Google Cloud Data Fusion instance level access control

Overview

This document describes best practice for Cloud Data Fusion (CDF) instance-level access control, based on the ACL capability that Cloud Data Fusion provided at the time this article was written.

Goals to achieve

  • Project admin can create, update, upgrade and delete CDF instances.

  • Project admin can grant an individual user access to an instance, so that the user can view the details of the CDF instance and create and run pipelines in it.

  • All other users can see all CDF instances of the project but can only access the instances they have permissions to (granted by the project admin).

How to achieve the Goals

  • Grant the project admin the Owner role of the project

If the project admin is the one who created the project, then they are already granted the “Owner” role on the project by default. Otherwise, the creator can assign the “Owner” role on the project to the project admin on the IAM & Admin page.

Refer to “Using basic roles” for details.

  • Create a custom role that contains only “datafusion.instances.list” and grant it to all users on the project

The project admin creates a custom role that contains only the “datafusion.instances.list” permission.

Note: to create a custom role, you need to select an existing role as the template and choose from the permissions it contains. Here we use the “Cloud Data Fusion Viewer” role as the template.

Refer to “Creating and managing custom roles” for details.

Grant this role to all the other users on the IAM & Admin page so that they can see (list) all the CDF instances in the project. This does not mean they can see the details of a CDF instance or access its CDF UI.

  • Create a custom role that contains only “datafusion.instances.get” and grant it to individual users on individual CDF instances

The project admin creates a custom role that contains only the “datafusion.instances.get” permission. This is done the same way as in the previous step. This permission allows the user to see the details of the CDF instance and access its CDF UI (to create and run pipelines).

As in the previous step, refer to “Creating and managing custom roles” for how to create custom roles.

The project admin then grants this role to individual users on individual CDF instances (created by the project admin). Those users can then see the details of, and create and run pipelines on, only those CDF instances. This can only be done through the setIamPolicy API:

resource is the resource path of the CDF instance, in the format:

projects/${project-id}/locations/${instance-region}/instances/${instance-id}

project-id can be found on the Dashboard.

instance-region and instance-id can be found on the Instance Details page.

role-id can be found on the role details page.

The setIamPolicy API overwrites the entire set of bindings by default, so each time you grant the role to a new user, also include the existing users in the members list. You can get the existing bindings with the getIamPolicy API.
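
The read-modify-write step described above, as an added example (not code from the original article or from Google): it merges one new member into the policy returned by getIamPolicy, builds the setIamPolicy request body, and checks that no existing grant would be dropped. The project, region, instance, role and user names are placeholders, the sample policy is constructed, and no network call is made.

```python
import copy

API = "https://datafusion.googleapis.com/v1"  # Cloud Data Fusion REST endpoint
ROLE = "projects/example-project/roles/cdfInstanceGet"  # placeholder custom role
# Constructed sample of a getIamPolicy response for one instance.
EXISTING = {"etag": "CONSTRUCTED_ETAG",
            "bindings": [{"role": ROLE, "members": ["user:alice@example.com"]}]}

def instance_resource(project_id, region, instance_id):
    """Resource path in the format given above."""
    return f"projects/{project_id}/locations/{region}/instances/{instance_id}"

def grant(policy, role, member):
    """Return a setIamPolicy request body that adds `member` to `role`
    and keeps every binding already present in `policy` (the getIamPolicy
    response). The input policy is not modified."""
    new = copy.deepcopy(policy or {})
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        # Merge only into the unconditional binding for this role.
        if b.get("role") == role and "condition" not in b:
            if member not in b.setdefault("members", []):
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    # The etag read from getIamPolicy stays in the body, so the write is
    # rejected if the policy changed in between instead of overwriting it.
    return {"policy": new}

def revoked_by(old_policy, request_body):
    """(role, member) pairs present before but absent from the request.
    A non-empty result means the write would remove someone's access."""
    def pairs(p):
        return {(b["role"], m)
                for b in p.get("bindings", []) for m in b.get("members", [])}
    return pairs(old_policy) - pairs(request_body["policy"])

if __name__ == "__main__":
    res = instance_resource("example-project", "us-central1", "example-instance")
    body = grant(EXISTING, ROLE, "user:bob@example.com")
    print("POST", f"{API}/{res}:setIamPolicy")
    print(body)
    # A body listing only the new user would silently revoke alice:
    naive = {"policy": {"bindings": [{"role": ROLE,
                                      "members": ["user:bob@example.com"]}]}}
    print("naive write drops:", revoked_by(EXISTING, naive))
```

Running revoked_by on the request body before sending it gives the project admin a quick check that a grant does not also act as a revocation.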