IAM-Rollen für Dataproc Metastore

Dataproc Metastore definiert mehrere Rollen für die Identitäts- und Zugriffsverwaltung (IAM). Jede vordefinierte Rolle enthält eine Reihe von IAM-Berechtigungen, mit denen Hauptkonten bestimmte Aktionen ausführen können. Mit einer IAM-Richtlinie können Sie einem Hauptkonto eine oder mehrere IAM-Rollen zuweisen.

Identity and Access Management (IAM) bietet auch die Möglichkeit, benutzerdefinierte IAM-Rollen zu erstellen. Sie können benutzerdefinierte IAM-Rollen erstellen und der Rolle eine oder mehrere Berechtigungen zuweisen. Anschließend können Sie Ihren Hauptkonten die neue Rolle zuweisen. Verwenden Sie neben den verfügbaren vordefinierten Rollen benutzerdefinierte Rollen, um ein Modell zur Zugriffssteuerung zu erstellen, das auf Ihre Anforderungen zugeschnitten ist.

Auf dieser Seite werden die IAM-Rollen behandelt, die für Dataproc Metastore relevant sind.

Hinweise

Lesen Sie die IAM-Dokumentation.

Dataproc Metastore-Rollen

IAM Dataproc Metastore-Rollen bestehen aus einer oder mehreren Berechtigungen. Sie weisen Hauptkonten Rollen zu, damit sie Aktionen für die Dataproc Metastore-Ressourcen in Ihrem Projekt ausführen können. Die Rolle Dataproc Metastore-Nutzer enthält beispielsweise die Berechtigungen metastore.*.get und metastore.*.list, mit denen Nutzer Dataproc Metastore-Dienste, Metadatenimporte, Sicherungen und Vorgänge in einem Projekt abrufen und auflisten können.

In der folgenden Tabelle sind alle Dataproc Metastore-Rollen und die mit jeder Rolle verknüpften Berechtigungen aufgeführt:

Role Permissions

Role	Permissions
Dataproc Metastore Admin (`roles/metastore.admin`) Full access to all Dataproc Metastore resources.	`metastore.backups.` `metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.getIamPolicy` `metastore.backups.list` `metastore.backups.setIamPolicy` `metastore.backups.use` `metastore.federations.` `metastore.federations.create` `metastore.federations.delete` `metastore.federations.get` `metastore.federations.getIamPolicy` `metastore.federations.list` `metastore.federations.setIamPolicy` `metastore.federations.update` `metastore.federations.use` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.migrations.` `metastore.migrations.cancel` `metastore.migrations.complete` `metastore.migrations.delete` `metastore.migrations.get` `metastore.migrations.list` `metastore.migrations.start` `metastore.operations.` `metastore.operations.cancel` `metastore.operations.delete` `metastore.operations.get` `metastore.operations.list` `metastore.services.create` `metastore.services.delete` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `metastore.services.setIamPolicy` `metastore.services.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Metastore Editor (`roles/metastore.editor`) Read and write access to all Dataproc Metastore resources.	`metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.list` `metastore.backups.use` `metastore.federations.create` `metastore.federations.delete` `metastore.federations.get` `metastore.federations.list` `metastore.federations.update` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.migrations.` `metastore.migrations.cancel` `metastore.migrations.complete` `metastore.migrations.delete` `metastore.migrations.get` `metastore.migrations.list` `metastore.migrations.start` `metastore.operations.` `metastore.operations.cancel` `metastore.operations.delete` `metastore.operations.get` `metastore.operations.list` `metastore.services.create` `metastore.services.delete` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `metastore.services.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Metastore Federation Accessor (`roles/metastore.federationAccessor`) Access to the Metastore Federation resource.	`metastore.federations.use`
Dataproc Metastore Metadata Editor (`roles/metastore.metadataEditor`) Access to read and modify the metadata of databases and tables under those databases.	`metastore.databases.create` `metastore.databases.delete` `metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.databases.update` `metastore.services.get` `metastore.services.use` `metastore.tables.create` `metastore.tables.delete` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list` `metastore.tables.update`
Dataproc Metastore Metadata Mutate Admin (`roles/metastore.metadataMutateAdmin`) Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.	`metastore.services.mutateMetadata`
Dataproc Metastore Metadata Operator (`roles/metastore.metadataOperator`) Read-only access to Dataproc Metastore resources with additional metadata operations permission.	`metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.list` `metastore.backups.use` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.operations.get` `metastore.operations.list` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Metastore Data Owner (`roles/metastore.metadataOwner`) Full access to the metadata of databases and tables under those databases.	`metastore.databases.` `metastore.databases.create` `metastore.databases.delete` `metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.databases.setIamPolicy` `metastore.databases.update` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.use` `metastore.tables.` `metastore.tables.create` `metastore.tables.delete` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list` `metastore.tables.setIamPolicy` `metastore.tables.update`
Dataproc Metastore Metadata Query Admin (`roles/metastore.metadataQueryAdmin`) Access to query metadata from a Dataproc Metastore service's underlying metadata store.	`metastore.services.queryMetadata`
Dataproc Metastore Metadata User (`roles/metastore.metadataUser`) Access to the Dataproc Metastore gRPC endpoint	`metastore.databases.get` `metastore.databases.list` `metastore.services.get` `metastore.services.use`
Dataproc Metastore Metadata Viewer (`roles/metastore.metadataViewer`) Access to read the metadata of databases and tables under those databases	`metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.services.get` `metastore.services.use` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list`
Dataproc Metastore Managed Migration Admin (`roles/metastore.migrationAdmin`) Access to Dataproc Metastore Managed Migration resources and workflow.	`cloudsql.instances.connect` `cloudsql.instances.get` `cloudsql.instances.login` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.disks.create` `compute.disks.delete` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.use` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.use` `compute.instanceGroups.delete` `compute.instanceGroups.use` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.useReadOnly` `compute.instances.create` `compute.instances.delete` `compute.instances.get` `compute.instances.setMetadata` `compute.machineTypes.list` `compute.regionBackendServices.create` `compute.regionBackendServices.delete` `compute.regionBackendServices.use` `compute.regionHealthChecks.create` `compute.regionHealthChecks.delete` `compute.regionHealthChecks.use` `compute.regionHealthChecks.useReadOnly` `compute.serviceAttachments.create` `compute.serviceAttachments.delete` `compute.subnetworks.get` `compute.subnetworks.use` `compute.zones.list` `datastream.connectionProfiles.create` `datastream.connectionProfiles.delete` `datastream.objects.*` `datastream.objects.get` `datastream.objects.list` `datastream.objects.startBackfillJob` `datastream.objects.stopBackfillJob` `datastream.operations.get` `datastream.privateConnections.create` `datastream.privateConnections.delete` `datastream.streams.create` `datastream.streams.delete` `datastream.streams.get` `datastream.streams.update`
Dataproc Metastore Viewer (`roles/metastore.user`) Read-only access to all Dataproc Metastore resources.	`metastore.backups.get` `metastore.backups.list` `metastore.federations.get` `metastore.federations.getIamPolicy` `metastore.federations.list` `metastore.imports.get` `metastore.imports.list` `metastore.locations.*` `metastore.locations.get` `metastore.locations.list` `metastore.operations.get` `metastore.operations.list` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Dataproc Metastore Admin

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.backups.use

metastore.federations.*

metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.migrations.*

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Editor

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.migrations.*

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Metastore Federation Accessor

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

Dataproc Metastore Metadata Editor

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

Dataproc Metastore Metadata Mutate Admin

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

Dataproc Metastore Metadata Operator

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Data Owner

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update

Dataproc Metastore Metadata Query Admin

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

Dataproc Metastore Metadata User

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

Dataproc Metastore Metadata Viewer

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

Dataproc Metastore Managed Migration Admin

(roles/metastore.migrationAdmin)

Access to Dataproc Metastore Managed Migration resources and workflow.

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

compute.autoscalers.create

compute.autoscalers.delete

compute.disks.create

compute.disks.delete

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.use

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.use

compute.instanceGroups.delete

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setMetadata

compute.machineTypes.list

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.use

compute.regionHealthChecks.create

compute.regionHealthChecks.delete

compute.regionHealthChecks.use

compute.regionHealthChecks.useReadOnly

compute.serviceAttachments.create

compute.serviceAttachments.delete

compute.subnetworks.get

compute.subnetworks.use

compute.zones.list

datastream.connectionProfiles.create

datastream.connectionProfiles.delete

datastream.objects.*

datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob

datastream.operations.get

datastream.privateConnections.create

datastream.privateConnections.delete

datastream.streams.create

datastream.streams.delete

datastream.streams.get

datastream.streams.update

Dataproc Metastore Viewer

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

IAM-Rollen für Dataproc Metastore

Hinweise

Dataproc Metastore-Rollen

Dataproc Metastore Admin

Dataproc Metastore Editor

Metastore Federation Accessor

Dataproc Metastore Metadata Editor

Dataproc Metastore Metadata Mutate Admin

Dataproc Metastore Metadata Operator

Dataproc Metastore Data Owner

Dataproc Metastore Metadata Query Admin

Dataproc Metastore Metadata User

Dataproc Metastore Metadata Viewer

Dataproc Metastore Managed Migration Admin

Dataproc Metastore Viewer

Nächste Schritte