Page tree

Trifacta Dataprep


Contents:

On April 28, 2021, Google changed the required permissions for attaching IAM roles to service accounts. If you are using IAM roles for your Google service accounts, please see Changes to User Management.

   

Contents:


This section covers changes between release on the following topics:

  • Authorization to the platform
    • User roles
    • Permissions of roles
  • Required permissions
  • Authentication methods
  • User management

Release 8.2

None.

Release 8.1

Fine-grained sharing permissions on individual objects

Beginning in this release, you can change the permissions to a shared object for individual users. These fine-grained permissions can be assigned at the time of sharing by the object's Owner or a workspace admin. They can also be changed at a later time.


NOTE: In this release, fine-grained sharing permissions apply to flows and connections only.

For more information, see Overview of Sharing.


Release 8.0

Scheduled outputs now inherit service account settings

Feature Availability: This feature is available in
Dataprep Premium by Trifacta only.

Previously, when companion service accounts were enabled for use, outputs for scheduled jobs that had already been created did not inherit the use of the companion service accounts. Without a companion service account, these scheduled outputs cannot be executed, and their jobs would fail with a No Dataflow service account provided error message. The issue and prior workaround are described below.

Beginning in Release 8.0, scheduled outputs that do not have a companion service account inherit the companion service account defined in the user's preferences.

NOTE: The workaround described below to fix scheduled outputs is no longer required.

See User Profile Page.

Release 7.10

Changes to IAM roles for service accounts

Feature Availability: This feature is available in
Dataprep Premium by Trifacta only.

Recently, Google announced changes to the required permissions for IAM roles used by service accounts to access Google Cloud Platform resources.

NOTE: The following changes will be deployed by Google on January 27, 2021. These changes have been enacted by Google and are outside of the Google Cloud Platform. All administrators of Dataprep by Trifacta should review the following changes to requirements and verify the impacts on their deployments.

Dataprep Premium by Trifacta customers

Steps:

  1. Login as an administrator.
  2. From the left menu bar, select User menu > Admin console > Project settings.
  3. Locate the following setting: Manage access to data using user IAM permissions. Check the current setting:

    SettingDescription
    EnabledUsers in your deployment are using IAM permissions. Please review and complete the following steps.
    DisabledUsers in your deployment are not affected. No further action is required. See "Other product editions" below for details.
    DefaultDefault setting is Disabled. See previous.

    For more information, see Dataprep Project Settings Page.

New requirements:

NOTE: With this change, users who connect to Google Cloud Platform resources using IAM roles must meet one of the following requirements to run jobs on Dataflow.

  • User must have iam.serviceAccounts.actAs permission on a compute service account, which must be specified during job execution.
  • User must have iam.serviceAccounts.actAs permission specified at the project level or in the default compute service account.
  • Project owners are not affected.

Recommendations:

For uninterrupted service, please do one of the following:

  1. Project administrators can grant their users the iam.serviceAccounts.actAs permission on the default compute service account:

    <project-number>-compute@developer.gserviceaccount.com


  2. (preferred) Project administrators should provision compute service accounts of narrower scope for their users. Users should be educated on how to use them.

    If users are now using companion service accounts, the outputs of any scheduled jobs must be updated. See "Fixing schedules" below.

Fixing schedules:

If individual users are now using companion service accounts to run jobs, all affected schedules must be updated.

Steps:

NOTE: Each user should complete the following steps for each of flow that they own.

  1. Identify if the flow contains a schedule:
    1. Open the flow in Flow View.
    2. At the top of the page, you may see one of the following icons.
    3. This icon indicates that there is an enabled schedule. Its outputs must be updated. Please see Step 2.

    4. This icon indicates that there is a schedule, but it is disabled. Its outputs must be updated. Please see Step 2.

    5. If neither icon is present, then the flow does not have a schedule. Please go to the next flow.
  2. For flows that do contain enabled or disabled schedules, please do the following:
    1. Locate the scheduled outputs. In the Flow View canvas, these outputs are labeled Scheduled Output.
    2. Select a scheduled output.
    3. In the right panel, under Scheduled Destinations click Edit.
    4. In the Scheduled publishing settings, click the Advanced Settings caret to open it.
    5. In the Service Account textbox, insert the new companion service account that you should use for the scheduled job.
  3. Repeat Step 2 for any other scheduled outputs in the flow.
  4. Repeat these steps for other scheduled flows that you own.

References:

Other product editions

No action is required. Actions on Dataflow are already executed with the proper permissions.

For more information on Dataprep by Trifacta permissions, see Required Dataprep User Permissions.



Release 7.9

Manage access to data using IAM permissions

Feature Availability: This feature is available in
Dataprep Premium by Trifacta only.

You can optionally configure the workspace to manage access to BigQuery and Google Cloud Storage data based on a fine-grained set of permissions in the user's IAM role.

Reduced scope of minimum required permissions

Feature Availability: This feature is available in
Dataprep Premium by Trifacta only.

Prior to Release 7.9, the required IAM permissions for Dataprep Premium by Trifacta were the following list. These permissions had to be included in any IAM role assigned to a product user.

However, many of these previously required permissions do not directly apply to use of the product. Beginning in Release 7.9, the list of required permissions has been reduced to only those required to access the Trifacta application and other elements of the product.

NOTE: Permissions that are needed for access to other services are now considered optional for use of the product itself. In the list below, these optional permissions are primarily tied to use of BigQuery.

NOTE: The storage.buckets.list permission must be enabled at the project level. All other storage.* permissions only need to be enabled on the staging bucket.

NOTE: The bigquery.jobs.create permission is required if you wish to use to BigQuery at all. The other permissions are optional and can be applied at the project or dataset level.

AreaPermissionRelease 7.8 and earlierRelease 7.9 and later
Generalresourcemanager.projects.getrequiredrequired

dataprep.projects.userequiredrequired
BigQuerybigquery.datasets.getrequiredoptional

bigquery.jobs.createrequired

optional

NOTE: This permission is required if you wish to use to BigQuery at all.


bigquery.tables.createrequiredoptional

bigquery.tables.getrequiredoptional

bigquery.tables.getDatarequiredoptional

bigquery.tables.listrequiredoptional

Dataflow

compute.machineTypes.getrequiredrequired

dataflow.jobs.createrequiredrequired

dataflow.jobs.getrequiredrequired

dataflow.messages.listrequiredrequired

dataflow.metrics.getrequiredrequired
base storagestorage.buckets.getrequiredrequired

storage.buckets.listrequired

required

NOTE: This permission must be enabled at the project level.



storage.objects.createrequiredrequired

storage.objects.deleterequiredrequired

storage.objects.getrequiredrequired

storage.objects.listrequiredrequired

storage.objects.updaterequiredoptional

New permissions

The following permissions are newly tracked for use with Dataprep Premium by Trifacta:

NOTE: Please verify that any newly required permissions are added to user roles.


AreaPermissionRelease 7.8 and earlierRelease 7.9 and later
BigQuerybigquery.tables.deleten/a

optional

NOTE: This permission is required on a table if you wish to publish to it. Otherwise, the table is reported as being read-only. For more information, see Required Dataprep User Permissions.


bigquery.datasets.createn/aoptional

bigquery.datasets.updaten/aoptional

Dataflow

dataflow.jobs.canceln/aoptional

For more information, see Required Dataprep User Permissions.


This page has no comments.