigger Id (key prefix 01q). Of course, this is updating an existing trigger rather than creating a new trigger.
If I didn't set the ContentEntityId I get exactly the same error you do. "insufficient access rights on cross-reference id" (StatusCode.INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY)
The documentation says (my emphasis):
ContentEntityId
Type: reference
Properties: Create, Filter, Group, Sort
Description:
A reference to an Apex trigger.
There can be only one ContentEntityId per ApexTriggerMember,
otherwise, an error is reported.
This field is required.
So the field is required, but we don't have an Id to assign to it yet...
Note, I've asked a similar question on the dedicated Salesforce StackExchange - How do I use the Tooling API to create a new Apex Trigger?
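The answer's finding is that the ApexTriggerMember POST fails with INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY whenever ContentEntityId is absent, and succeeds when it references an existing trigger (key prefix 01q). The code below is an added example, not the poster's or Salesforce's, that bakes both observations into a small client: it validates the key prefixes before sending, builds the two requests shown in the question, and turns the error array the API returns into an exception instead of a silently ignored list. It assumes a requests-style session object (`session.post(url, json=...)` returning an object with `.json()`); the FakeSession replays the exact responses quoted above so the example runs offline. The trigger id and the ApexTriggerMember id in the fake are made up.

```python
TOOLING = "/services/data/v27.0/tooling/sobjects/"
# Salesforce id key prefixes: 1dc = MetadataContainer (the response above),
# 01q = ApexTrigger (the answer above).
KEY_PREFIX = {"MetadataContainer": "1dc", "ApexTrigger": "01q"}


class ToolingError(RuntimeError):
    """Raised when the Tooling API returns its error array instead of a record."""
    def __init__(self, errors):
        self.errors = errors
        super().__init__("; ".join(f"{e.get('errorCode')}: {e.get('message')}" for e in errors))


def check_prefix(record_id, sobject):
    """Fail fast on ids of the wrong type; Salesforce ids are 15 or 18 characters."""
    prefix = KEY_PREFIX[sobject]
    if not (isinstance(record_id, str) and len(record_id) in (15, 18) and record_id.startswith(prefix)):
        raise ValueError(f"{record_id!r} is not a {sobject} id (expected prefix {prefix})")
    return record_id


def trigger_member_payload(container_id, trigger_id, body):
    """Body of the ApexTriggerMember POST; ContentEntityId is required (docs quoted above)."""
    return {
        "MetadataContainerId": check_prefix(container_id, "MetadataContainer"),
        "ContentEntityId": check_prefix(trigger_id, "ApexTrigger"),
        "Body": body,
    }


def create(session, instance_url, sobject, payload):
    """POST one Tooling sobject and return its id; raise ToolingError on the error array."""
    data = session.post(f"{instance_url}{TOOLING}{sobject}/", json=payload).json()
    if isinstance(data, list):            # errors come back as a JSON array, not an object
        raise ToolingError(data)
    if not data.get("success"):
        raise ToolingError(data.get("errors", []))
    return data["id"]


def stage_trigger_update(session, instance_url, container_name, trigger_id, body):
    """Create the container and attach the trigger member; returns (container_id, member_id)."""
    container_id = create(session, instance_url, "MetadataContainer", {"Name": container_name})
    member_id = create(session, instance_url, "ApexTriggerMember",
                       trigger_member_payload(container_id, trigger_id, body))
    return container_id, member_id


class FakeSession:
    """Offline stand-in for requests.Session replaying the responses quoted above."""
    class _Resp:
        def __init__(self, data):
            self._data = data

        def json(self):
            return self._data

    def __init__(self):
        self.calls = []

    def post(self, url, json=None):
        self.calls.append((url, json))
        if url.endswith("/MetadataContainer/"):
            return self._Resp({"id": "1dcG0000000PAwZIAW", "success": True, "errors": []})
        if url.endswith("/ApexTriggerMember/"):
            if not json.get("ContentEntityId"):
                return self._Resp([{"fields": [],
                                    "message": "insufficient access rights on cross-reference id",
                                    "errorCode": "INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY"}])
            return self._Resp({"id": "400FAKE000000001AAA", "success": True, "errors": []})  # made-up id
        raise AssertionError(f"unexpected url {url}")
```

The prefix check matters beyond tidiness: the same INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY code is what you get for a well-formed id of the wrong object type, so catching that locally saves a round trip and a misleading error.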