Controlling access to datasets

This document describes how to control access to datasets in BigQuery.

You can apply access controls during dataset creation by calling the datasets.insert API method.

Access controls cannot be applied during dataset creation in the GCP Console, the classic BigQuery web UI, or the command-line tool.

You can apply access controls to a dataset after it is created by:

  • Using the GCP Console or classic BigQuery web UI
  • Using the bq update CLI command
  • Calling the datasets.patch API method

Overview

You share access to BigQuery tables and views using project-level IAM roles and dataset-level access controls. Currently, you cannot apply access controls directly to tables or views.

Project-level access controls determine the users, groups, and service accounts allowed to access all datasets, tables, views, and table data within a project. Dataset-level access controls determine the users, groups, and service accounts allowed to access the tables, views, and table data in a specific dataset.

For example, if you assign the bigquery.dataOwner role to a user at the project level, that user can create, update, and delete tables and views in all of the project's datasets. If you assign the OWNER role at the dataset level, the user can create, update, and delete tables and views only in that dataset. The dataset-level OWNER primitive role is equivalent to granting the bigquery.dataOwner role to the dataset.

If you assign users or groups to a more restrictive role at the project level, you must also grant access to individual datasets. For example, if you grant a user or group the bigquery.user role at the project level, the user can create datasets and can run query jobs against tables in those datasets. To query tables in datasets the user did not create, you must assign a minimum of dataset-level READER access to the user for each dataset the user needs to query. The dataset-level READER primitive role is equivalent to granting the bigquery.dataViewer role to the dataset.

For more information about predefined, project-level IAM roles and dataset-level access controls, see Access control.

Required permissions

To assign or update dataset access controls, you must have OWNER access at the dataset level, or you must be assigned a project-level IAM role that includes bigquery.datasets.update permissions. The following predefined, project-level IAM roles include bigquery.datasets.update permissions:

In addition, because the bigquery.user role has bigquery.datasets.create permissions, a user assigned to the bigquery.user role can update any dataset that user creates. When a user assigned to the bigquery.user role creates a dataset, that user is given OWNER access to the dataset. OWNER access to a dataset gives the user full control over it.

For more information on IAM roles and permissions in BigQuery, see Access Control. For more information on dataset-level roles, see Primitive roles for datasets.

Controlling access to a dataset

To assign access controls to a dataset:

Console

  1. Select a dataset from Resources, then click Share dataset near the right side of the window.

  2. In the Share dataset panel, in the Dataset permissions tab, click Add members.

  3. In the Add members panel, type the email addresses of the users, groups, or service accounts you want to add into the New members text box.

  4. For Select a role, select BigQuery and choose an appropriate pre-defined IAM role for the new members. For more information on the permissions assigned to each predefined BigQuery role, see the Roles section of the access control page.

  5. Click Done.

Classic UI

  1. Click the drop-down arrow to the right of the dataset and choose Share Dataset.

  2. In the Share Dataset dialog, for Add People, click the drop-down to the left of the field, and choose the appropriate option. When you apply access controls to a dataset by using the classic web UI, you can grant access to the following users and groups:

    • User by e-mail - Gives an individual Google account access to the dataset
    • Group by e-mail - Gives all members of a Google group access to the dataset
    • Domain - Gives all users and groups in a Google domain access to the dataset
    • All Authenticated Users - Gives all Google account holders access to the dataset (makes the dataset public)
    • Project Owners - Gives all project owners access to the dataset
    • Project Viewers - Gives all project viewers access to the dataset
    • Project Editors - Gives all project editors access to the dataset
    • Authorized View - Gives a view access to the dataset

  3. Type a value in the text box. For example, if you choose User by e-mail or Group by e-mail, type the user or group's email address.

  4. To the right of the Add People field, click Can view and choose the appropriate role from the list.

  5. Click Add and then click Save changes.

Command-line

  1. Write the existing dataset information (including access controls) to a JSON file using the show command. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format: [PROJECT_ID]:[DATASET].

    bq show --format=prettyjson [PROJECT_ID]:[DATASET] > [PATH_TO_FILE]

    Where:

    • [PROJECT_ID] is your project ID.
    • [DATASET] is the name of your dataset.
    • [PATH_TO_FILE] is the path to the JSON file on your local machine.

      Examples:

      Enter the following command to write the access controls for mydataset to a JSON file. mydataset is in your default project.

      bq show --format=prettyjson mydataset > /tmp/mydataset.json

      Enter the following command to write the access controls for mydataset to a JSON file. mydataset is in myotherproject.

      bq show --format=prettyjson myotherproject:mydataset > /tmp/mydataset.json

  2. Make your changes to the "access" section of the JSON file. You can add or remove any of the specialGroup entries: projectOwners, projectWriters, projectReaders, and allAuthenticatedUsers. You can also add, remove, or modify any of the following: userByEmail, groupByEmail, and domain.

    For example, the access section of a dataset's JSON file would look like the following:

    {
     "access": [
      {
       "role": "READER",
       "specialGroup": "projectReaders"
      },
      {
       "role": "WRITER",
       "specialGroup": "projectWriters"
      },
      {
       "role": "OWNER",
       "specialGroup": "projectOwners"
      },
      {
       "role": "READER",
       "specialGroup": "allAuthenticatedUsers"
      },
      {
       "role": "READER",
       "domain": "[DOMAIN_NAME]"
      },
      {
       "role": "WRITER",
       "userByEmail": "[USER_EMAIL]"
      },
      {
       "role": "READER",
       "groupByEmail": "[GROUP_EMAIL]"
      }
     ],
     ...
    }

  3. When your edits are complete, use the update command and include the JSON file using the --source flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format: [PROJECT_ID]:[DATASET].

    bq update --source [PATH_TO_FILE] [PROJECT_ID]:[DATASET]

    Where:

    • [PATH_TO_FILE] is the path to the JSON file on your local machine.
    • [PROJECT_ID] is your project ID.
    • [DATASET] is the name of your dataset.

      Examples:

      Enter the following command to update the access controls for mydataset. mydataset is in your default project.

      bq update --source /tmp/mydataset.json mydataset

      Enter the following command to update the access controls for mydataset. mydataset is in myotherproject.

      bq update --source /tmp/mydataset.json myotherproject:mydataset

  4. To verify your access control changes, enter the show command again without writing the information to a file.

    bq show --format=prettyjson [DATASET]

    or

    bq show --format=prettyjson [PROJECT_ID]:[DATASET]
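As an added example that is not part of the original page: a small Python helper for the JSON that bq show writes in step 1 and that you edit in step 2. It finds the entry that makes a dataset public (the allAuthenticatedUsers special group), strips it, and adds a grant without creating a duplicate entry, returning JSON you can write to the file passed to bq update --source in step 3. The sample resource, project name and e-mail addresses are constructed for this example.

```python
import json
from copy import deepcopy

# Constructed sample of the resource written by `bq show --format=prettyjson`,
# trimmed to the fields that matter here (project and e-mail values are made up).
SAMPLE_DATASET_JSON = json.dumps({
    "datasetReference": {"projectId": "my-project", "datasetId": "mydataset"},
    "access": [
        {"role": "READER", "specialGroup": "projectReaders"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
        {"role": "WRITER", "userByEmail": "alice@example.com"},
    ],
})

# Entity keys an access entry may carry (one per entry) and the public group.
ENTITY_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup")
PUBLIC_GROUP = "allAuthenticatedUsers"


def public_entries(dataset):
    """Return the entries that make the dataset readable by any Google account."""
    return [e for e in dataset.get("access", []) if e.get("specialGroup") == PUBLIC_GROUP]

def remove_public_access(dataset):
    """Return a copy of the resource with the allAuthenticatedUsers entry removed."""
    out = deepcopy(dataset)
    out["access"] = [e for e in out.get("access", []) if e.get("specialGroup") != PUBLIC_GROUP]
    return out

def grant(dataset, role, entity_key, entity_value):
    """Return a copy with one (role, entity) entry added; identical entries are not duplicated."""
    if entity_key not in ENTITY_KEYS:
        raise ValueError("unsupported entity key: %s" % entity_key)
    if role not in ("READER", "WRITER", "OWNER"):
        raise ValueError("unsupported dataset role: %s" % role)
    out = deepcopy(dataset)
    entry = {"role": role, entity_key: entity_value}
    if entry not in out.setdefault("access", []):
        out["access"].append(entry)
    return out

def harden_and_serialize(dataset_json, reader_group):
    """Drop public access, add a READER group, and return JSON for `bq update --source`."""
    dataset = json.loads(dataset_json)
    hardened = grant(remove_public_access(dataset), "READER", "groupByEmail", reader_group)
    return json.dumps(hardened, indent=1)
```

Run the returned text through bq update --source as in step 3, then confirm with bq show (step 4) that no allAuthenticatedUsers entry remains.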

API

Call datasets.insert with a defined dataset resource to apply access controls when the dataset is created. Call datasets.patch and use the access property in the dataset resource to update your access controls.

Because the datasets.update method replaces the entire dataset resource, datasets.patch is the preferred method for updating access controls.

Go

Read the dataset's current metadata, set the Access field of a bigquery.DatasetMetadataToUpdate to the new access list, then call Dataset.Update() to apply it.

package main

import (
	"context"
	"fmt"

	"cloud.google.com/go/bigquery"
)

// updateDatasetAccessControl appends a READER entry for one user to the
// dataset's existing access list, keeping all other entries as they were.
func updateDatasetAccessControl(projectID, datasetID string) error {
	ctx := context.Background()
	client, err := bigquery.NewClient(ctx, projectID)
	if err != nil {
		return fmt.Errorf("bigquery.NewClient: %v", err)
	}
	defer client.Close()

	ds := client.Dataset(datasetID)
	meta, err := ds.Metadata(ctx)
	if err != nil {
		return err
	}
	// Append a new access control entry to the existing access list.
	update := bigquery.DatasetMetadataToUpdate{
		Access: append(meta.Access, &bigquery.AccessEntry{
			Role:       bigquery.ReaderRole,
			EntityType: bigquery.UserEmailEntity,
			Entity:     "sample.bigquery.dev@gmail.com"},
		),
	}

	// Leverage the ETag for the update to assert there's been no modifications to the
	// dataset since the metadata was originally read.
	if _, err := ds.Update(ctx, update, meta.ETag); err != nil {
		return err
	}
	return nil
}

Python

Before trying this sample, follow the Python setup instructions in the BigQuery Quickstart Using Client Libraries. For more information, see the BigQuery Python API reference documentation.

Set the dataset.access_entries property with the access controls for a dataset. Then call the client.update_dataset() function to update the property.

from google.cloud import bigquery


def update_dataset_access(client, dataset_id):
    """Append a READER entry for one user to the dataset's access list.

    client: a bigquery.Client() for your project.
    dataset_id: the dataset to update, e.g. 'your-project.your_dataset'.
    """
    dataset = client.get_dataset(dataset_id)

    entry = bigquery.AccessEntry(
        role="READER",
        entity_type="userByEmail",
        entity_id="sample.bigquery.dev@gmail.com",
    )

    # Copy the existing entries so the new grant is added rather than
    # replacing the current access list.
    entries = list(dataset.access_entries)
    entries.append(entry)
    dataset.access_entries = entries

    # Only the access_entries field is sent; other dataset properties are untouched.
    dataset = client.update_dataset(dataset, ["access_entries"])  # API request

    full_dataset_id = "{}.{}".format(dataset.project, dataset.dataset_id)
    print(
        "Updated dataset '{}' with modified user permissions.".format(full_dataset_id)
    )
    return dataset

Next steps
