dbt-bigquery

[ADAP-545] [Feature] Add support for Authorized Datasets and dataset-level grants

Open akerone opened this issue 1 year ago • 4 comments

Is this your first time submitting a feature request?

  • [X] I have read the expectations for open source contributors
  • [X] I have searched the existing issues, and I could not find an existing issue for this feature
  • [X] I am requesting a straightforward extension of existing dbt-bigquery functionality, rather than a Big Idea better suited to a discussion

Describe the feature

The ability to configure Authorized Datasets in dbt-project.yml, similarly to Authorized Views. For example, a +grant_access_to: where +schema: is also present at the same level could authorize the whole dataset rather than all individual views.

The same goes for direct grants.

Describe alternatives you've considered

dbt currently achieves the same result, although in what is, in our opinion, a less user-friendly way. Giving permissions to every separate model becomes hell when it's time to revoke any of them.

Who will this benefit?

Every single BQ admin who's in any way concerned by security. It also indirectly solves #126.

Are you interested in contributing this feature?

No response

Anything else?

No response

akerone avatar May 11 '23 11:05 akerone
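
An added illustration of the request above (not code from dbt-bigquery or from the issue author): in the BigQuery REST dataset resource, each authorized view is its own `view` entry in the source dataset's `access` array, while an authorized dataset is a single `dataset` entry with `targetTypes`. The project, dataset and view names below are constructed, and the helper functions are hypothetical.

```python
import json

# Constructed sample: the `access` array of a source dataset (BigQuery REST
# datasets resource). All project, dataset and view names are hypothetical.
SOURCE_ACCESS = [
    {"role": "OWNER", "userByEmail": "admin@example.com"},
    {"view": {"projectId": "proj", "datasetId": "marts", "tableId": "orders_v"}},
    {"view": {"projectId": "proj", "datasetId": "marts", "tableId": "users_v"}},
    {"view": {"projectId": "proj", "datasetId": "other", "tableId": "audit_v"}},
]


def _is_view_of(entry, project, dataset):
    v = entry.get("view")
    return bool(v) and (v["projectId"], v["datasetId"]) == (project, dataset)


def _is_authorized_dataset(entry, project, dataset):
    ref = entry.get("dataset", {}).get("dataset", {})
    return (ref.get("projectId"), ref.get("datasetId")) == (project, dataset)


def consolidate(access, project, dataset):
    """Swap per-view entries for `dataset` with one authorized-dataset entry."""
    kept = [e for e in access
            if not _is_view_of(e, project, dataset)
            and not _is_authorized_dataset(e, project, dataset)]
    # Broader than per-view entries: it also covers views added to the
    # dataset later, so only use it for datasets that hold nothing else.
    kept.append({"dataset": {
        "dataset": {"projectId": project, "datasetId": dataset},
        "targetTypes": ["VIEWS"],
    }})
    return kept


def revoke(access, project, dataset):
    """Drop every entry that lets `dataset` read the source; report the count."""
    kept = [e for e in access
            if not _is_view_of(e, project, dataset)
            and not _is_authorized_dataset(e, project, dataset)]
    return kept, len(access) - len(kept)


if __name__ == "__main__":
    merged = consolidate(SOURCE_ACCESS, "proj", "marts")
    print(json.dumps(merged, indent=2))
    print(revoke(SOURCE_ACCESS, "proj", "marts")[1], "entries vs",
          revoke(merged, "proj", "marts")[1])
```

With per-view entries, revocation has to find and remove one entry per view; after consolidation it is a single entry, and entries for other datasets are left untouched.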

Thanks for opening this feature request @akerone!

It sounds like making the revoke process easier is your primary goal?

Did you consider an alternative using grant config inheritance in your dbt_project.yml similar to the following (using BigQuery-specific syntax)?

dbt_project.yml

models:
  project_name_here:
    folder_name_containing_your_dataset_models:
      +grants:
        roles/bigquery.dataViewer: ['user:[email protected]', 'user:[email protected]']

dbeatty10 avatar May 11 '23 16:05 dbeatty10

Hi, sorry for the late response.

Giving read permission directly to the tables is not an option, as we want to grant read access only to the authorized views.

akerone avatar Jul 12 '23 11:07 akerone

👍🏻 It makes a lot of sense to grant dataset-level permissions (which can even be executed via SQL), and I ran into needing this too.

For example, you have a bunch of tables in your dataset. You want the user to see only specific ones. You need to grant:

  • bigquery.tables.get on the tables
  • bigquery.tables.list on the dataset

acovaci avatar Aug 15 '23 11:08 acovaci

This issue has been marked as Stale because it has been open for 180 days with no activity. If you would like the issue to remain open, please comment on the issue or else it will be closed in 7 days.

github-actions[bot] avatar Feb 12 '24 01:02 github-actions[bot]