-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CT-717] Add Grants to BigQuery Materializations #198
Comments
Following up on latest thinking in dbt-labs/dbt-core#5263 (comment), there may actually be a way to do this that's SQL-only, without any API calls. That may be slightly slower, but it's much more visible, and easier to debug. Docs:
Defaults should work for:
We'd need a custom version of select * from {{ relation.project }}.`{{ target.location }}`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
where object_schema = '{{ relation.dataset }}' and object_name = '{{ relation.identifier }}' Example flowIn dbt: -- models/my_table.sql
{{ config(grants = {
'roles/bigquery.dataViewer': ['user:[email protected]'],
'roles/custom.whatEver': ['user:[email protected]'],
} }}
select ... So dbt runs: grant `roles/bigquery.dataViewer` on dbt_jcohen.my_table to "user:[email protected]";
grant `roles/custom.whatEver` on dbt_jcohen.my_table to "user:[email protected]"; Now, we change that to just: -- models/my_table.sql
{{ config(grants = {
'roles/bigquery.dataViewer': ['user:[email protected]'],
} }}
select ... So dbt runs: select * from `region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
where object_schema = 'dbt_jcohen' and object_name = 'my_table'; (result of that query, in JSON format) { "object_catalog": "dbt-test-env", "object_schema": "dbt_jcohen", "object_name": "my_table", "object_type": "TABLE", "privilege_type": "roles/bigquery.dataViewer", "grantee": "user:[email protected]"}
{ "object_catalog": "dbt-test-env", "object_schema": "dbt_jcohen", "object_name": "my_table", "object_type": "TABLE", "privilege_type": "roles/custom.whatEver", "grantee": "user:[email protected]"} revoke `roles/custom.whatEver` on dbt_jcohen.my_table from "user:[email protected]"; The cool thing about BigQuery is that we could actually perform the show + revoke + grant statements all in one dynamic "script," using "procedural SQL", if we so chose. That's fairly different from the general implementation we'd need on other databases, though. |
Will this also work for Authorized Views? @jtcohen6
I can see that done via API calls in Python from https://cloud.google.com/bigquery/docs/samples/bigquery-revoke-dataset-access |
@avipaul6 This will not work for authorized views, for the reasons you've indicated. dbt already supports authorized views on BigQuery today, but the syntax is pretty wonky, and differs from the standard we're looking to implement in this feature: https://docs.getdbt.com/reference/resource-configs/bigquery-configs#authorized-views Our main constraint here by what BigQuery StandardSQL makes available. I'm definitely interested in future work that reconciles / rationalizes dbt's approach to standard grants with the dataset operations required by authorized views. |
blocked by: dbt-labs/dbt-core#5263
Once the above work is merged into core, there are some tweaks that need to be made in the BigQuery adapter to fully expose the feature:
apply_grants
so that it directly makes the API call to revoke grants (BigQuery Docs) instead of getting sql fromget_revoke_all_sql
.The text was updated successfully, but these errors were encountered: