This document describes best practices for Cloud Data Fusion (CDF) instance-level access control, based on the ACL capability that Cloud Data Fusion provides at the time of writing.
Goals to achieve
Project admin can create, update, upgrade and delete CDF instances.
Project admin can grant individual users permission on a specific instance, allowing them to view the details of that CDF instance and to create and run pipelines in it.
All other users can see all CDF instances in the project but can only access the instances they have been granted permission to (by the project admin).
How to achieve
Project admin can be the user who created the project, or the “Owner” role can be assigned to an admin on the project on the IAM & Admin page.
Project admin creates a custom role which contains only the “datafusion.instances.list” permission:
Note: to create a custom role, you select an existing role as the template and choose which of its permissions to keep. Here we use the “Cloud Data Fusion Viewer” role as the template.
Grant this role to all other users on the IAM & Admin page so that they can see all the CDF instances in the project. (This does not mean they can see the details of an instance or access its CDF UI.)
Project admin creates a custom role which contains only the “datafusion.instances.get” permission, in the same way as in the tip above. This permission allows a user to see the details of a CDF instance and access its CDF UI (to create and run pipelines). Project admin then grants this role to individual users on individual CDF instances. This can only be done through the setIamPolicy API:
resource is the resource path of the CDF instance; the format is:
instance-region and instance-id can be found on the Instance Details page:
role-id can be found on the role details page:
setIamPolicy overwrites the whole set of bindings by default, so every time you grant the role to a new user, please also include the existing users in the members list. You can get the existing bindings with the getIamPolicy API.
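As an added example (not part of the original document), a small Python read-modify-write that does what the paragraph above describes: fetch the current bindings with getIamPolicy, add one member to the custom role, and write the whole policy back with setIamPolicy so no existing user is dropped. The resource and role name formats follow the Cloud Data Fusion and IAM REST APIs; the FakeDataFusion class, the project, instance and user names and the etag values are constructed placeholders so the flow can be run offline.

```python
import copy

API = "https://datafusion.googleapis.com/v1"

def instance_resource(project, region, instance_id):
    """Resource name of a CDF instance as used by the Data Fusion REST API."""
    return f"projects/{project}/locations/{region}/instances/{instance_id}"

def custom_role(project, role_id):
    """Full name of a project-level custom role (e.g. the instances.get role)."""
    return f"projects/{project}/roles/{role_id}"

def add_member(policy, role, member):
    """Return a copy of `policy` with `member` added under `role`.
    All other bindings and the etag are kept, which is what makes the
    following setIamPolicy call safe: it replaces the whole policy."""
    merged = copy.deepcopy(policy)
    for binding in merged.setdefault("bindings", []):
        if binding.get("role") == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return merged
    merged["bindings"].append({"role": role, "members": [member]})
    return merged

def grant_on_instance(resource, role, member, post):
    """getIamPolicy -> merge one binding -> setIamPolicy.
    `post(url, body)` performs an authenticated POST and returns the JSON
    reply (in real use wrap e.g. a google-auth AuthorizedSession)."""
    current = post(f"{API}/{resource}:getIamPolicy", {})
    return post(f"{API}/{resource}:setIamPolicy",
                {"policy": add_member(current, role, member)})

class FakeDataFusion:
    """Constructed in-memory stand-in for the API, for running offline.
    Like the real service it rejects a write whose etag is stale."""
    def __init__(self, policy):
        self.policy, self.version = policy, 1
    def post(self, url, body):
        if url.endswith(":getIamPolicy"):
            return dict(copy.deepcopy(self.policy), etag=f"v{self.version}")
        if url.endswith(":setIamPolicy"):
            new = body["policy"]
            if new.get("etag") != f"v{self.version}":
                raise RuntimeError("ABORTED: policy modified concurrently")
            self.policy = {"bindings": new["bindings"]}
            self.version += 1
            return dict(copy.deepcopy(self.policy), etag=f"v{self.version}")
        raise ValueError(f"unexpected url {url}")
```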