Posted at: 2023-02-01 03:22:38 RSS feed digest for 2023-02-01 03:00 (25 items)

Category Site Article title / trend word Link URL Frequent words / summary / search volume Registered
python New posts tagged Python - Qiita How to download an Excel-format file from streamlit https://qiita.com/nyakiri_0726/items/2ae8cfb926c48072b190 excel 2023-02-01 02:39:16
Docker New posts tagged docker - Qiita How I got Redmine running with Docker https://qiita.com/koiusa/items/3454e3707592af67d36a githubproject 2023-02-01 02:53:37
Azure New posts tagged Azure - Qiita [Azure] A summary of the types of cloud services https://qiita.com/maru401/items/5f8902619fa25563cd49 saassoftwar 2023-02-01 02:51:53
Overseas TECH MakeUseOf How to Wirelessly Connect a PS3 DualShock Controller to Windows https://www.makeuseof.com/ps3-dualshock-controller-windows-wireless/ connect 2023-01-31 17:15:15
Overseas TECH MakeUseOf How to Trace Emails Back to Their Source IP Address https://www.makeuseof.com/tag/how-to-trace-your-emails-back-to-the-source/ addresshere 2023-01-31 17:05:15
Overseas TECH DEV Community Build a Team permissions system in Node.js app using Auth0 and Permify - Part 2 https://dev.to/permify/build-a-team-permissions-system-in-nodejs-app-using-auth0-and-permify-part-2-4i9d

Build a Team permissions system in Node.js app using Auth0 and Permify - Part 2

This is Part 2 of the series of guides on building a team permission system in a Node.js app using Auth0 and Permify.

Introduction

In the first part we set up our Express.js server and handled authentication via Auth0. In this part we'll handle authorization using Permify, an open source authorization service for creating and maintaining access control in your applications. In this part we will:
- build the team permission authorization model with Permify Schema,
- run and set up the Permify authorization service,
- build endpoints with a check-permission middleware to secure our resources,
- test it out.

You can find the source code on GitHub.

Prerequisites: Docker installed.

Step 1: Build the team permission authorization model

An authorization model is the structure of a set of rules that gives users or services permission to access some data or perform a particular action. Before creating it, let's recall the user types and rules for this example. We have four user types for a simple team permission system:
- Member: a member of the organization; can only view teams.
- Admin: an administrator of the organization; can view, edit and delete the team's resources.
- Team Manager: can view and edit the team's resources.
- Team Member: can view the team's resources.

To develop this model we'll use Permify's authorization language, Permify Schema. It lets you specify your entities, the relations between them and the access control options. In particular, a Permify Schema has:
- Entities: your main objects.
- Relations: relationships between entities.
- Actions: the permissions that the relations grant.

Permify has its own playground where you can create a Permify Schema. Let's create our authorization model according to the team permission rules above. Copy and paste the following model into the Authorization Model section of the playground, then click the Save button at the top. The Visualizer shows the relations between entities and the permissions. (The punctuation and line breaks of the schema were lost in this copy and are restored from the breakdown that follows.)

    entity user {}

    entity organization {
        // organizational user types
        relation admin @user
    }

    entity team {
        // represents the owner or creator of the team
        relation manager @user
        // represents a direct member of the team
        relation member @user
        // reference to the organization the team belongs to
        relation org @organization
    }

    entity document {
        // refers to the owner of the document
        relation owner @user
        // reference to the team the resource belongs to
        relation team @team
        // reference to the organization the resource belongs to
        relation org @organization

        // permissions
        action view = team.member or team.manager or org.admin or owner
        action edit = team.manager or org.admin or owner
        action delete = team.manager or org.admin
    }

Breakdown of the schema: entities and relations
- User entity: represents users. This is a mandatory entity in Permify Schema.
- Organization entity: the organization to which the users and the teams belong. It has one user type, admin.
- Team entity: organizations and users can have multiple teams, so each team is related to an organization and to users. It has three relations: manager (the owner or creator of the team), member (a direct member of the team) and org (the organization the team belongs to).
- Document entity: the resource entity. It has three relations: owner (the owner of the document), team (the team the resource belongs to) and org (the organization the resource belongs to).

Actions

As discussed above, actions describe what relations can do, that is, who can perform a specific action; think of actions as the permissions of an entity. We defined actions only on documents, to keep the use case simple. They map the user types and rules above onto the document:

    action view = team.member or team.manager or org.admin or owner
    action edit = team.manager or org.admin or owner
    action delete = team.manager or org.admin

(The original restates delete at this point as "team manager or org admin or owner", which contradicts the schema pasted into the playground. The schema is what the service enforces: a document's owner can edit it but cannot delete it unless they are also a team manager or an organization admin.)

Look at the edit action: for a document with a given id, only a manager of the team the document belongs to, a user with the administrator role in the organization, or the owner (creator) of the document can edit it.

Step 2: Run and set up the Permify authorization service

Let's run the authorization service locally with Docker (install it first if you haven't). Run the following in a terminal; the two default port numbers are not reproduced in this copy, take them from the Permify documentation:

    docker run -p <REST_PORT>:<REST_PORT> -p <GRPC_PORT>:<GRPC_PORT> ghcr.io/permify/permify serve

You should see Permify's startup output in the terminal (make sure Docker is installed and running). This starts Permify with the default configuration options: one port serves the REST API, the other serves the gRPC service, and authorization data is stored in memory. In this tutorial we'll use the REST API to manage authorization in our application; the available endpoints are listed in the Permify Swagger docs.

Caution: production usage of Permify needs further configuration when running this container, such as run options and a datastore to persist authorization data. For simplicity we skip that here, run locally and keep authorization data in memory. Note that in-memory data disappears when the container restarts: the schema and every relationship written below must then be written again.

Test the connection via Postman by sending an HTTP GET request to localhost:<REST_PORT>/healthz.

Configure the authorization model

We'll use Permify's access control checks to secure our endpoints, but first we have to load the authorization model into the service and create some data to test it. The Permify Schema is sent to the Write Schema API endpoint. Copy the schema from the playground with the Copy button and send it from Postman as the body of a POST request to the schemas/write endpoint. That completes the configuration: we now have a running API with the authorization model loaded and ready to use. Next we'll build our endpoints and secure them with Permify check requests.

Step 3: Build API endpoints and secure them with the check middleware

At this point the Permify API and our Express server are both running locally, each on its own port. The Express server can treat Permify as an authorization service that is abstracted away from its source code, and we'll use it to protect our API endpoints. First we need a middleware that determines whether a user is authorized to call a specific endpoint.

Creating the check-permission middleware

The middleware factory takes the permission type of the action as its parameter and reads the id of the resource from the route parameters (the original text says "two parameters", but the code takes only the permission type):

    const checkPermissions = (permissionType) => {
      return async (req, res, next) => {
        // get the authenticated user from the Auth0 session (express-openid-connect)
        const userInfo = req.oidc.user;
        req.userInfo = userInfo;
        console.log("userInfo", userInfo);

        // body params of the Permify check request
        const bodyParams = {
          // depth bounds the relation walk; its value is not given in the source
          metadata: { schema_version: "", snap_token: "", depth: 20 },
          entity: { type: "document", id: req.params.id },
          permission: permissionType,
          subject: { type: "user", id: userInfo.sid, relation: "" },
        };

        // perform the check request (global fetch needs Node 18+; PERMIFY_PORT and
        // TENANT_ID stand for the values elided from the source)
        let checkResJson;
        try {
          const checkRes = await fetch(
            `http://localhost:${PERMIFY_PORT}/v1/tenants/${TENANT_ID}/permissions/check`,
            {
              method: "POST",
              body: JSON.stringify(bodyParams),
              headers: { "Content-Type": "application/json" },
            }
          );
          checkResJson = await checkRes.json();
        } catch (err) {
          // the original sent the raw error to the client and then fell through to
          // checkRes.json(); end the request here instead and keep the error in the logs
          // (the status code is not given in the source)
          console.error("Permify check failed", err);
          return res.status(500).send("authorization check failed");
        }
        console.log("Check Result", checkResJson);

        if (checkResJson.can === "RESULT_ALLOWED") {
          // user authorized
          req.authorized = "authorized";
          next();
        } else {
          // user not authorized
          req.authorized = "not authorized";
          next();
        }
      };
    };

As you can see, this middleware performs a check request against Permify's permissions check endpoint (.../tenants/{tenant_id}/permissions/check). We pass information such as who is performing the action and what the action is in the request body, and the endpoint returns an authorization decision. The decision is stored on the request object as req.authorized, so route handlers can tell whether the user is authorized; the middleware is used in the application's routing to restrict specific routes and operations to authorized users. Two points a production version should change: the middleware calls next() even when the decision is deny and leaves it to each handler to act on req.authorized, so a handler that forgets to check it serves the resource; and it keys the subject on the user's sid claim, which is the session identifier. The stable user identifier in an OIDC ID token is sub; relationships written against sid stop matching as soon as the user gets a new session.

Build endpoints and secure them with checkPermissions

We'll create three endpoints to test our authorization structure:
- GET /docs/:id: API route to view a resource
- PUT /docs/:id: API route to edit a resource
- DELETE /docs/:id: API route to delete a resource

For simplicity the endpoints perform no operations; they only report the access control decision for each route.

    // view a resource that belongs to a specific team
    app.get("/docs/:id", requiresAuth(), checkPermissions("view"), (req, res) => {
      res.send(`User ${req.userInfo.sid} is ${req.authorized} to view document ${req.params.id}`);
    });

    // edit the resource
    app.put("/docs/:id", requiresAuth(), checkPermissions("edit"), (req, res) => {
      res.send(`User ${req.userInfo.sid} is ${req.authorized} to edit document ${req.params.id}`);
    });

    // delete the resource
    app.delete("/docs/:id", requiresAuth(), checkPermissions("delete"), (req, res) => {
      res.send(`User ${req.userInfo.sid} is ${req.authorized} to delete document ${req.params.id}`);
    });

Step 4: Test it out

So far we have built endpoints that are protected according to our authorization model; let's see them in action. Make sure the Permify service is running locally before testing (check it with a request to localhost:<REST_PORT>/healthz; if it isn't running, repeat the setup above). Then start the Express server with nodemon:

    nodemon app.js

Since authentication was handled in Part 1, the home page (localhost:<PORT>) should show "Logged in"; if you're not authenticated, follow the login steps from Part 1. After logging in, call the PUT /docs/:id endpoint. We should see a "not authorized" message of the form "User <USER ID FROM AUTH0> is not authorized to edit document <id>", because we defined the edit action as

    action edit = team.manager or org.admin or owner

so the user (sTLJTzwXhURpqiWSmRFcZvAr KCoh in the original run) must be a team manager, an administrator of the organization or the owner (creator) of the document to edit it. Let's make our user the owner of the document and look at the result.

In Permify, authorization data is stored as relationships, in a database of your choice; since we configured no database, it lives in the memory of the instance. These relationships between your entities, objects and users are stored as relational tuples, and because relations and authorization data are live data, the tuples can be created at runtime with a simple API call. We use the Write Relationship API to write the tuple document:<id>#owner@user:<user id>, which makes our user the owner of the document. Calling the edit endpoint again now reports that the user is authorized.

Conclusion

This is the end of the tutorial series: we created a boilerplate team permission mechanism using Auth0 for authentication and Permify for authorization. You can use this boilerplate and expand it according to your needs. If you have any questions or doubts, feel free to reach me at ege@permify.co.
2023-01-31 17:29:48
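An added example, not code from the Permify tutorial or the Permify project, that ties together the authorization model of Step 1 and the check middleware of Step 3: a small in-process evaluator of the schema's document actions over relation tuples written in the entity:id#relation@subject:id shape Permify uses, and a fail-closed variant of checkPermissions that takes the check function as a parameter so the decision logic can be exercised without Docker, Express or a network. The tuples, user ids and document id are constructed for the example; in the app, the check function would wrap the Permify REST call, and req.oidc.user.sub comes from express-openid-connect. It goes beyond the tutorial in keying the subject on the stable sub claim rather than sid, and in refusing the request on deny or backend failure.

```javascript
// Added example: in-process evaluator for the tutorial's document actions plus a
// fail-closed checkPermissions. Not from the original tutorial or the Permify project.

// Relation tuples in the entity:id#relation@subject:id shape Permify uses.
// Constructed sample data: one org, one team, one document, four users.
const TUPLES = [
  "organization:org1#admin@user:alice",
  "team:team1#org@organization:org1",
  "team:team1#manager@user:bob",
  "team:team1#member@user:carol",
  "document:doc1#org@organization:org1",
  "document:doc1#team@team:team1",
  "document:doc1#owner@user:dave",
];

// The schema's document actions: each action is an OR of relation paths walked from
// the document (["team", "member"] is team.member, ["owner"] is the owner relation).
const DOCUMENT_ACTIONS = {
  view:   [["team", "member"], ["team", "manager"], ["org", "admin"], ["owner"]],
  edit:   [["team", "manager"], ["org", "admin"], ["owner"]],
  delete: [["team", "manager"], ["org", "admin"]],
};

function parseTuple(tuple) {
  const m = /^([^#]+)#([^@]+)@(.+)$/.exec(tuple);
  if (!m) throw new Error(`malformed tuple: ${tuple}`);
  return { entity: m[1], relation: m[2], subject: m[3] };
}

// Subjects directly related to `entity` through `relation`.
function related(tuples, entity, relation) {
  return tuples
    .filter((t) => t.entity === entity && t.relation === relation)
    .map((t) => t.subject);
}

// Follow one relation path from `entity`; true if it ends at `subject`.
function walk(tuples, entity, path, subject) {
  if (path.length === 0) return entity === subject;
  const [head, ...rest] = path;
  return related(tuples, entity, head).some((next) => walk(tuples, next, rest, subject));
}

// Mirrors a Permify check request: may `subject` perform `action` on document:<id>?
function can(tuples, documentId, action, subject) {
  const alternatives = DOCUMENT_ACTIONS[action];
  if (!alternatives) throw new Error(`unknown action: ${action}`);
  return alternatives.some((path) => walk(tuples, `document:${documentId}`, path, subject));
}

const TUPLE_INDEX = TUPLES.map(parseTuple);

// Stand-in for the Permify REST call: same (id, action, userId) -> boolean contract.
const localCheck = async (id, action, userId) => can(TUPLE_INDEX, id, action, `user:${userId}`);

// Fail-closed middleware factory. Unlike the tutorial's version it keys on the stable
// `sub` claim, answers 403 on deny and 503 when the backend fails, and only calls
// next() on an explicit allow, so a handler cannot serve a resource by forgetting
// to look at req.authorized.
function checkPermissions(check, permissionType) {
  return async (req, res, next) => {
    const userId = req.oidc?.user?.sub;
    if (!userId) return res.status(401).send("not authenticated");
    let allowed;
    try {
      allowed = await check(req.params.id, permissionType, userId);
    } catch (err) {
      console.error("authorization backend error:", err.message); // log it, never echo it
      return res.status(503).send("authorization unavailable");
    }
    if (allowed !== true) return res.status(403).send("forbidden");
    req.authorized = true;
    next();
  };
}

// Drive the middleware with minimal fake Express objects and return the resulting
// HTTP status (200 means the request was passed on to the route handler).
async function runMiddleware(check, action, documentId, userId) {
  const req = { params: { id: documentId }, oidc: userId ? { user: { sub: userId } } : undefined };
  let status = 200;
  const res = { status(code) { status = code; return this; }, send() { return this; } };
  await checkPermissions(check, action)(req, res, () => {});
  return status;
}
```

With these tuples, carol (team member) can view but not edit doc1, bob (team manager) can edit and delete it, dave (owner) can edit but not delete it, and a backend error yields 503 rather than a pass-through. Plugging a fetch-based check into checkPermissions gives the same middleware shape as the tutorial's, with the deny and error paths closed.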
Overseas TECH DEV Community Build a team permissions system in Node.js app using Auth0 and Permify - Part 1 https://dev.to/permify/build-a-team-permissions-system-in-nodejs-app-using-auth0-and-permify-part-1-52bo

Build a team permissions system in Node.js app using Auth0 and Permify - Part 1

In this article series we will build a team permission system in Express.js using Auth0 and Permify.

Introduction

Working in a team is part of most B2B applications. As such, you need to build a robust auth system that gives different user types various degrees of access to resources according to their organization roles, the team they belong to, and even their role within the team. For simplicity of this tutorial series we'll structure our application with four user types:
- Member: a member of the organization; can only view teams.
- Admin: an administrator of the organization; can view, edit and delete the team's resources.
- Team Manager: can view and edit the team's resources.
- Team Member: can view the team's resources.

This is Part 1 of the series, and in this part we will:
- set up a backend server with Express.js,
- set up authentication with Auth0 (OpenID Connect),
- test it out.

In the second part we set up the authorization structure with the open source authorization service Permify. You can find the source code on GitHub.

Prerequisites: Node.js installed; an Auth0 account.

Step 1: Create the backend Node.js server with Express.js

Start by creating an empty directory and a package.json file:

    npm init -y

Then install the packages we need for authentication:
- express
- express-openid-connect: Express middleware to protect web applications using OpenID Connect
- dotenv: loads environment variables from a .env file
- nodemon: monitors your source for changes and automatically restarts the server

All of them in a single command:

    npm install express express-openid-connect dotenv nodemon --save

Now create a new app.js file in the root folder of the project. It is a basic Express server listening on the port taken from the environment:

    const express = require("express");
    const app = express();
    const port = process.env.PORT; // set PORT in the environment (or add a default)

    app.listen(port, () => console.log(`Server running on port ${port}`));

Test the server with:

    nodemon app.js

Step 2: Set up authentication with Auth0

We will create a simple login that lets the user enter an email and password; after a user logs in, they are registered with the member user type. We'll use Auth0 to handle authentication and the Express OpenID Connect library installed earlier for the login and logout flows.

Sign up for an Auth0 account; after signing up you are redirected to the dashboard. Click Create Application and create a new Regular Web Application. When asked which technology you're using, skip the integration for the purposes of this tutorial. On the dashboard of your Auth0 application, go to Settings and add the following application URIs (scroll down a little):
- Callback URL: where the user is redirected after completing authentication. Set http://localhost:<PORT>/callback in the Allowed Callback URLs field.
- Logout URL: an application route Auth0 can redirect users to when they log out. Set http://localhost:<PORT> in the Allowed Logout URLs field.
Make sure you save the changes after adding the URLs.

The Express OpenID Connect library provides an auth router that attaches the authentication routes to your application. It needs the following configuration keys, taken from the Auth0 application dashboard:
- issuerBaseURL: the Domain, as a secure (https) URL, from the application settings
- baseURL: the URL where the application is served; for this test, localhost
- clientID: the Client ID from the application settings
- secret: a long random string (see the library documentation for the minimum length)

Create a .env file in the root of the project for these keys:

    ISSUER_BASE_URL=https://YOUR_DOMAIN
    CLIENT_ID=YOUR_CLIENT_ID
    BASE_URL=http://localhost:<PORT>
    SECRET=LONG_RANDOM_VALUE

The Domain and Client ID are under "Basic Information" in the application settings. Generate the secret with a cryptographically secure random generator, since it protects the session cookie, and keep .env out of version control.

Load the keys in app.js and initialize the OpenID Connect router:

    require("dotenv").config();
    const { auth } = require("express-openid-connect");

    app.use(
      auth({
        authRequired: false,
        auth0Logout: true,
        issuerBaseURL: process.env.ISSUER_BASE_URL,
        baseURL: process.env.BASE_URL,
        clientID: process.env.CLIENT_ID,
        secret: process.env.SECRET,
        idpLogout: true,
      })
    );

dotenv loads the environment variables that the auth router reads. A user can now log in by visiting the /login route; after authentication the user is redirected to the home page, which we set up next:

    app.get("/", (req, res) => {
      res.send(req.oidc.isAuthenticated() ? "Logged in" : "Logged out");
    });

Two of the options deserve a note. authRequired: false makes routes public by default (the original text says the opposite), so only routes that explicitly use the requiresAuth middleware demand a login. auth0Logout: true also ends the Auth0 session when the user logs out, rather than only clearing the local session cookie.

The last thing we want is a profile route that shows information about the user. It uses the requiresAuth middleware: every route using it checks for an active user session and, if there is none, redirects the user to log in. Pat yourself on the back if you have made it this far. The final app.js looks like this:

    const express = require("express");
    const app = express();
    require("dotenv").config();
    const { auth, requiresAuth } = require("express-openid-connect");

    app.use(
      auth({
        authRequired: false,
        auth0Logout: true,
        issuerBaseURL: process.env.ISSUER_BASE_URL,
        baseURL: process.env.BASE_URL,
        clientID: process.env.CLIENT_ID,
        secret: process.env.SECRET,
        idpLogout: true,
      })
    );

    // req.oidc.isAuthenticated() is provided by the auth router
    app.get("/", (req, res) => {
      res.send(req.oidc.isAuthenticated() ? "Logged in" : "Logged out");
    });

    // the profile route shows the user profile as JSON
    app.get("/profile", requiresAuth(), (req, res) => {
      res.send(JSON.stringify(req.oidc.user));
    });

    const port = process.env.PORT; // set PORT in the environment (or add a default)
    app.listen(port, () => console.log(`Server running on port ${port}`));

Step 3: Test it out

Run the app from your terminal:

    nodemon app.js

Visit the localhost:<PORT>/login route to authenticate. It redirects you to the Auth0 login page; enter your details and you are redirected back to the application. Since you are now logged in, you can fetch your user details from the /profile endpoint.

Next steps

That's it for Part 1, where we created a basic server with Express.js and implemented authentication with Auth0. This was only the authentication part of the two-part series on building a team permissions system using Auth0 and Permify. In the next part we dive into implementing authorization with Permify in our Node.js application. If you have any questions or doubts, feel free to ask.
2023-01-31 17:23:46
Apple AppleInsider - Frontpage News Periscope camera exclusive to Ultra iPhone models through 2024 https://appleinsider.com/articles/23/01/31/periscope-camera-exclusive-to-ultra-iphone-models-through-2024?utm_medium=rss Periscope camera exclusive to Ultra iPhone models through 2024: A new note from Ming-Chi Kuo states that Apple will include a periscope camera in only one model through 2024, the iPhone Ultra. Apple has been rumored for years to put a super-zoom, or periscope, camera in its premium iPhones. It seems the iPhone Ultra will finally get the feature, and it will remain exclusive to Apple's largest and most premium model through the 2024 iPhone cycle. Read more 2023-01-31 17:32:43
Apple AppleInsider - Frontpage News New HomePod still leaves rings on finished wood surfaces https://appleinsider.com/articles/23/01/31/new-homepod-still-leaves-rings-on-finished-wood-surfaces?utm_medium=rss New HomePod still leaves rings on finished wood surfaces: HomePod has a silicone base for vibration dampening, but this material can react with some wood finishes and leave a white ring behind. Users were quick to discover damaged surfaces under the original HomePod, and the cause hasn't changed: the speaker uses a silicone base to absorb vibrations from its large woofer, which can chemically interact with some surfaces. Read more 2023-01-31 17:11:41
Overseas TECH Engadget Amazon is offering a $50 gift card when you buy a year of Microsoft 365 Family https://www.engadget.com/sign-up-for-a-year-of-microsoft-365-family-and-get-a-50-amazon-gift-card-171927611.html?src=rss Amazon is offering a $50 gift card when you buy a year of Microsoft 365 Family: If you've been thinking about adding Microsoft Word, Excel and PowerPoint to your home office, this may be a good day to sign up. Today only, Amazon is offering a 12-month subscription to Microsoft 365 Family bundled with a $50 Amazon gift card at the subscription's usual yearly price, so you're essentially getting a free gift card for signing up. The deal is only good through the end of the day, and the subscription will auto-renew at the end of the year, so set a reminder if you want to cancel before that kicks in. The year-long subscription comes as a digital download and runs on PCs or Macs as well as smartphones and tablets running Apple's iOS or Android. It covers up to six people and can run on five devices at the same time, with offline access included. Microsoft 365 is the new branding for the well-known Office software, and the Family subscription includes access to Word, Excel, Outlook email and PowerPoint. It also comes with the Microsoft Teams video calling app, which was updated last year with a Live Share feature for easier real-time collaboration, and the Clipchamp video editor, which Microsoft acquired in 2021. Included security add-ons like Microsoft Defender and ransomware protection help protect your data and devices. Each person gets 1 TB of OneDrive personal cloud storage, which lets you store a large number of files in the cloud and share photos and files with other OneDrive users across pretty much any device. The Microsoft 365 Family subscription is activated as a digital download, but the gift card arrives as a physical card in the mail. As we said, the deal ends today, so take advantage if you want to add Microsoft's productivity apps to your setup. Follow @EngadgetDeals on Twitter and subscribe to the Engadget Deals newsletter for the latest tech deals and buying advice. 2023-01-31 17:19:27
Overseas TECH Engadget Paramount+ Premium will absorb Showtime and rebrand as 'Paramount+ With Showtime' https://www.engadget.com/paramount-plus-showtime-merger-premium-plan-cable-network-170551927.html?src=rss Paramount+ Premium will absorb Showtime and rebrand as 'Paramount+ With Showtime': Amid stern competition from other streaming platforms, Paramount Global is combining two of its services. It will fold Showtime into the Premium tier of Paramount+ later this year, and the combined offering will be known as "Paramount+ With Showtime". Showtime's linear TV network will be rebranded with the same name in the US, and as part of the move some Paramount+ original programs will air on the cable network, so maybe more people will finally recognize the brilliance of The Good Fight. "Now with Showtime's content integrated into our flagship streaming service and select Paramount+ originals joining the linear offering, Paramount+ will become the definitive multiplatform brand in the streaming space, and the first of its kind to integrate streaming and linear content in this way," Paramount Global CEO Bob Bakish said in a memo to staff, as Variety reports. "This change will also drive stronger alignment across our domestic and international Paramount+ offerings, as international Paramount+ already includes Showtime content." Showtime debuted its own streaming service in 2015, a year after CBS All Access arrived; the latter was rebranded as Paramount+ in 2021. Last year Paramount Global integrated Showtime content into its namesake streaming service as part of a bundle; now it's going a step further by unifying them. While the move may disappoint those who are only interested in Showtime's content and aren't sold on Paramount+, it makes sense from a business perspective. There's a wave of consolidation across the media industry, including in streaming, where HBO Max and Discovery+ will combine in the coming months. Paramount+ will look to cut some costs and funnel extra resources into its more successful properties amid the transition. Just as news of the streaming merger broke, it emerged that Showtime has canceled American Gigolo and Let The Right One In, a series based on one of the best films of recent years, while it's reportedly trying to offload a new show called Three Women. "As a part of Paramount+, we can put more resources into building out the lanes that have made the Showtime brand famous as well as turning our hit shows into global hit franchises," Chris McCarthy, president and CEO of Showtime and Paramount Media Networks, wrote in a staff memo. "To do this we will divert investment away from areas that are underperforming and that account for less than percent of our views." 2023-01-31 17:05:51
Finance Financial Services Agency website Published the "Collection of Good Practices in Narrative Information Disclosure 2022" (disclosure of sustainability information, etc.) https://www.fsa.go.jp/news/r4/singi/20230131/00.html disclosure 2023-01-31 18:01:00
Finance Financial Services Agency website Published the results of the public comment on the partial amendment (draft) of the "Cabinet Office Order on Disclosure of Corporate Affairs, etc." and related orders https://www.fsa.go.jp/news/r4/sonota/20230131/20230131.html Cabinet Office Order on Disclosure of Corporate Affairs, etc. 2023-01-31 18:00:00
News BBC News - Home Strikes on Wednesday 1 February will disrupt daily life - No 10 https://www.bbc.co.uk/news/education-64470652?at_medium=RSS&at_campaign=KARANGA february 2023-01-31 17:27:56
News BBC News - Home Hillsborough disaster: Families profoundly failed, say police https://www.bbc.co.uk/news/uk-england-merseyside-64454778?at_medium=RSS&at_campaign=KARANGA critical 2023-01-31 17:16:21
News BBC News - Home Thousands protest against raising French pension age to 64 https://www.bbc.co.uk/news/world-europe-64463330?at_medium=RSS&at_campaign=KARANGA retirement 2023-01-31 17:35:25
News BBC News - Home What impact has Brexit had on the UK economy? https://www.bbc.co.uk/news/business-64450882?at_medium=RSS&at_campaign=KARANGA brexit 2023-01-31 17:29:57
Business Diamond Online - New articles "What kind of country is Suriname?" Learn about the world in 2 minutes - The book that puts the world map in your head just by reading it https://diamond.jp/articles/-/316659 2023-02-01 02:55:00
Business Diamond Online - New articles [Talked about on "The Most Useful Class in the World"] Charismatic nursery teacher Tei-sensei's top tip! A super-simple way to stop children from running out into the road - Charismatic nursery teacher Tei-sensei helps with everyone's parenting worries! https://diamond.jp/articles/-/316323 Tei-sensei, the active nursery teacher who is hugely popular on TV and social media (YouTube, Twitter and Instagram) and overwhelmingly trusted by today's moms and dads, has released a new parenting-advice book, "The Complete Guide to Amazing Techniques That Get Through to Kids: Charismatic nursery teacher Tei-sensei helps with everyone's parenting worries". 2023-02-01 02:50:00
Business Diamond Online - New articles Switching your mental state is a "technique", not "willpower": here's how - The power to come up with an answer in 1 second: 48 techniques comedians learn to become pros at the "comeback" https://diamond.jp/articles/-/316899 2023-02-01 02:45:00
Business Diamond Online - New articles The "all too cruel reason" Japan's birth rate keeps falling [Book Online editorial selection] - Learn economics from statistics! https://diamond.jp/articles/-/316734 progression 2023-02-01 02:40:00
Business Diamond Online - New articles How "people who are motivated but can't act" become "people who act right away": a surprisingly simple method [from a counselor whose appointments are always booked] - You can live for yourself now https://diamond.jp/articles/-/316888 twitter 2023-02-01 02:35:00
Business Diamond Online - New articles [The gods] are watching. Untidy people have bad luck too! The surprising place the gods look at on Risshun, the first day of spring - Seasonal calendar https://diamond.jp/articles/-/316257 [The gods] are watching. 2023-02-01 02:30:00
Azure Azure outage information Virtual Machines - East US 2 - Applying Mitigation https://status.azure.com/ja-jp/status/ Virtual Machines - East US 2 - Applying Mitigation: As of the time noted (UTC), customers using Virtual Machines in East US 2 may receive error notifications when performing service management operations (create, delete, update, scaling, start, stop) on resources hosted in this region. Only one Availability Zone is currently impacted; the other Availability Zones are not. Automatic monitoring alerted us that two partitions of a backend service hosted in the East US 2 region had become unhealthy due to a data processing issue. Because of dependencies between services, this manifests as failures of service management operations for the subset of Virtual Machines customers with resources in that single Availability Zone. We are working to restore the partitions to a healthy state and will provide a further progress update as events warrant. 2023-01-31 17:43:28
GCP Cloud Blog BigQuery authorized views permissions via Terraform, avoiding the chicken & egg problem https://cloud.google.com/blog/products/infrastructure/iam-policy-for-bigquery-dataset-authorized-views-terraform/ BigQuery authorized views permissions via Terraform, avoiding the chicken & egg problem. Enterprises that use Terraform for spinning up their infrastructure, including the instantiation of Google BigQuery, can run into a chicken & egg problem if using the IAM access permissions resource blocks for both their Datasets and Authorized Views. This problem can cause BigQuery operational issues across an organization, creating an unpleasant experience for the end user due to the momentary loss of access to the data. End users without access to “private” data are likely to rely on the Authorized views to a great extent. This blog post shows how to avoid running into the problem and provides a step by step guide to correctly managing Authorized View permissions via Terraform. This publication has three components: use case, problem statement and solution. Use case: The use case at hand involves products Google Cloud BigQuery and Hashicorp Terraform. Let's look at both in light of the use case one by one. BigQuery is Google Cloud's fully managed enterprise data warehouse that helps you manage and analyze your data with built in features like machine learning, geospatial analysis and business intelligence. To consume and take advantage of BigQuery you need datasets. Datasets are logical containers contained within a specific project that are used to organize and control access to your BigQuery resources. Datasets are similar to schemas in other database systems. A table or view must belong to a dataset, so you need to create at least one dataset before loading data into BigQuery. Cloud IAM can restrict members' access to table levels but not to parts of a table. Suppose you have a use case where you want a member with a data viewer role to query access specific information in a table, like an employee's name and job title by department, without having access to the address of every employee. In that case you can create a BigQuery authorized view. An authorized view lets you share query results with particular users and groups without giving them access to the underlying source data. The industry standard for infrastructure provisioning on Google Cloud is via the Terraform tool by HashiCorp. Terraform is used to instantiate all infrastructure components and supports BigQuery resources. To manage IAM policies for BigQuery datasets, Terraform has three different resources: google_bigquery_dataset_iam_policy, google_bigquery_dataset_iam_binding and google_bigquery_dataset_iam_member. Problem statement: These BigQuery resources are intended to convert the permissions system for BigQuery datasets to the standard IAM interface. Still, there is a warning note as part of the Terraform documentation: Using any of these resources will remove any authorized view permissions from the dataset. To assign and preserve authorized view permissions use the google_bigquery_dataset_access instead. As the note said, these resources work well in some scenarios but not for Authorized Views permissions. The Google Terraform resources to manage IAM policy for a BigQuery dataset each have respective unique use cases. google_bigquery_dataset_iam_policy: Authoritative. Sets the IAM policy for the dataset and replaces any existing policy already attached. google_bigquery_dataset_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the dataset are preserved. google_bigquery_dataset_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the dataset are preserved. Using any of these resources together with an authorized view will remove the permissions from the dataset. If any of these resources are used in conjunction with the google_bigquery_dataset_access resource or the access field on the google_bigquery_dataset resource, we will end up in a race condition where these resources will fight over which permissions take precedence. So this essentially means that if we try to create and assign permissions to authorized views simultaneously with dataset creation from within the Terraform code, we will end up with a chicken & egg problem where there will be a dispute between the dataset and authorized views policy, causing the authorized views permissions to be wiped out as a result. Let's see the issue re-creation in action below. Terraform BigQuery dataset, table and authorized view resources. Terraform BigQuery table IAM policy resource. We can confirm the creation works with the following query and Console screenshot. From the Google Cloud console we can see the created dataset, the authorized view and the dummy SA. Google Cloud console: Authorized view BQ dataset. Google Cloud console: Authorized view permissions. Now we add a new user to the source dataset with the following code. This revokes the authorized view and the “dummy” terraform SA loses its previously functional access. Google Cloud console: Authorized view BQ dataset. As we discussed previously, this will be the behavior due to how IAM is implemented on BQ datasets; we need to consider all constraints around the IAM policy for BigQuery dataset and design our Terraform with the google bigquery resource that best fits our needs. For our scenario, the resource that helped us resolve this issue is google_bigquery_dataset_access; this resource gives dataset access for a single entity and is intended to be used in cases where it is not possible to compile a complete list of access blocks to include in a google_bigquery_dataset resource, and is the recommended resource when creating authorized views. Referring to the HCL code below, we have created a module for the dataset access resource due to the nature of google_bigquery_dataset_access of giving access to a single entity. We are looping through a list of datasets and passing the dataset details to the module; this helped us avoid removing any authorized views from that dataset. Terraform module dataset access main.tf. Terraform module dataset access output.tf. Terraform module dataset access variables.tf. Terraform example main.tf. Terraform example terraform.tfvars. In conclusion, how BigQuery implements IAM via Terraform is unique and different from how we do IAM for other Google Cloud services. It is essential first to understand the architecture of a specific BigQuery implementation and then feed that into deciding which BQ TF IAM resource(s) to use. We encourage you to read more about creating Authorized views and take a look at all the available Terraform blueprints for Google Cloud at the following links: Create an authorized view. Terraform blueprints and modules for Google Cloud. 2023-01-31 18:00:00
