Access management in Data Proc
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user does not have any roles assigned, almost all operations are forbidden.
To allow access to Data Proc resources (clusters or subclusters), assign the Yandex account, service account, federated users, user group, or system group the required roles from the list below. Currently, a role can only be assigned to a parent resource (folder or cloud). Roles are inherited by nested resources.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click
- Select a user from the list or search by user.
- Click
- Select a role in the cloud.
- Click Save.
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in the Data Proc service.
Service roles
dataproc.agent
The dataproc.agent role allows the service account assigned to the Data Proc cluster to notify the service of the status of each host in the cluster.
This role must be assigned to the service account specified when creating the cluster.
Currently, this role can only be assigned for working with a folder or a cloud.
mdb.dataproc.agent
The mdb.dataproc.agent role will soon be discontinued. Users with this role will automatically be assigned the dataproc.agent role with the same rights. We do not recommend using this role.
Currently, this role can only be assigned for working with a folder or a cloud.
dataproc.auditor
The dataproc.auditor role enables you to view information about clusters and jobs (with no access to job content).
dataproc.viewer
The dataproc.viewer role enables you to view information about clusters and quotas.
dataproc.user
The dataproc.user role provides access to the Data Proc component web interfaces and enables you to create jobs. It includes the dataproc.viewer role.
dataproc.provisioner
The dataproc.provisioner role grants access to the API to create, update, and delete Data Proc cluster objects.
dataproc.editor
The dataproc.editor role enables you to create, edit, and delete clusters and jobs, view information about them, and provides access to the Data Proc component web interfaces. It includes the dataproc.viewer role.
dataproc.admin
The dataproc.admin role enables you to create, edit, and delete clusters and jobs, view information about them, provides access to the Data Proc component web interfaces, and manages access to clusters. It includes the dataproc.editor role.
managed-metastore.auditor
The managed-metastore.auditor role enables you to view information about clusters and quotas.
managed-metastore.viewer
The managed-metastore.viewer role enables you to view information about clusters, their runtime logs, and quotas.
managed-metastore.editor
The managed-metastore.editor role enables you to edit and delete clusters and view information about clusters, their runtime logs, and quotas. This role includes the managed-metastore.viewer role. To create clusters, you also need the vpc.user role.
managed-metastore.admin
The managed-metastore.admin role enables you to edit and delete clusters, view information about clusters, their runtime logs, and quotas, as well as manage cluster access. This role includes the managed-metastore.editor role. To create clusters, you also need the vpc.user role.
mdb.auditor
The mdb.auditor role grants the minimum permissions required to view information about managed database clusters (without access to data or runtime logs).
Users with this role can view information about managed database clusters, quotas, and folders.
It includes the permissions of the managed-elasticsearch.auditor, managed-opensearch.auditor, managed-kafka.auditor, managed-mysql.auditor, managed-sqlserver.auditor, managed-postgresql.auditor, managed-greenplum.auditor, managed-clickhouse.auditor, managed-redis.auditor, and managed-mongodb.auditor roles.
mdb.viewer
The mdb.viewer role grants read access to managed database clusters and cluster runtime logs.
Users with this role can read from databases, inspect the logs of managed database clusters, and view information about clusters, quotas, and folders.
It includes the permissions of the mdb.auditor, managed-elasticsearch.viewer, managed-opensearch.viewer, managed-kafka.viewer, managed-mysql.viewer, managed-sqlserver.viewer, managed-postgresql.viewer, managed-greenplum.viewer, managed-clickhouse.viewer, managed-redis.viewer, managed-mongodb.viewer, and dataproc.viewer roles.
mdb.admin
The mdb.admin role grants full access to managed database clusters.
Users with this role can create, edit, delete, run, and stop managed database clusters, manage cluster access, read and write to databases, and view information about clusters, runtime logs, quotas, and folders.
It includes the permissions of the mdb.viewer, vpc.user, managed-elasticsearch.admin, managed-opensearch.admin, managed-kafka.admin, managed-mysql.admin, managed-sqlserver.admin, managed-postgresql.admin, managed-greenplum.admin, managed-clickhouse.admin, managed-redis.admin, managed-mongodb.admin, and dataproc.admin roles.
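The role inclusions above, together with inheritance from cloud to folder, decide what a principal can actually do on a Data Proc cluster. The following added example (not Yandex Cloud code) resolves the effective role set for a principal and flags a cluster service account that holds more than dataproc.agent; the binding records, subject names and resource IDs are constructed, and only the inclusions relevant to Data Proc and Metastore are modelled.

```python
# Added example (not Yandex Cloud code): compute the effective Data Proc roles a
# principal holds from the inclusions listed above plus cloud -> folder inheritance,
# then flag a cluster service account holding more than dataproc.agent.
# Only inclusions relevant to Data Proc/Metastore are modelled; bindings are constructed.

# "role X includes role Y", as stated in the role descriptions on this page.
INCLUDES = {
    "dataproc.user": {"dataproc.viewer"},
    "dataproc.editor": {"dataproc.viewer"},
    "dataproc.admin": {"dataproc.editor"},
    "managed-metastore.editor": {"managed-metastore.viewer"},
    "managed-metastore.admin": {"managed-metastore.editor"},
    "mdb.viewer": {"mdb.auditor", "dataproc.viewer"},
    "mdb.admin": {"mdb.viewer", "vpc.user", "dataproc.admin"},
}

# All a Data Proc cluster service account needs (least privilege).
CLUSTER_SA_ROLES = {"dataproc.agent"}

def expand(roles):
    """Transitive closure of the inclusion graph: every role implied by `roles`."""
    effective, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in effective:
            effective.add(role)
            todo.extend(INCLUDES.get(role, ()))
    return effective

def effective_roles(bindings, subject, cloud_id, folder_id):
    """bindings: iterable of (resource_id, subject, role) tuples.
    A folder inherits bindings from its parent cloud, so both resources count."""
    direct = {role for res, subj, role in bindings
              if subj == subject and res in (cloud_id, folder_id)}
    return expand(direct)

def audit_cluster_sa(bindings, subject, cloud_id, folder_id):
    """Return (missing, excess) for a cluster service account: roles it still
    needs, and roles beyond dataproc.agent that it should not hold."""
    have = effective_roles(bindings, subject, cloud_id, folder_id)
    return CLUSTER_SA_ROLES - have, have - CLUSTER_SA_ROLES

# Constructed bindings: folder "folder-1" lives in cloud "cloud-a".
BINDINGS = [
    ("cloud-a", "serviceAccount:sa-cluster", "dataproc.agent"),
    ("cloud-a", "serviceAccount:sa-cluster", "mdb.admin"),     # over-privileged
    ("folder-1", "userAccount:analyst", "dataproc.user"),
    ("cloud-b", "serviceAccount:sa-other", "dataproc.agent"),  # unrelated cloud
]
```

Running `audit_cluster_sa(BINDINGS, "serviceAccount:sa-cluster", "cloud-a", "folder-1")` reports no missing role but seven excess roles pulled in through mdb.admin, which is the kind of binding to remove from a cluster service account.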
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows you to manage resources, e.g., create, edit, and delete them.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.