feat: allow additional roles for BQ provider

core/policy/service_test.go

@@ -72,7 +72,7 @@ func (s *ServiceTestSuite) TestCreate() {
 			{
 				name: "id contains tab(s)",
 				policy: &domain.Policy{
-					ID:      "a	a",
+					ID: "a	a",
 					Version: 1,
 					Steps:   validSteps,
 				},

plugins/providers/bigquery/client.go

@@ -110,38 +110,21 @@ func (c *bigQueryClient) GetTables(ctx context.Context, datasetID string) ([]*Ta
 	return results, nil
 }
 
-func (c *bigQueryClient) ResolveDatasetRole(role string) (bq.AccessRole, error) {
-	switch role {
-	case DatasetRoleReader:
-		return bq.ReaderRole, nil
-	case DatasetRoleWriter:
-		return bq.WriterRole, nil
-	case DatasetRoleOwner:
-		return bq.OwnerRole, nil
-	default:
-		return "", ErrInvalidRole
-	}
-}
-
 func (c *bigQueryClient) GrantDatasetAccess(ctx context.Context, d *Dataset, user, role string) error {
 	dataset := c.client.Dataset(d.DatasetID)
 	metadata, err := dataset.Metadata(ctx)
 	if err != nil {
 		return err
 	}
 
-	bqRole, err := c.ResolveDatasetRole(role)
-	if err != nil {
-		return err
-	}
 	for _, a := range metadata.Access {
-		if a.Entity == user && a.Role == bqRole {
+		if a.Entity == user && a.Role == bq.AccessRole(role) {
 			return ErrPermissionAlreadyExists
 		}
 	}
 	update := bq.DatasetMetadataToUpdate{
 		Access: append(metadata.Access, &bq.AccessEntry{
-			Role:       bqRole,
+			Role:       bq.AccessRole(role),
 			EntityType: bq.UserEmailEntity,
 			Entity:     user,
 		}),
@@ -157,14 +140,10 @@ func (c *bigQueryClient) RevokeDatasetAccess(ctx context.Context, d *Dataset, us
 	if err != nil {
 		return err
 	}
-	bqRole, err := c.ResolveDatasetRole(role)
-	if err != nil {
-		return err
-	}
 
 	remainingAccessEntries := []*bq.AccessEntry{}
 	for _, a := range metadata.Access {
-		if a.Entity == user && a.Role == bqRole {
+		if a.Entity == user && a.Role == bq.AccessRole(role) {
 			continue
 		}
 		remainingAccessEntries = append(remainingAccessEntries, a)
@@ -327,6 +306,34 @@ func (c *bigQueryClient) ListAccess(ctx context.Context, resources []*domain.Res
 	return access, nil
 }
 
+func (c *bigQueryClient) getGrantAbleRoleForDataset() ([]bq.AccessRole, error) {
+	var roles = []bq.AccessRole{bq.OwnerRole, bq.WriterRole, bq.ReaderRole}
+	var resourceName string
+	ctx := context.Background()
+	datasetIterator := c.client.Datasets(ctx)
+	for {
+		dataset, err := datasetIterator.Next()
+		if err == iterator.Done || err != nil {
+			break
+		}
+
+		resourceName = fmt.Sprintf("//bigquery.googleapis.com/projects/%v/datasets/%v", dataset.ProjectID, dataset.DatasetID)
+		request := &iam.QueryGrantableRolesRequest{
+			FullResourceName: resourceName,
+		}
+		response, err := c.iamService.Roles.QueryGrantableRoles(request).Do()
+		if err != nil {
+			return roles, err
+		}
+
+		for _, role := range response.Roles {
+			roles = append(roles, bq.AccessRole(role.Name))
+		}
+		return roles, nil
+	}
+	return roles, nil
+}
+
 func (c *bigQueryClient) getGrantableRolesForTables() ([]string, error) {
 	var resourceName string
 	ctx := context.Background()

plugins/providers/bigquery/config.go

@@ -13,10 +13,6 @@ import (
 )
 
 const (
-	DatasetRoleReader = "READER"
-	DatasetRoleWriter = "WRITER"
-	DatasetRoleOwner  = "OWNER"
-
 	AccountTypeUser           = "user"
 	AccountTypeServiceAccount = "serviceAccount"
 )
@@ -173,7 +169,18 @@ func (c *Config) validatePermission(value interface{}, resourceType string, clie
 	}
 
 	if resourceType == ResourceTypeDataset {
-		if !utils.ContainsString([]string{DatasetRoleReader, DatasetRoleWriter, DatasetRoleOwner}, permision) {
+		roles, err := client.getGrantAbleRoleForDataset()
+		if err != nil {
+			return nil, ErrCannotFetchDatabasePermission
+		}
+		findMatchingRole := false
+		for _, role := range roles {
+			if string(role) == permision {
+				findMatchingRole = true
+				break
+			}
+		}
+		if !findMatchingRole {
 			return nil, fmt.Errorf("%v: %v", ErrInvalidDatasetPermission, permision)
 		}
 	} else if resourceType == ResourceTypeTable {

plugins/providers/bigquery/errors.go

@@ -12,19 +12,20 @@ var (
 	// ErrUnableToDecryptNilCredentials is the error value if the to be decrypted credentials is nil
 	ErrUnableToDecryptNilCredentials = errors.New("unable to decrypt nil credentials")
 	// ErrInvalidCredentialsType is the error value if the credentials value can't be casted into the bigquery.Credentials type
-	ErrInvalidCredentialsType      = errors.New("invalid credentials type")
-	ErrInvalidRole                 = errors.New("invalid role")
-	ErrInvalidResourceType         = errors.New("invalid resource type")
-	ErrInvalidTableURN             = errors.New("table URN is invalid")
-	ErrPermissionAlreadyExists     = errors.New("permission already exists")
-	ErrPermissionNotFound          = errors.New("permission not found")
-	ErrNilProviderConfig           = errors.New("provider config can't be nil")
-	ErrNilAppeal                   = errors.New("appeal can't be nil")
-	ErrNilResource                 = errors.New("designated resource can't be nil")
-	ErrProviderTypeMismatch        = errors.New("provider type in the config and in the appeal don't match")
-	ErrProviderURNMismatch         = errors.New("provider urn in the config and in the appeal don't match")
-	ErrInvalidDatasetPermission    = errors.New("provided permission is not supported for dataset resource")
-	ErrInvalidTablePermission      = errors.New("provided permission is not supported for table resource")
-	ErrEmptyResource               = errors.New("this bigquery project has no resources")
-	ErrCannotVerifyTablePermission = errors.New("cannot verify the table permissions since this bigquery project does not have any tables")
+	ErrInvalidCredentialsType        = errors.New("invalid credentials type")
+	ErrInvalidRole                   = errors.New("invalid role")
+	ErrInvalidResourceType           = errors.New("invalid resource type")
+	ErrInvalidTableURN               = errors.New("table URN is invalid")
+	ErrPermissionAlreadyExists       = errors.New("permission already exists")
+	ErrPermissionNotFound            = errors.New("permission not found")
+	ErrNilProviderConfig             = errors.New("provider config can't be nil")
+	ErrNilAppeal                     = errors.New("appeal can't be nil")
+	ErrNilResource                   = errors.New("designated resource can't be nil")
+	ErrProviderTypeMismatch          = errors.New("provider type in the config and in the appeal don't match")
+	ErrProviderURNMismatch           = errors.New("provider urn in the config and in the appeal don't match")
+	ErrInvalidDatasetPermission      = errors.New("provided permission is not supported for dataset resource")
+	ErrInvalidTablePermission        = errors.New("provided permission is not supported for table resource")
+	ErrEmptyResource                 = errors.New("this bigquery project has no resources")
+	ErrCannotVerifyTablePermission   = errors.New("cannot verify the table permissions since this bigquery project does not have any tables")
+	ErrCannotFetchDatabasePermission = errors.New("failed to fetch grant-able roles for dataset")
 )

plugins/providers/bigquery/provider.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"strings"
 
-	bq "cloud.google.com/go/bigquery"
 	"github.com/mitchellh/mapstructure"
 	"github.com/odpf/guardian/core/provider"
 	"github.com/odpf/guardian/domain"
@@ -20,7 +19,6 @@ type BigQueryClient interface {
 	RevokeDatasetAccess(ctx context.Context, d *Dataset, user, role string) error
 	GrantTableAccess(ctx context.Context, t *Table, accountType, accountID, role string) error
 	RevokeTableAccess(ctx context.Context, t *Table, accountType, accountID, role string) error
-	ResolveDatasetRole(role string) (bq.AccessRole, error)
 	ListAccess(ctx context.Context, resources []*domain.Resource) (domain.MapResourceAccess, error)
 }