On April 28, 2021, Google is changing the required permissions for attaching IAM roles to service accounts. If you are using IAM roles for your Google service accounts, please see Changes to User Management.

This section covers changes between releases on the following topics:

  • Authorization to the platform
    • User roles
    • Permissions of roles
  • Required permissions
  • Authentication methods
  • User management

Release 8.0

Scheduled outputs now inherit service account settings

Feature Availability: This feature is available in Cloud Dataprep Premium by TRIFACTA INC.

Previously, when companion service accounts were enabled for use, outputs for scheduled jobs that had already been created did not inherit the use of the companion service accounts. Without a companion service account, these scheduled outputs cannot be executed, and their jobs would fail with the error message "No Dataflow service account provided". The issue and prior workaround are described below.

Beginning in Release 8.0, scheduled outputs that do not have a companion service account inherit the companion service account defined in the user's preferences.

NOTE: The workaround described below to fix scheduled outputs is no longer required.

See User Profile Page.

Release 7.10

Changes to IAM roles for service accounts

Feature Availability: This feature is available in Cloud Dataprep Premium by TRIFACTA INC.

Recently, Google announced changes to the required permissions for IAM roles used by service accounts to access Google Cloud Platform resources.

NOTE: The following changes will be deployed by Google on January 27, 2021. These changes have been enacted by Google and are outside of the Google Cloud Platform. All administrators of Cloud Dataprep by TRIFACTA INC. should review the following changes to requirements and verify the impacts on their deployments.

Cloud Dataprep Premium by TRIFACTA INC. customers

Steps:

  1. Login as an administrator.
  2. From the left menu bar, select User menu > Admin console > Dataprep settings.
  3. Locate the following setting: Manage access to data using user IAM permissions. Check the current setting:

    Setting | Description
    Enabled | Users in your deployment are using IAM permissions. Please review and complete the following steps.
    Disabled | Users in your deployment are not affected. No further action is required. See "Other product editions" below for details.
    Default | Default setting is Disabled. See previous.

    For more information, see Dataprep Settings Page.

New requirements:

NOTE: With this change, users who connect to Google Cloud Platform resources using IAM roles must meet one of the following requirements to run jobs on Cloud Dataflow.

  • User must have iam.serviceAccounts.actAs permission on a compute service account, which must be specified during job execution.
  • User must have iam.serviceAccounts.actAs permission specified at the project level or in the default compute service account.
  • Project owners are not affected.

Recommendations:

For uninterrupted service, please do one of the following:

  1. Project administrators can grant their users the iam.serviceAccounts.actAs permission on the default compute service account:

    <project-number>-compute@developer.gserviceaccount.com


  2. (preferred) Project administrators should provision compute service accounts of narrower scope for their users. Users should be educated on how to use them.

    If users are now using compute service accounts, the outputs of any scheduled jobs must be updated. See "Fixing schedules" below.
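
The two recommendations above as gcloud commands. This is an added example, not code from the Trifacta documentation; it assumes that roles/iam.serviceAccountUser is the predefined role carrying iam.serviceAccounts.actAs, that the companion account needs roles/dataflow.worker to run Dataflow jobs, and that the project id, project number, user e-mail and account name are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Trifacta page: the two options from the
# "Recommendations" section expressed as gcloud commands.
# Assumptions: roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs;
# the companion account is given roles/dataflow.worker (any data-access roles
# it needs on the staging bucket are out of scope here); ids are placeholders.
# With DRY_RUN=1 the commands are printed instead of executed.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# E-mail of the default compute service account for a project number.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# E-mail of a user-managed service account: NAME PROJECT_ID.
companion_sa() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Option 1: grant the user actAs on the default compute service account only
# (a binding on that account, not a project-wide grant).  Args: PROJECT_NUMBER USER_EMAIL
grant_actas_on_default_sa() {
  run gcloud iam service-accounts add-iam-policy-binding "$(default_compute_sa "$1")" \
    --member="user:$2" --role=roles/iam.serviceAccountUser
}

# Option 2 (preferred): a dedicated, narrower-scope companion account.
# The user may impersonate this account alone, and the account holds only the
# Dataflow worker role, not the project Editor role the default account gets by default.
create_companion_sa() {   # args: PROJECT_ID SA_NAME USER_EMAIL
  sa=$(companion_sa "$2" "$1")
  run gcloud iam service-accounts create "$2" --project="$1" \
    --display-name="Dataprep companion for $3"
  run gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$sa" --role=roles/dataflow.worker
  run gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --project="$1" --member="user:$3" --role=roles/iam.serviceAccountUser
}

# Usage with placeholders:
#   DRY_RUN=1 create_companion_sa my-project dataprep-team-a alice@example.com
# The e-mail dataprep-team-a@my-project.iam.gserviceaccount.com is then the value
# the user enters in the Service Account textbox of each scheduled output.
```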

Fixing schedules:

If individual users are now using companion service accounts to run jobs, all affected schedules must be updated.

Steps:

NOTE: Each user should complete the following steps for each flow that they own.

  1. Identify if the flow contains a schedule:
    1. Open the flow in Flow View.
    2. At the top of the page, you may see one of the following icons.
    3. This icon indicates that there is an enabled schedule. Its outputs must be updated. Please see Step 2.
    4. This icon indicates that there is a schedule, but it is disabled. Its outputs must be updated. Please see Step 2.
    5. If neither icon is present, then the flow does not have a schedule. Please go to the next flow.
  2. For flows that do contain enabled or disabled schedules, please do the following:
    1. Locate the scheduled outputs. In the Flow View canvas, these outputs are labeled Scheduled Output.
    2. Select a scheduled output.
    3. In the right panel, under Scheduled Destinations click Edit.
    4. In the Scheduled publishing settings, click the Advanced Settings caret to open it.
    5. In the Service Account textbox, insert the new companion service account that you should use for the scheduled job.
  3. Repeat Step 2 for any other scheduled outputs in the flow.
  4. Repeat these steps for other scheduled flows that you own.

Other product editions

No action is required. Actions on Cloud Dataflow are already executed with the proper permissions.

For more information on Cloud Dataprep by TRIFACTA INC. permissions, see Required Dataprep User Permissions.



Release 7.9

Manage access to data using IAM permissions

Feature Availability: This feature is available in Cloud Dataprep Premium by TRIFACTA INC.

You can optionally configure the workspace to manage access to BigQuery and Google Cloud Storage data based on a fine-grained set of permissions in the user's IAM role.

Reduced scope of minimum required permissions

Feature Availability: This feature is available in Cloud Dataprep Premium by TRIFACTA INC.

Prior to Release 7.9, the required IAM permissions for Cloud Dataprep Premium by TRIFACTA INC. were those in the following list. These permissions had to be included in any IAM role assigned to a product user.

However, many of these previously required permissions do not directly apply to use of the product. Beginning in Release 7.9, the list of required permissions has been reduced to only those required to access the Trifacta application and other elements of the product.

NOTE: Permissions that are needed for access to other services are now considered optional for use of the product itself. In the list below, these optional permissions are primarily tied to use of BigQuery.

NOTE: The storage.buckets.list permission must be enabled at the project level. All other storage.* permissions only need to be enabled on the staging bucket.

NOTE: The bigquery.jobs.create permission is required if you wish to use BigQuery at all. The other permissions are optional and can be applied at the project or dataset level.

Area | Permission | Release 7.8 and earlier | Release 7.9 and later
General | resourcemanager.projects.get | required | required
General | dataprep.projects.use | required | required
BigQuery | bigquery.datasets.get | required | optional
BigQuery | bigquery.jobs.create | required | optional (NOTE: This permission is required if you wish to use BigQuery at all.)
BigQuery | bigquery.tables.create | required | optional
BigQuery | bigquery.tables.get | required | optional
BigQuery | bigquery.tables.getData | required | optional
BigQuery | bigquery.tables.list | required | optional
Cloud Dataflow | compute.machineTypes.get | required | required
Cloud Dataflow | dataflow.jobs.create | required | required
Cloud Dataflow | dataflow.jobs.get | required | required
Cloud Dataflow | dataflow.messages.list | required | required
Cloud Dataflow | dataflow.metrics.get | required | required
Base storage | storage.buckets.get | required | required
Base storage | storage.buckets.list | required | required (NOTE: This permission must be enabled at the project level.)
Base storage | storage.objects.create | required | required
Base storage | storage.objects.delete | required | required
Base storage | storage.objects.get | required | required
Base storage | storage.objects.list | required | required
Base storage | storage.objects.update | required | optional
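
An audit of a custom role's permission list against the rows marked required for Release 7.9 above, together with the note that bigquery.jobs.create is needed for any BigQuery use. This is an added example, not from the Trifacta documentation; the sample role is constructed, and the gcloud command in the comment for fetching a real role's list is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Trifacta page: check a role's permission list
# against the Release 7.9 "required" rows and the bigquery.jobs.create note.
# Functions take a whitespace-separated permission list as $1. Assumed way to
# obtain it for a real custom role (not run here):
#   gcloud iam roles describe ROLE_ID --project PROJECT_ID \
#     --format='value(includedPermissions)' | tr ';' ' '
set -eu

REQUIRED_79='resourcemanager.projects.get dataprep.projects.use
compute.machineTypes.get dataflow.jobs.create dataflow.jobs.get
dataflow.messages.list dataflow.metrics.get
storage.buckets.get storage.buckets.list storage.objects.create
storage.objects.delete storage.objects.get storage.objects.list'

# Print each required permission absent from the list; return 1 if any is missing.
# The list cannot show where a grant lives, so storage.buckets.list still has to
# be confirmed at the project level by hand.
missing_required() {
  rc=0
  for p in $REQUIRED_79; do
    printf '%s\n' $1 | grep -qx "$p" || { printf 'MISSING required: %s\n' "$p"; rc=1; }
  done
  return $rc
}

# Return 1 when other bigquery.* permissions are granted without
# bigquery.jobs.create, which leaves BigQuery unusable despite the grants.
bigquery_consistent() {
  if printf '%s\n' $1 | grep -q '^bigquery\.' &&
     ! printf '%s\n' $1 | grep -qx 'bigquery.jobs.create'; then
    echo 'WARN: bigquery.* granted without bigquery.jobs.create'; return 1
  fi
}

# Constructed sample role: storage.buckets.list was forgotten, and BigQuery
# table permissions were granted without bigquery.jobs.create.
SAMPLE_ROLE='resourcemanager.projects.get dataprep.projects.use
compute.machineTypes.get dataflow.jobs.create dataflow.jobs.get
dataflow.messages.list dataflow.metrics.get storage.buckets.get
storage.objects.create storage.objects.delete storage.objects.get
storage.objects.list bigquery.tables.get bigquery.tables.getData'
```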

New permissions

The following permissions are newly tracked for use with Cloud Dataprep Premium by TRIFACTA INC.:

NOTE: Please verify that any newly required permissions are added to user roles.


Area | Permission | Release 7.8 and earlier | Release 7.9 and later
BigQuery | bigquery.tables.delete | n/a | optional (NOTE: This permission is required on a table if you wish to publish to it. Otherwise, the table is reported as being read-only. For more information, see Required Dataprep User Permissions.)
BigQuery | bigquery.datasets.create | n/a | optional
BigQuery | bigquery.datasets.update | n/a | optional
Cloud Dataflow | dataflow.jobs.cancel | n/a | optional

For more information, see Required Dataprep User Permissions.
