我正在尝试使用https://github.com/googleapis/java-dataproc库创建一个数据过程集群,下面的示例如下:https://github.com/googleapis/java-dataproc/blob/main/samples/snippets/src/main/java/CreateCluster.java
我的(翻译成scala)代码:
import com.google.cloud.dataproc.v1._
object CreateCluster extends App {
val projectId = "my-project-id"
val region = "europe-west1"
val clusterName = "test-cluster"
val regionEndpoint = s"$region-dataproc.googleapis.com:443"
val clusterControllerSettings = ClusterControllerSettings.newBuilder()
.setEndpoint(regionEndpoint)
.build()
val clusterControllerClient = ClusterControllerClient.create(clusterControllerSettings)
val masterConfig = InstanceGroupConfig.newBuilder.setMachineTypeUri("n1-standard-2").setNumInstances(1).build
val workerConfig = InstanceGroupConfig.newBuilder.setMachineTypeUri("n1-standard-2").setNumInstances(2).build
val clusterConfig = ClusterConfig.newBuilder.setMasterConfig(masterConfig).setWorkerConfig(workerConfig).build
val cluster = Cluster.newBuilder().setClusterName(clusterName).setConfig(clusterConfig).build()
val createClusterAsyncRequest = clusterControllerClient.createClusterAsync(projectId, region, cluster)
val createResponse: Cluster = createClusterAsyncRequest.get()
println(s"Created cluster: ${createResponse.getClusterName}")
clusterControllerClient.close()
}
我得到了io.grpc.StatusRuntimeException: PERMISSION_DENIED: Required 'compute.regions.get' permission for 'projects/my-project/regions/europe-west1'。
我不清楚这里到底是什么意思:https://github.com/googleapis/java-dataproc#authorization。我想让它在我的桌面上工作,所以我所做的是运行gcloud auth application-default login --scopes https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/compute.readonly。
我确信我的"正常"用户具有必要的权限,因为我已经执行了一个"区域"。从这个页面:https://cloud.google.com/compute/docs/reference/rest/v1/regions/get获取'为我的项目/地区,并可以创建dataproc集群不使用Java库没有问题。
我显然错过了一些东西,可能是一些明显的东西,但我卡住了,所以任何帮助都会非常感激!
编辑1:
gcloud auth application-default login不指定——scope会导致相同的权限错误
编辑2:
我仍然不知道为什么我得到compute.regions.get权限缺失错误。
我已经写了一些代码,似乎表明我有必要的权限时,使用getApplicationDefault:
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.services.compute.Compute
import com.google.auth.http.HttpCredentialsAdapter
import com.google.auth.oauth2.GoogleCredentials.getApplicationDefault
object GetRegions extends App {
val project = "my-project-id"
val region = "europe-west1"
val httpTransport = GoogleNetHttpTransport.newTrustedTransport
val jsonFactory = GsonFactory.getDefaultInstance
val httpCredentials = new HttpCredentialsAdapter(getApplicationDefault)
val computeService = new Compute.Builder(httpTransport, jsonFactory, httpCredentials).build
val request = computeService.regions.get(project, region)
val response = request.execute
System.out.println(response) // This successfully prints out details
}
结果是缺少此权限的是dataproc服务代理的权限,而不是我的用户(这些权限已从默认权限修改)。
看到https://cloud.google.com/dataproc/docs/concepts/iam/dataproc-principals service_agent_control_plane_identity .
在创建集群时未显式设置zone似乎意味着该服务帐户需要compute.regions.get权限。显式设置一个区域意味着它没有。