Dataproc Metastore IAM 角色

Dataproc Metastore 定义了多个 Identity and Access Management (IAM) 角色。每个预定义角色都包含一组允许主帐号执行特定操作的 IAM 权限。您可以使用 IAM 政策为主帐号指定一个或多个 IAM 角色。

Identity and Access Management (IAM) 还提供创建自定义 IAM 角色的功能。您可以创建自定义 IAM 角色,并为该角色分配一项或多项权限。然后,您可以将新创建的角色授予主帐号。使用自定义角色可创建访问权限控制模型,该模型将直接映射到您的需求以及可用的预定义角色。

本页面重点介绍与 Dataproc Metastore 相关的 IAM 角色。

准备工作

  • 阅读 IAM 文档。

Dataproc Metastore 角色

Identity and Access Management (IAM) Dataproc Metastore 角色是一个或多个权限的集合。您为主帐号授予角色,以允许他们对项目中的 Dataproc Metastore 资源执行操作。例如,Dataproc Metastore User 角色包含 metastore.*.getmetastore.*.list 权限,这些权限允许用户获取和列出项目中的 Dataproc Metastore 服务、元数据导入、备份和操作。

下表列出了所有 Dataproc Metastore 角色以及与每个角色关联的权限:

角色 权限

(roles/metastore.admin)

拥有对所有 Dataproc Metastore 资源的完整访问权限。

metastore.backups.*

  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.getIamPolicy
  • metastore.backups.list
  • metastore.backups.setIamPolicy
  • metastore.backups.use

metastore.federations.*

  • metastore.federations.create
  • metastore.federations.delete
  • metastore.federations.get
  • metastore.federations.getIamPolicy
  • metastore.federations.list
  • metastore.federations.setIamPolicy
  • metastore.federations.update
  • metastore.federations.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.editor)

拥有对所有 Dataproc Metastore 资源的读取和写入权限。

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.*

  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.operations.get
  • metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.federationAccessor)

拥有对 Metastore Federation 资源的访问权限。

metastore.federations.use

roles/metastore.metadataEditor

拥有读取和修改数据库元数据以及这些数据库下各个表的权限。

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

(roles/metastore.metadataMutateAdmin)

可以更改 Dataproc Metastore 服务的底层元数据存储区中的元数据。

metastore.services.mutateMetadata

(roles/metastore.metadataOperator)

拥有对 Dataproc Metastore 资源的只读权限以及其他元数据操作权限。

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

  • metastore.imports.create
  • metastore.imports.get
  • metastore.imports.list
  • metastore.imports.update

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

roles/metastore.metadataOwner

拥有对数据库元数据以及这些数据库下各个表的完整访问权限。

metastore.databases.*

  • metastore.databases.create
  • metastore.databases.delete
  • metastore.databases.get
  • metastore.databases.getIamPolicy
  • metastore.databases.list
  • metastore.databases.setIamPolicy
  • metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

  • metastore.tables.create
  • metastore.tables.delete
  • metastore.tables.get
  • metastore.tables.getIamPolicy
  • metastore.tables.list
  • metastore.tables.setIamPolicy
  • metastore.tables.update

(roles/metastore.metadataQueryAdmin)

可以查询 Dataproc Metastore 服务的底层元数据存储区中的元数据。

metastore.services.queryMetadata

roles/metastore.metadataUser

拥有对 Dataproc Metastore gRPC 端点的访问权限

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

roles/metastore.metadataViewer

拥有读取数据库元数据以及这些数据库下各个表的权限

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

(roles/metastore.user)

拥有对所有 Dataproc Metastore 资源的只读权限。

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

  • metastore.locations.get
  • metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

后续步骤