將基本 Dataproc Metastore IAM 角色授予使用者

本頁說明如何授予 Google Cloud 使用者帳戶或服務帳戶存取專案中基本 Dataproc Metastore 資源的權限。本頁面說明的角色可授予建立 Dataproc Metastore 服務的權限。

視您希望帳戶擁有的控制範圍而定,授予下列其中一個預先定義的 IAM 角色:

  • roles/metastore.editor 授予 Dataproc Metastore 資源的完整控制權
  • roles/metastore.admin,可授予 Dataproc Metastore 資源的完整控制權,包括更新 IAM 權限。

如要進一步瞭解這些角色提供的特定 IAM 權限,請參閱「Dataproc Metastore IAM 角色」。

事前準備

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Dataproc Metastore API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Dataproc Metastore API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    8.

必要的角色

您必須在使用的Google Cloud 專案中具備 roles/owner (擁有者) 基本 IAM 角色,或是具備可授予下列權限的角色:

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

如要在遵循最小權限原則的情況下取得這些權限,請要求管理員授予您 roles/resourcemanager.projectIamAdmin (專案 IAM 管理員) 角色。

如何授予存取角色

gcloud

如要使用 gcloud CLI,可以安裝並初始化 Google Cloud CLI,也可以使用 Cloud Shell

執行下列 add-iam-policy-binding 指令,將 Dataproc Metastore 預先定義的角色授予 IAM 主體 (使用者帳戶或服務帳戶)。

  gcloud projects add-iam-policy-binding PROJECT_ID \
     --member=PRINCIPAL \
     --role=METASTORE_ROLE

更改下列內容:

  • PROJECT_ID:您要啟用 Metastore 存取權的專案 ID。
  • PRINCIPAL:主體的類型和電子郵件 ID (電子郵件地址)。
    • 使用者帳戶:user:EMAIL_ID
    • 服務帳戶:serviceAccount:EMAIL_ID
    • Google 網路論壇:group:EMAIL_ID
  • METASTORE_ROLE:下列其中一個值,視您要授予主體的角色而定:roles/metastore.editorroles/metastore.admin。如要進一步瞭解這些角色授予的權限,請參閱「Dataproc Metastore IAM 角色」。