This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

Reduced BigQuery Read Privilege #2395

merged 4 commits into from Dec 21, 2018

Contributor

@osandoval011 osandoval011 commented Dec 13, 2018

Fix #2366

bigquery.metadataViewer is the least privilege necessary to facilitate Forseti actions that were previously permitted by the more permissive bigquery.dataViewer.

@googlebot

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.

@EricBeach
Contributor

@osandoval011 - re: CLA, you need to submit the commit with the email you have registered internally. This is documented at go/cla#googlers

From bbbe906 Mon Sep 17 00:00:00 2001
From: Oscar Sandoval
oscarsandoval@oscarsandoval-macbookpro.roam.corp.google.com
Date: Wed, 12 Dec 2018 15:38:46 -0800
Subject: [PATCH] changed forseti's assigned bigquery role from
bigquery.dataViewer to bigquery.metadataViewer

@osandoval011
Contributor Author

Ran create inventory with cai and api with each of bigquery.metadataviewer and bigquery.dataviewer. All 4 produced 54 rows with identical data. I believe this is ready for merge.

@googlebot

CLAs look good, thanks!

@angelsungoogle
Contributor

I still see some errors in the travis run?

@osandoval011
Contributor Author

osandoval011 commented Dec 20, 2018

image

Tables.getData and Tables.Export were the only permissions taken off by this change, as can be seen here.
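
One way to check a role swap like this one during review, added here as an example and not part of the pull request or Forseti's code: diff the two roles' permission lists and confirm the new role is a strict reduction with no data-reading permission left. The role dictionaries are constructed, abbreviated samples, and `DATA_VERBS`, `role_diff`, `reads_data` and `review_role_change` are hypothetical names.

```python
import json

# Constructed, abbreviated role definitions using the field names printed by
# `gcloud iam roles describe ROLE --format=json`. Sample input only, not the
# complete permission lists of the real roles.
DATA_VIEWER = {
    "name": "roles/bigquery.dataViewer",
    "includedPermissions": [
        "bigquery.datasets.get", "bigquery.tables.export", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.list",
    ],
}
METADATA_VIEWER = {
    "name": "roles/bigquery.metadataViewer",
    "includedPermissions": [
        "bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.list",
    ],
}

# Assumption: permission verbs that expose table contents rather than metadata.
DATA_VERBS = {"getData", "export"}


def role_diff(old, new):
    """Return (removed, added) permission sets when moving from old to new."""
    old_p = set(old.get("includedPermissions", []))
    new_p = set(new.get("includedPermissions", []))
    return old_p - new_p, new_p - old_p


def reads_data(permission):
    """True when the permission's verb (last dotted part) reads table contents."""
    return permission.rsplit(".", 1)[-1] in DATA_VERBS


def review_role_change(old, new):
    """Summarise a role swap for a least-privilege review."""
    removed, added = role_diff(old, new)
    remaining = set(new.get("includedPermissions", []))
    return {
        "removed": sorted(removed),
        "added": sorted(added),
        "strict_reduction": bool(removed) and not added,
        "data_access_remaining": sorted(p for p in remaining if reads_data(p)),
    }


if __name__ == "__main__":
    print(json.dumps(review_role_change(DATA_VIEWER, METADATA_VIEWER), indent=2))
```

Feeding it the real JSON output for both roles gives the complete diff; the same summary can gate a change in CI by failing when `added` is non-empty or `data_access_remaining` is not empty.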

@osandoval011 osandoval011 changed the title changed forseti's assigned bigquery role from bigquery.dataViewer to … Reduced BigQuery Read Privilege Dec 20, 2018
Contributor

@blueandgold blueandgold left a comment

Thanks for this PR, and adding the screenshot to verify the permission changes.

@codecov

codecov bot commented Dec 21, 2018

Codecov Report

Merging #2395 into dev will decrease coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              dev    #2395      +/-   ##
==========================================
- Coverage   88.57%   88.57%   -0.01%     
==========================================
  Files         180      180              
  Lines       14120    14117       -3     
==========================================
- Hits        12507    12504       -3     
  Misses       1613     1613
Impacted Files Coverage Δ
...loud/forseti/services/inventory/base/cloudasset.py 100% <0%> (ø) ⬆️

6 participants