Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Bigquery - write only authorization

Tags:

acl

google-bigquery

I am new to Google's Bigquery, so apologize my ignorance.

The idea was to use Bigquery to store events that happen inside applications that are installed at different sites. The sites are completely isolated entities and therefore one site should not be able to access the data from another site.

At the same time consolidated views should also be possible, assuming a user with more permissions (e.g. a manager in some head quarter facility)

The amount of sites can run into hundreds so it seems difficult to give each of them a separate dataset/table and associated (service) authentication (.p12)

Is there any way I can set this up in Bigquery

All tips welcomed.

Many thanks!

Peter

like image 825
Peter Avatar asked May 15 '14 14:05

Peter

People also ask

How do I set permissions in BigQuery?

On the open sidebar, click the ⁺👤 ADD PRINCIPAL button to open the contextual menu: On the contextual menu, write the list of emails or Google groups that you want to grant access to, and select the right roles ( roles/bigquery. dataViewer role for query permissions, roles/bigquery.

How do I give access to a table in BigQuery?

When you use a BigQuery table access policy, you have the following options for table access: Share a dataset, including all of its source tables, with users. This option is IAM access control set at the dataset level. Create an authorized view to access source data which the user does not have IAM access to.

2 Answers

Write only authorization (specifically for streaming inserts to bigquery tables only) has been added recently to BigQuery. You can use the https://www.googleapis.com/auth/bigquery.insertdata scope when you authenticate instead of the https://www.googleapis.com/auth/bigquery scope, and the only method the user will be able to use will be tabledata.insertall().

With regards to the type of authorization you want for views, this is a high-priority feature request that we would love to enable. Can you give more details about the scenario you'd like to see work?

like image 105
Jordan Tigani Avatar answered Oct 11 '22 08:10

Jordan Tigani

As of June 2017, the best approach to storing events with "insert only" access in BigQuery is to send the events through Stackdriver Logging (now part of Google). Configure an Export in Stackdriver to send the logs to BigQuery. This effectively produces an "insert only" event storage system. You can then configure user roles in BigQuery to aggregate data across multiple sites.

The approach Jordan described is good for preventing an application from accidentally over-writing data. Unfortunately, it does not address the scenario of audit or security logs. There is still no pre-defined IAM role for BigQuery that supports "insert only" access, and custom IAM roles are still in "alpha" status. If a hacker has gained privileged access to a server that can write directly to BigQuery, the hacker will also have access to the BigQuery keyfile that allows them to over-write data in the logs, allowing them to cover their tracks. This defeats the purpose of the logs.

You can push events to Stackdriver directly via the REST API or a client library. You can also configure the Stackdriver Logging Agent to monitor any text-based log on a Linux system.

like image 36
Craig Finch Avatar answered Oct 11 '22 07:10

Craig Finch
Sign in to Comment

Related questions

Zend_Acl, with roles and permissions stored in database
What is the ace_order column in Spring ACL table?
When self-hosting what exactly causes AddressAccessDeniedException : HTTP could not register URL
ServiceFabric standalone: Failed to get private key file
Posting image to S3 Conflicting query string parameters
How to change permission recursively to folder with AWS s3 or AWS s3api

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!