Dataproc Metastore IAM ロール

Dataproc Metastore は、いくつかの Identity and Access Management（IAM）ロールを定義します。各事前定義ロールには、プリンシパルが特定のアクションを実行できる一連の IAM 権限が含まれています。IAM ポリシーを使用して、プリンシパルに 1 つ以上の IAM ロールを付与できます。

Identity and Access Management（IAM）では、カスタマイズされた IAM ロールを作成することもできます。カスタムの IAM のロールを作成し、このロールに 1 つ以上の権限を割り当てることができます。その後、新しいロールをプリンシパルに付与できます。カスタムロールを使用して、使用可能な事前定義ロールとともにニーズに直接対応するアクセス制御モデルを作成します。

このページでは、Dataproc Metastore に関連する IAM ロールについて説明します。

始める前に

IAM のドキュメントをお読みください。

Dataproc Metastore のロール

IAM の Dataproc Metastore ロールは、1 つ以上の権限をまとめたものです。プリンシパルがプロジェクトの Dataproc Metastore リソースを操作できるようにロールを付与します。たとえば、Dataproc Metastore ユーザーのロールには、metastore.*.get と metastore.*.list の権限が含まれています。これらの権限を付与されたユーザーは、プロジェクトの Dataproc Metastore サービス、メタデータのインポート、バックアップ、オペレーションを取得して一覧表示できます。

次の表は、Dataproc Metastore のすべてのロールと、各ロールに関連付けられた権限を示しています。

Role Permissions

Role	Permissions
Dataproc Metastore Admin (`roles/metastore.admin`) Full access to all Dataproc Metastore resources.	`metastore.backups.` `metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.getIamPolicy` `metastore.backups.list` `metastore.backups.setIamPolicy` `metastore.backups.use` `metastore.federations.` `metastore.federations.create` `metastore.federations.delete` `metastore.federations.get` `metastore.federations.getIamPolicy` `metastore.federations.list` `metastore.federations.setIamPolicy` `metastore.federations.update` `metastore.federations.use` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.migrations.` `metastore.migrations.cancel` `metastore.migrations.complete` `metastore.migrations.delete` `metastore.migrations.get` `metastore.migrations.list` `metastore.migrations.start` `metastore.operations.` `metastore.operations.cancel` `metastore.operations.delete` `metastore.operations.get` `metastore.operations.list` `metastore.services.create` `metastore.services.delete` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `metastore.services.setIamPolicy` `metastore.services.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Metastore Editor (`roles/metastore.editor`) Read and write access to all Dataproc Metastore resources.	`metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.list` `metastore.backups.use` `metastore.federations.create` `metastore.federations.delete` `metastore.federations.get` `metastore.federations.list` `metastore.federations.update` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.migrations.` `metastore.migrations.cancel` `metastore.migrations.complete` `metastore.migrations.delete` `metastore.migrations.get` `metastore.migrations.list` `metastore.migrations.start` `metastore.operations.` `metastore.operations.cancel` `metastore.operations.delete` `metastore.operations.get` `metastore.operations.list` `metastore.services.create` `metastore.services.delete` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `metastore.services.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Metastore Federation Accessor (`roles/metastore.federationAccessor`) Access to the Metastore Federation resource.	`metastore.federations.use`
Dataproc Metastore Metadata Editor (`roles/metastore.metadataEditor`) Access to read and modify the metadata of databases and tables under those databases.	`metastore.databases.create` `metastore.databases.delete` `metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.databases.update` `metastore.services.get` `metastore.services.use` `metastore.tables.create` `metastore.tables.delete` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list` `metastore.tables.update`
Dataproc Metastore Metadata Mutate Admin (`roles/metastore.metadataMutateAdmin`) Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.	`metastore.services.mutateMetadata`
Dataproc Metastore Metadata Operator (`roles/metastore.metadataOperator`) Read-only access to Dataproc Metastore resources with additional metadata operations permission.	`metastore.backups.create` `metastore.backups.delete` `metastore.backups.get` `metastore.backups.list` `metastore.backups.use` `metastore.imports.` `metastore.imports.create` `metastore.imports.get` `metastore.imports.list` `metastore.imports.update` `metastore.locations.` `metastore.locations.get` `metastore.locations.list` `metastore.operations.get` `metastore.operations.list` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.restore` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Metastore Data Owner (`roles/metastore.metadataOwner`) Full access to the metadata of databases and tables under those databases.	`metastore.databases.` `metastore.databases.create` `metastore.databases.delete` `metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.databases.setIamPolicy` `metastore.databases.update` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `metastore.services.use` `metastore.tables.` `metastore.tables.create` `metastore.tables.delete` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list` `metastore.tables.setIamPolicy` `metastore.tables.update`
Dataproc Metastore Metadata Query Admin (`roles/metastore.metadataQueryAdmin`) Access to query metadata from a Dataproc Metastore service's underlying metadata store.	`metastore.services.queryMetadata`
Dataproc Metastore Metadata User (`roles/metastore.metadataUser`) Access to the Dataproc Metastore gRPC endpoint	`metastore.databases.get` `metastore.databases.list` `metastore.services.get` `metastore.services.use`
Dataproc Metastore Metadata Viewer (`roles/metastore.metadataViewer`) Access to read the metadata of databases and tables under those databases	`metastore.databases.get` `metastore.databases.getIamPolicy` `metastore.databases.list` `metastore.services.get` `metastore.services.use` `metastore.tables.get` `metastore.tables.getIamPolicy` `metastore.tables.list`
Dataproc Metastore Managed Migration Admin (`roles/metastore.migrationAdmin`) Access to Dataproc Metastore Managed Migration resources and workflow.	`cloudsql.instances.connect` `cloudsql.instances.get` `cloudsql.instances.login` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.disks.create` `compute.disks.delete` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.use` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.use` `compute.instanceGroups.delete` `compute.instanceGroups.use` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.useReadOnly` `compute.instances.create` `compute.instances.delete` `compute.instances.get` `compute.instances.setMetadata` `compute.machineTypes.list` `compute.regionBackendServices.create` `compute.regionBackendServices.delete` `compute.regionBackendServices.use` `compute.regionHealthChecks.create` `compute.regionHealthChecks.delete` `compute.regionHealthChecks.use` `compute.regionHealthChecks.useReadOnly` `compute.serviceAttachments.create` `compute.serviceAttachments.delete` `compute.subnetworks.get` `compute.subnetworks.use` `compute.zones.list` `datastream.connectionProfiles.create` `datastream.connectionProfiles.delete` `datastream.objects.*` `datastream.objects.get` `datastream.objects.list` `datastream.objects.startBackfillJob` `datastream.objects.stopBackfillJob` `datastream.operations.get` `datastream.privateConnections.create` `datastream.privateConnections.delete` `datastream.streams.create` `datastream.streams.delete` `datastream.streams.get` `datastream.streams.update`
Dataproc Metastore Viewer (`roles/metastore.user`) Read-only access to all Dataproc Metastore resources.	`metastore.backups.get` `metastore.backups.list` `metastore.federations.get` `metastore.federations.getIamPolicy` `metastore.federations.list` `metastore.imports.get` `metastore.imports.list` `metastore.locations.*` `metastore.locations.get` `metastore.locations.list` `metastore.operations.get` `metastore.operations.list` `metastore.services.export` `metastore.services.get` `metastore.services.getIamPolicy` `metastore.services.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Dataproc Metastore Admin

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.backups.use

metastore.federations.*

metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.migrations.*

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Editor

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.migrations.*

metastore.migrations.cancel
metastore.migrations.complete
metastore.migrations.delete
metastore.migrations.get
metastore.migrations.list
metastore.migrations.start

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Metastore Federation Accessor

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

Dataproc Metastore Metadata Editor

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

Dataproc Metastore Metadata Mutate Admin

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

Dataproc Metastore Metadata Operator

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Data Owner

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update

Dataproc Metastore Metadata Query Admin

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

Dataproc Metastore Metadata User

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

Dataproc Metastore Metadata Viewer

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

Dataproc Metastore Managed Migration Admin

(roles/metastore.migrationAdmin)

Access to Dataproc Metastore Managed Migration resources and workflow.

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

compute.autoscalers.create

compute.autoscalers.delete

compute.disks.create

compute.disks.delete

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.use

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.use

compute.instanceGroups.delete

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setMetadata

compute.machineTypes.list

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.use

compute.regionHealthChecks.create

compute.regionHealthChecks.delete

compute.regionHealthChecks.use

compute.regionHealthChecks.useReadOnly

compute.serviceAttachments.create

compute.serviceAttachments.delete

compute.subnetworks.get

compute.subnetworks.use

compute.zones.list

datastream.connectionProfiles.create

datastream.connectionProfiles.delete

datastream.objects.*

datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob

datastream.operations.get

datastream.privateConnections.create

datastream.privateConnections.delete

datastream.streams.create

datastream.streams.delete

datastream.streams.get

datastream.streams.update

Dataproc Metastore Viewer

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore IAM ロール

始める前に

Dataproc Metastore のロール

Dataproc Metastore Admin

Dataproc Metastore Editor

Metastore Federation Accessor

Dataproc Metastore Metadata Editor

Dataproc Metastore Metadata Mutate Admin

Dataproc Metastore Metadata Operator

Dataproc Metastore Data Owner

Dataproc Metastore Metadata Query Admin

Dataproc Metastore Metadata User

Dataproc Metastore Metadata Viewer

Dataproc Metastore Managed Migration Admin

Dataproc Metastore Viewer

次のステップ