Access management
Yandex.Cloud users can only perform operations on resources that are permitted under the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden.
To allow access to Data Proc service resources (clusters and subclusters), assign the user the required roles from the list below. For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Open the Access management page for the selected cloud. If necessary, switch to another cloud.
- Select the user to assign the role to, click , and choose Configure roles.
- To add a cloud role, click in the Roles for cloud section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
- Choose a role from the list.
Roles
The list below shows all the roles used when verifying access rights in Data Proc.
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.
Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.
This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
resource-manager.clouds.owner
The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner role.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
dataproc.agent
The dataproc.agent role allows the service account assigned to the Data Proc cluster to notify the service of the status of each host in the cluster.
This role must be assigned to the service account specified when creating the cluster.
Currently, this role can only be assigned for a folder or cloud.
mdb.dataproc.agent
Warning
The mdb.dataproc.agent role will soon be discontinued. Users with this role will automatically be assigned the dataproc.agent role with the same rights.
An obsolete role granting the same rights as dataproc.agent. We don't recommend using it.
Currently, this role can only be assigned for a folder or cloud.
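As an added check (example code, not part of the Yandex.Cloud documentation or tooling), the function below inspects a folder's access bindings and reports whether a cluster's service account holds dataproc.agent, still holds only the obsolete mdb.dataproc.agent, or has no agent role at all. The JSON shape is an assumption about the output of `yc resource-manager folder list-access-bindings <folder> --format json`, and the sample bindings and subject IDs are constructed placeholders.

```python
import json

# Role the cluster's service account must hold on the folder or cloud,
# and the obsolete role the page says is being replaced by it.
AGENT_ROLE = "dataproc.agent"
OBSOLETE_AGENT_ROLE = "mdb.dataproc.agent"

# Constructed sample in the shape assumed for
# `yc resource-manager folder list-access-bindings <folder> --format json`:
# a list of {"role_id": ..., "subject": {"id": ..., "type": ...}} objects.
SAMPLE_BINDINGS = json.dumps([
    {"role_id": "editor",
     "subject": {"id": "user-placeholder", "type": "userAccount"}},
    {"role_id": "mdb.dataproc.agent",
     "subject": {"id": "old-sa-placeholder", "type": "serviceAccount"}},
    {"role_id": "dataproc.agent",
     "subject": {"id": "new-sa-placeholder", "type": "serviceAccount"}},
])


def agent_roles_for(bindings_json, service_account_id):
    """Return the set of agent roles bound to the given service account."""
    roles = set()
    for binding in json.loads(bindings_json):
        subject = binding.get("subject", {})
        # Only service-account subjects count; a user holding the role does
        # not satisfy the cluster's requirement.
        if subject.get("type") != "serviceAccount":
            continue
        if subject.get("id") != service_account_id:
            continue
        if binding.get("role_id") in (AGENT_ROLE, OBSOLETE_AGENT_ROLE):
            roles.add(binding["role_id"])
    return roles


def check_cluster_agent(bindings_json, service_account_id):
    """Classify the binding as 'ok', 'obsolete' (needs migration) or 'missing'."""
    roles = agent_roles_for(bindings_json, service_account_id)
    if AGENT_ROLE in roles:
        return "ok"
    if OBSOLETE_AGENT_ROLE in roles:
        return "obsolete"
    return "missing"


if __name__ == "__main__":
    for sa_id in ("new-sa-placeholder", "old-sa-placeholder", "user-placeholder"):
        print(sa_id, "->", check_cluster_agent(SAMPLE_BINDINGS, sa_id))
```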
viewer
Users with the viewer role can connect to hosts in the Data Proc cluster if its SSH keys are linked to this cluster.
editor
Users with the editor role can manage any resource, including creating clusters and creating and deleting their subclusters.
The editor role also includes all viewer role permissions.
admin
Users with the admin role can manage resource access rights, including allowing other users to create Data Proc clusters and to view information about user rights.
The admin role also includes all editor role permissions.