tokern / lakecli

A CLI to manage and monitor permissions in AWS Lake Formation
Apache License 2.0

ALL_TABLES grant option #23

Open hkuchi opened 3 years ago

hkuchi commented 3 years ago

Issue Summary

While lakecli is a great tool to view and manage permissions for your lakeformation resources, I think it is missing the ALL_TABLES grant option. For instance, if there are say 500 tables within a database, is it possible to GRANT select on ALL TABLES in database to a principal instead of granting each table at a time?

vrajat commented 3 years ago

boto3 or the AWS Lakeformation API does not have the functionality to grant permissions to all tables. The closest is batch_grant_permissions or batch_revoke_permissions. However, these APIs take a maximum of 20 entries.

The nice part of lakecli is that it can be part of a script, bash or python, and you can automate granting permissions to a larger set. Happy to discuss if you want to try writing such a script.

hkuchibhotla commented 3 years ago

Hi Rajat, Thank you for your response.

Per boto3 documentation, batch_grant_permissions can take a list of up to 20 entries. However, granting permissions to ALL TABLES within a Database can be performed by using the "TableWildcard" option.

TableWildcard (dict) --
A wildcard object representing every table under a database.

Ref: batch_grant_permissions

Alternatively, this works via the CLI as well:

```bash
# Resource key is TableWildcard (case-sensitive); an empty object selects every table in the database
aws lakeformation grant-permissions \
  --principal DataLakePrincipalIdentifier=<ARN_OF_THE_IAM_PRINCIPAL> \
  --permissions "SELECT" \
  --resource '{"Table": {"DatabaseName": "<DBNAME>", "TableWildcard": {} } }'
```

The above command grants SELECT access on ALL TABLES within the database to the IAM principal.

I wonder if this feature could be added to lakecli; that would make it way easier to work with databases containing a large number of tables. Apart from this limitation, I found lakecli to be useful to view/query permissions in a SQL-like dialect and to grant individual permissions!

Thanks.
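An added example (not lakecli's code, nor from either commenter) showing both approaches raised in the thread in boto3 terms: a single TableWildcard entry that covers every table in a database, and the per-table fallback that splits entries into batches of 20 for batch_grant_permissions. It assumes the caller passes a `boto3.client("lakeformation")` instance with permission to grant; the failure handling follows the API's documented `Failures` response field.

```python
"""Added example (not lakecli code): grant on every table of a Lake Formation
database with one TableWildcard entry, or per table in batches of 20 entries,
the documented maximum per batch_grant_permissions call."""

BATCH_LIMIT = 20  # entries per batch_grant_permissions call


def table_entry(entry_id, database, principal_arn, permissions, table=None):
    """Build one BatchPermissionsRequestEntry. With table=None the resource is
    the TableWildcard (every table in `database`); otherwise a single table."""
    resource = {"DatabaseName": database}
    if table is None:
        resource["TableWildcard"] = {}
    else:
        resource["Name"] = table
    return {
        "Id": str(entry_id),
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": resource},
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": [],  # do not pass on the GRANT option by default
    }


def batches(entries, size=BATCH_LIMIT):
    """Yield consecutive slices of at most `size` entries."""
    for start in range(0, len(entries), size):
        yield entries[start:start + size]


def grant(client, entries):
    """Submit entries in batches; `client` is assumed to be a boto3 lakeformation
    client. Per-entry failures come back in the response rather than as
    exceptions, so collect and return them for the caller to check."""
    failures = []
    for batch in batches(entries):
        resp = client.batch_grant_permissions(Entries=batch)
        failures.extend(resp.get("Failures", []))
    return failures


def grant_all_tables(client, database, principal_arn, permissions=("SELECT",)):
    """One entry, one API call, regardless of how many tables the database has."""
    return grant(client, [table_entry(1, database, principal_arn, permissions)])


def grant_tables(client, database, tables, principal_arn, permissions=("SELECT",)):
    """Per-table alternative: 500 tables become 25 calls of 20 entries each."""
    entries = [table_entry(i, database, principal_arn, permissions, name)
               for i, name in enumerate(tables, 1)]
    return grant(client, entries)
```

Always inspect the returned failures: a partially applied batch is the usual way an unintended gap in table permissions goes unnoticed.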

vrajat commented 3 years ago

Thanks for pointing this out. This is a valid feature request and it should be possible to support. I'll add it to the queue. Happy to also accept contributions :)

hkuchibhotla commented 3 years ago

Hey @vrajat any idea when this enhancement request is being planned? Happy to pair with you on this.

vrajat commented 3 years ago

Hi, I haven't had a chance to work on this feature. Most of my time is spent on tokern/data-lineage. However, I am happy to collaborate, work together to design and accept any contributions. This will also motivate me to support other feature requests like #17 by integrating tokern/dbcat to pull more info from AWS glue.

Will you be able to contribute code for this feature?