I am new to Hive.
Can we create a group inside Hive and ensure that only group with functional id / password is able to access the archived data?
Thanks in Advance...
Privileges in HIVE can be handled using users, groups and roles. HIVE Language Manual has the details of the syntax and usage.
Also, if you are looking for further fine-grained security, you can make use of Apache Sentry.
Related
I have many SQL Server login users created in a database, and I want some users NOT to be allowed to alter tables (such as adding column name, changing data type, etc..) for all tables. Not specific tables.
Is there any way can we do it?
Thanks in advance.
You can do this via assigning a particular role to that user.You can use existing role if your need suite this or you can create custom role according to your need.
Here you can know about database level roles.
Here is a guide to create custom role.
I have only seen examples of SQL statements granting users access to one database in a Postgres cluster at a time. Is there a way to grant a non-superuser access to all databases and their tables including future databases that get created in the cluster?
Since PostgreSQL v14, this is fairly easy, and you can use the following SQL script:
-- exempt the user from row level security
ALTER ROLE seeall BYPASSRLS;
-- allow the user to read all data
GRANT read_all_data TO seeall;
If you want write access as well, there is also a predefined role pg_write_all_data.
This relies on the fact that by default, everybody has the CONNECT privilege on databases. Of course you also have to configure pg_hba.conf to allow access.
And in case you wonder: no, before v14 you have to grant access to all objects individually. Group roles help with that.
roles/bigquery.user is the permission to use some BigQuery datasets. But we need to grant permissions of a specific tables instead of the whole dataset. How to do it by CEL and condition builder?
Thanks
As I mention in the comment section you should check GCP Documentation Controlling access to tables and views
This document describes how to use BigQuery Table ACL to control access to tables and views. For an overview of BigQuery Table ACL, see Introduction to table access controls.
After you create a table or view, you can set its policy in the following ways:
using the Cloud Console
using the bq set-iam-policy command
calling the tables.setIamPolicy method
using the GRANT or REVOKE data control language statements
As addition, you could also check Authorized views
Suppose I have 2 users available for the same project. The requirement is to restrict the table access in the same project to one user. How can it be managed it in Bigquery? what kind of access controls to be applied and how?
Thanks in advance.
You can use table level ACLS and set Bigquery roles/bigquery.dataViewer for users on the tables you wish to grant access. More details here https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset(as a workaround for table level access) for access control which use to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this of course if it is ok for the user to see which other tables within the dataset are there. (they can't see the data in the other tables, just the schema etc)
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls
Issue: In GCP IAM I have >30 users assigned the pre-defined roles BigQuery Data Viewer and BigQuery Data Editor, and now when I create a new dataset, it's automatically accessible to these 30+ users because of "policy inheritance".
Question: As BQ project admin, I want a newly created dataset only accessible to certain users (a small subset of the 30+ users). What's the best approach to do this? Thanks!
You cannot override the permissions granted at higher leves. So, if you want to restrict access at dataset level, the best approach would be to:
1) Remove the current permissions BigQuery Data Viewerand BigQuery Data Editor from project level.
2) Grant the permissions again, but only at dataset level
This also complies with the recommended best practice of least privilege. Also, if possible, use groups to grant the permissions, as it will be easier to manage.
In addition to this, you could use another project to create the dataset and allow access to the desired subset of users; however, I wouldn't recommend this approach as it only makes more difficult to handle the data and the users with access to them.