Closed Bug 1727081 Opened 3 years ago Closed 3 years ago

Document explicit policy on granting BQ access to services

Categories

(Data Platform and Tools :: General, task, P3)

task
Points: 2

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: klukas, Unassigned)

References

Details

(Whiteboard: [dataplatform])

Attachments

(1 file)

This bug is for tracking implementation of docs for our policies around granting Mozilla services access to specific tables in BigQuery, with special focus on policies around "live" data.

See the Access controls for services accessing BigQuery section of the proposal doc.

I am imagining that this ends up on DTMO, but Data SRE may have suggestions for Mana content that should be updated to reflect this.

Blocks: 1727071

I created a data access workgroups doc, which covers a few cases where workgroups are used and includes this case: https://mana.mozilla.org/wiki/display/DOPS/Data+Access+Workgroups#DataAccessWorkgroups-Workgroupaccessforautomationandapplicationserviceaccounts. It's not as prescriptive as the proposal doc (which recommends specific views be created per application); it's meant mainly to indicate:

  1. service accounts shouldn't generally be granted workgroup:mozilla-confidential-level access to data
  2. how to grant specific access to data

If you think this is sufficient documentation for this case then we can close this.

I do think this documentation is sufficient, but we should make sure we link to this documentation from bigquery-etl before closing this. Just linked a PR for this.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: [data-platform-infra-wg] → [dataplatform]