camelAI Legacy Product — This documentation covers camelAI’s embedded analytics offering, which is no longer being actively developed. We are migrating existing customers to the new camelAI platform. For the current product, visit camelAI.
BigQuery doesn’t support dynamic session variables like PostgreSQL or ClickHouse. Instead, it uses row access policies based on the authenticated user’s identity. To implement per-user RLS with Camel, you’ll need to create separate connections with different credentials.
BigQuery RLS requires managing multiple service accounts or user credentials, which adds complexity compared to PostgreSQL and ClickHouse implementations.
How Camel Handles BigQuery RLS
Unlike PostgreSQL and ClickHouse where Camel sets a session variable for each query, BigQuery requires a different approach:
- Service Account Authentication: Each connection uses a specific service account with its own credentials
- Row Access Policies: BigQuery filters data based on the authenticated service account’s identity
- Multiple Connections: You create separate Camel connections for different user groups or tenants
- Query Routing: Camel routes queries to the appropriate connection based on the
srcs parameter
Setting Up RLS
Step 1: Create Service Accounts
Create separate service accounts for each access level or tenant:
Step 2: Grant BigQuery Permissions
Step 3: Create Row Access Policies
Create policies that filter data based on the service account:
In Camel, create a connection for each service account:
- Navigate to your data sources
- Add a new BigQuery connection
- Configure with service account credentials:
- Name:
bigquery_tenant_a
- Service Account: Upload the
tenant-key.json file
- Project ID: Your GCP project ID
Repeat this process for each tenant or user group that needs separate access.
Complete Example: Multi-Tenant Setup
Let’s implement a multi-tenant system where different service accounts represent different tenants.
1. Create the Data Table
2. Create Service Accounts
3. Create Row Access Policies
4. Grant BigQuery Permissions
Set up the connections in Camel:
-
Tenant A Connection:
- Name:
bigquery_tenant_a
- Service Account:
tenant-a-reader@project.iam.gserviceaccount.com
- Key File: Upload
tenant-a-key.json
-
Tenant B Connection:
- Name:
bigquery_tenant_b
- Service Account:
tenant-b-reader@project.iam.gserviceaccount.com
- Key File: Upload
tenant-b-key.json
6. Use Tenant-Specific Connections
When creating an iframe, specify which data source to use based on the user’s tenant:
Testing Your Policies
Using BigQuery Console
Test your policies by impersonating different service accounts:
Verify Policy Application
Check which policies are applied to a table:
Troubleshooting
Common Issues
-
“Access Denied” Errors:
- Verify service account has BigQuery Data Viewer role
- Check row access policy syntax
- Ensure service account is included in GRANT TO clause
-
All Data Visible:
- Confirm row access policies are enabled on the table
- Check if user has additional roles (e.g., Owner, Editor)
- Verify FILTER USING clause logic
-
No Data Returned:
- Test the filter condition separately
- Verify service account email matches policy
- Check data exists matching the filter criteria
Learn More
For assistance with BigQuery RLS implementation, contact support@camelai.com.