-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CT-2619] [Feature] Group and access configuration for sources and exposures #7750
Comments
@Thrasi Thanks for opening, and sorry for the delay getting back to you! Could you talk to me more about your use case for "private" sources? Are these source tables containing sensitive data (PII), and is your idea to prepare them (perhaps anonymize in a staging layer) before surfacing to the rest of the project / analytics universe? If so, thinking within the realm of model access: I'm wondering if these are "private" sources, or if this is really a use case for splitting out these sources & staging models into an entirely separate project, and surfacing those as public models for use in other projects? In the initial implementation for v1.5, we didn't include
|
Hi! @jtcohen6 Thanks for the response!
One of the reasons we haven't is that we want access to the full lineage graph. I can still describe the situation: |
Given that this has lingered for a little bit, I'll add my two cents. Suppose you're working in a large (1000+++ models) project with dozens of analytics engineers across multiple distributed teams owning different parts of the DAG. Now, suppose that the project leverages groups and access to create interfaces to core marts that can be used between groups. While we'd love for everyone to follow best practices, without flowchart LR
classDef source fill:#60b826, stroke:#60b826, color:#fff
classDef model fill:#0094b3, stroke:#0094b3, color:#fff
classDef privateModel fill:#ffffff00, stroke:#0094b3, color:#0094b3
style product fill:#ffffff00, stroke:#bbb
style revenue fill:#ffffff00, stroke:#bbb
style customer_success fill:#ffffff00, stroke:#bbb
crm.deals:::source
crm.customers:::source
product.events:::source
subgraph product
stg_product__events:::privateModel
user_events:::model
end
subgraph revenue
stg_crm__deals:::privateModel
stg_crm__customers:::privateModel
deals:::model
end
subgraph customer_success
report_product_outcomes:::model
end
crm.deals --> stg_crm__deals
crm.customers --> stg_crm__customers
product.events --> stg_product__events
stg_crm__deals --> deals
stg_crm__customers --> deals
stg_product__events --> user_events
crm.deals -- Bypass access and groups by using `source` --> report_product_outcomes
user_events --> report_product_outcomes
Other optionsSomething something macros?I'm confident that an enterprising community member could implement a macro that runs Use multiple projects
My primary rebuttal to this is that there is no dbt-core-specific way to actually do this!
|
Okay, @Thrasi and @nicholasyager we buy it! After discussing this further with @graciegoheen and @jtcohen6, we are aligned for adding support for groups + access on sources 👍 For consistency, we'll add it to exposures too so that all resource types can be grouped (see #8550) We haven't seen convincing use-cases for exposures yet, so we will document as a best practice that you probably shouldn't be "exposing" a private model 🙂 |
Acceptance criteriaAs described here, referencing a resource outside of its supported access should raise an error (but otherwise should not). So a private source should not be referencable outside of its group. And a private model should be referencable by an exposure inside of its group. |
Notes from technical refinement:
|
Thanks for all of the input, I'm going to close this one in favor of an implementation ticket -> #9339 |
Is this your first time submitting a feature request?
Describe the feature
Hi
We would like to be able to control access to sources as well as models using group access. So private sources will only be accessible from within their assigned group.
Currently this is possible for models, seeds, snapshots, tests, analysis and metrics, but not sources.
Groups
Model Access
Acceptance criteria
group and access work for sources
group works for exposures
As described here, referencing a resource outside of its supported access should raise an error (but otherwise should not).
So a private source should not be referencable outside of its group. And a private model should be referencable by an exposure inside of its group.
The text was updated successfully, but these errors were encountered: