Access control

Overview

The Cloud Data Fusion API uses Cloud Identity and Access Management (Cloud IAM) for access control.

In the Cloud Data Fusion API, you can configure access control at the project level. For example, you can grant access to all Cloud Data Fusion API resources within a project to a group of developers.

For a detailed description of Cloud IAM and its features, see the Cloud IAM developer's guide. In particular, see its Managing Cloud IAM Policies section.

Every Cloud Data Fusion API method requires the caller to have the necessary permissions. See roles and permissions for more information.

Required permissions

The following table lists the permissions and roles that Cloud Data Fusion needs in order to run. They are granted automatically when the Cloud Data Fusion API is enabled. Several of them (storage.admin, bigquery.dataOwner, bigtable.admin) are broad roles over project data; review them against your project's least-privilege requirements before enabling the API in a project that holds sensitive data.

Service: Compute Engine and Networking
Type: Permission
Name:
    compute.globalOperations.get
    compute.networks.addPeering
    compute.networks.removePeering
    compute.networks.update
    compute.networks.get
Reason: To create peered networks between consumer and tenant projects

Service: Cloud Dataproc
Type: Role
Name:
    dataproc.editor
    compute.networkViewer
Reason: To create and manage Cloud Dataproc clusters

Service: Various storage services
Type: Role
Name:
    storage.admin
    bigquery.dataOwner
    bigquery.jobUser
    spanner.databaseUser
    spanner.viewer
    bigtable.admin
Reason: To provide a seamless data integration experience for GCP storage services

Cloud Data Fusion roles

Role: roles/datafusion.admin
Title: Cloud Data Fusion Admin
Description: Provides full access to Cloud Data Fusion instances and related resources.
Permissions:
    datafusion.instances.get
    datafusion.instances.list
    datafusion.instances.create
    datafusion.instances.delete
    datafusion.instances.update
    datafusion.operations.get
    datafusion.operations.list
    datafusion.operations.cancel
    resourcemanager.projects.get
    resourcemanager.projects.list
Lowest resource: Project

Role: roles/datafusion.viewer
Title: Cloud Data Fusion Viewer
Description: Provides read-only access to Cloud Data Fusion instances and related resources.
Permissions:
    datafusion.instances.get
    datafusion.instances.list
    datafusion.operations.get
    datafusion.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list
Lowest resource: Project

Cloud Data Fusion API permissions

This section lists the permission the caller must hold for each Cloud Data Fusion API method.

API method            Required permission
instances.create      datafusion.instances.create
instances.delete      datafusion.instances.delete
instances.list        datafusion.instances.list
instances.get         datafusion.instances.get
instances.update      datafusion.instances.update
operations.cancel     datafusion.operations.cancel
operations.list       datafusion.operations.list
operations.get        datafusion.operations.get

Permissions for common tasks

This section lists the permissions required to perform common tasks in Cloud Data Fusion.

Task                                                                    Permission
Access the Cloud IAP-protected Cloud Data Fusion graphical interface    datafusion.instances.get
View the instances page in the GCP Console                              datafusion.instances.list
View the details page of an instance                                    datafusion.instances.get
Create a new instance                                                   datafusion.instances.create
Update the labels and advanced options to customize an instance         datafusion.instances.update
Delete an instance                                                      datafusion.instances.delete

Comparing this table with the role definitions above: roles/datafusion.viewer is sufficient for the first three tasks (opening the graphical interface, listing instances, and viewing instance details). Creating, updating, or deleting an instance requires roles/datafusion.admin, so grant the viewer role to users who only need to open and use the interface.

Access control via GCP Console

To manage access control for your environments and projects, you can use the GCP Console. To set access controls at the project level:

  1. Open the Cloud IAM page in the GCP Console.
  2. Select your project, and click Continue.
  3. Click Add Member.
  4. Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.
  5. To select the desired role, click the Down arrow.
  6. Click Add.
  7. Verify that the member is listed under the role that you granted.
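As an added example, not part of the Cloud Data Fusion documentation, the following Python performs the Console procedure above programmatically (add a member to a role binding in a project-level IAM policy, then verify the listing) and resolves the member's effective permissions against the "Permissions for common tasks" table, so you can confirm which role a user actually needs before granting it. ROLE_PERMISSIONS and TASK_PERMISSION are copied from the tables on this page; the policy document, the etag value, the e-mail addresses and the function names are constructed for illustration.

```python
"""Add a member to a Cloud Data Fusion role and check what that lets them do.

Added example; not code from the Cloud Data Fusion documentation. The role
and task tables are the ones on this page. SAMPLE_POLICY follows the shape
of the IAM v1 Policy resource but its contents (etag, principals) are made
up. In a real project the policy comes from projects.getIamPolicy and is
written back with projects.setIamPolicy, carrying the server's etag.
"""
import copy

# Predefined roles and their permissions, as listed on this page.
ROLE_PERMISSIONS = {
    "roles/datafusion.admin": {
        "datafusion.instances.get", "datafusion.instances.list",
        "datafusion.instances.create", "datafusion.instances.delete",
        "datafusion.instances.update", "datafusion.operations.get",
        "datafusion.operations.list", "datafusion.operations.cancel",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datafusion.viewer": {
        "datafusion.instances.get", "datafusion.instances.list",
        "datafusion.operations.get", "datafusion.operations.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
}

# Common tasks and the single permission each one requires (from this page).
TASK_PERMISSION = {
    "open the IAP-protected UI": "datafusion.instances.get",
    "view the instances page": "datafusion.instances.list",
    "view instance details": "datafusion.instances.get",
    "create an instance": "datafusion.instances.create",
    "update labels/advanced options": "datafusion.instances.update",
    "delete an instance": "datafusion.instances.delete",
}

# Constructed project-level policy (hypothetical etag and principals).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWExampleEtag=",
    "bindings": [
        {"role": "roles/datafusion.admin",
         "members": ["group:datafusion-admins@example.com"]},
    ],
}


def add_member_to_role(policy, member, role):
    """Return a copy of policy with member bound to role (Console steps 3-6).

    The etag is left untouched so that a later setIamPolicy call fails
    instead of silently overwriting a policy someone else changed meanwhile.
    """
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown Cloud Data Fusion role: {role}")
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:  # idempotent re-grant
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def roles_of(policy, member):
    """Roles bound directly to member (Console step 7: verify the listing)."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def effective_permissions(policy, member):
    """Union of the permissions of every Data Fusion role bound to member."""
    perms = set()
    for role in roles_of(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def task_report(policy, member):
    """Map each common task to (allowed, permission_required) for member."""
    perms = effective_permissions(policy, member)
    return {task: (perm in perms, perm) for task, perm in TASK_PERMISSION.items()}


def least_role_for(tasks):
    """Smallest predefined role that covers every task, or None.

    Use this before granting: it returns viewer for read-only tasks and only
    escalates to admin when a task genuinely needs a mutating permission.
    """
    needed = {TASK_PERMISSION[t] for t in tasks}
    candidates = [r for r, p in ROLE_PERMISSIONS.items() if needed <= p]
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)


if __name__ == "__main__":
    dev = "user:dev@example.com"  # hypothetical new member
    policy = add_member_to_role(SAMPLE_POLICY, dev, "roles/datafusion.viewer")
    print("roles:", roles_of(policy, dev))
    for task, (ok, perm) in task_report(policy, dev).items():
        print(("allowed " if ok else "DENIED  ") + f"{task} ({perm})")
    print("role needed to view and create:",
          least_role_for(["view instance details", "create an instance"]))
```

The check only looks at direct bindings in one project-level policy: it does not expand group membership or account for roles inherited from a folder or organization policy, so treat it as a planning aid and use the projects.testIamPermissions API for an authoritative answer. On the command line, `gcloud projects add-iam-policy-binding` and `gcloud projects get-iam-policy` perform the same grant-and-verify steps as the Console procedure.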