允许组织主帐号使用标签

资源项目中创建 Data Catalog 标记模板后,您可以向主帐号授予 Data Catalog tagTemplateUser 角色。这样一来,他们就可以创建元数据,即使用模板来标记数据资源。如需了解详情,请参阅将标记附加到 GCP 资源

下一部分将介绍如何授予 tagTemplateUser 角色。

授予 tagTemplateUser 角色

控制台

控制台

如需将 Data Catalog tagTemplateUser 角色授予项目的主帐号,请执行以下操作:

  1. 在 Google Cloud Console 中转到 IAM,然后点击主帐号列表右侧的修改 () 按钮。

  2. 修改权限对话框中,点击 添加其他角色,然后点击选择角色下拉列表。

  3. 过滤条件框中,插入 Data Catalog TagTemplate User 以显示此角色,然后选择此角色并点击保存

Java

在尝试此示例之前,请按照《Data Catalog 快速入门:使用客户端库》中的 Java 设置说明进行操作。如需了解详情,请参阅 Data Catalog Java API 参考文档

import com.google.cloud.datacatalog.v1.DataCatalogClient;
import com.google.cloud.datacatalog.v1.TagTemplateName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

// Sample to grant tag access on template
public class GrantTagTemplateUserRole {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "my-project";
    String tagTemplateId = "my_tag_template";
    grantTagTemplateUserRole(projectId, tagTemplateId);
  }

  public static void grantTagTemplateUserRole(String projectId, String templateId)
      throws IOException {
    // Currently, Data Catalog stores metadata in the us-central1 region.
    String location = "us-central1";

    // Format the Template name.
    String templateName =
        TagTemplateName.newBuilder()
            .setProject(projectId)
            .setLocation(location)
            .setTagTemplate(templateId)
            .build()
            .toString();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DataCatalogClient dataCatalogClient = DataCatalogClient.create()) {

      // Create a Binding to add the Tag Template User role and member to the policy.
      Binding binding =
          Binding.newBuilder()
              .setRole("roles/datacatalog.tagTemplateUser")
              .addMembers("group:example-analyst-group@google.com")
              .build();

      // Create a Policy object to update Template's IAM policy by adding the new binding.
      Policy policyUpdate = Policy.newBuilder().addBindings(binding).build();

      SetIamPolicyRequest request =
          SetIamPolicyRequest.newBuilder()
              .setPolicy(policyUpdate)
              .setResource(templateName)
              .build();

      // Update Template's policy.
      dataCatalogClient.setIamPolicy(request);
      System.out.println("Role successfully granted");
    }
  }
}

Node.js

在尝试此示例之前,请按照《Data Catalog 快速入门:使用客户端库》中的 Node.js 设置说明进行操作。如需了解详情,请参阅 Data Catalog Node.js API 参考文档

// Import the Google Cloud client library.
const {DataCatalogClient} = require('@google-cloud/datacatalog').v1;
const datacatalog = new DataCatalogClient();

async function grantTagTemplateUserRole() {
  // Grant the tagTemplateUser role to a member of the project.

  /**
   * TODO(developer): Uncomment the following lines before running the sample.
   */
  // const projectId = 'my_project'; // Google Cloud Platform project
  // const templateId = 'my_existing_template';
  // const memberId = 'my_member_id'

  const location = 'us-central1';

  // Format the Template name.
  const templateName = datacatalog.tagTemplatePath(
    projectId,
    location,
    templateId
  );

  // Retrieve Template's current IAM Policy.
  const [getPolicyResponse] = await datacatalog.getIamPolicy({
    resource: templateName,
  });
  const policy = getPolicyResponse;

  // Add Tag Template User role and member to the policy.
  policy.bindings.push({
    role: 'roles/datacatalog.tagTemplateUser',
    members: [memberId],
  });

  const request = {
    resource: templateName,
    policy: policy,
  };

  // Update Template's policy.
  const [updatePolicyResponse] = await datacatalog.setIamPolicy(request);

  updatePolicyResponse.bindings.forEach(binding => {
    console.log(`Role: ${binding.role}, Members: ${binding.members}`);
  });
}
grantTagTemplateUserRole();

Python

在尝试此示例之前,请按照《Data Catalog 快速入门:使用客户端库》中的 Python 设置说明进行操作。如需了解详情,请参阅 Data Catalog Python API 参考文档

from google.cloud import datacatalog_v1
from google.iam.v1 import iam_policy_pb2 as iam_policy
from google.iam.v1 import policy_pb2

datacatalog = datacatalog_v1.DataCatalogClient()

# TODO: Set these values before running the sample.
project_id = "project_id"
tag_template_id = "existing_tag_template_id"
# For a full list of values a member can have, see:
# https://cloud.google.com/iam/docs/reference/rest/v1/Policy?hl=en#binding
member_id = "user:super-cool.test-user@gmail.com"

# For all regions available, see:
# https://cloud.google.com/data-catalog/docs/concepts/regions
location = "us-central1"

# Format the Template name.
template_name = datacatalog_v1.DataCatalogClient.tag_template_path(
    project_id, location, tag_template_id
)

# Retrieve Template's current IAM Policy.
policy = datacatalog.get_iam_policy(resource=template_name)

# Add Tag Template User role and member to the policy.
binding = policy_pb2.Binding()
binding.role = "roles/datacatalog.tagTemplateUser"
binding.members.append(member_id)
policy.bindings.append(binding)

set_policy_request = iam_policy.SetIamPolicyRequest(
    resource=template_name, policy=policy
)

# Update Template's policy.
policy = datacatalog.set_iam_policy(set_policy_request)

for binding in policy.bindings:
    for member in binding.members:
        print(f"Member: {member}, Role: {binding.role}")

REST 和命令行

REST 和命令行

如果您无法使用针对您的语言的 Cloud 客户端库或者您想要使用 REST 请求来测试 API,请参阅以下示例并参阅 Data Catalog REST API 文档。

在使用任何请求数据之前,请先进行以下替换:

  • project-id:GCP 项目 ID
  • template-id:标记模板 ID

HTTP 方法和网址:

POST https://datacatalog.googleapis.com/v1/projects/project-id/locations/us-central1/tagTemplates/template-id:setIamPolicy

请求 JSON 正文:

{
  "policy":{
    "bindings":[
      {
        "role":"roles/datacatalog.tagTemplateUser",
        "members":[
          "user:username@gmail.com"
        ]
      }
    ]
  }
}

如需发送您的请求,请展开以下选项之一:

您应该会收到类似以下内容的 JSON 响应:

{
  "version":1,
  "etag":"xxxxx.....",
  "bindings":[
    {
      "role":"roles/datacatalog.tagTemplateUser",
      "members":[
        "user:username@gmail.com"
      ]
    }
  ]
}