Manage fleets with custom organization policies

You can use the Organization Policy Service with custom constraints to enforce specific configurations on the Managed Service for Apache Spark clusters in your organization. This centralized approach helps you ensure compliance, control costs, and standardize your Managed Service for Apache Spark fleet.

This guide explains how to create and enforce custom organization policies for Managed Service for Apache Spark clusters. For more information, see Introduction to organization policies.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Resource Manager API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  5. Make sure that you have the following role or roles on the project: Organization Policy Administrator

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. Click Select a role, then search for the role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init

Enforce a custom constraint

The following steps show how to enforce a common security requirement: every new Managed Service for Apache Spark cluster must have Kerberos enabled.

  1. Define the custom constraint.

    1. Create a YAML file with the following content:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.dataprocKerberos
    resourceTypes:
    - dataproc.googleapis.com/Cluster
    methodTypes:
    - CREATE
    condition: "resource.config.securityConfig.kerberosConfig.enableKerberos == true"
    actionType: ALLOW
    displayName: Cluster must have Kerberos enabled.

    Replace ORGANIZATION_ID with your organization ID.

  2. Set up the custom constraint so that it is available to your organization.

    gcloud org-policies set-custom-constraint CONSTRAINT_PATH

    Replace CONSTRAINT_PATH with the path to your YAML constraint file.

  3. Create an organization policy that enforces the constraint.

    1. Create another YAML file with the following content:

    name: projects/PROJECT_ID/policies/custom.dataprocKerberos
    spec:
      rules:
      - enforce: true

    Replace PROJECT_ID with the ID of the project where you want to apply the policy. You can also apply the policy at the folder or organization level.

  4. Apply the policy.

    gcloud org-policies set-policy POLICY_PATH

    Replace POLICY_PATH with the path to your YAML policy file.

After the policy is applied, any attempt to create a Managed Service for Apache Spark cluster in the specified resource without Kerberos enabled fails.

Custom constraint use cases

You can create custom constraints to enforce a wide range of policies on your Managed Service for Apache Spark fleet. Fleet-wide policies help you control costs, standardize configurations, and ensure security.

Example: you can require specific machine types, or prohibit cluster nodes from using public IP addresses.
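As an added example (not part of this page or of Google Cloud), the following Python script applies the Kerberos constraint from the procedure above, together with a constructed DENY constraint for the public-IP use case named in the preceding paragraph, to sample cluster CREATE requests offline, so a fleet team can test a condition before running set-custom-constraint. It supports only a small CEL subset (==, !=, &&), models unset fields as proto defaults the way CEL does, and assumes the Dataproc Cluster field names shown; the request bodies and the second constraint are constructed.

```python
"""Offline evaluator for Dataproc custom-constraint conditions (hypothetical helper, not
Google Cloud or gcloud code). Mimics how the Organization Policy Service applies a custom
constraint to a Cluster CREATE request: an ALLOW constraint admits the request only when its
condition is true, a DENY constraint blocks it when the condition is true. CEL subset only."""
import re

_CLAUSE = re.compile(r"(resource\.[\w.]+)\s*(==|!=)\s*(\S+)")

def resolve(resource, path, default):
    """Walk a dotted path such as resource.config.securityConfig.kerberosConfig.enableKerberos,
    returning `default` when any segment is unset (CEL reads unset proto fields as defaults)."""
    node = resource
    for part in path.split(".")[1:]:  # skip the leading 'resource'
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def evaluate(condition, resource):
    """Evaluate '&&'-joined clauses of the form 'resource.path == literal' (or !=)."""
    for clause in condition.split("&&"):
        m = _CLAUSE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        path, op, rhs = m.groups()
        expected = rhs == "true" if rhs in ("true", "false") else rhs.strip('"')
        value = resolve(resource, path, type(expected)())  # unset field -> false / ""
        if (value == expected) != (op == "=="):
            return False
    return True

def violations(request, constraints):
    """Return the displayName of every constraint that would block this CREATE request."""
    return [c["displayName"] for c in constraints
            if evaluate(c["condition"], request) != (c["actionType"] == "ALLOW")]

# Constructed constraints: the page's Kerberos rule plus a DENY rule for the page's
# public-IP example (internalIpOnly is the Dataproc gceClusterConfig field for that).
CONSTRAINTS = [
    {"condition": "resource.config.securityConfig.kerberosConfig.enableKerberos == true",
     "actionType": "ALLOW", "displayName": "Cluster must have Kerberos enabled."},
    {"condition": "resource.config.gceClusterConfig.internalIpOnly == false",
     "actionType": "DENY", "displayName": "Cluster nodes must not use public IPs."},
]
# Constructed CREATE request bodies (Cluster resources) to check against them.
COMPLIANT = {"config": {"securityConfig": {"kerberosConfig": {"enableKerberos": True}},
                        "gceClusterConfig": {"internalIpOnly": True}}}
NO_SECURITY_CONFIG = {"config": {"gceClusterConfig": {"internalIpOnly": True}}}
PUBLIC_IP = {"config": {"securityConfig": {"kerberosConfig": {"enableKerberos": True}},
                        "gceClusterConfig": {"internalIpOnly": False}}}
```

Note that NO_SECURITY_CONFIG is rejected even though it never mentions Kerberos: the ALLOW constraint requires the condition to hold, and an unset enableKerberos reads as false.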

What's next