Overview of authorized views
Authorized views are logical views of tables that give you fine-grained access control of your Bigtable data. An authorized view is a subset of a table that you configure to include specific table data. Then you grant access to the authorized view separately from access to the table.
Authorized views are useful for multi-tenant tables or other situations when your table contains data that not all users should be able to access. Unlike views in other database services, Bigtable authorized views can be used to control both read and write access. You can create thousands of authorized views programmatically, in the same way you can with what other storage systems call "updateable views" or "filtered aliases."
This document describes authorized views and provides examples of definition files. Before you read this document, you should be familiar with the Bigtable storage model. For instructions, see Create and manage authorized views.
What defines an authorized view
When you create an authorized view, you define it by specifying the data to include in the authorized view using one of the following parameters:
- Row key prefix - for example, all rows that start with
examplepetstore1| - Column qualifier prefix - for example, all columns whose qualifiers
start with
order#in the specified column family - Column qualifier - for example, only the
order-examplepetstorecolumn in the specified column family - A combination of row key prefix and column qualifier
If the same column qualifier is used in multiple column families and you want to include all columns with that qualifier in the view, you must specify every combination of column qualifier and column family separately when you define the view.
The row key and column qualifier values that you use to define an authorized view are treated as service data. For this reason, don't create an authorized view using row key or column qualifier values that contain sensitive information. For information about how service data is handled, see the Google Cloud Privacy Notice.
Including columns in a family or all rows
If you want to make sure that any column that is added to a column family in the
underlying table is also included in your authorized view, then you
should specify the empty string ("") as a column qualifier prefix. For
example, a definition file would include this in the family subset:
"qualifierPrefixes": [""].
Similarly, if you want to define an authorized view that includes all
rows in the table, specify the empty string ("") as a row key prefix. In a
definition file, this is written as "rowPrefixes": [""] in the view subset.
Definition file examples
This section presents JSON-formatted examples of authorized view definition files.
The following is an example of a definition file for an authorized view
that includes all rows with a row key prefix of examplepetstore1#.
{
"subsetView":
{
"rowPrefixes": ["examplestore1#"],
"familySubsets":
{
"customer":
{
"qualifiers":["address"],
"qualifierPrefixes":["tel"]
}
}
},
"deletionProtection": true
}
The following is an example of a definition file for an authorized view
that includes the skus column in the order column family and all columns in
the customer column family.
"subsetView": {
"familySubsets": {
"order": {
"qualifiers": ["skus"]
}
}
"familySubsets": {
"key": "customer"
"qualifierPrefixes": [""]
}
}
The following is an example of a definition file for an authorized view
that includes only data in the skus column in the order
column family in rows that have a row key prefix of examplepetstore1#.
"subsetView": {
"rowPrefixes": ["examplepetstore1#"]
"familySubsets": {
"order": {
"qualifiers": ["skus"]
}
}
}