Fleet management using custom organization policies

You can use Organization Policy Service custom constraints to enforce specific configurations on the Managed Service for Apache Spark clusters in your organization. This centralized approach helps you ensure compliance, control costs, and standardize your Managed Service for Apache Spark fleet.

This guide describes how to create and enforce custom organization policies for Managed Service for Apache Spark clusters. For more information, see Introduction to the Organization Policy Service.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.


  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Resource Manager API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.


  5. Make sure that you have the following role or roles on the project: Organization Policy Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. Click Select a role, then search for the role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init

Enforce a custom constraint

The following steps show how to enforce a common security requirement: ensuring that every new Managed Service for Apache Spark cluster has Kerberos enabled.

  1. Define the custom constraint.

    1. Create a YAML file with the following content:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.dataprocKerberos
    resourceTypes:
    - dataproc.googleapis.com/Cluster
    methodTypes:
    - CREATE
    condition: "resource.config.securityConfig.kerberosConfig.enableKerberos == true"
    actionType: ALLOW
    displayName: Cluster must have Kerberos enabled.

    Replace ORGANIZATION_ID with your organization ID. Because methodTypes lists only CREATE, the constraint is evaluated when a cluster is created and does not affect clusters that already exist. With actionType ALLOW, a create request is admitted only when the condition evaluates to true, so a request that omits kerberosConfig entirely is rejected as well.

  2. Set up the custom constraint so that it is available to your organization:

    gcloud org-policies set-custom-constraint CONSTRAINT_PATH

    Replace CONSTRAINT_PATH with the path to the YAML constraint file. Custom constraints are organization-level resources, so this command requires the Organization Policy Administrator role on the organization, not only on the project where you will enforce the policy.

  3. Create an organization policy to enforce the constraint.

    1. Create another YAML file with the following content:

    name: projects/PROJECT_ID/policies/custom.dataprocKerberos
    spec:
      rules:
      - enforce: true

    Replace PROJECT_ID with the ID of the project to which you want to apply the policy. You can also apply the policy at the folder or organization level by using folders/FOLDER_ID or organizations/ORGANIZATION_ID in place of projects/PROJECT_ID.

  4. Apply the policy:

    gcloud org-policies set-policy POLICY_PATH

    Replace POLICY_PATH with the path to the YAML policy file.

After the policy is applied, an attempt to create a Managed Service for Apache Spark cluster without Kerberos enabled in the specified resource fails. To confirm that the policy is in place, read it back with gcloud org-policies describe custom.dataprocKerberos --project=PROJECT_ID, then attempt a cluster creation without Kerberos and check that the error message names the constraint rather than some unrelated cause such as a quota or a disabled API.

Use cases for custom constraints

You can create custom constraints to enforce a variety of policies on your Managed Service for Apache Spark fleet. Applying fleet-wide policies helps you control costs, standardize configurations, and improve security.

Examples: you can require a specific machine type, or prohibit public IP addresses on cluster nodes.
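The following script is an added example, not part of the original page or of Google's own tooling. It automates the four-step procedure above (render the constraint YAML, register it with the organization, render the policy YAML, apply it to a project) and, for the "no public IP addresses" use case just mentioned, adds a second constraint on the Dataproc GceClusterConfig field internalIpOnly. ORGANIZATION_ID, PROJECT_ID and the cluster name policy-test are assumed placeholder values; DRY_RUN=1 (the default) only writes the YAML files and prints the gcloud commands, so it runs without credentials. The verify step, which runs only with DRY_RUN=0, reads the policy back and then attempts a cluster creation that should be rejected.

```shell
#!/usr/bin/env bash
# Added example: register and enforce custom org-policy constraints for
# Managed Service for Apache Spark clusters. Not code from the original page.
set -eu

ORGANIZATION_ID="${ORGANIZATION_ID:-123456789012}"   # assumed placeholder
PROJECT_ID="${PROJECT_ID:-my-spark-project}"          # assumed placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = write files and print commands only

# Render a custom constraint. Args: constraint name, CEL condition, display name.
# Only CREATE is listed, so clusters that already exist are not affected.
# actionType ALLOW admits a create request only when the condition is true.
render_constraint() {
  local name="$1" condition="$2" display="$3"
  cat <<EOF
name: organizations/${ORGANIZATION_ID}/customConstraints/${name}
resourceTypes:
- dataproc.googleapis.com/Cluster
methodTypes:
- CREATE
condition: "${condition}"
actionType: ALLOW
displayName: ${display}
EOF
}

# Render the project-level policy that enforces a constraint by name.
render_policy() {
  local name="$1"
  cat <<EOF
name: projects/${PROJECT_ID}/policies/${name}
spec:
  rules:
  - enforce: true
EOF
}

# Run a command, or print it instead when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Write both YAML files for one constraint into a temp dir, register the
# constraint with the organization, enforce it on the project, and print the
# directory as the last line of output.
apply_constraint() {
  local name="$1" condition="$2" display="$3" workdir
  workdir="$(mktemp -d)"
  render_constraint "$name" "$condition" "$display" > "$workdir/$name.constraint.yaml"
  render_policy "$name" > "$workdir/$name.policy.yaml"
  run gcloud org-policies set-custom-constraint "$workdir/$name.constraint.yaml"
  run gcloud org-policies set-policy "$workdir/$name.policy.yaml"
  echo "$workdir"
}

# Negative test (real API calls): the policy must be readable, and a cluster
# created without --enable-kerberos must be rejected. A failure for another
# reason (quota, disabled API) looks the same here, so read the error text
# and confirm it names custom.dataprocKerberos.
verify_kerberos_policy() {
  gcloud org-policies describe custom.dataprocKerberos --project="$PROJECT_ID"
  if gcloud dataproc clusters create policy-test --region=us-central1 --project="$PROJECT_ID"; then
    echo "FAIL: a cluster without Kerberos was allowed" >&2
    return 1
  fi
  echo "OK: cluster creation without Kerberos was rejected"
}

main() {
  # The page's requirement: Kerberos on every new cluster.
  apply_constraint custom.dataprocKerberos \
    'resource.config.securityConfig.kerberosConfig.enableKerberos == true' \
    'Cluster must have Kerberos enabled.'
  # The "no public IP" use case: internalIpOnly on the cluster's GceClusterConfig.
  apply_constraint custom.dataprocInternalIpOnly \
    'resource.config.gceClusterConfig.internalIpOnly == true' \
    'Cluster nodes must not have public IP addresses.'
  if [ "$DRY_RUN" != "1" ]; then
    verify_kerberos_policy
  fi
}

main "$@"
```

Each constraint gets its own policy file because org policies are keyed by constraint name; enforcing both on one project means two set-policy calls, which the script issues in order. Run it with DRY_RUN=0 only from an identity that holds Organization Policy Administrator on the organization, since set-custom-constraint writes an organization-level resource.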

What's next