Dataproc Metastore defines several Identity and access management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.
Identity and Access Management (IAM) also offers the ability to create customized IAM roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.
This page focuses on the IAM roles relevant to Dataproc Metastore.
Before you begin
- Read the IAM documentation.
Dataproc Metastore roles
Identity and Access Management (IAM) Dataproc Metastore roles
are a bundle of one or more permissions.
You grant roles to principals to allow them to perform actions on the
Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the
metastore.*.get and metastore.*.list permissions, which allow a user to get
and list Dataproc Metastore services, metadata imports, backups, and operations in a
project.
Basic roles
The following table lists the basic roles and the permissions associated with each role:
| Role ID | Permissions |
|---|---|
| roles/owner | metastore.*.create metastore.*.update metastore.*.delete metastore.*.get metastore.*.list metastore.*.getIamPolicy metastore.*.setIamPolicy |
| roles/editor | metastore.*.create metastore.*.update metastore.*.delete metastore.*.get metastore.*.list metastore.*.getIamPolicy |
| roles/viewer | metastore.*.get metastore.*.list metastore.*.getIamPolicy |
Notes:
- "*" signifies resource types, such as "services," "imports," "backups," "locations," or
"operations." Some permissions are not defined on certain resource types. For
example,
create,update, anddeleteare not valid permissions for "locations." - The
ownerrole allows full control of Dataproc Metastore resources and IAM policy administration. - The
editorrole allows full control of Dataproc Metastore resources. - The
viewerrole allows a user to get and list Dataproc Metastore resources and IAM policy details.
You can assign basic roles at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:
| Project Role | Permissions |
|---|---|
| Project Owner | All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing |
| Project Editor | All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use) |
| Project Viewer | All project permissions for read-only actions that preserve state (get, list) |
Predefined roles
The following table lists the Dataproc Metastore predefined (or curated) roles and the permissions associated with each role:
| Role ID | Permissions |
|---|---|
| roles/metastore.admin | metastore.*.create metastore.*.update metastore.*.delete metastore.*.get metastore.*.list metastore.*.getIamPolicy metastore.*.setIamPolicy resourcemanager.projects.get resourcemanager.projects.list |
| roles/metastore.editor | metastore.*.create metastore.*.update metastore.*.delete metastore.*.get metastore.*.list metastore.*.getIamPolicy resourcemanager.projects.get resourcemanager.projects.list |
| roles/metastore.user | metastore.*.get metastore.*.list metastore.*.getIamPolicy resourcemanager.projects.get resourcemanager.projects.list |
| roles/metastore.metadataOperator | metastore.imports.create metastore.imports.update metastore.imports.delete metastore.services.export metastore.backups.create metastore.backups.delete metastore.backups.use metastore.services.restore metastore.*.get metastore.*.list metastore.*.getIamPolicy resourcemanager.projects.get resourcemanager.projects.list |
Notes:
- "*" signifies resource types, such as "services," "imports," "backups," "locations," or
"operations." Some permissions are not defined on certain resource types. For
example,
create,update, anddeleteare not valid permissions for "locations." In addition, the only permissions associated with "operations" areget,list, anddelete. - The
metastore.adminrole grants full access to all Dataproc Metastore resources, including IAM policy administration. - The
metastore.editorrole grants read and write access to all Dataproc Metastore resources. - The
metastore.userrole grants read access to all Dataproc Metastore resources.
What's next
- Learn how to create custom IAM roles.
- Learn how to grant and manage roles.
- See the Dataproc Metastore IAM permissions mapping.