
Automating Redshift Permissions

I am trying to automate a few SQL queries on Redshift that are 'triggered' from a user permission.

The queries simply create a view of the table with the filter of a customer_id, create a user with the customer_id and give permission for that customer_id to read the view of the table. This prevents different customers seeing each other's data, and this worked nicely when I implemented it manually.

The issue I face is automating this as I am manually doing this in Redshift at the moment. I want to automate this given

What I considered:

  1. Redshift - doesn't support triggers.
  2. Lambda trigger - Lambda doesn't trigger from Redshift.
  3. API gateway - The 'request' is also not an API call so clients will not make an API call for permissions (they are non-technical).
  4. Airflow - seems like a big setup for something quite small. But could work.
  5. Glue - I am using Glue for the load into Redshift currently. Maybe I can add something in the workflow that gets a distinct list of customer_id's, then runs SQL on Redshift (through a Workflow)?

Any thoughts or suggestions on this please?

Rather than using a different View for each user, you should create one View that uses current_user.

This will return the username of the currently logged-in user. Thus, the query can use the username in a WHERE clause to limit the rows to those that match their identity.

It would either need a column that contains their username, or the View would need to join a table that can match the username to the customer_id.

It would be something like:

CREATE VIEW foo
AS
SELECT
  ...
FROM table
JOIN users USING (customer_id)
WHERE users.username = current_user
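
The single-view approach above, filled out with the grants that make it enforce isolation. This is an added example, not part of the original answer; the schemas `app` and `reporting`, the table `app.orders` and its columns, the mapping table `app.customer_users`, the group `customers` and the user `cust_1001` are all assumed names.

```sql
-- Constructed names throughout; run as the data owner or a superuser.
CREATE SCHEMA reporting;

-- Maps each database user to exactly one customer_id.
-- Customers must never be able to write to this table.
CREATE TABLE app.customer_users (
    username    VARCHAR(128) NOT NULL,
    customer_id INTEGER      NOT NULL
);

-- Standard (not late-binding) view: base tables are read with the view
-- owner's privileges, while current_user is the user running the query.
CREATE VIEW reporting.my_orders AS
SELECT o.order_id, o.customer_id, o.order_date, o.amount
FROM app.orders AS o
JOIN app.customer_users AS cu ON cu.customer_id = o.customer_id
WHERE cu.username = current_user;

-- The view only isolates customers if they cannot read the base tables.
CREATE GROUP customers;
REVOKE ALL ON SCHEMA app FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM GROUP customers;
GRANT USAGE ON SCHEMA reporting TO GROUP customers;
GRANT SELECT ON reporting.my_orders TO GROUP customers;

-- Onboarding a customer is now two statements, with no per-customer view
-- or grant. The password is a placeholder to replace.
CREATE USER cust_1001 PASSWORD '<placeholder-password>' IN GROUP customers;
INSERT INTO app.customer_users (username, customer_id)
VALUES ('cust_1001', 1001);

-- Checks to run after onboarding (as a superuser).
-- 1. Privilege audit: the customer holds SELECT on the view only.
SELECT has_table_privilege('cust_1001', 'reporting.my_orders', 'select') AS can_read_view,
       has_table_privilege('cust_1001', 'app.orders', 'select')          AS can_read_base,
       has_table_privilege('cust_1001', 'app.customer_users', 'select')  AS can_read_mapping;

-- 2. Row filter: impersonate the customer and list the customer_ids visible.
SET SESSION AUTHORIZATION 'cust_1001';
SELECT DISTINCT customer_id FROM reporting.my_orders;
RESET SESSION AUTHORIZATION;
```

A late-binding view (`WITH NO SCHEMA BINDING`) would not work here, because Redshift then also checks the caller's privileges on the underlying tables.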

You may use a lazy pattern for creating the view and permissions. In the API Lambda:

  1. Check if the view for the customer id exists. If yes, check if the user is created and has permission. Then fetch data using the customer_id user.
  2. If the view is not created, create it using a SQL query, then go to step #3.
  3. If the user is not created, create it using a SQL query, then go to step #4.
  4. If the user permission is not created, create it using a SQL query, then go to step #1.

You have to switch the connection between the superuser and the customer_id user for the first request, and then it will use the customer_id user for all subsequent requests.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
