Google BigQuery
    • 01 Sep 2024
    • 2 Minutes to read
    • Dark
      Light
    • PDF

    Google BigQuery

    • Dark
      Light
    • PDF

    Article summary

    PlainID offers a Data Authorizer integration pattern for this third-party vendor. For more information, see Data Access Authorization Patterns.

    The Platform offers unique support for database adaptive access using the policy resolution endpoint. This endpoint is designed to add/modify the SQL query the user is trying to perform, so that only authorized data is processed.

    The BigQuery interceptor leverages the policy resolution endpoint to modify the Google BigQuery data selection, within the API calls, based on the decision from the policies.

    Introduction

    Consistently protecting the same data assets across different databases is a challenge that many data owners struggle with. Often there is a lack of transparency around the authorizations that are enabled due to the different layers of permissions that can surround a database.

    The Platform for managing access to data will provide the following main benefits:

    • Unified Access Management - Manage access to data objects using a unified interface, that can provide consistent access decisions.
    • Fine-grained access solution - Use an access solution that supports fine-grained access controls, both on row and column level.
    • Central enforcement layer - Implement a central enforcement layer for all data access.

    The Platform offers unique support for database adaptive access using the policy resolution endpoint. This endpoint is designed to add/modify the SQL query the user is trying to perform, so that only authorized data is processed.

    The BigQuery interceptor, is leveraging the policy resolution endpoint, to modify the Google BigQuery data selection, within the API calls, based on the decision from the policies.

    Architecture Flow

    image.png

    Explanation:

    1. Authenticated users access the application/service
    2. Applications and services use data APIs to access the data.
    3. The request is directed through an API Gateway, where it’s intercepted and sends to Data interceptor service”.
    4. The data interceptor service requests a “policy resolution” decision from the Platform PDP at the time of access.
    5. The response is translated to a data filtering cluse and a list of authorized data elements, this is used to modify the original data query.
    6. The data API request continues to the relevant repositories with the modified query. Required data, with the filtering based on the access controls, is send back to the application.

    Prerequisites

    In order to configure the PlainID Google BigQuery Authorizer, you need to create a Service Account in Google Cloud Platform:

    • Create a GCP Service Account in the GCP IAM
    • Grant the following Roles to the created Service Account:
      • BigQuery Connection User
      • BigQuery Data Viewer
      • BigQuery User
    • Create a new Key for the Service Account
    • Download the Key in JSON format and save it into a file, e.g. creds.json

    Was this article helpful?