Closed Bug 1712956 Opened 3 years ago Closed 3 years ago

Give Frank and GKE access to Contextual Services

Categories

(Data Platform and Tools Graveyard :: Operations, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: frank, Unassigned)

See request in https://bugzilla.mozilla.org/show_bug.cgi?id=1711955.

I need personal access for development of those datasets in Looker. We will deploy through the automated pipeline, which means the GKE cluster we run lookml-generator on needs access to those datasets as well. That looks to be workloads-prod-v1.

The connection will be with a bigquery-oauth, which means that while the underlying schemas are available for people to peruse, they will not be able to run any queries unless they already have access to the tables. This also means we don't need to give the Looker service account access to that data.

Blocks: 1711955

I think the easiest thing to do here is to get you added to the contextual services workgroup (currently tracked by bug #1692598). NI :atsay in that bug and she should be able to add you (I'm also able to add you, but I want this access to be managed like any other contextual-services access).

I'm not familiar with the bigquery-oauth based access but it sounds like it greatly simplifies some of the Looker access group logic I remember reading early drafts of (i.e. it sounds like it doesn't require a separate access implementation because it passes through user credentials). Do you have a document describing the access model?

It does simplify things, but isn't going to be great for large datasets (where we lose caching abilities): https://docs.looker.com/setup-and-management/database-config/google-bigquery.

Thanks whd!

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

As an additional note, airflow-based GKE service accounts should already have had access to these datasets, so that part of the request was already covered.

Product: Data Platform and Tools → Data Platform and Tools Graveyard