Use case: Access control with namespace service accounts
Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes the use case where you control access to Google Cloud resources at the namespace level when you migrate data from Cloud Storage to BigQuery.
To control access to Google Cloud resources, namespaces in Cloud Data Fusion use the Cloud Data Fusion API Service Agent by default.
For better data isolation, you can associate a customized IAM service account (known as a Per Namespace Service Account) with each namespace. The customized IAM service account, which can differ from one namespace to another, lets you control access to Google Cloud resources between namespaces for pipeline design-time operations in Cloud Data Fusion, such as pipeline preview, Wrangler, and pipeline validation.

For more information, see Access control with namespace service accounts.
Scenario

In this use case, your marketing department migrates data from Cloud Storage to BigQuery using Cloud Data Fusion.

The marketing department has three teams: A, B, and C. Your objective is to establish a structured approach to controlling data access in Cloud Storage through Cloud Data Fusion namespaces corresponding to each team: A, B, and C, respectively.
Solution

The following steps show how to control access to Google Cloud resources with namespace service accounts, preventing unauthorized access between the datastores of different teams.
Associate an Identity and Access Management service account with each namespace

Configure an IAM service account in the namespace for each team (see Configure a namespace service account):

1. Set up the access control by adding a customized service account for Team A, for example team-a@pipeline-design-time-project.iam.gserviceaccount.com.

Figure 1: Add a customized service account for Team A.

2. Repeat the configuration steps for Teams B and C to set up access control with similar customized service accounts.
Limit access to the Cloud Storage buckets

Limit access to the Cloud Storage buckets by granting the appropriate permissions:

1. Give the IAM service account the storage.buckets.list permission, which is required to list the Cloud Storage buckets in the project. For more information, see Listing buckets.

2. Give the IAM service account permission to access the objects in particular buckets. For example, grant the Storage Object Viewer role to the IAM service account associated with the team_A namespace on the team_a1 bucket. This permission lets Team A view and list objects and managed folders, along with their metadata, in that bucket in an isolated design-time environment.

Figure 2: On the Cloud Storage Buckets page, add the team as a principal and assign the Storage Object User role.
Create the Cloud Storage connection in the respective namespaces

Create a Cloud Storage connection in each team's namespace:

1. In the Google Cloud console, go to the Cloud Data Fusion Instances page and open an instance in the Cloud Data Fusion web interface.

2. Click System admin > Configuration > Namespaces.

3. Click the namespace you want to use, for example the namespace for Team A.

4. Click the Connections tab, and then click Add connection.

5. Select GCS and configure the connection.

Figure 3: Configure the Cloud Storage connection for the namespace.

6. Create a Cloud Storage connection for every namespace by repeating the preceding steps. Each team can then interact with an isolated copy of that resource for their design-time operations.
Validate design-time isolation for each namespace

Team A can validate the isolation at design time by accessing Cloud Storage buckets in its namespace:

1. In the Google Cloud console, go to the Cloud Data Fusion Instances page and open an instance in the Cloud Data Fusion web interface.

2. Click System admin > Configuration > Namespaces.

3. Select a namespace, for example the Team A namespace, team_A.

4. Click Menu > Wrangler.

5. Click GCS.

6. In the bucket list, click the team_a1 bucket.
   - You can view the list of buckets because the Team A namespace has the storage.buckets.list permission.
   - When you click the bucket, you can view its contents because the Team A namespace has the Storage Object Viewer role.

Figures 4 and 5: Check that Team A can access the appropriate storage bucket.

7. Go back to the bucket list and click the team_b1 or team_c1 bucket. Access is restricted, because you isolated this design-time resource for Team A using its namespace service account.

Figure 6: Check that Team A cannot access the Team B and Team C storage buckets.
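The bucket grants from the "Limit access to the Cloud Storage buckets" section and the manual checks in this validation section can also be expressed and audited outside the console. The following Python script is an added example, not code from the Cloud Data Fusion documentation: it renders the bucket-level gcloud bindings for the three team accounts, reports which buckets a given namespace account could open, and audits bucket IAM policies for cross-team or public grants. The project id, the service account addresses and the policy documents are constructed sample data; the policy shape assumed is the JSON that gcloud storage buckets get-iam-policy returns.

```python
"""Audit per-namespace bucket isolation for the Team A/B/C scenario.

Added example; not code from the Cloud Data Fusion documentation. The policy
documents below are constructed sample data in the shape that
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns
({"bindings": [{"role": ..., "members": [...]}]}). The service account
addresses and project id are hypothetical, following the page's scenario.
"""
from typing import Dict, List, Set

STORAGE_OBJECT_VIEWER = "roles/storage.objectViewer"

# Desired state: each namespace service account may read exactly one bucket.
TEAM_BUCKETS: Dict[str, str] = {
    "serviceAccount:team-a@pipeline-design-time-project.iam.gserviceaccount.com": "team_a1",
    "serviceAccount:team-b@pipeline-design-time-project.iam.gserviceaccount.com": "team_b1",
    "serviceAccount:team-c@pipeline-design-time-project.iam.gserviceaccount.com": "team_c1",
}

# Constructed bucket policies as an auditor might fetch them. team_c1 carries a
# deliberate mistake: Team B's account was also granted Storage Object User on it.
SAMPLE_POLICIES: Dict[str, dict] = {
    "team_a1": {"bindings": [
        {"role": STORAGE_OBJECT_VIEWER,
         "members": ["serviceAccount:team-a@pipeline-design-time-project.iam.gserviceaccount.com"]},
    ]},
    "team_b1": {"bindings": [
        {"role": STORAGE_OBJECT_VIEWER,
         "members": ["serviceAccount:team-b@pipeline-design-time-project.iam.gserviceaccount.com"]},
    ]},
    "team_c1": {"bindings": [
        {"role": STORAGE_OBJECT_VIEWER,
         "members": ["serviceAccount:team-c@pipeline-design-time-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectUser",
         "members": ["serviceAccount:team-b@pipeline-design-time-project.iam.gserviceaccount.com"]},
    ]},
}


def grant_commands(team_buckets: Dict[str, str], role: str = STORAGE_OBJECT_VIEWER) -> List[str]:
    """Render the gcloud commands equivalent to the console steps: one
    bucket-level binding per team. The project-level storage.buckets.list
    grant is a separate step and is not produced here."""
    return [
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member={member} --role={role}"
        for member, bucket in team_buckets.items()
    ]


def storage_grants(policy: dict) -> Dict[str, Set[str]]:
    """Map each member to the set of roles/storage.* roles it holds in `policy`."""
    grants: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/storage."):
            continue
        for member in binding.get("members", []):
            grants.setdefault(member, set()).add(role)
    return grants


def readable_buckets(member: str, bucket_policies: Dict[str, dict]) -> Set[str]:
    """Buckets on which `member` holds any roles/storage.* role, i.e. what the
    namespace would be able to open in Wrangler once it can list buckets."""
    return {b for b, p in bucket_policies.items() if member in storage_grants(p)}


def audit_isolation(bucket_policies: Dict[str, dict],
                    team_buckets: Dict[str, str],
                    role: str = STORAGE_OBJECT_VIEWER) -> List[str]:
    """Return findings: a team account holding any storage role on another
    team's bucket (CROSS_TEAM), a team account missing the expected role on
    its own bucket (MISSING), or a public principal on any bucket (PUBLIC)."""
    findings: List[str] = []
    for bucket, policy in bucket_policies.items():
        for member, roles in storage_grants(policy).items():
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"PUBLIC: {member} has {sorted(roles)} on {bucket}")
            elif member in team_buckets and team_buckets[member] != bucket:
                findings.append(f"CROSS_TEAM: {member} has {sorted(roles)} on {bucket}")
    for member, bucket in team_buckets.items():
        if role not in storage_grants(bucket_policies.get(bucket, {})).get(member, set()):
            findings.append(f"MISSING: {member} lacks {role} on {bucket}")
    return findings


if __name__ == "__main__":
    for cmd in grant_commands(TEAM_BUCKETS):
        print(cmd)
    team_a = next(iter(TEAM_BUCKETS))
    print("Team A can open:", sorted(readable_buckets(team_a, SAMPLE_POLICIES)))
    for finding in audit_isolation(SAMPLE_POLICIES, TEAM_BUCKETS):
        print(finding)
```

Run it with python3. Team A resolves to team_a1 only, which is what Figures 4 to 6 check by hand, and the deliberate extra Storage Object User binding on team_c1 is reported as a CROSS_TEAM finding. To audit real buckets, replace SAMPLE_POLICIES with the JSON fetched per bucket; the audit looks at every roles/storage.* role, not just Storage Object Viewer, so a broader role granted by mistake is still caught.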
What's next

- Learn more about security features in Cloud Data Fusion.
Last updated 2025-09-04 UTC.