feat: managed service accounts for BYOB users#2508
Merged
Author: @Logflare/dashbit will need to merge this in first but a review would be appreciated 🙏
wojtekmach reviewed Jul 9, 2025
Comment on lines +49 to +60
| def append_managed_sa_to_iam_policy(user) do | ||
| with {:enabled?, true} <- {:enabled?, BigQueryAdaptor.managed_service_accounts_enabled?()}, | ||
| {:ok, policy} <- get_iam_policy(user), | ||
| {:contains?, _policy, false} <- | ||
| {:contains?, policy, contains_managed_service_accounts?(policy)} do | ||
| append_managed_service_accounts(user.bigquery_project_id, policy) | ||
| else | ||
| {:contains?, policy, _} -> {:ok, policy} | ||
| {:enabled?, false} -> {:error, :managed_service_accounts_disabled} | ||
| {:error, _err} = err -> err | ||
| end | ||
| end |
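Review bot: the with body passes the policy returned by `get_iam_policy(user)` straight to `append_managed_service_accounts(user.bigquery_project_id, policy)`; since setIamPolicy on GCP replaces the entire policy, please confirm that function merges into the fetched bindings and resubmits the fetched `etag` rather than constructing a new policy, otherwise the "non-destructive" guarantee in the description does not hold when someone edits the project's IAM policy concurrently. Separately, `{:enabled?, false} -> {:error, :managed_service_accounts_disabled}` reports a user who simply has not opted in as an error; callers will have to special-case that return, so either document it in a `@doc` or consider a distinct `{:ok, :disabled}`-style value.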
This is pretty subjective, but in our experience with/1 + "tagged tuples" decreases readability, as one has to go back and forth between the "happy" path and the corresponding else clause. For me, with/1 is ideal without an else clause or with a single catch-all else clause; anything other than that gives me pause about what's going on every single time.
I haven't tested it, but I think this would be the equivalent:
    def append_managed_sa_to_iam_policy(user) do
      if BigQueryAdaptor.managed_service_accounts_enabled?() do
        with {:ok, policy} <- get_iam_policy(user) do
          if contains_managed_service_accounts?(policy) do
            {:ok, policy}
          else
            append_managed_service_accounts(user.bigquery_project_id, policy)
          end
        end
      else
        {:error, :managed_service_accounts_disabled}
      end
    end

Again, pretty subjective though!
| def change do | ||
| alter table(:users) do | ||
| add :bigquery_enable_managed_service_accounts, :boolean, default: false |
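Review bot: the new `bigquery_enable_managed_service_accounts` column in this hunk carries no documentation of what opting in actually authorizes, namely that Logflare will read and rewrite the IAM policy of the user's BigQuery project (which the description says needs IAM admin permissions). Consider passing `comment: "..."` to `add` (Ecto.Migration supports it) or documenting the flag next to the setting so an operator reviewing the schema understands the privilege implication.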
consider adding null: false which would be safe since there's a default.
This PR adds managed SAs to BYOB users' projects. It ensures that the IAM policy update is non-destructive. It also requires the permissions to fetch and set the IAM policies (i.e. IAM admin), and thus this is optional depending on whether the user has enabled it.
Queries are routed through partitioned Goth servers; each service account gets its own partitioned Goth server to ensure that token refreshing does not bottleneck requests.
This is only true when:
Otherwise, queries are all routed through Logflare.Goth (which is the main service account).
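The description above promises that the IAM policy update is non-destructive. The footgun it is guarding against is that GCP's setIamPolicy replaces the whole policy: an update that builds a fresh policy instead of merging into the one returned by getIamPolicy drops every existing binding, and one that omits the fetched etag silently overwrites concurrent edits. The following is an added example, not Logflare's code and not taken from this pull request, of a pure merge that keeps existing bindings and the etag and is idempotent, so running it twice (as `append_managed_sa_to_iam_policy/1` might after a retry) yields the same policy. The module name, the role `roles/bigquery.jobUser`, the member strings and the sample policy are all constructed for illustration.

```elixir
# Added example (not Logflare's code): non-destructive, idempotent merge of
# service-account members into a policy fetched with getIamPolicy. The result
# is what you would send back with setIamPolicy; the "etag" is kept so the API
# rejects the write if the policy changed underneath us.
defmodule IamPolicyMerge do
  @type policy :: %{optional(String.t()) => term()}

  @doc """
  Adds `members` to the binding for `role`, creating the binding if missing.
  Every other binding and every top-level key ("etag", "version") is preserved.
  """
  @spec append_members(policy, String.t(), [String.t()]) :: policy
  def append_members(policy, role, members) when is_list(members) do
    bindings = Map.get(policy, "bindings", [])

    {updated, found?} =
      Enum.map_reduce(bindings, false, fn
        %{"role" => ^role} = binding, _found? ->
          existing = Map.get(binding, "members", [])
          # Append only the members that are not already present; never remove any.
          merged = existing ++ Enum.reject(members, &(&1 in existing))
          {Map.put(binding, "members", merged), true}

        binding, found? ->
          {binding, found?}
      end)

    updated =
      if found?, do: updated, else: updated ++ [%{"role" => role, "members" => members}]

    # Map.put on "bindings" alone leaves "etag" and "version" untouched.
    Map.put(policy, "bindings", updated)
  end

  @doc "True when every member is already bound to `role` (the 'already applied' check)."
  @spec contains_members?(policy, String.t(), [String.t()]) :: boolean()
  def contains_members?(policy, role, members) do
    existing =
      policy
      |> Map.get("bindings", [])
      |> Enum.filter(&(&1["role"] == role))
      |> Enum.flat_map(&Map.get(&1, "members", []))

    Enum.all?(members, &(&1 in existing))
  end
end

# Constructed sample policy, shaped like a getIamPolicy response (values made up).
policy = %{
  "version" => 1,
  "etag" => "BwX1exampleEtag=",
  "bindings" => [
    %{"role" => "roles/owner", "members" => ["user:owner@example.com"]},
    %{
      "role" => "roles/bigquery.jobUser",
      "members" => ["serviceAccount:existing@example.iam.gserviceaccount.com"]
    }
  ]
}

# Hypothetical managed service accounts (assumed names, not from the PR).
managed = [
  "serviceAccount:managed-0@logflare-example.iam.gserviceaccount.com",
  "serviceAccount:managed-1@logflare-example.iam.gserviceaccount.com"
]

once = IamPolicyMerge.append_members(policy, "roles/bigquery.jobUser", managed)
twice = IamPolicyMerge.append_members(once, "roles/bigquery.jobUser", managed)

# Idempotent, nothing dropped, etag preserved, owner binding still present.
true = once == twice
true = IamPolicyMerge.contains_members?(once, "roles/bigquery.jobUser", managed)
false = IamPolicyMerge.contains_members?(policy, "roles/bigquery.jobUser", managed)
"BwX1exampleEtag=" = once["etag"]
2 = length(once["bindings"])
3 = once["bindings"] |> Enum.find(&(&1["role"] == "roles/bigquery.jobUser")) |> Map.fetch!("members") |> length()
```

The `contains_members?/3` check is the natural implementation of the "already contains managed service accounts" short-circuit: it is per-member, so a policy that has only some of the managed accounts is still completed rather than skipped. The merge itself never touches the API; the caller is expected to pass the returned map, etag included, to setIamPolicy and treat an etag-mismatch error as "refetch and retry".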