Grant basic Dataproc Metastore IAM roles to users

This page describes how to grant a Google Cloud user account or service account access to basic Dataproc Metastore resources in a project. The roles described on this page provide the permissions needed to create Dataproc Metastore services.

Depending on the scope of control you want the account to have, you can grant it one of the following predefined IAM roles:

  • roles/metastore.editor, which grants full control of Dataproc Metastore resources
  • roles/metastore.admin, which grants full control of Dataproc Metastore resources, including updating IAM permissions.

For details about the specific IAM permissions these roles provide, see Dataproc Metastore IAM roles.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Dataproc Metastore API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

Required roles

You must have the roles/owner (Owner) basic IAM role on the Google Cloud project you are using, or a role that grants the following permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

To get these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

How to grant an access role

gcloud

To use the gcloud CLI, install and initialize the Google Cloud CLI, or use Cloud Shell.

Run the following add-iam-policy-binding command to grant a Dataproc Metastore predefined role to an IAM principal (a user account or a service account).

  gcloud projects add-iam-policy-binding PROJECT_ID \
     --member=PRINCIPAL \
     --role=METASTORE_ROLE

Replace the following:

  • PROJECT_ID: the ID of the project in which you want to enable Metastore access.
  • PRINCIPAL: the type and email ID (email address) of the principal.
    • For a user account: user:EMAIL_ID
    • For a service account: serviceAccount:EMAIL_ID
    • For a Google group: group:EMAIL_ID
  • METASTORE_ROLE: one of the following values, depending on the role you want to grant to the principal: roles/metastore.editor or roles/metastore.admin. For details about the permissions these roles grant, see Dataproc Metastore IAM roles.
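After granting a binding, a practitioner typically reviews who now holds the two Metastore roles. The following audit function is an added example, not part of this page or of Google's tooling; it takes the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` (the policy below is a constructed sample, with made-up principals) and flags bindings that deviate from the user/serviceAccount/group principal types this page describes, or that hand the IAM-updating admin role to a service account.

```python
import json
from typing import Dict, List

# The two predefined roles this page discusses. The admin role additionally
# lets the holder update IAM permissions on Metastore resources.
METASTORE_ROLES = {
    "roles/metastore.editor": "full control of Dataproc Metastore resources",
    "roles/metastore.admin": "full control plus updating IAM permissions",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Principal prefixes the page documents for PRINCIPAL.
ALLOWED_PREFIXES = ("user:", "serviceAccount:", "group:")


def audit_metastore_bindings(policy: Dict) -> List[Dict]:
    """Return one finding per member of each Metastore role binding.

    Each finding carries the role, the member, and a list of issues (empty
    when the grant matches what this page describes).
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in METASTORE_ROLES:
            continue  # unrelated role, e.g. roles/viewer
        for member in binding.get("members", []):
            issues = []
            if member in PUBLIC_PRINCIPALS:
                issues.append("public principal")
            elif not member.startswith(ALLOWED_PREFIXES):
                issues.append("unexpected principal type")
            if role == "roles/metastore.admin" and member.startswith("serviceAccount:"):
                issues.append("service account can update Metastore IAM")
            findings.append({"role": role, "member": member, "issues": issues})
    return findings


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/metastore.editor",
     "members": ["user:alice@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/metastore.admin",
     "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:readers@example.com"]}
  ],
  "etag": "CONSTRUCTED_ETAG", "version": 1
}
""")

if __name__ == "__main__":
    for f in audit_metastore_bindings(SAMPLE_POLICY):
        print(f"{f['role']:<24} {f['member']:<60} {'; '.join(f['issues']) or 'ok'}")
```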