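Restricting OAuth scopes for Google BigQuery connections to read-only

Before Looker 24.20, when OAuth authentication was set up for a Google BigQuery connection, Looker created OAuth credentials that allowed database users to request both read and write scopes. Starting in Looker 24.20, Looker requests the OAuth read-only scope for any new BigQuery OAuth connection, for any new OAuth authorization against an existing BigQuery OAuth connection, and for any reauthorization against an existing BigQuery OAuth connection.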

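Note the following for Google BigQuery connections with read-only scopes:

Starting March 1, 2025, Looker will log out of all corresponding BigQuery connections every user who has not reauthorized with the read-only OAuth scope. This will cause any schedules that depend on those connections to fail. Each user needs to reauthorize their OAuth connection credentials to ensure that schedules are delivered successfully. You can also reassign schedules to a user who has already reauthorized their OAuth connection credentials.

To ensure a smooth transition to the updated OAuth credentials, follow the steps in the sections below: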

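Reauthorizing OAuth connection credentials

To update your OAuth credentials to use the read-only scope, follow these steps:

  1. Go to the Account page.
  2. In the OAuth Connection Credentials section, click Reauthorize next to each set of credentials.
  3. You are prompted to reauthorize Looker to access your BigQuery data. The confirmation screen should list the "View your data in Google BigQuery" permission, not the "View and manage your data in Google BigQuery" permission.

Every user who has OAuth credentials for a BigQuery connection needs to complete these steps.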

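Generating a list of all users who may be affected

To generate a list of all users who do not have read-only OAuth credentials but have created schedules on a BigQuery connection, visit the following System Activity Explore, replacing INSTANCE_NAME with the address of your Looker instance (for example, https://example.cloud.looker.com).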

INSTANCE_NAME/explore/system__activity/scheduled_plan_oauth_events?fields=user.name,count,query.model&f[query.model]=-NULL&f[count]=0&sorts=user.name&limit=500&column_limit=50&query_timezone=America%2FLos_Angeles&vis=%7B%22show_view_names%22%3Afalse%2C%22show_row_numbers%22%3Atrue%2C%22transpose%22%3Afalse%2C%22truncate_text%22%3Atrue%2C%22hide_totals%22%3Afalse%2C%22hide_row_totals%22%3Afalse%2C%22size_to_fit%22%3Atrue%2C%22table_theme%22%3A%22white%22%2C%22limit_displayed_rows%22%3Afalse%2C%22enable_conditional_formatting%22%3Afalse%2C%22header_text_alignment%22%3A%22left%22%2C%22header_font_size%22%3A12%2C%22rows_font_size%22%3A12%2C%22conditional_formatting_include_totals%22%3Afalse%2C%22conditional_formatting_include_nulls%22%3Afalse%2C%22x_axis_gridlines%22%3Afalse%2C%22y_axis_gridlines%22%3Atrue%2C%22show_y_axis_labels%22%3Atrue%2C%22show_y_axis_ticks%22%3Atrue%2C%22y_axis_tick_density%22%3A%22default%22%2C%22y_axis_tick_density_custom%22%3A5%2C%22show_x_axis_label%22%3Atrue%2C%22show_x_axis_ticks%22%3Atrue%2C%22y_axis_scale_mode%22%3A%22linear%22%2C%22x_axis_reversed%22%3Afalse%2C%22y_axis_reversed%22%3Afalse%2C%22plot_size_by_field%22%3Afalse%2C%22trellis%22%3A%22%22%2C%22stacking%22%3A%22%22%2C%22legend_position%22%3A%22center%22%2C%22point_style%22%3A%22none%22%2C%22show_value_labels%22%3Afalse%2C%22label_density%22%3A25%2C%22x_axis_scale%22%3A%22auto%22%2C%22y_axis_combined%22%3Atrue%2C%22ordering%22%3A%22none%22%2C%22show_null_labels%22%3Afalse%2C%22show_totals_labels%22%3Afalse%2C%22show_silhouette%22%3Afalse%2C%22totals_color%22%3A%22%23808080%22%2C%22type%22%3A%22looker_grid%22%2C%22defaults_version%22%3A1%2C%22series_types%22%3A%7B%7D%2C%22hidden_fields%22%3A%5B%22count%22%5D%7D&filter_config=%7B%22query.model%22%3A%5B%7B%22type%22%3A%22%21null%22%2C%22values%22%3A%5B%7B%7D%2C%7B%7D%5D%2C%22id%22%3A0%7D%5D%2C%22count%22%3A%5B%7B%22type%22%3A%22%3D%22%2C%22values%22%3A%5B%7B%22constant%22%3A%220%22%7D%2C%7B%7D%5D%2C%22id%22%3A1%7D%5D%2C%22__%21intern
al%21__%22%3A%5B%22OR%22%2C%5B%5B%22AND%22%2C%5B%5B%22FILTER%22%2C%7B%22field%22%3A%22query.model%22%2C%22value%22%3A%22-NULL%22%2C%22type%22%3A%22%21null%22%7D%5D%2C%5B%22FILTER%22%2C%7B%22field%22%3A%22count%22%2C%22value%22%3A%220%22%7D%5D%5D%5D%5D%5D%7D&dynamic_fields=%5B%7B%22category%22%3A%22measure%22%2C%22expression%22%3Anull%2C%22label%22%3A%22Count%22%2C%22value_format%22%3Anull%2C%22value_format_name%22%3Anull%2C%22based_on%22%3A%22event_attribute.value%22%2C%22_kind_hint%22%3A%22measure%22%2C%22measure%22%3A%22count%22%2C%22type%22%3A%22count_distinct%22%2C%22_type_hint%22%3A%22number%22%2C%22filters%22%3A%7B%22event_attribute.value%22%3A%22%25%2Fauth%2Fbigquery.readonly%25%22%7D%7D%5D&origin=share-expanded

Each user needs to reauthorize their OAuth connection credentials to ensure that schedules are delivered successfully.
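
The selection logic behind this Explore (schedule owners with zero events containing the `/auth/bigquery.readonly` scope), as an added example that is not Looker's own code. The record layout and user names are constructed for illustration; only the two scope URLs are real Google values. Unlike the Explore's substring filter, it compares whole scope tokens, so a grant that carries both scopes is not treated as read-only.

```python
"""Added example: flag schedule owners whose BigQuery OAuth grant is not read-only."""

# Real Google OAuth scope URLs for BigQuery.
BQ_READONLY = "https://www.googleapis.com/auth/bigquery.readonly"
BQ_READWRITE = "https://www.googleapis.com/auth/bigquery"


def is_read_only(scope_string):
    """True only if the grant holds the read-only scope and not the read/write one.

    OAuth scope strings are space-delimited (RFC 6749, section 3.3). Compare whole
    tokens: a substring test for "bigquery" would also match "bigquery.readonly".
    """
    scopes = set(scope_string.split())
    return BQ_READONLY in scopes and BQ_READWRITE not in scopes


def users_needing_reauth(grants, schedule_owners):
    """Return sorted schedule owners with no read-only grant on record.

    grants: dict of user name -> list of scope strings seen for that user
            (hypothetical layout, not a Looker API shape).
    schedule_owners: user names that own schedules on BigQuery-backed models.
    A user with no recorded grant at all is flagged too, matching count = 0.
    """
    flagged = []
    for user in sorted(set(schedule_owners)):
        if not any(is_read_only(s) for s in grants.get(user, [])):
            flagged.append(user)
    return flagged


# Constructed sample data, not taken from any real instance.
SAMPLE_GRANTS = {
    "alice": ["openid " + BQ_READWRITE],                          # old grant only
    "bob": ["openid " + BQ_READWRITE, "openid " + BQ_READONLY],   # has reauthorized
    "carol": [BQ_READONLY + " " + BQ_READWRITE],                  # still carries write
}
SAMPLE_SCHEDULE_OWNERS = ["alice", "bob", "carol", "dave", "alice"]

if __name__ == "__main__":
    for name in users_needing_reauth(SAMPLE_GRANTS, SAMPLE_SCHEDULE_OWNERS):
        print(name)
```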

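(Optional) Forcing the read-only scope across the entire Looker instance

To log all users who have OAuth credentials out of any of your BigQuery connections, follow these steps:

  1. Go to the "Admin Settings - General Settings" page.
  2. Switch the Force BigQuery read-only scope setting to "Enabled", then click Update.

This process does not log users back in to BigQuery. The next time a user runs a query based on a model that has a BigQuery connection, the user is prompted to log in to BigQuery. Until the user logs in, any schedules that depend on those connections will fail. You can also reassign schedules to yourself or to another user who has reauthorized their OAuth connection credentials.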