-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(ingest): bigquery-beta - eliminate the need for data.read permiss…
…ion for table schema (#6146) Co-authored-by: Shirshanka Das <[email protected]>
- Loading branch information
1 parent
2e2ef53
commit 0f04cd6
Showing
4 changed files
with
234 additions
and
98 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,59 +1,53 @@ | ||
| ### Prerequisites | ||
| To understand how BigQuery ingestion needs to be set up, first familiarize yourself with the concepts in the diagram below: | ||
| <p align="center"> | ||
| <img width="70%" src="https://github.com/datahub-project/static-assets/raw/main/imgs/integrations/bigquery/source-bigquery-setup.png"/> | ||
| </p> | ||
|
|
||
| #### Create a datahub profile in GCP | ||
| There are two important concepts to understand and identify: | ||
| - *Extractor Project*: This is the project associated with a service-account, whose credentials you will be configuring in the connector. The connector uses this service-account to run jobs (including queries) within the project. | ||
| - *Bigquery Projects* are the projects from which table metadata, lineage, usage, and profiling data need to be collected. By default, the extractor project is included in the list of projects that DataHub collects metadata from, but you can control that by passing in a specific list of project ids that you want to collect metadata from. Read the configuration section below to understand how to limit the list of projects that DataHub extracts metadata from. | ||
|
|
||
| #### Create a datahub profile in GCP | ||
| 1. Create a custom role for datahub as per [BigQuery docs](https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role). | ||
| 2. Grant the following permissions to this role: | ||
| 2. Follow the sections below to grant permissions to this role on this project and other projects. | ||
|
|
||
| ##### Basic Requirements (needed for metadata ingestion) | ||
| 1. Identify your Extractor Project where the service account will run queries to extract metadata. | ||
|
|
||
| | permission | Description | Capability | | ||
| |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| | ||
| | `bigquery.jobs.create` | Run jobs (e.g. queries) within the project. *This only needs for the extractor project where the service account belongs* | | | ||
| | `bigquery.jobs.list` | Manage the queries that the service account has sent. *This only needs for the extractor project where the service account belongs* | | | ||
| | `bigquery.readsessions.create` | Create a session for streaming large results. *This only needs for the extractor project where the service account belongs* | | | ||
| | `bigquery.readsessions.getData` | Get data from the read session. *This only needs for the extractor project where the service account belongs* | | ||
| | `bigquery.tables.create` | Create temporary tables when profiling tables. Tip: Use the `profiling.bigquery_temp_table_schema` to ensure that all temp tables (across multiple projects) are created in this project under a specific dataset. | Profiling | | | ||
| | `bigquery.tables.delete` | Delete temporary tables when profiling tables. Tip: Use the `profiling.bigquery_temp_table_schema` to ensure that all temp tables (across multiple projects) are created in this project under a specific dataset. | Profiling | | | ||
| 2. Grant the following permissions to the Service Account on every project where you would like to extract metadata from | ||
|
|
||
| :::info | ||
|
|
||
| If you have multiple projects in your BigQuery setup, the role should be granted these permissions in each of the projects. | ||
|
|
||
| ::: | ||
|
|
||
| ##### Basic Requirements (needs for metadata ingestion) | ||
|
|
||
| | permission | Description | | ||
| | -------------------------------- | ----------------------------------------------------- | | ||
| | `bigquery.datasets.get` | Retrieve metadata about a dataset. | | ||
| | `bigquery.datasets.getIamPolicy` | Read a dataset's IAM permissions. | | ||
| | `bigquery.jobs.create` | Run jobs (e.g. queries) within the project. | | ||
| | `bigquery.jobs.list` | Manage the queries that the service account has sent. | | ||
| | `bigquery.tables.list` | List BigQuery tables. | | ||
| | `bigquery.tables.get` | Retrieve metadata for a table. | | ||
| | `bigquery.readsessions.create` | Create a session for streaming large results. | | ||
| | `bigquery.readsessions.getData` | Get data from the read session. | | ||
| | `resourcemanager.projects.get` | Retrieve project names and metadata. | | ||
|
|
||
| You can use the following predefined IAM role which has all the needed permissions as well: | ||
| - [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | ||
|
|
||
| ##### Lineage/usage generation requirements | ||
|
|
||
| Additional requirements needed on the top of the basic requirements. | ||
| If you want to get lineage from multiple projects you have to grant this permission | ||
| for each of them. | ||
|
|
||
| | permission | Description | | ||
| | -------------------------------- | ------------------------------------------------------------------------------------------------------------ | | ||
| | `bigquery.jobs.listAll` | List all jobs (queries) submitted by any user. | | ||
| | `logging.logEntries.list` | Fetch log entries for lineage/usage data. Not required if `use_exported_bigquery_audit_metadata` is enabled. | | ||
| | `logging.privateLogEntries.list` | Fetch log entries for lineage/usage data. Not required if `use_exported_bigquery_audit_metadata` is enabled. | | ||
|
|
||
| ##### Profiling requirements | ||
|
|
||
| Additional requirements needed on the top of the basic requirements. | ||
|
|
||
| | permission | Description | | ||
| | ------------------------- | ----------------------------------------------------------------------------------------- | | ||
| | `bigquery.tables.getData` | Access table data to do the profiling. | | ||
| | `bigquery.tables.create` | Create temporary tables when profiling partitioned/sharded tables. See below for details. | | ||
| | `bigquery.tables.delete` | Delete temporary tables when profiling partitioned/sharded tables. See below for details. | | ||
|
|
||
| Profiler creates temporary tables to profile partitioned/sharded tables and that is why it needs table create/delete privilege. | ||
| | permission | Description | Capability | Default GCP role which contains this permission | | ||
| |----------------------------------|--------------------------------------------------------------------------------------------------------------|-------------------------------------|-----------------------------------------------------------------------------------------------------------------| | ||
| | `bigquery.datasets.get` | Retrieve metadata about a dataset. | Table Metadata Extraction | [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | | ||
| | `bigquery.datasets.getIamPolicy` | Read a dataset's IAM permissions. | Table Metadata Extraction | [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | | ||
| | `bigquery.tables.list` | List BigQuery tables. | Table Metadata Extraction | [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | | ||
| | `bigquery.tables.get` | Retrieve metadata for a table. | Table Metadata Extraction | [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | | ||
| | `resourcemanager.projects.get` | Retrieve project names and metadata. | Table Metadata Extraction | [roles/bigquery.metadataViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.metadataViewer) | | ||
| | `bigquery.jobs.listAll` | List all jobs (queries) submitted by any user. Needs for Lineage extraction. | Lineage Extraction/Usage extraction | [roles/bigquery.resourceViewer](https://cloud.google.com/bigquery/docs/access-control#bigquery.resourceViewer) | | ||
| | `logging.logEntries.list` | Fetch log entries for lineage/usage data. Not required if `use_exported_bigquery_audit_metadata` is enabled. | Lineage Extraction/Usage extraction | [roles/logging.privateLogViewer](https://cloud.google.com/logging/docs/access-control#logging.privateLogViewer) | | ||
| | `logging.privateLogEntries.list` | Fetch log entries for lineage/usage data. Not required if `use_exported_bigquery_audit_metadata` is enabled. | Lineage Extraction/Usage extraction | [roles/logging.privateLogViewer](https://cloud.google.com/logging/docs/access-control#logging.privateLogViewer) | | ||
| | `bigquery.tables.getData` | Access table data to extract storage size, last updated at, data profiles etc. | Profiling | | | ||
| | `bigquery.tables.create` | [Optional] Only needed if not using the `profiling.bigquery_temp_table_schema` config option. | Profiling | | | ||
| | `bigquery.tables.delete` | [Optional] Only needed if not using the `profiling.bigquery_temp_table_schema` config option. | Profiling | | | ||
|
|
||
| The profiler creates temporary tables to profile partitioned/sharded tables and that is why it needs table create/delete privilege. | ||
| Use `profiling.bigquery_temp_table_schema` to restrict to one specific dataset the create/delete permission | ||
|
|
||
| #### Create a service account | ||
| #### Create a service account in the Extractor Project | ||
|
|
||
| 1. Setup a ServiceAccount as per [BigQuery docs](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-console) | ||
| and assign the previously created role to this service account. | ||
|
|
@@ -62,16 +56,16 @@ Use `profiling.bigquery_temp_table_schema` to restrict to one specific dataset t | |
|
|
||
| ```json | ||
| { | ||
| "type": "service_account", | ||
| "project_id": "project-id-1234567", | ||
| "private_key_id": "d0121d0000882411234e11166c6aaa23ed5d74e0", | ||
| "private_key": "-----BEGIN PRIVATE KEY-----\nMIIyourkey\n-----END PRIVATE KEY-----", | ||
| "client_email": "[email protected]", | ||
| "client_id": "113545814931671546333", | ||
| "auth_uri": "https://accounts.google.com/o/oauth2/auth", | ||
| "token_uri": "https://oauth2.googleapis.com/token", | ||
| "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", | ||
| "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%suppproject-id-1234567.iam.gserviceaccount.com" | ||
| "type": "service_account", | ||
| "project_id": "project-id-1234567", | ||
| "private_key_id": "d0121d0000882411234e11166c6aaa23ed5d74e0", | ||
| "private_key": "-----BEGIN PRIVATE KEY-----\nMIIyourkey\n-----END PRIVATE KEY-----", | ||
| "client_email": "[email protected]", | ||
| "client_id": "113545814931671546333", | ||
| "auth_uri": "https://accounts.google.com/o/oauth2/auth", | ||
| "token_uri": "https://oauth2.googleapis.com/token", | ||
| "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", | ||
| "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%suppproject-id-1234567.iam.gserviceaccount.com" | ||
| } | ||
| ``` | ||
|
|
||
|
|
@@ -115,8 +109,8 @@ Temporary tables are removed after profiling. | |
|
|
||
| ```yaml | ||
| profiling: | ||
| enabled: true | ||
| bigquery_temp_table_schema: my-project-id.my-schema-where-views-can-be-created | ||
| enabled: true | ||
| bigquery_temp_table_schema: my-project-id.my-schema-where-views-can-be-created | ||
| ``` | ||
|
|
||
| :::note | ||
|
|
||
Oops, something went wrong.