cal-itp / data-infra

Cal-ITP data infrastructure
https://docs.calitp.org/data-infra
GNU Affero General Public License v3.0
47 stars 12 forks

update payments row access policy to include new contributors #3418

Closed charlie-costanzo closed 1 month ago

charlie-costanzo commented 1 month ago

Description

Update payments row access policies in macro create_row_access_policy to include new GCP group: mov-project-team@jarv.us to facilitate querying and contributions to row access policy-protected tables (primarily fct_payments__rides_v2 and fct_elavon__transactions)

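As an added illustration (not the project's own create_row_access_policy macro, whose body is not shown in this thread), a dbt macro in the shape the description implies: it emits BigQuery row access policy DDL for a payments table and takes the grantee list as a parameter, so adding a group or a whole domain is a one-entry change. The project id, policy name, filter expression and macro name are assumed.

```sql
{# Hypothetical macro for illustration; the real macro in cal-itp/data-infra is not reproduced here. #}
{% macro create_row_access_policy_example(table_ref, policy_name, principals, filter_expr) %}
  {# principals: IAM members in BigQuery grantee syntax, for example
       "group:mov-project-team@jarv.us"  -> only the enumerated group members
       "domain:calitp.org"               -> every account in that Workspace domain
     For sensitive payments rows a group is the finer-grained choice: membership
     is an explicit list that can be reviewed, rather than everyone in a domain. #}
  CREATE OR REPLACE ROW ACCESS POLICY {{ policy_name }}
  ON {{ table_ref }}
  GRANT TO (
    {%- for p in principals %}
    "{{ p }}"{% if not loop.last %},{% endif %}
    {%- endfor %}
  )
  FILTER USING ({{ filter_expr }});
{% endmacro %}

{# Example invocation (for instance from an on-run-end hook); "my-project" is a placeholder. #}
{{ create_row_access_policy_example(
     "`my-project.payments.fct_payments__rides_v2`",
     "payments_full_access",
     ["domain:calitp.org", "group:mov-project-team@jarv.us"],
     "TRUE"
) }}
```

Because the grantee list is the whole access control for these rows, a change to it should be reviewed like any other IAM change; a domain-wide grant is the coarser option the later comments weigh against.
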
ohrite commented 1 month ago

Hi @charlie-costanzo is it possible to add domain:ministryofvelocity.com or group:consultants@ministryofvelocity.com instead?

charlie-costanzo commented 1 month ago

> Hi @charlie-costanzo is it possible to add domain:ministryofvelocity.com or group:consultants@ministryofvelocity.com instead?

Hey @ohrite – when creating new groups to allow access to row access policies in GCP, I believe that the domain for a new group's email address is actually automatically assigned the domain of the 'owner' of the GCP organization, and I believe Jarvus is still technically the 'owner' of the Cal-ITP GCP instance. So I wasn't given an option to substitute domains, and I don't think it has much impact other than the settings for the group's access to the tables, but can look into this further if you'd like.

I could also potentially change to a domain-level access to the tables, such as domain:ministryofvelocity.com, if preferred, but that would be a less granular way to control who accesses these (more sensitive) payments tables. Currently the only domain that's given broad domain access is calitp.org, as the group that Jarvus users have been in names users specifically. Let me know if you'd like me to look further into this though, as well.

themightychris commented 1 month ago

Compiler owns the existing GCP project, not Jarvus

We don't have access to the "organization" that owns the GCP project—either because none is assigned to the project or because we're not members of it.

Groups can only be created at the organization level so we're creating them under jarvus for now

We're about to rework all this stuff in the transition to Caltrans owning the GCP project so it might be best to just stick with small un-ideal changes for now rather than making the current IAM structure more complex for what will hopefully only be a few weeks