Installation and Configuration
    • 01 Sep 2024
    • 5 Minutes to read
    • Dark
      Light
    • PDF

    Installation and Configuration

    • Dark
      Light
    • PDF

    Article summary

    Installation

    To install the Platfom BigQuery interceptor:

    1. First, pull the BigQuery interceptor container image from PlainID Container Registry using the docker pull command:
    docker pull <platform registry location>:<version>
    

    For example:

    docker pull gcr.io/plainid-presales/bigquery:1.0
    
    1. Create a secret from the credentials JSON:

    Note - The credentials JSON

    kubectl create secret generic google-creds --from-file=<json location>
    

    For example:

    kubectl create secret generic google-creds --from-file=query-enforcer/creds.json
    
    1. Make the required changes in bigq.yaml. Check the Sample Configuration below
    2. Apply the bigq.yaml
    kubectl apply -f bigq.yaml
    

    Sample Configuration bigq.yaml

    This sample bigq.yaml contains the following yamls:

    • Configmap
    • Service
    • Deployment
    • Secret (Optional)
    apiVersion: v1
    data:
      application.properties: |
        server.port=8080
        #server.tomcat.uri-encoding=UTF-8
        #server.error.whitelabel.enabled=false
    
        logging.config=classpath:logback-spring.xml
    #   The PlainID logging level options include trace, debug, info, error, and OFF. 
        logging.level.org.springframework=OFF
        logging.level.org.springframework.core=OFF
        logging.level.org.springframework.beans=OFF
        logging.level.org.springframework.context=OFF
        logging.level.org.springframework.transaction=OFF
        logging.level.org.springframework.web=OFF
        logging.level.org.springframework.test=OFF
        logging.level.org.springframework.data=OFF
        logging.level.com.google.zetasql=info
        logging.level.com.plainid=error
    
        spring.main.banner-mode=OFF
        spring.http.encoding.charset=UTF-8
        spring.http.encoding.enabled=true
        spring.http.encoding.force=true
        spring.mvc.throw-exception-if-no-handler-found=true
        spring.resources.add-mappings=false
    
        spring.redis.host=redis.example.com
        spring.redis.port=6379
        spring.redis.password=SXSIvHJo1OzaWnU2YHZ8p3us0z
        spring.data.redis.ssl.enabled=true
    
        management.security.enabled=false
        management.endpoints.enabled-by-default=false
        management.endpoints.web.exposure.include=info, health
        management.endpoint.info.enabled=true
        management.endpoint.health.enabled=true
        management.endpoint.health.show-components=always
        management.endpoint.health.show-details=always
        management.endpoint.health.probes.enabled=true
        management.endpoint.health.group.liveness.include=livenessState
        management.endpoint.health.group.liveness.show-details=always
        management.endpoint.health.group.readiness.include=readinessState
        management.endpoint.health.group.readiness.show-details=always
        management.health.postgres.enabled=true
        management.health.readinessstate.enabled=true
        management.info.git.mode=full
    
        spring.cloud.gcp.core.enabled=false
        spring.cloud.gcp.bigquery.enabled=false
    
        app.request-context.prefix=context
    # update the following parameter to your PDP URL
        app.policy-resolution.api-url=https://URL-TO-PDP-RUNTIME/api/runtime/resolution/v3
        app.cache.prefix=query-enforcer.v2
        app.cache.ttl-policy-resolution=3000
        app.cache.ttl-db-schema-initial-delay=3000
        app.cache.ttl-db-schema=600000
        app.cache.ttl-catalog=300000
    # update to the full path of the GCP Service Account Credentials file:
        app.enforcer.bigquery-credential-files[0]=file:creds.json
        app.enforcer.resolutionresponse-empty=deny
        app.enforcer.resolutionaccess-empty=deny
        app.enforcer.resolutionprivileges-empty=allow
        app.enforcer.ignoreforbidden-columns=deny
        app.enforcer.columnenforcermasks[string]=***
        app.enforcer.resolutionmasking-as-column=deny
        app.enforcer.resolution-attribute-projectId=projectid
        app.enforcer.resolution-attribute-dataset=dataset
        app.enforcer.resolution-attribute-table=table
        app.enforcer.resolution-attribute-column=column
        app.enforcer.bigquery-information-schema=allow
        app.enforcer.ignore-enforcer-fails=deny
        # app.enforcer.ignore-tables[0]=plainid-142815.*.*
        app.enforcer.ignore-forbidden-columns=deny
        # SSL configuration (Uncomment to enable SSL)
        # The format used for the keystore. It could be set to JKS in case it is a JKS file
        # server.ssl.key-store-type=PKCS12
        # The path to the keystore containing the certificate
        # server.ssl.key-store=/app/keystore.jks
        # The password used to generate the certificate
        # server.ssl.key-store-password=111
        # The alias mapped to the certificate
        # server.ssl.key-alias=111
        # security.require-ssl=false
    kind: ConfigMap
    metadata:
      name: bigq-config
    
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: bigq
    spec:
      selector:
        app: bigq
      ports:
      - name: "bigq"
        protocol: "TCP"
        port: 8080
        targetPort: 8080
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: bigq
    spec:
      selector:
        matchLabels:
          app: bigq
      strategy:
        rollingUpdate:
          maxSurge: 2
          maxUnavailable: 0
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: bigq
        spec:
          containers:
    # The following 3 lines are optional - depending on the used redis - internal or managed
           - image: redis
             name: redis
             resources: {}
    # Use the Image and Tag provided by PlainID
           - image: plainid/authz-bigquery:5.2321.0
             imagePullPolicy: Always
             name: bigq
             resources: {}
             volumeMounts:
             - name: bigq
               mountPath: /app/application.properties
               subPath: application.properties
             - name: creds
               mountPath: /app/creds.json
    # The name of the credentials JSON file - matching the name of the local file `creds.json`
               subPath: creds.json
          volumes:
          - name: bigq
            configMap:
              name: bigq-config
          - name: creds
            secret:
              secretName: google-creds
    

    Configuration Properties

    PropertyDescriptionValues
    app.policy-resolution.api-urlThe runtime resolution API URLExample: https://localhost:8010/api/runtime/resolution/v3
    app.policy-resolution.connection-timeoutSets the connection timeout in millisecondsDefault: 10000
    app.policy-resolution.socket-timeoutSets the socket timeout in millisecondsDefault: 60000
    app.policy-resolution.automatic-retriesToggle disabling automatic retries (up to 4 times) for socket timeoutsDefault: true
    app.bigquery.total-timeouttotalTimeout has ultimate control over how long the logic should keep trying the remote call until it gives up completely. The higher the total timeout, the more retries can be attempted.Default: 0 milliseconds
    app.bigquery.initial-retry-delayInitialRetryDelay controls the delay before the first retry. Subsequent retries will use this value adjusted according to the RetryDelayMultiplier.Default: 0 milliseconds
    app.bigquery.max-retry-delayMaxRetryDelay puts a limit on the value of the retry delay, so that the RetryDelayMultiplier can't increase the retry delay higher than this amount.Default: 0 milliseconds
    app.bigquery.retry-delay-multiplierRetryDelayMultiplier controls the change in retry delay. The retry delay of the previous call is multiplied by the RetryDelayMultiplier to calculate the retry delay for the next call.Default: 1.0
    app.bigquery.max-attemptsMaxAttempts defines the maximum number of attempts to perform. If this value is greater than 0, and the number of attempts reaches this limit, the logic will give up retrying even if the total retry time is still lower than TotalTimeout.Default: 0
    app.cache.prefixRedis cache prefixDefault: query-enforcer.v2
    app.cache.ttl-policy-resolutionCache TTL in milliseconds for Policy Resolution responseDefault: 300000 (5m)
    Minimum: 2000 (2s)
    app.cache.ttl-db-schemaCache TTL in milliseconds for BigQuery requestDefault: 10800000 (3h)
    Minimum: 60000 (1m)
    app.cache.ttl-catalogCache TTL in milliseconds for building internal DB schema for dataset from enforcer requestDefault: 600000 (10m)
    Minimum: 10000 (10s)
    app.enforcer.bigquery-credential-filesList of GCP credential filenames

    if empty or not defined the workload identity will be used for authentication.

    The first credentials file is used as default in cases where the project user is querying doesn't have a designated file.

    Example: app.enforcer.bigquery-credential-files[0]=project-12345.json
    app.enforcer.resolution-response-emptyHow to act in case there is no response (empty response) from the Policy Decision Point. allow – enable access without any limitations. deny – block all access.Default: deny
    app.enforcer.resolution-access-emptyHow to act in case response includes row level policy only (no column level response). allow – All columns are returned to the user. deny – All columns are masked.Default: deny
    app.enforcer.resolution-privileges-emptyHow to act in case the response includes column level policy only, (No row level response). allow – no limitation on row level. deny – no rows are returned to the userDefault: deny
    app.enforcer.resolution-masking-as-columnHow to act in case the response from Policy Decision Point does not contain any access but does contain masking instruction.
    allow – mask all columns in the table based on masking instructions.
    deny – block all access.

    Note: this is relvant only when app.enforcer.resolution-response-empty is defined as deny
    V2.4 and above

    Default: deny
    app.enforcer.resolution-attribute-projectIdName of "projectId" attribute in policy Asset TemplateDefault: projectid
    app.enforcer.resolution-attribute-datasetName of "dataset" attribute in policy Asset TemplateDefault: dataset
    app.enforcer.resolution-attribute-tableName of "table" attribute in policy Asset TemplateDefault: table
    app.enforcer.resolution-attribute-columnName of "column" attribute in policy Asset TemplateDefault: column
    app.enforcer.resolution-masking-resource-type-nameName of the Asset Template used to manage masking instructions

    V2.4 and above

    Default: Masking_Instructions
    app.enforcer.resolution-attribute-maskAsName of attribute used to manage the masking instruction within the Asset Template

    V2.4 and above

    Default: maskas
    app.enforcer.bigquery-information-schemaSupporting queries with using information_schema tables. Possible values: allow or deny. After changing this value the DB schema cache must be updated.Default: allow
    app.enforcer.ignore-enforcer-failsIndicates what to do in case a SQL query that can’t be parsed is sent to the enforcer. Possible values: allow or denyDefault: deny
    app.enforcer.ignore-tablesList of tables with full name “project.dataset.table” to ignore for enforcing. It is possible to use “*” (star) instead of name for each part.Example:
    app.enforcer.ignore-tables[0]=*.*.members
    app.enforcer.ignore-forbidden-columnsA behavior of using a forbidden column is sent within the WHERE clause of SQL query. Possible values: allow or denyDefault: deny
    app.enforcer.bigquery-prefetch-db-schemaFiltering used metadata based on mentioned tables in SQL.

    If true might be received RESOURCE_EXHAUSTED error in case BigQuery contains a very big list of datasets/tables/columns.

    If false the metadata will be fetched at runtime.

    V2.2 and above

    Default: true
    app.enforcer.column-enforcer-masks[coulmnType]Define default masking instruction per Column Type. Will be considered in case no masking instruction will return from the Policy Decision Point V2.4 and aboveExamples:
    app.enforcer.column-enforcer-masks[string]=***
    app.enforcer.column-enforcer-masks[numerical]=-1
    app.enforcer.column-enforcer-masks[bool]=false
    app.enforcer.column-enforcer-masks[timestamp]=0
    app.enforcer.column-enforcer-masks[date]=2007-12-03
    app.enforcer.column-enforcer-masks[time]=10:15:30

    Optional Configuration to create the secret on-the-fly

    Append the following yaml to the bigq.yaml:

    apiVersion: v1
    metadata:
      name: google-creds
    data:
      creds.json: the-gcp-iam-service-user-credentials-content
    kind: Secret
    

    Configuration

    Required Parameters/Attributes

    Parameter/AttributeDescriptionExample
    data:creds.jsonthe IAM certificate content (obtained from Google Cloud Platform IAM){ "type": "service_account", "project_id": "example", "private_key_id": "867b49f1cb844f1757d6265e3608f814a05b4bce", "private_key": "-----BEGIN PRIVATE KEY-----\nMII...\n-----END PRIVATE KEY-----\n", "client_email": "bigquery@example.iam.gserviceaccount.com", "client_id": "930123456789012345678", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/bigquery%40example.iam.gserviceaccount.com" }
    app.policy-resolution.api-urlThe URL to the PlainID PDP Policy Resolution API End-PointCloud: https://[your-tenant].[data-center].plainid.io/api/runtime/resolution/v3

    Policy Authorization Agent: https://[url/address of the PDP]/api/runtime/resolution/v3

    Customer Hosted Platform:https://[url/address of the PDP]/api/runtime/resolution/v3


    Was this article helpful?