App Hub roles and permissions

App Hub has the following Identity and Access Management (IAM) roles:

  • App Hub Admin (roles/apphub.admin)
  • App Hub Editor (roles/apphub.editor)
  • App Hub Viewer (roles/apphub.viewer)

App Hub roles

The following table describes each role and its typical responsibilities.

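Role: App Hub Admin

Description: Can attach service projects to the host project, create applications, update application attributes, register services and workloads, update service and workload attributes, and delegate application control to App Hub Editors.

Usage:

  • Manages the full lifecycle of the host project and attaches service projects
  • Typically platform administrators, who generally have administrative permissions and a full view of the end-to-end architecture

Role: App Hub Editor

Description: Can create and update applications; register and unregister services and workloads; update attributes.

Usage:

  • Extends the ability to create, update, or delete services and workloads, which reduces the workload of platform administrators
  • Typically application operators with in-depth knowledge of deployments

Role: App Hub Viewer

Description: Can view services, workloads, and applications and their attributes.

Usage:

  • Provides basic observability of services, workloads, and applications and their dependencies
  • Typically most people in the organization. For maximum value, grant this role to all App Hub users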

App Hub permissions

The following table lists the App Hub IAM roles and their permissions.

roles/apphub.admin

Full access to App Hub resources.

apphub.*

  • apphub.applications.create
  • apphub.applications.delete
  • apphub.applications.get
  • apphub.applications.getIamPolicy
  • apphub.applications.list
  • apphub.applications.setIamPolicy
  • apphub.applications.update
  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register
  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register
  • apphub.locations.get
  • apphub.locations.list
  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list
  • apphub.serviceProjectAttachments.attach
  • apphub.serviceProjectAttachments.create
  • apphub.serviceProjectAttachments.delete
  • apphub.serviceProjectAttachments.detach
  • apphub.serviceProjectAttachments.get
  • apphub.serviceProjectAttachments.list
  • apphub.serviceProjectAttachments.lookup
  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update
  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

roles/apphub.editor

Edit access to App Hub resources.

apphub.applications.create

apphub.applications.delete

apphub.applications.get

apphub.applications.list

apphub.applications.update

apphub.discoveredServices.*

  • apphub.discoveredServices.get
  • apphub.discoveredServices.list
  • apphub.discoveredServices.register

apphub.discoveredWorkloads.*

  • apphub.discoveredWorkloads.get
  • apphub.discoveredWorkloads.list
  • apphub.discoveredWorkloads.register

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.*

  • apphub.operations.cancel
  • apphub.operations.delete
  • apphub.operations.get
  • apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.*

  • apphub.services.create
  • apphub.services.delete
  • apphub.services.get
  • apphub.services.list
  • apphub.services.update

apphub.workloads.*

  • apphub.workloads.create
  • apphub.workloads.delete
  • apphub.workloads.get
  • apphub.workloads.list
  • apphub.workloads.update

resourcemanager.projects.get

resourcemanager.projects.list

roles/apphub.viewer

View access to App Hub resources.

apphub.applications.get

apphub.applications.list

apphub.discoveredServices.get

apphub.discoveredServices.list

apphub.discoveredWorkloads.get

apphub.discoveredWorkloads.list

apphub.locations.*

  • apphub.locations.get
  • apphub.locations.list

apphub.operations.get

apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.get

apphub.services.list

apphub.workloads.get

apphub.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list
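
For least-privilege reviews, the useful part of the tables above is what roles/apphub.admin can do that roles/apphub.editor cannot. The following is an added example, not part of the original page or of any Google tooling: it expands the Editor wildcards, derives the Admin-only permissions, and classifies who holds roles/apphub.admin in an IAM policy. The function names and the sample policy are constructed for illustration, and the resourcemanager.projects.* permissions shared by all three roles are left out.

```python
from fnmatch import fnmatchcase

# apphub.* permissions of roles/apphub.admin, as listed on this page.
_VERBS = {
    "applications": "create delete get getIamPolicy list setIamPolicy update",
    "discoveredServices": "get list register",
    "discoveredWorkloads": "get list register",
    "locations": "get list",
    "operations": "cancel delete get list",
    "serviceProjectAttachments": "attach create delete detach get list lookup",
    "services": "create delete get list update",
    "workloads": "create delete get list update",
}
ADMIN = {f"apphub.{res}.{v}" for res, verbs in _VERBS.items() for v in verbs.split()}

# roles/apphub.editor entries as the page lists them, wildcards included.
EDITOR_PATTERNS = (
    "apphub.applications.create apphub.applications.delete apphub.applications.get "
    "apphub.applications.list apphub.applications.update apphub.discoveredServices.* "
    "apphub.discoveredWorkloads.* apphub.locations.* apphub.operations.* "
    "apphub.serviceProjectAttachments.lookup apphub.services.* apphub.workloads.*"
).split()

def expand(patterns):
    """Resolve wildcard entries against the full App Hub permission list."""
    return {p for p in ADMIN if any(fnmatchcase(p, pat) for pat in patterns)}

def admin_only():
    """Permissions roles/apphub.admin holds that roles/apphub.editor does not."""
    return ADMIN - expand(EDITOR_PATTERNS)

def classify_admin_members(policy):
    """Map each roles/apphub.admin member to 'broad', 'group' or 'direct'."""
    kinds = {"allUsers": "broad", "allAuthenticatedUsers": "broad",
             "domain": "broad", "group": "group"}
    result = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/apphub.admin":
            for member in binding.get("members", []):
                result[member] = kinds.get(member.split(":", 1)[0], "direct")
    return result

# Constructed sample in the shape of a project IAM policy (not real data).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/apphub.admin", "members": ["user:platform-admin@example.com",
        "group:app-operators@example.com", "domain:example.com"]},
    {"role": "roles/apphub.viewer", "members": ["domain:example.com"]},
]}
```

The Admin-only set comes out as the two application IAM-policy permissions plus every serviceProjectAttachments permission except lookup, so a principal that does not need to change access or attach service projects can be given Editor instead.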

For more information about permissions, see Predefined roles.