Dataproc Metastore defines several Identity and Access Management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.
Identity and Access Management (IAM) also offers the ability to create customized IAM roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.
This page focuses on the IAM roles relevant to Dataproc Metastore.
Before you begin
- Read the IAM documentation.
Dataproc Metastore roles
Identity and Access Management (IAM) Dataproc Metastore roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the metastore.*.get and metastore.*.list permissions, which allow a user to get and list Dataproc Metastore services, metadata imports, backups, and operations in a project.
Basic roles
The following table lists the basic roles and the permissions associated with each role:
Role ID | Permissions |
---|---|
roles/owner | metastore.*.create |
roles/editor | metastore.*.create |
roles/viewer | metastore.*.get |
Notes:
- "*" signifies resource types, such as "services," "imports," "backups," "locations," or "operations." Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations." In addition, the only permissions associated with "operations" are get, list, cancel, and delete.
- The owner role allows full control of Dataproc Metastore resources and IAM policy administration.
- The editor role allows full control of Dataproc Metastore resources.
- The viewer role allows a user to get and list Dataproc Metastore resources and IAM policy details.
You can assign basic roles at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:
Project Role | Permissions |
---|---|
Project Owner | All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing |
Project Editor | All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use) |
Project Viewer | All project permissions for read-only actions that preserve state (get, list) |
Predefined roles
The following table lists the Dataproc Metastore predefined (or curated) roles and the permissions associated with each role:
Role ID | Permissions |
---|---|
roles/metastore.admin | metastore.services.create |
roles/metastore.editor | metastore.services.create |
roles/metastore.user | metastore.services.get |
roles/metastore.metadataOperator | metastore.services.get |
Notes:
- Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations." In addition, the only permissions associated with "operations" are get, list, cancel, and delete.
- The metastore.admin role grants full access to all Dataproc Metastore resources, including IAM policy administration.
- The metastore.editor role grants read and write access to all Dataproc Metastore resources.
- The metastore.user role grants read access to all Dataproc Metastore resources.
- The metastore.metadataOperator, metastore.metadataOwner, and metastore.metadataEditor roles grant read and modify access to the metadata of databases and tables under those databases.
- The metastore.metadataViewer and metastore.metadataUser roles grant read access to the metadata of databases and tables under those databases.
Predefined roles for metadata resources
The following table lists the Dataproc Metastore predefined (or curated) roles for metadata resources and details associated with each role:
Predefined role | Description | Permissions | Operations a principal can perform when this role is assigned to them |
---|---|---|---|
Metadata Owner role (metastore.metadataOwner) | Grants full access to the metadata resources and their IAM policies. | metastore.services.get | In a service: |
Metadata Editor role (metastore.metadataEditor) | Grants access to a principal to create and modify metadata resources. | metastore.services.get | In a service: |
Metadata Viewer role (metastore.metadataViewer) | Grants access to a principal to view metadata resources. | metastore.services.get | In a service: |
Metadata User role (metastore.metadataUser) | Grants access to a principal to use a Dataproc Metastore service's gRPC endpoint. Must be granted in the service-level policy or above. | metastore.services.get | In a service: |
Federation Accessor role (metastore.federationAccessor) | Grants access to the metastore federation resource. Must be granted in the service-level policy or above. | metastore.federations.use | Grants access to the metastore federation resource. |
- "*" signifies methods, such as "create," "update," "delete," "get," or "list."
- The databases and tables permissions are used with gRPC-enabled Dataproc Metastore services. They have no effect when used with services using Thrift endpoints.
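Two rows of the table above carry a placement constraint: metastore.metadataUser and metastore.federationAccessor must be granted in the service-level policy or above, so a binding set lower in the hierarchy looks correct in a policy dump but grants nothing. The following added example, which is not code from the Google Cloud documentation, models that rule over a small set of constructed bindings: it computes the roles a member effectively holds on a resource (own bindings plus inherited ancestor bindings) and flags service-or-above roles bound below a service. The project > service > database > table path layout, the example project and service names, and the user identities are all constructed for illustration.

```python
"""Evaluate where Dataproc Metastore roles are bound in the resource hierarchy.

Added example, not code from the Google Cloud documentation. It models the
page's statement that metastore.metadataUser and metastore.federationAccessor
only take effect when granted in the service-level policy or above. The
project > service > database > table layout and the bindings are constructed
for illustration.
"""
from dataclasses import dataclass

# Collection names in an (assumed) resource path, ordered top to bottom.
LEVEL_RANK = {"projects": 0, "services": 1, "databases": 2, "tables": 3}

# Roles the page says must be granted at service level or above.
SERVICE_OR_ABOVE = {"roles/metastore.metadataUser", "roles/metastore.federationAccessor"}


@dataclass(frozen=True)
class Binding:
    resource: str  # e.g. "projects/p/locations/l/services/s/databases/d"
    role: str
    member: str


def level(resource: str) -> str:
    """Collection of the resource the path names (its second-to-last segment)."""
    parts = resource.split("/")
    if len(parts) % 2 or parts[-2] not in LEVEL_RANK:
        raise ValueError(f"unrecognised resource path: {resource!r}")
    return parts[-2]


def is_ancestor_or_self(resource: str, target: str) -> bool:
    """True when a binding on `resource` is inherited by (or is) `target`."""
    return target == resource or target.startswith(resource + "/")


def misplaced(bindings: list[Binding]) -> list[Binding]:
    """Bindings of service-or-above roles that sit below the service level."""
    return [
        b for b in bindings
        if b.role in SERVICE_OR_ABOVE
        and LEVEL_RANK[level(b.resource)] > LEVEL_RANK["services"]
    ]


def effective_roles(bindings: list[Binding], member: str, target: str) -> set[str]:
    """Roles `member` actually holds on `target`, including inherited ones.

    Bindings flagged by misplaced() are ignored, mirroring the page's note.
    """
    dropped = set(misplaced(bindings))
    return {
        b.role for b in bindings
        if b.member == member
        and b not in dropped
        and is_ancestor_or_self(b.resource, target)
    }


# Constructed sample policy (not real identities or projects).
PROJECT = "projects/example-project"
SERVICE = PROJECT + "/locations/us-central1/services/example-service"
DATABASE = SERVICE + "/databases/sales"

BINDINGS = [
    Binding(PROJECT, "roles/metastore.user", "user:dave@example.com"),
    Binding(SERVICE, "roles/metastore.metadataUser", "user:alice@example.com"),
    Binding(DATABASE, "roles/metastore.metadataViewer", "user:carol@example.com"),
    # Wrong level: metadataUser below a service has no effect.
    Binding(DATABASE, "roles/metastore.metadataUser", "user:bob@example.com"),
]


if __name__ == "__main__":
    for b in misplaced(BINDINGS):
        print(f"{b.member}: {b.role} bound at {level(b.resource)} level is ineffective")
    print(effective_roles(BINDINGS, "user:dave@example.com", DATABASE))
```

Run against an exported policy, misplaced() is the check to add to a policy review: it surfaces grants that neither work nor show up as errors, which is where a principal ends up being handed a broader role at a higher level "to make it work".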
What's next
- Learn how to create custom IAM roles.
- Learn how to grant and manage roles.
- See the Dataproc Metastore IAM permissions mapping.