forked from GoogleCloudPlatform/professional-services
comparison.html
<style>
#greenrow {
text-align: left;
background-color: #A8DAB5;
color: #5F6368
}
#redrow {
text-align: left;
background-color: #F6AEA9;
color: #5F6368
}
#yellowrow {
text-align: left;
background-color: #FDE293;
color: #5F6368
}
#rowheader {
text-align: center;
font-weight: bold;
}
</style>
<table>
<thead style="text-align:center;background-color: #E8EAED; font-size: large; color: #3C4043;" >
<tr>
<th></th>
<th>BigLake/BigQuery IAM</th>
<th>Ranger Hive Plugin</th>
</tr>
</thead>
<tbody>
<tr>
<td id="rowheader">Users and Groups</td>
<td id="greenrow">supported</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Permission Mapping</td>
<td colspan="2">
<ul>
<li>Select -> bigquery.tables.getData, bigquery.jobs.create</li>
<li>Update -> bigquery.tables.updateData</li>
<li>Create -> bigquery.tables.create </li>
<li>Drop -> bigquery.tables.delete</li>
<li>Alter -> bigquery.tables.update </li>
<li>Index -> no direct equivalent; indexing works differently in BigQuery, which offers clustering and partitioning instead.</li>
<li>Lock -> no equivalent; BigQuery has no table locks.</li>
</ul>
</td>
</tr>
<tr>
<td id="rowheader">Authorization Granularity</td>
<td id="greenrow" colspan="2">Dataset, Table, Column, Row</td>
</tr>
<tr>
<td id="rowheader">Data Masking on Columns</td>
<td id="greenrow"> <a href="https://cloud.google.com/bigquery/docs/column-data-masking-intro">supported</a></td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Policy Labels</td>
<td id="greenrow">supported</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Tag Based Access Control</td>
<td id="greenrow">
<ul>
<li><a href="https://cloud.google.com/data-catalog/docs/policy-tags">Policy Tags</a> for column based access control</li>
<li><a href="https://cloud.google.com/resource-manager/docs/tags/tags-overview"> Resource Tags</a> at BigQuery dataset level</li>
</ul>
</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Allow Exceptions</td>
<td id="redrow">not supported</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Deny Policies</td>
<td id="redrow">not supported (deny policies are in preview for GCS; check the latest information).</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Policy Priorities (Priorities of 0 or 1)</td>
<td id="yellowrow">Not supported, since IAM is additive. <br/>
In Ranger, policy priorities are used to grant access temporarily by overriding other policies.
In IAM, the same temporary access can be achieved through group memberships.
</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Wildcard</td>
<td id="yellowrow">Wildcards (*) are not supported in IAM.
For instance, an IAM binding cannot target finance_* <br/>
However, resources can be grouped in projects, folders, etc.
</td>
<td id="greenrow">supported</td>
</tr>
<tr>
<td id="rowheader">Validity Period</td>
<td id="yellowrow">Validity period is not supported, since
BigQuery IAM does not support conditions yet (please check the latest information).<br/>
Nevertheless, temporary access can be given by temporary group membership, which is also
the recommended approach since it does not require changes to the IAM policy and hence
no CI/CD pipeline run.
</td>
<td id="greenrow">supported</td>
</tr>
</tbody>
</table>
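<p>As an added example (not part of the original comparison page), the permission mapping and the "not supported" rows above can be turned into a small migration check: it maps a Ranger Hive policy's allow items to the BigQuery IAM permissions from the table and flags the features the table marks as unsupported in IAM (deny items, validity schedules, priority overrides, wildcard resources). The policy shape loosely follows Ranger's policy JSON and the sample policy is constructed.</p>

```python
"""Translate Ranger Hive policy items into the BigQuery IAM permissions listed in the
comparison table and flag the Ranger features the table marks unsupported in IAM.
Added example: policy shape loosely follows Ranger's policy JSON; sample is constructed."""

# Ranger Hive access type -> BigQuery IAM permissions (from the Permission Mapping row).
# "index" and "lock" are absent on purpose: no equivalent (clustering/partitioning; no locks).
ACCESS_TO_IAM = {
    "select": ["bigquery.tables.getData", "bigquery.jobs.create"],
    "update": ["bigquery.tables.updateData"],
    "create": ["bigquery.tables.create"],
    "drop": ["bigquery.tables.delete"],
    "alter": ["bigquery.tables.update"],
}


def translate_policy(policy: dict) -> dict:
    """Return grants per principal plus the features that cannot be expressed in IAM."""
    blockers, unmapped, grants = [], set(), {}
    if policy.get("denyPolicyItems"):
        blockers.append("deny items: IAM is additive, no deny policies for BigQuery")
    if policy.get("validitySchedules"):
        blockers.append("validity schedule: use temporary group membership instead")
    if policy.get("policyPriority", 0) > 0:
        blockers.append("policy priority override: not expressible in additive IAM")
    for level, res in policy.get("resources", {}).items():
        for value in res.get("values", []):
            if "*" in value:  # e.g. finance_*: group resources in projects/folders instead
                blockers.append(f"wildcard {level}={value}: not supported in IAM")
    for item in policy.get("policyItems", []):  # allow items only
        principals = [f"user:{u}" for u in item.get("users", [])]
        principals += [f"group:{g}" for g in item.get("groups", [])]
        for access in item.get("accesses", []):
            kind = access["type"].lower()
            if kind not in ACCESS_TO_IAM:  # index, lock, or anything unknown
                unmapped.add(kind)
                continue
            for principal in principals:
                grants.setdefault(principal, set()).update(ACCESS_TO_IAM[kind])
    return {"grants": {p: sorted(s) for p, s in grants.items()},
            "unmapped": sorted(unmapped), "blockers": blockers}


SAMPLE_POLICY = {  # constructed sample, not from a real Ranger export
    "resources": {"database": {"values": ["finance_*"]}, "table": {"values": ["ledger"]}},
    "policyItems": [{"users": ["alice"], "groups": ["analysts"],
                     "accesses": [{"type": "select"}, {"type": "lock"}]}],
    "denyPolicyItems": [{"users": ["mallory"], "accesses": [{"type": "select"}]}],
    "validitySchedules": [{"startTime": "2024/01/01 00:00:00", "endTime": "2024/12/31 23:59:59"}],
    "policyPriority": 1,
}
```

<p>For the sample policy, both principals receive the two "select" permissions, "lock" is reported as unmapped, and four blockers are listed; each blocker corresponds to one yellow or red row in the table and needs a manual decision (group membership, project/folder grouping) before the policy can be migrated.</p>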