将 Google BigQuery 连接的 OAuth 范围限制为只读

在 Looker 24.20 之前,为 Google BigQuery 连接设置 OAuth 身份验证时,Looker 会创建 OAuth 凭据,以允许数据库用户请求读写权限范围。从 Looker 24.20 开始,Looker 会改为为任何新的 BigQuery OAuth 连接请求 OAuth 只读权限范围,为现有 BigQuery OAuth 连接请求新的 OAuth 授权,以及为现有 BigQuery OAuth 连接重新授权。

自 2025 年 3 月 1 日起,Looker 将从所有相应的 BigQuery 连接中退出尚未使用 OAuth 只读权限范围重新授权的所有用户。这会导致依赖于这些连接的所有时间表都失败。这些用户中的每一个都需要重新授权其 OAuth 连接凭据,以确保投放时间表的顺利投放。您还可以向重新授权了 OAuth 连接凭据的用户重新分配时间表

为确保顺利过渡到更新后的 OAuth 凭据,请按照后续部分中的步骤操作:

重新授权您的 OAuth 连接凭据

如需更新您的 OAuth 凭据以使用只读范围,请按以下步骤操作:

  1. 前往账号页面
  2. OAuth 连接凭据部分,点击每组凭据旁边的重新授权
  3. 系统会提示您重新授权 Looker 访问 BigQuery 数据。确认屏幕应列出“在 Google BigQuery 中查看您的数据”权限,而不是“在 Google BigQuery 中查看和管理您的数据”权限。

拥有 BigQuery 连接 OAuth 凭据的每位用户都需要完成这些步骤。

生成可能受影响的所有用户的时间表列表

如需生成在您的 BigQuery 连接中创建了时间表但没有只读 OAuth 凭据的所有用户的列表,请访问以下“系统活动探索”页面,并将 INSTANCE_NAME 替换为 Looker 实例的地址(例如 https://example.cloud.looker.com)。

INSTANCE_NAME/explore/system__activity/scheduled_plan_oauth_events?fields=user.name,count,query.model&f[query.model]=-NULL&f[count]=0&sorts=user.name&limit=500&column_limit=50&query_timezone=America%2FLos_Angeles&vis=%7B%22show_view_names%22%3Afalse%2C%22show_row_numbers%22%3Atrue%2C%22transpose%22%3Afalse%2C%22truncate_text%22%3Atrue%2C%22hide_totals%22%3Afalse%2C%22hide_row_totals%22%3Afalse%2C%22size_to_fit%22%3Atrue%2C%22table_theme%22%3A%22white%22%2C%22limit_displayed_rows%22%3Afalse%2C%22enable_conditional_formatting%22%3Afalse%2C%22header_text_alignment%22%3A%22left%22%2C%22header_font_size%22%3A12%2C%22rows_font_size%22%3A12%2C%22conditional_formatting_include_totals%22%3Afalse%2C%22conditional_formatting_include_nulls%22%3Afalse%2C%22x_axis_gridlines%22%3Afalse%2C%22y_axis_gridlines%22%3Atrue%2C%22show_y_axis_labels%22%3Atrue%2C%22show_y_axis_ticks%22%3Atrue%2C%22y_axis_tick_density%22%3A%22default%22%2C%22y_axis_tick_density_custom%22%3A5%2C%22show_x_axis_label%22%3Atrue%2C%22show_x_axis_ticks%22%3Atrue%2C%22y_axis_scale_mode%22%3A%22linear%22%2C%22x_axis_reversed%22%3Afalse%2C%22y_axis_reversed%22%3Afalse%2C%22plot_size_by_field%22%3Afalse%2C%22trellis%22%3A%22%22%2C%22stacking%22%3A%22%22%2C%22legend_position%22%3A%22center%22%2C%22point_style%22%3A%22none%22%2C%22show_value_labels%22%3Afalse%2C%22label_density%22%3A25%2C%22x_axis_scale%22%3A%22auto%22%2C%22y_axis_combined%22%3Atrue%2C%22ordering%22%3A%22none%22%2C%22show_null_labels%22%3Afalse%2C%22show_totals_labels%22%3Afalse%2C%22show_silhouette%22%3Afalse%2C%22totals_color%22%3A%22%23808080%22%2C%22type%22%3A%22looker_grid%22%2C%22defaults_version%22%3A1%2C%22series_types%22%3A%7B%7D%2C%22hidden_fields%22%3A%5B%22count%22%5D%7D&filter_config=%7B%22query.model%22%3A%5B%7B%22type%22%3A%22%21null%22%2C%22values%22%3A%5B%7B%7D%2C%7B%7D%5D%2C%22id%22%3A0%7D%5D%2C%22count%22%3A%5B%7B%22type%22%3A%22%3D%22%2C%22values%22%3A%5B%7B%22constant%22%3A%220%22%7D%2C%7B%7D%5D%2C%22id%22%3A1%7D%5D%2C%22__%21internal%21__%22%3A%5B%22OR%22%2C%5B%5B%22AND%22%2C%5B%5B%22FILTER%22%2C%7B%22field%22%3A%22query.model%22%2C%22value%22%3A%22-NULL%22%2C%22type%22%3A%22%21null%22%7D%5D%2C%5B%22FILTER%22%2C%7B%22field%22%3A%22count%22%2C%22value%22%3A%220%22%7D%5D%5D%5D%5D%5D%7D&dynamic_fields=%5B%7B%22category%22%3A%22measure%22%2C%22expression%22%3Anull%2C%22label%22%3A%22Count%22%2C%22value_format%22%3Anull%2C%22value_format_name%22%3Anull%2C%22based_on%22%3A%22event_attribute.value%22%2C%22_kind_hint%22%3A%22measure%22%2C%22measure%22%3A%22count%22%2C%22type%22%3A%22count_distinct%22%2C%22_type_hint%22%3A%22number%22%2C%22filters%22%3A%7B%22event_attribute.value%22%3A%22%25%2Fauth%2Fbigquery.readonly%25%22%7D%7D%5D&origin=share-expanded

这些用户中的每个用户都需要重新授权其 OAuth 连接凭据,以确保投放时间表的正常投放。

(可选)强制在 Looker 实例中使用只读权限范围

如需让所有拥有允许对任何 BigQuery 连接执行读写操作的 OAuth 凭据的用户退出账号,请按以下步骤操作:

  1. 前往管理设置 - 常规设置 页面。
  2. 强制使用 BigQuery 只读权限范围设置切换为“已启用”,然后点击更新

此过程不会让用户重新登录 BigQuery。当用户下次运行基于具有 BigQuery 连接的模型的查询时,系统会提示他们登录 BigQuery。在用户登录之前,依赖于这些连接的所有时间表都将失败。您还可以将时间表重新分配给自己或其他已重新授权其 OAuth 关联凭据的用户