Code fails to update a table on BQ using DML, but succeeds for insertion and deletion with RPC

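I wrote some code that uses a service account to write to BQ on google-cloud.

The very strange thing is that only the "update" operation using DML fails. (The other insert and delete RPC calls succeed.)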

    def create_table(self, table_id, schema):
        table_full_name = self.get_table_full_name(table_id)
        table = self.get_table(table_full_name)
        if table is not None:
            # self.client.delete_table(table_full_name, not_found_ok=True)  # Make an API request.
            # print("Deleted table '{}'.".format(table_full_name))
            return
        table = bigquery.Table(table_full_name, schema=schema)
        table = self.client.create_table(table)  # Make an API request.
        print("Created table {}.{}.{}".format(table.project, table.dataset_id, table.table_id))


    # Works!
    def upload_rows_to_bq(self, table_id, rows_to_insert):
        table_full_name = self.get_table_full_name(table_id)
        for ads_chunk in split(rows_to_insert, _BQ_CHUNK_SIZE):
            errors = self.client.insert_rows_json(table_full_name, ads_chunk,
                row_ids=[None] * len(ads_chunk))  # One row id per row in this chunk. Make an API request.
            if not errors:
                print("New rows have been added.")
            else:
                print("Encountered errors while inserting rows: {}".format(errors))

    # Permissions failure
    def update_bq_ads_status_removed(self, table_id, update_ads):
        affected_rows = 0
        table_full_name = self.get_table_full_name(table_id)
        for update_ads_chunk in split(update_ads, _BQ_CHUNK_SIZE):
            ad_ids = [item["ad_id"] for item in update_ads_chunk]
            # ad_ids are interpolated into the SQL text via tuple repr (no query parameters are used).
            affected_rows += self.update_bq_ads_status(f"""
                            UPDATE {table_full_name} 
                            SET status = 'Removed' 
                            WHERE ad_id IN {tuple(ad_ids)} 
                            """)
        return affected_rows

I only get this error on update:

User does not have bigquery.jobs.create permission in project ABC.

Please grant the bigquery.user role to the service account, then try running the code again.

BigQuery Job User
role: bigquery.user

I will elaborate on my comment.

In GCP, you have 3 types of IAM roles.

include the Owner, Editor, and Viewer roles.

provide granular access for a specific service and are managed by Google Cloud. Predefined roles are meant to support common use cases and access control patterns.

provide granular access according to a user-specified list of permissions.

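What is the difference between predefined roles and custom roles? If you change (add/remove) the permissions of a predefined role, it becomes a custom role.

The BigQuery predefined roles, with their permission lists, can be found here

The error mentioned: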

User does not have bigquery.jobs.create permission in project ABC.

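means that the IAM role does not have a specific BigQuery permission - bigquery.jobs.create.

The bigquery.jobs.create permission can be found in two predefined roles, for example:

  • BigQuery Job User - (roles/bigquery.jobUser)
  • BigQuery User - (roles/bigquery.user)

Or it can be added to a different predefined role, but that will change it into a custom role.

In addition, in the Testing Permission guide you can find information on how to test IAM permissions.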
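The role check described in the answer above, as an added example (not code from the question or the answers): it reads a project IAM policy in the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports whether a member holds, without a condition, one of the two roles named above. The service account, project name, custom role and policy contents are constructed, and the role list is limited to the two roles the answer names.

```python
import copy

PERMISSION = "bigquery.jobs.create"
# Predefined roles the answer above names as carrying PERMISSION.
# Not exhaustive: other predefined roles and custom roles can carry it too.
JOB_CREATE_ROLES = {"roles/bigquery.jobUser", "roles/bigquery.user"}

# Constructed sample policy; the account, project and custom role are hypothetical.
SA = "serviceAccount:bq-writer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataEditor", "members": [SA]},
    {"role": "roles/bigquery.user", "members": [SA],
     "condition": {"title": "expired",
                   "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
    {"role": "projects/example-project/roles/adsLoader", "members": [SA]},
    {"role": "roles/viewer", "members": ["user:someone@example.com"]},
]}


def diagnose(policy, member):
    """Report whether `member` holds a role known to allow creating query jobs."""
    held = [(b["role"], "condition" in b)
            for b in policy.get("bindings", []) if member in b.get("members", [])]
    return {
        "roles_held": sorted(role for role, _ in held),
        # Unconditional grants of a role from JOB_CREATE_ROLES.
        "granting_roles": sorted(r for r, cond in held if r in JOB_CREATE_ROLES and not cond),
        # Conditional grants apply only while the condition evaluates to true.
        "conditional_roles": sorted(r for r, cond in held if r in JOB_CREATE_ROLES and cond),
        # Custom roles are not named roles/...; their permission lists must be inspected.
        "custom_roles_to_inspect": sorted(r for r, _ in held if not r.startswith("roles/")),
    }


def grant(policy, role, member):
    """Return a copy of `policy` with `member` in an unconditional `role` binding."""
    updated = copy.deepcopy(policy)
    for b in updated["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, SA))
    print(diagnose(grant(SAMPLE_POLICY, "roles/bigquery.jobUser", SA), SA))
```

An empty `granting_roles` list with a non-empty `custom_roles_to_inspect` or `conditional_roles` list means the policy alone does not settle the question, and the permission test from the guide mentioned above is the next step.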