Dataproc Metastore 身分與存取權管理角色

Dataproc Metastore 定義了幾個身分與存取權管理 (IAM) 角色。每個預先定義的角色都包含一組 IAM 權限,可讓主體執行特定動作。您可以使用 IAM 政策為主體提供一或多個 IAM 角色。

身分與存取權管理 (IAM) 也提供建立自訂 IAM 角色的功能。您可以建立自訂 IAM 角色,並為角色指派一或多個權限。接著,您可以將新角色授予實體。您可以使用自訂角色,直接根據自己的需求建立存取權控制模型;此外,Google 也提供預先定義的角色。

本頁主要說明與 Dataproc Metastore 相關的 IAM 角色。

事前準備

  • 請參閱 IAM 說明文件。

Dataproc Metastore 角色

IAM Dataproc Metastore 角色是由一或多個權限組合而成。您可以為主體授予角色,讓他們能夠對專案中的 Dataproc Metastore 資源執行動作。舉例來說,Dataproc Metastore 使用者角色包含 metastore.*.getmetastore.*.list 權限,可讓使用者取得及列出專案中的 Dataproc Metastore 服務、中繼資料匯入、備份和作業。

下表列出所有 Dataproc Metastore 角色,以及與各角色相關聯的權限:

Role Permissions

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.getIamPolicy
  • metastore.backups.list
  • metastore.backups.setIamPolicy
  • metastore.backups.use

metastore.federations.*

  • metastore.federations.create
  • metastore.federations.createTagBinding
  • metastore.federations.delete
  • metastore.federations.deleteTagBinding
  • metastore.federations.get
  • metastore.federations.getIamPolicy
  • metastore.federations.list
  • metastore.federations.listEffectiveTags
  • metastore.federations.listTagBindings
  • metastore.federations.setIamPolicy
  • metastore.federations.update
  • metastore.federations.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.migrations.*

  • metastore.migrations.cancel
  • metastore.migrations.complete
  • metastore.migrations.delete
  • metastore.migrations.get
  • metastore.migrations.list
  • metastore.migrations.start

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.createTagBinding

metastore.services.delete

metastore.services.deleteTagBinding

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.listEffectiveTags

metastore.federations.listTagBindings

metastore.federations.update

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.migrations.*

  • metastore.migrations.cancel
  • metastore.migrations.complete
  • metastore.migrations.delete
  • metastore.migrations.get
  • metastore.migrations.list
  • metastore.migrations.start

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.createTagBinding

metastore.services.delete

metastore.services.deleteTagBinding

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

  • metastore.databases.create
  • metastore.databases.delete
  • metastore.databases.get
  • metastore.databases.getIamPolicy
  • metastore.databases.list
  • metastore.databases.setIamPolicy
  • metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

metastore.services.use

metastore.tables.*

  • metastore.tables.create
  • metastore.tables.delete
  • metastore.tables.get
  • metastore.tables.getIamPolicy
  • metastore.tables.list
  • metastore.tables.setIamPolicy
  • metastore.tables.update

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

(roles/metastore.migrationAdmin)

Access to Dataproc Metastore Managed Migration resources and workflow.

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

compute.autoscalers.create

compute.autoscalers.delete

compute.disks.create

compute.disks.delete

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.use

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.use

compute.instanceGroups.delete

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setMetadata

compute.machineTypes.list

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.use

compute.regionHealthChecks.create

compute.regionHealthChecks.delete

compute.regionHealthChecks.use

compute.regionHealthChecks.useReadOnly

compute.serviceAttachments.create

compute.serviceAttachments.delete

compute.subnetworks.get

compute.subnetworks.use

compute.zones.list

datastream.connectionProfiles.create

datastream.connectionProfiles.delete

datastream.objects.*

  • datastream.objects.get
  • datastream.objects.list
  • datastream.objects.startBackfillJob
  • datastream.objects.stopBackfillJob

datastream.operations.get

datastream.privateConnections.create

datastream.privateConnections.delete

datastream.streams.create

datastream.streams.delete

datastream.streams.get

datastream.streams.update

(roles/metastore.serviceAgent)

Gives the Dataproc Metastore service account access to managed resources.

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalAddresses.createInternal

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.globalOperations.list

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

dns.changes.create

dns.changes.get

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

metastore.databases.get

metastore.databases.setIamPolicy

metastore.databases.update

metastore.federations.use

metastore.services.get

metastore.tables.get

metastore.tables.setIamPolicy

metastore.tables.update

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.federations.listEffectiveTags

metastore.federations.listTagBindings

metastore.imports.get

metastore.imports.list

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.listEffectiveTags

metastore.services.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

後續步驟