googleapis / nodejs-bigquery

Node.js client for Google Cloud BigQuery: A fast, economical and fully-managed enterprise data warehouse for large-scale data analytics.

Home Page:https://cloud.google.com/bigquery/

Querying on authorized view

hamza-busuri opened this issue · comments

Hi there,

I am trying to create an authorized view via the nodejs-bigquery library. I have followed the tutorial on https://github.com/googleapis/nodejs-bigquery/blob/main/samples/authViewTutorial.js

I have a few questions.

  • Can we create authorized views within the source dataset id or do we need to create a shared one?
  • How can I check whether the user trying to query is authorized within the code? Do I need to check the metadata.access object? How does that work?
  • Is it possible to have an authorized view just via role and not email? i.e. if I want all users with a role to be able to query

Thanks!

hey @hamza-busuri thanks for asking:

  1. Can we create authorized views within the source dataset id or do we need to create a shared one?
    • The shared dataset is required so we can restrict which users/groups/role can access the table/views inside of it.
  2. How can I check whether the user trying to query is authorized within the code? Do I need to check the metadata.access object? How does that work?
    • You would have to check the metadata.access object and see if the user is part of the email group, role, etc., depending on how the dataset access was set up.
  3. Is it possible to have an authorized view just via role and not email? i.e if I want all users with a role to be able to query

Thanks @alvarowolfx !

I wanted to double check: is it possible to apply the access policy on the created view, or does the access policy need to be created on the dataset? Say, for example, I want to apply a role on one view but not the other view within the same dataset. How can I go about doing that?

Is there a code sample somewhere where I can achieve this?

Would something like this not work?

```js
// Entry with only a role and no target (userByEmail, groupByEmail, ...)
const adminAccessEntry = {
  role: "READER"
};

// Make API request to retrieve dataset metadata
const [sharedMetadata] = await sharedDataset.getMetadata();

const sharedAccessEntries = sharedMetadata.access;
sharedAccessEntries.push(adminAccessEntry);

sharedMetadata.access = sharedAccessEntries;

// Make API request to update dataset metadata
const [updatedSharedMetadata] =
  await sharedDataset.setMetadata(sharedMetadata);
```

It results in the following:
"An access entry must have exactly one of userByEmail, groupByEmail, domain, specialGroup defined, view, routine, or dataset."

That access configuration is only available at the dataset level. For the example that you gave, you have to create two datasets with the given sets of permissions/roles and put each view in a separate dataset.

Yeah, sorry for the confusion, the role attribute is the BigQuery IAM role that is going to be applied to the given target, which needs to be a user, group or domain. From the docs:

An IAM role ID that should be granted to the user, group, or domain specified in this access entry

A more recommended approach is to create groups using the Cloud Identity API and assign users to those groups and have each authorized view attached to a group. Essentially those groups would work like the role that you mentioned before.

Maybe for the more granular control that you need, there is a pre-GA API called IAM Conditions, where you can write custom conditions to give access to a given BigQuery resource. See https://cloud.google.com/bigquery/docs/conditions#examples. But this is not GA yet.
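The access-entry rule discussed above (exactly one target per entry, role applied to that target, groups as the role-like unit), as an added example that is not code from nodejs-bigquery or from the thread's participants: offline helpers for a dataset's `metadata.access` array that reject a role-only entry, grant a role to a group on the shared dataset, register an authorized view on the source dataset, and check a principal against the list. `isMemberOf` is an assumed caller-supplied group-membership lookup; all sample values are constructed.

```javascript
// Added example, not code from nodejs-bigquery or from this thread.
// Pure helpers for a dataset's `metadata.access` array: build the array offline,
// then apply it with `dataset.setMetadata(metadata)` as in the snippet above.

// Every access entry names exactly one target; `role` is the IAM role granted to it.
const TARGET_KEYS = ['userByEmail', 'groupByEmail', 'domain', 'specialGroup',
  'view', 'routine', 'dataset'];
const RESOURCE_KEYS = ['view', 'routine', 'dataset']; // these targets carry no role

function isValidAccessEntry(entry) {
  const targets = TARGET_KEYS.filter((k) => entry[k] !== undefined);
  if (targets.length !== 1) return false; // e.g. { role: 'READER' } alone is rejected
  return RESOURCE_KEYS.includes(targets[0])
    ? entry.role === undefined
    : typeof entry.role === 'string';
}

// Return a copy of `access` with `entry` appended, unless an identical entry exists.
function addAccessEntry(access, entry) {
  if (!isValidAccessEntry(entry)) {
    throw new Error(`An access entry must have exactly one of ${TARGET_KEYS.join(', ')} defined.`);
  }
  const key = JSON.stringify(entry);
  if (access.some((e) => JSON.stringify(e) === key)) return access.slice();
  return [...access, entry];
}

// Shared dataset: grant a role to a group (the "role-like" approach from the reply).
function grantGroupRole(access, groupByEmail, role) {
  return addAccessEntry(access, { role, groupByEmail });
}

// Source dataset: list a view from the shared dataset as an authorized view.
function authorizeView(access, projectId, datasetId, tableId) {
  return addAccessEntry(access, { view: { projectId, datasetId, tableId } });
}

// Does `email` hold `role` via a direct user, domain or group entry?
// `isMemberOf(email, group)` is an assumed caller-supplied lookup (e.g. Cloud Identity);
// group entries cannot be resolved from `metadata.access` alone.
function principalHasRole(access, email, role, isMemberOf) {
  const domain = email.includes('@') ? email.split('@')[1] : null;
  return access.some((e) => e.role === role && (
    e.userByEmail === email ||
    (domain !== null && e.domain === domain) ||
    (e.groupByEmail !== undefined && isMemberOf(email, e.groupByEmail))));
}
```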