To enable row level security, I used the Filter By Email option as suggested here. But I want to know whether I can enable access to the same row for multiple users, and also how to enable super users who can see all rows. For example, if below is the sample data, then I want to have different output based on who is logged in.
userId age email
A 20 usera@gmail.com
B 15 userb@gmail.com
C 25 userc@gmail.com
Z 30 admin@gmail.com
When A is logged in
userId age email
A 20 usera@gmail.com
When B is logged in
userId age email
A 20 usera@gmail.com
B 15 userb@gmail.com
When Z is logged in
userId age email
A 20 usera@gmail.com
B 15 userb@gmail.com
C 25 userc@gmail.com
Z 30 admin@gmail.com
Update1: I am using a postgres instance for reporting (not BigQuery), so a solution which makes use of @DS_USER_EMAIL will not work.
The filter by email simply provides you with the email of the currently logged-in user. You have to use it to filter your query. I designed a simple test like this:
with sample as (
select "a" as userId, 10 as age, "usera@gmail.com" as email
UNION ALL
select "b" as userId, 20 as age, "userb@gmail.com" as email
UNION ALL
select "c" as userId, 30 as age, "userc@gmail.com" as email
), auth as (
select "usera@gmail.com" as user, "usera@gmail.com" as permission
UNION ALL
select "userb@gmail.com" as user, "usera@gmail.com" as permission
UNION ALL
select "userb@gmail.com" as user, "userb@gmail.com" as permission
UNION ALL
select "admin@gmail.com" as user, ".*" as permission
)
select * from sample
where REGEXP_CONTAINS(email,(select STRING_AGG(permission,"|") from auth where auth.user = @DS_USER_EMAIL))
I have the sample table with your data. I created an auth table with the link between the user email and the view authorization.
In the final request, I use a regex to check if the row is authorized or not. The admin has the value .* to view all the data. The other is simply an aggregation of all the rows, separated by a pipe | (OR in regex language).
EDIT
The power of BigQuery is its compliance with the SQL2011 standard, and a working query in postgres is similar. For the regex pattern, use SIMILAR TO. Look at the admin regex pattern: it's not conventional regex, but it works. string_agg is an existing function.
with sample as (
select 'a' as userId, 10 as age, 'usera@gmail.com' as email
UNION ALL
select 'b' as userId, 20 as age, 'userb@gmail.com' as email
UNION ALL
select 'c' as userId, 30 as age, 'userc@gmail.com' as email
), auth as (
select 'usera@gmail.com' as user, 'usera@gmail.com' as permission
UNION ALL
select 'userb@gmail.com' as user, 'usera@gmail.com' as permission
UNION ALL
select 'userb@gmail.com' as user, 'userb@gmail.com' as permission
UNION ALL
select 'admin@gmail.com' as user, '%' as permission
)
select * from sample
where email SIMILAR TO (select STRING_AGG(permission,'|') from auth where auth.user = @DS_USER_EMAIL)
The query works, but it's not usable with Datastudio because @DS_USER_EMAIL exists only with BigQuery.
The workaround is to use a Cloud SQL federated query. The final request is a mix of both DB engines:
with sample as (
SELECT * FROM EXTERNAL_QUERY("gbl-imt-homerider-basguillaueb.us.vertx-postgres", """ select 'a' as userId, 10 as age, 'usera@gmail.com' as email
UNION ALL
select 'b' as userId, 20 as age, 'userb@gmail.com' as email
UNION ALL
select 'c' as userId, 30 as age, 'userc@gmail.com' as email""")), auth as (
SELECT * FROM EXTERNAL_QUERY("gbl-imt-homerider-basguillaueb.us.vertx-postgres", """ select 'usera@gmail.com' as user, 'usera@gmail.com' as permission
UNION ALL
select 'userb@gmail.com' as user, 'usera@gmail.com' as permission
UNION ALL
select 'userb@gmail.com' as user, 'userb@gmail.com' as permission
UNION ALL
select 'admin@gmail.com' as user, '.*' as permission"""))
select * from sample
where REGEXP_CONTAINS(email,(select STRING_AGG(permission,"|") from auth where auth.user = @DS_USER_EMAIL))
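The sample/auth design above, as a PostgreSQL example with exact-match grants and an explicit super-user flag, next to the SIMILAR TO form for comparison. This is an added example, not code from the answer; the viewer, permitted and all_rows columns and the user_d/userxd rows are assumptions constructed for illustration.

```sql
-- Constructed sample data; the last two addresses are added to show over-matching.
CREATE TEMP TABLE sample (userid text, age int, email text);
INSERT INTO sample VALUES
  ('a', 10, 'usera@gmail.com'),
  ('b', 20, 'userb@gmail.com'),
  ('c', 30, 'userc@gmail.com'),
  ('d', 40, 'user_d@gmail.com'),
  ('e', 50, 'userxd@gmail.com');

-- Hypothetical grant table: one row per (viewer, visible address).
-- Super users get an explicit flag instead of a '%' or '.*' pattern.
CREATE TEMP TABLE auth (
  viewer    text    NOT NULL,
  permitted text,                        -- NULL when all_rows is set
  all_rows  boolean NOT NULL DEFAULT false,
  CHECK (all_rows OR permitted IS NOT NULL)
);
INSERT INTO auth (viewer, permitted, all_rows) VALUES
  ('usera@gmail.com', 'usera@gmail.com', false),
  ('userb@gmail.com', 'usera@gmail.com', false),
  ('userb@gmail.com', 'userb@gmail.com', false),
  ('userd@gmail.com', 'user_d@gmail.com', false),
  ('admin@gmail.com', NULL, true);

-- Pattern form from the answer, for comparison. '_' in a stored address is a
-- SIMILAR TO wildcard, so the user_d grant also covers userxd@gmail.com.
PREPARE visible_by_pattern(text) AS
  SELECT s.* FROM sample s
  WHERE s.email SIMILAR TO
        (SELECT string_agg(permitted, '|') FROM auth WHERE viewer = $1);

-- Exact-match form: addresses are compared as data, never as patterns.
PREPARE visible_exact(text) AS
  SELECT s.* FROM sample s
  WHERE EXISTS (
    SELECT 1 FROM auth a
    WHERE a.viewer = $1
      AND (a.all_rows OR a.permitted = s.email)
  );

EXECUTE visible_by_pattern('userd@gmail.com');  -- grant written for user_d only
EXECUTE visible_exact('userd@gmail.com');
EXECUTE visible_exact('userb@gmail.com');       -- viewer with two grants
EXECUTE visible_exact('admin@gmail.com');       -- super user
EXECUTE visible_exact('nobody@gmail.com');      -- viewer with no grants
```

In the BigQuery variant, REGEXP_CONTAINS is a substring match and `.` matches any character, so the same exact-match comparison is the safer filter there as well.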