תפקידי IAM ב-Dataproc Metastore

ב-Dataproc Metastore מוגדרים כמה תפקידים בניהול זהויות והרשאות גישה (IAM). כל תפקיד שמוגדר מראש מכיל קבוצה של הרשאות IAM שמאפשרות לחשבונות משתמשים לבצע פעולות מסוימות. אתם יכולים להשתמש במדיניות IAM כדי להעניק לחשבון משתמש תפקיד אחד או יותר ב-IAM.

בנוסף, ניהול הזהויות והרשאות הגישה (IAM) מאפשר ליצור תפקידי IAM בהתאמה אישית. אתם יכולים ליצור תפקידי IAM בהתאמה אישית ולהקצות לתפקיד הרשאה אחת או יותר. לאחר מכן תוכלו להעניק את התפקיד החדש לחשבונות המשתמש שלכם. אתם יכולים להשתמש בתפקידים בהתאמה אישית כדי ליצור מודל של בקרת גישה שמותאם ישירות לצרכים שלכם, בנוסף לתפקידים המוגדרים מראש שזמינים.

בדף הזה מתמקדים בתפקידי IAM שרלוונטיים ל-Dataproc Metastore.

לפני שמתחילים

  • קוראים את התיעוד בנושא IAM.

תפקידים ב-Dataproc Metastore

תפקידים ב-IAM Dataproc Metastore הם חבילה של הרשאה אחת או יותר. אתם מקצים תפקידים לחשבונות משתמשים כדי לאפשר להם לבצע פעולות על משאבי Dataproc Metastore בפרויקט שלכם. לדוגמה, התפקיד Dataproc Metastore User כולל את ההרשאות metastore.*.get ו-metastore.*.list, שמאפשרות למשתמש לקבל ולרשום שירותים, ייבוא מטא-נתונים, גיבויים ופעולות של Dataproc Metastore בפרויקט.

בטבלה הבאה מפורטים כל התפקידים ב-Dataproc Metastore וההרשאות שמשויכות לכל תפקיד:

Role Permissions

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.getIamPolicy
  • metastore.backups.list
  • metastore.backups.setIamPolicy
  • metastore.backups.use

metastore.federations.*

  • metastore.federations.create
  • metastore.federations.createTagBinding
  • metastore.federations.delete
  • metastore.federations.deleteTagBinding
  • metastore.federations.get
  • metastore.federations.getIamPolicy
  • metastore.federations.list
  • metastore.federations.listEffectiveTags
  • metastore.federations.listTagBindings
  • metastore.federations.setIamPolicy
  • metastore.federations.update
  • metastore.federations.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.migrations.*

  • metastore.migrations.cancel
  • metastore.migrations.complete
  • metastore.migrations.delete
  • metastore.migrations.get
  • metastore.migrations.list
  • metastore.migrations.start

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.createTagBinding

metastore.services.delete

metastore.services.deleteTagBinding

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.listEffectiveTags

metastore.federations.listTagBindings

metastore.federations.update

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.migrations.*

  • metastore.migrations.cancel
  • metastore.migrations.complete
  • metastore.migrations.delete
  • metastore.migrations.get
  • metastore.migrations.list
  • metastore.migrations.start

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.createTagBinding

metastore.services.delete

metastore.services.deleteTagBinding

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.viewer)

Viewer role for Dataproc Metastore

metastore.backups.get

metastore.backups.getIamPolicy

metastore.backups.list

metastore.backups.use

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.federations.listEffectiveTags

metastore.federations.listTagBindings

metastore.imports.get

metastore.imports.list

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.migrations.get

metastore.migrations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

  • metastore.databases.create
  • metastore.databases.delete
  • metastore.databases.get
  • metastore.databases.getIamPolicy
  • metastore.databases.list
  • metastore.databases.setIamPolicy
  • metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.use

metastore.tables.*

  • metastore.tables.create
  • metastore.tables.delete
  • metastore.tables.get
  • metastore.tables.getIamPolicy
  • metastore.tables.list
  • metastore.tables.setIamPolicy
  • metastore.tables.update

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

(roles/metastore.migrationAdmin)

Access to Dataproc Metastore Managed Migration resources and workflow.

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

compute.autoscalers.create

compute.autoscalers.delete

compute.disks.create

compute.disks.delete

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.use

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.use

compute.instanceGroups.delete

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setMetadata

compute.machineTypes.list

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.use

compute.regionHealthChecks.create

compute.regionHealthChecks.delete

compute.regionHealthChecks.use

compute.regionHealthChecks.useReadOnly

compute.serviceAttachments.create

compute.serviceAttachments.delete

compute.subnetworks.get

compute.subnetworks.use

compute.zones.list

datastream.connectionProfiles.create

datastream.connectionProfiles.delete

datastream.objects.*

  • datastream.objects.get
  • datastream.objects.list
  • datastream.objects.startBackfillJob
  • datastream.objects.stopBackfillJob

datastream.operations.get

datastream.privateConnections.create

datastream.privateConnections.delete

datastream.streams.create

datastream.streams.delete

datastream.streams.get

datastream.streams.update

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.federations.listEffectiveTags

metastore.federations.listTagBindings

metastore.imports.get

metastore.imports.list

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/metastore.serviceAgent)

Gives the Dataproc Metastore service account access to managed resources.

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalAddresses.createInternal

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.globalOperations.list

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

dns.changes.create

dns.changes.get

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

metastore.databases.get

metastore.databases.setIamPolicy

metastore.databases.update

metastore.federations.use

metastore.services.get

metastore.tables.get

metastore.tables.setIamPolicy

metastore.tables.update

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

המאמרים הבאים