Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

An access entry must have exactly one of userByEmail, groupByEmail, domain, specialGroup defined, view, routine, or dataset. #2085

Open
nyck33 opened this issue Nov 30, 2024 · 1 comment
Assignees
Labels
api: bigquery Issues related to the googleapis/python-bigquery API. priority: p3 Desirable enhancement or fix. May not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@nyck33
Copy link

nyck33 commented Nov 30, 2024

Thanks for stopping by to let us know something could be better!

PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.

Please run down the following list and make sure you've tried the usual "quick fixes":

If you are still having issues, please be sure to include as much information as possible:

Environment details

  • OS type and version: WSL2 Windows Home
  • Python version: python --version 3.9
  • pip version: pip --version
  • google-cloud-bigquery version: pip show google-cloud-bigquery

Steps to reproduce

  1. based on your sample code here https://cloud.google.com/bigquery/docs/updating-datasets#python_2
import logging
import os
from google.cloud import bigquery
from google.cloud.bigquery.dataset import AccessEntry
from dotenv import load_dotenv

# Configure logging
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s - %(levelname)s - %(message)s"
)

# Load environment variables from a .env file
load_dotenv()

# Retrieve environment variables
SERVICE_ACCOUNT_JSON = os.getenv("GCP_C2C_SERVICE_ACCOUNT_JSON")
PROJECT_ID = os.getenv("GCP_C2C_PROJECT_ID")
DATASET_ID = "jsons_rep_data_warehouse"
MASKED_READER_EMAIL = os.getenv("MASKEDREADER_EMAIL")
FINEGRAINEDREADER_EMAIL = os.getenv("FINEGRAINEDREADER_EMAIL")


# TODO(developer): Set dataset_id to the ID of the dataset to fetch.
dataset_id = f'{PROJECT_ID}.{DATASET_ID}'

# TODO(developer): Set entity_id to the ID of the email or group from whom
# you are adding access. Alternatively, to the JSON REST API representation
# of the entity, such as a view's table reference.
entity_id = MASKED_READER_EMAIL

from google.cloud.bigquery.enums import EntityTypes

# TODO(developer): Set entity_type to the type of entity you are granting access to.
# Common types include:
#
# * "userByEmail" -- A single user or service account. For example "fred@example.com"
# * "groupByEmail" -- A group of users. For example "example@googlegroups.com"
# * "view" -- An authorized view. For example
#       {"projectId": "p", "datasetId": "d", "tableId": "v"}
#
# For a complete reference, see the REST API reference documentation:
# https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets#Dataset.FIELDS.access
entity_type_group = EntityTypes.GROUP_BY_EMAIL
entity_type_user = EntityTypes.USER_BY_EMAIL
entity_type_view = EntityTypes.VIEW

# TODO(developer): Set role to a one of the "Basic roles for datasets"
# described here:
# https://cloud.google.com/bigquery/docs/access-control-basic-roles#dataset-basic-roles
role = "READER"

from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client.from_service_account_json(SERVICE_ACCOUNT_JSON)

dataset = client.get_dataset(dataset_id)  # Make an API request.

entries = list(dataset.access_entries)
entries.append(
    bigquery.AccessEntry(
        role=role,
        entity_type=entity_type_user,
        entity_id=entity_id,
    )
)
dataset.access_entries = entries

dataset = client.update_dataset(dataset, ["access_entries"])  # Make an API request.

full_dataset_id = "{}.{}".format(dataset.project, dataset.dataset_id)
print(
    "Updated dataset '{}' with modified user permissions.".format(full_dataset_id)
)

throws

(bigquery) nyck33@lenovo-gtx1650:/mnt/d/c2c/sdp-masking-nov28-2024/policy_tags_udfs$ python set_iam_update_dataset_access_control_sample.py
Traceback (most recent call last):
  File "/mnt/d/c2c/sdp-masking-nov28-2024/policy_tags_udfs/set_iam_update_dataset_access_control_sample.py", line 71, in <module>
    dataset = client.update_dataset(dataset, ["access_entries"])  # Make an API request.
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/cloud/bigquery/client.py", line 1228, in update_dataset
    api_response = self._call_api(
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/cloud/bigquery/client.py", line 833, in _call_api
    return call()
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/api_core/retry/retry_unary.py", line 293, in retry_wrapped_func
    return retry_target(
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/api_core/retry/retry_unary.py", line 153, in retry_target
    _retry_error_helper(
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/api_core/retry/retry_base.py", line 212, in _retry_error_helper
    raise final_exc from source_exc
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/api_core/retry/retry_unary.py", line 144, in retry_target
    result = target()
  File "/home/nyck33/miniconda3/envs/bigquery/lib/python3.9/site-packages/google/cloud/_http/__init__.py", line 494, in api_request
    raise exceptions.from_http_response(response)
google.api_core.exceptions.BadRequest: 400 PATCH https://bigquery.googleapis.com/bigquery/v2/projects/c2c-dwh-dev/datasets/jsons_rep_data_warehouse?prettyPrint=false: An access entry must have exactly one of userByEmail, groupByEmail, domain, specialGroup defined, view, routine, or dataset.
(bigquery) nyck33@lenovo-gtx1650:/mnt/d/c2c/sdp-masking-nov28-2024/policy_tags_udfs$ 

that email address I set up a service account in the console and gave it masked reader permissions.

@product-auto-label product-auto-label bot added the api: bigquery Issues related to the googleapis/python-bigquery API. label Nov 30, 2024
@Linchin
Copy link
Contributor

Linchin commented Dec 2, 2024

Hi @nyck33, thank you for raising the issue. I'm unable to reproduce the error, neither with the sample code nor the snippet you provided. This error message is returned by the backend, if either 0 or more than 1 of the listed fields are provided.

To have more info for debugging, could you print out the list entries after appending, and see the entity_type property of each item? My guess is one of them happen to be empty.

@Linchin Linchin self-assigned this Dec 2, 2024
@Linchin Linchin added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p3 Desirable enhancement or fix. May not be included in next release. labels Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api: bigquery Issues related to the googleapis/python-bigquery API. priority: p3 Desirable enhancement or fix. May not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Development

No branches or pull requests

3 participants