Authentication versus Authorization
It is easy to confuse authentication (how do I know you're who you say
you are?) and authorization (how do I know what you're allowed to
do?). The term “auth” is often used so that you don't have to try to
remember which one is correct. Part of the problem is that the words
look similar, but they also are easy to mix up because most physical
examples you have do both types of “auth” at the same time. For
example, your driver's license is a token that both authenticates you
(establishes your identity) and authorizes you to drive a car (certifies
you passed your driving requirements in your state).
To see how authentication and authorization can be separated, imagine
what happens when your driver's license expires. You obviously
shouldn't drive without getting it renewed. But it is only the
authorization portion that has expired. It should be (although I
wouldn't try arguing this with a bouncer at a bar) completely acceptable
as a form of authentication; it still uniquely identifies you as the person
on the card.
In BigQuery, authorization and authentication are distinct
mechanisms. Authorization is done via project teams and dataset ACLs,
which are described in Chapter 4, “Understanding the BigQuery Object
Model.” Authentication is done via the mysterious mechanisms
described next.
Why Is Authentication So Hard?
To understand why authentication can be so tricky, it helps to consider some
history. Back in the wild and freewheeling days of the World Wide Web,
you didn't need fancy authentication schemes. You just sent your username
and password along with every request and everyone loved it. This was
called HTTP Basic Authentication: the client puts "username:password",
base64-encoded, in an Authorization header on each request (browsers would
even build that header for you from a URL of the form
http://user:password@host/). It was easy to use. Of course, from a security
perspective, it is terrible. Base64 is an encoding, not encryption, so over
plain HTTP your password is effectively sent in the clear on every request.
Anyone listening on the network can decode it, and from then on they can
impersonate you. Even over TLS, which hides the header from eavesdroppers,
the same long-lived password is still handed to the server on every request
and has to be stored by every client that uses it.
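As an added illustration (this is example code, not from the book), the following Python script shows what "in the clear" means for HTTP Basic Authentication. One function builds the Authorization header value a client sends, per RFC 7617; the other plays the role of a passive listener on an unencrypted link and recovers the username and password from a captured request. The host name, credentials and captured request are constructed sample data.

```python
"""
Added worked example: how HTTP Basic Authentication carries credentials
and why a network eavesdropper can recover them. All data is constructed.
"""
import base64
import binascii


def basic_auth_header(username, password):
    """Build the Authorization header value a client sends for Basic auth.

    RFC 7617: the value is 'Basic ' + base64(username ':' password).
    The username may not contain ':' because the colon is the separator;
    the password may contain any characters.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(raw_request):
    """Return (username, password) from the Basic Authorization header of a
    captured plaintext HTTP request, or None if there is no usable header.

    This is all a passive listener on an unencrypted link needs to do:
    no key, no brute force, just a base64 decode.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue                              # e.g. Bearer tokens: not Basic
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                           # malformed header, nothing recovered
        # Split on the FIRST colon only: passwords may legitimately contain ':'.
        username, _, password = decoded.partition(":")
        return username, password
    return None


# Constructed sample: what a sniffer sees on the wire for an HTTP (not HTTPS)
# request from a client using Basic auth. Host and credentials are made up.
CAPTURED_REQUEST = (
    "GET /api/v1/reports HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Authorization: " + basic_auth_header("alice", "s3cret:with:colons") + "\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    print(basic_auth_header("alice", "s3cret:with:colons"))
    print(recover_credentials(CAPTURED_REQUEST))
```

Note that nothing in recover_credentials depends on the attacker knowing anything about the victim: every request repeats the same secret, so capturing any one of them is enough to impersonate the user until the password is changed.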