Permissions Management
If you need to give different employees in your enterprise different access permissions on the DataArts Studio resources you have purchased, so that permissions are isolated between employees, you can use Identity and Access Management (IAM) for fine-grained permission management. IAM provides identity authentication, permission assignment, and access control, helping you securely control access to your Huawei Cloud resources.
With IAM, you can create IAM users under your Huawei Cloud account and grant them permissions that control the scope of their access to Huawei Cloud resources. For example, if some of your employees are software developers and you want them to use DataArts Studio but not to perform high-risk operations such as deleting workspaces, you can create IAM users for the developers and grant them permissions that allow them to use the DataArts Studio service but not to delete workspaces, thereby restricting the scope of their use of DataArts Studio resources.
IAM is the basic permission management service provided by Huawei Cloud and is free of charge; you pay only for the resources in your account. For details about IAM, see the IAM product introduction.
DataArts Studio Permissions
By default, an IAM user created by the administrator has no permissions. To grant permissions, add the user to a user group and assign policies or roles to that group; the users in the group then obtain the corresponding permissions. This process is called authorization. After authorization, users can operate on cloud services based on the permissions they have been granted.
DataArts Studio is deployed by physical region and is a project-level service. When granting permissions, set Scope to Region-specific projects and then configure the permissions in the project corresponding to the target region; the permissions take effect only in that project. If you configure the permissions under All projects, they take effect in the projects of all regions. To access DataArts Studio, first switch to the authorized region.
DataArts Studio supports only system-role-based authorization, not policy-based authorization. To achieve fine-grained permission control, DataArts Studio provides system role plus workspace role authorization: the specific operation permissions are granted through workspace roles, and custom workspace roles with different permission points are supported.
- IAM roles: the coarse-grained authorization mechanism originally provided by IAM, which defines permissions according to users' job responsibilities. It works at the granularity of a service and offers a limited number of service-specific roles for authorization. Traditional IAM roles cannot meet users' requirements for fine-grained authorization and cannot fully satisfy enterprises' security requirement of least privilege.
- IAM policies: the fine-grained authorization capability newly provided by IAM, which can be precise down to the operations, resources, and request conditions of a specific service. Policy-based authorization is more flexible and can satisfy enterprises' security requirement of least privilege.

| System role | Description | Category |
|---|---|---|
| DAYU Administrator | Instance administrator, with all management permissions on DataArts Studio instances and workspaces, permissions on dependent services, and all business operation permissions in all workspaces. Note: Tenant Administrator has all operation permissions on every service except IAM, so a user with the Tenant Administrator permission also has all operation permissions on DataArts Studio. | System role |
| DAYU User | Ordinary user, with view permissions on DataArts Studio instances and workspaces, plus permissions on dependent services. An ordinary user must be assigned a workspace role before obtaining that role's business operation permissions. A workspace has five preset roles (Administrator, Developer, Deployer, Operator, and Visitor) as well as custom roles; each role is introduced below, and the specific operation permissions are given in the permission list. | System role |
Roles or policies on which DataArts Studio console functions depend
Table 2 lists the permissions on dependent services that each DataArts Studio component requires. In practice, it is recommended to grant developer users the minimum permissions on the dependent services at the DataArts Studio service level (see Configuring Minimum Permissions for a User); Table 3 lists the minimum dependent-service permissions for developer users.
In practice, the DAYU Administrator and DAYU User system roles already come with administrator permissions on the dependent services. To avoid the risk that an ordinary user or user group granted the DAYU User system role ends up with excessive dependent-service permissions, you can, after granting a user group the DAYU User system role, manually remove the group's dependent-service permissions and then grant it the minimum required set of dependent-service permissions.
| Console function | Dependent service | Required role/policy | Specific function |
|---|---|---|---|
| Management Center | BSS | bss:coupon:view bss:renewal:update bss:discount:view bss:order:view bss:order:pay bss:order:update | Creating incremental packages or DataArts Studio instances |
| Management Center | KMS | kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt | Using KMS encryption and decryption when creating data connections |
| Management Center | DWS | dws:cluster:list dws:cluster:getdetail dws:openapicluster:getdetail | Creating DWS data connections |
| Management Center | MRS | mrs:cluster:get mrs:cluster:list | Creating MRS data connections |
| Management Center | VPC | vpc:publicips:get vpc:publicips:list vpc:vpcs:get vpc:subnets:get | Creating MRS data connections |
| Management Center | RDS | rds:*:get rds:*:list | Creating RDS data connections |
| Data Integration | VPC | vpc:publicips:get vpc:publicips:list vpc:vpcs:get vpc:vpcs:list vpc:subnets:get vpc:securitygroups:get vpc:firewalls:list vpc:routetables:list vpc:subnetworkinterfaces:list | Creating CDM clusters or DataArts Studio instances |
| Data Integration | ECS | ecs:flavors:get ecs:cloudserverflavors:get ecs:availabilityzones:list | Creating CDM clusters or DataArts Studio instances |
| Data Integration | CDM | cdm:cluster:create | Creating CDM clusters |
| Data Integration | KMS | kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt | Using KMS encryption and decryption when creating data connections |
| Data Integration | MRS | mrs:cluster:get mrs:cluster:list mrs:job:get mrs:job:list | Creating MRS data connections |
| Data Integration | DWS | dws:cluster:list dws:cluster:getdetail dws:openapicluster:getdetail | Creating DWS data connections |
| Data Integration | CDM | cdm:cluster:get cdm:cluster:list cdm:link:operate cdm:job:operate | CDM service permissions are required for operations performed through the CDM console |
| Data Integration | CES | ces:*:get ces:*:list | Viewing CES monitoring |
| Data Integration | CSS | css:*:get css:*:list | Creating CSS connections |
| Data Integration | CloudTable | cloudtable:*:get cloudtable:*:list | Creating CloudTable connections |
| Data Integration | RDS | rds:*:get rds:*:list | Creating RDS connections |
| Data Integration | Config | rms:resources:list | Creating CDM clusters |
| Data Development | OBS | obs:object:getobject obs:object:putobject obs:bucket:getbucketlocation obs:bucket:listallmybuckets obs:bucket:listbucket obs:bucket:createbucket | Running scripts, running jobs, and backing up jobs |
| Data Development | SMN | smn:topic:publish smn:topic:list | Job notifications |
| Data Development | KMS | kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt | Using KMS encryption and decryption when creating data connections |
| Data Development | MRS | mrs:cluster:get mrs:cluster:list mrs:job:submit mrs:job:delete mrs:job:stop mrs:sql:execute mrs:sql:cancel mrs:job:get mrs:job:list | Running MRS job nodes: MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, MRS MapReduce, MRS Spark SQL, MRS Hive SQL |
| Data Development | DLI | dli:queue:submitjob dli:jobs:create dli:jobs:update dli:jobs:get dli:jobs:list dli:jobs:listall | Running DLI job nodes: DLI SQL, DLI Spark |
| Data Development | OBS | obs:object:getobject obs:object:putobject obs:object:deleteobject obs:bucket:getbucketlocation obs:bucket:listallmybuckets obs:bucket:listbucket obs:bucket:listbucketversions obs:bucket:createbucket obs:bucket:deletebucket | Running OBS job nodes: Create OBS, Delete OBS, OBS Manager |
| Data Development | DWS | dws:cluster:list dws:cluster:getdetail dws:openapicluster:getdetail | Creating DWS data connections |
| Data Development | CDM | cdm:cluster:get cdm:cluster:list cdm:job:operate | Scripts and jobs whose data connections require an agent, and running CDM jobs: RDS SQL, DWS SQL, Hive SQL, Spark SQL, Shell, Python |
| Data Development | CES | ces:metricdata:list | O&M overview; querying DLI queue CPU |
| Data Development | GES | ges:graph:access ges:graph:operate ges:graph:list ges:graph:getdetail ges:metadata:create ges:metadata:operate ges:metadata:delete ges:metadata:list ges:metadata:getdetail ges:jobs:list ges:jobs:getdetail | Running Import GES job nodes |
| Data Development | ECS | ecs:servers:list ecs:servers:get ecs:servers:stop ecs:servers:start ecs:cloudservers:list | Running Open/Close Resource job nodes; creating host connections |
| Data Development | DLI | dli:queue:submitjob dli:queue:canceljob dli:group:usegroup dli:group:getgroup dli:group:updategroup dli:group:deletegroup dli:group:listallgroup dli:database:createdatabase dli:database:dropdatabase dli:database:displaydatabase dli:database:displayalldatabases dli:database:explain dli:database:createview dli:database:createtable dli:database:displayalltables dli:database:createfunction dli:database:describefunction dli:database:showfunctions dli:database:dropfunction dli:table:select dli:table:update dli:table:delete dli:table:droptable dli:table:describetable dli:table:showcreatetable dli:table:showpartitions dli:table:showsegments dli:table:showtableproperties dli:table:insertoverwritetable dli:table:insertintotable dli:table:compaction dli:table:truncatetable dli:table:alterview dli:table:altertablerename dli:table:altertableaddcolumns dli:table:altertabledropcolumns dli:table:altertablechangecolumn dli:table:altertablesetlocation dli:table:altertableaddpartition dli:table:altertablerenamepartition dli:table:altertablesetproperties dli:table:altertablerecoverpartition dli:table:altertabledroppartition dli:column:select dli:jobs:create dli:jobs:delete dli:jobs:start dli:jobs:stop dli:jobs:update dli:jobs:export dli:jobs:get dli:jobs:list dli:jobs:listall dli:resource:useresource dli:resource:updateresource dli:resource:deleteresource dli:resource:getresource dli:resource:listallresource dli:variable:update dli:variable:delete | Running DLI jobs and scripts |
| Data Development | IAM | iam:agencies:listagencies | Obtaining job agencies |
| Data Development | DIS | DIS Operator, DIS User | Running DIS job nodes: DIS Stream, DIS Dump, DIS Client |
| Data Development | SWR | SWR Admin | Image read permission in the Software Repository for Container (SWR) is required only when a DLI Spark node in a Data Development job uses a custom image. It is recommended to grant read permission on the required images through image authorization management. Granting users the SWR Admin system role directly is not recommended, as it may grant excessive permissions. |
| Data Catalog | OBS | obs:object:getobject obs:bucket:getbucketstorage obs:bucket:getbucketlocation obs:bucket:listallmybuckets obs:bucket:listbucket | OBS metadata collection |
| Data Catalog | DIS | dis:streams:list dis:transfertasks:list | DIS metadata collection |
| Data Catalog | CSS | css:cluster:list | CSS metadata collection |
| Data Catalog | GES | ges:graph:list ges:graph:getdetail ges:metadata:list ges:metadata:getdetail | GES metadata collection |
| Data Catalog | DLI | dli:database:displaydatabase dli:database:displayalldatabases dli:table:select dli:table:describetable dli:table:showpartitions dli:table:showtableproperties dli:jobs:create dli:jobs:get | DLI metadata collection and data profiling |
| Data Catalog | CDM | cdm:cluster:list | CSS metadata collection |
| Data Quality | SMN | smn:topic:publish smn:topic:list | Configuring job notifications |
| Data Quality | OBS | obs:object:getobject obs:object:putobject obs:bucket:getbucketlocation obs:bucket:listallmybuckets obs:bucket:listbucket obs:bucket:createbucket | Exporting quality reports |
| Data Quality | MRS | mrs:job:submit mrs:sql:execute mrs:sql:cancel mrs:job:get | Running MRS quality jobs |
| Data Quality | DLI | dli:queue:submitjob dli:jobs:get dli:jobs:listall | Running DLI quality jobs |
| Data Security | DLI | dli:queue:submitjob dli:queue:canceljob dli:database:displaydatabase dli:database:displayalldatabases dli:database:displayalltables dli:table:describetable dli:jobs:create dli:jobs:stop dli:jobs:get dli:resource:deleteresource dli:resource:getresource dli:resource:listallresource | DLI permission control |
| Data Security | DWS | dws:cluster:list dws:cluster:getdetail dws:openapicluster:getdetail | DWS permission control |
| Data Security | MRS | mrs:cluster:list mrs:job:submit mrs:job:stop | MRS permission control |
| Data Security | KMS | kms:cmk:list kms:cmk:encrypt kms:cmk:decrypt | Using KMS encryption and decryption |
| Data Security | CDM | Any CDM permission, for example cdm:cluster:get | DWS and MRS permission control |
| Permission type | Roles and policies: system role | Roles and policies: custom policy | Roles and policies: custom policy |
|---|---|---|---|
| Mandatory? | Mandatory | Mandatory | Mandatory |
| Permission |  | Custom policy for the dependent global-level cloud services, dataartsstudio_permissionsofdependentservices_global (see below) | Custom policy for the dependent project-level (region-level) cloud services, dataartsstudio_permissionsofdependentservices_region (see below) |

Custom policy for the dependent global-level cloud services, dataartsstudio_permissionsofdependentservices_global:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:object:getobject", "obs:object:putobject", "obs:object:deleteobject",
        "obs:bucket:getbucketstorage", "obs:bucket:getbucketlocation", "obs:bucket:listallmybuckets",
        "obs:bucket:listbucket", "obs:bucket:listbucketversions", "obs:bucket:createbucket",
        "obs:bucket:deletebucket",
        "rms:resources:list",
        "iam:agencies:listagencies"
      ]
    }
  ]
}
```

Custom policy for the dependent project-level (region-level) cloud services, dataartsstudio_permissionsofdependentservices_region:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cdm:cluster:get", "cdm:cluster:list", "cdm:cluster:create", "cdm:link:operate", "cdm:job:operate",
        "ces:*:get", "ces:*:list",
        "cloudtable:*:get", "cloudtable:*:list",
        "css:*:get", "css:*:list",
        "dis:streams:list", "dis:transfertasks:list",
        "dli:queue:submitjob", "dli:queue:canceljob",
        "dli:table:insertoverwritetable", "dli:table:insertintotable", "dli:table:alterview",
        "dli:table:altertablerename", "dli:table:compaction", "dli:table:truncatetable",
        "dli:table:altertabledropcolumns", "dli:table:altertablesetproperties", "dli:table:altertablechangecolumn",
        "dli:table:showsegments", "dli:table:altertablerecoverpartition", "dli:table:droptable",
        "dli:table:update", "dli:table:altertabledroppartition", "dli:table:altertableaddpartition",
        "dli:table:altertableaddcolumns", "dli:table:altertablerenamepartition", "dli:table:delete",
        "dli:table:altertablesetlocation", "dli:table:describetable", "dli:table:showpartitions",
        "dli:table:showcreatetable", "dli:table:showtableproperties", "dli:table:select",
        "dli:resource:updateresource", "dli:resource:useresource", "dli:resource:getresource",
        "dli:resource:listallresource", "dli:resource:deleteresource",
        "dli:database:explain", "dli:database:createdatabase", "dli:database:dropfunction",
        "dli:database:createfunction", "dli:database:displayalldatabases", "dli:database:displayalltables",
        "dli:database:displaydatabase", "dli:database:describefunction", "dli:database:createview",
        "dli:database:createtable", "dli:database:showfunctions", "dli:database:dropdatabase",
        "dli:group:usegroup", "dli:group:updategroup", "dli:group:listallgroup", "dli:group:getgroup",
        "dli:group:deletegroup",
        "dli:column:select",
        "dli:jobs:start", "dli:jobs:export", "dli:jobs:update", "dli:jobs:list", "dli:jobs:listall",
        "dli:jobs:get", "dli:jobs:delete", "dli:jobs:create", "dli:jobs:stop",
        "dli:variable:update", "dli:variable:delete",
        "dws:cluster:list", "dws:cluster:getdetail", "dws:openapicluster:getdetail",
        "ecs:servers:get", "ecs:servers:list", "ecs:servers:stop", "ecs:servers:start",
        "ecs:flavors:get", "ecs:cloudserverflavors:get", "ecs:cloudservers:list", "ecs:availabilityzones:list",
        "ges:graph:access", "ges:metadata:create", "ges:jobs:list", "ges:graph:operate", "ges:jobs:getdetail",
        "ges:graph:getdetail", "ges:graph:list", "ges:metadata:list", "ges:metadata:getdetail",
        "ges:metadata:delete", "ges:metadata:operate",
        "kms:cmk:get", "kms:cmk:list", "kms:cmk:create", "kms:cmk:decrypt", "kms:cmk:encrypt",
        "kms:dek:create", "kms:dek:encrypt", "kms:dek:decrypt",
        "mrs:cluster:get", "mrs:cluster:list", "mrs:job:get", "mrs:job:list", "mrs:job:submit",
        "mrs:job:stop", "mrs:job:delete", "mrs:sql:execute", "mrs:sql:cancel",
        "rds:*:get", "rds:*:list",
        "smn:topic:publish", "smn:topic:list",
        "vpc:publicips:list", "vpc:publicips:get", "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get",
        "vpc:securitygroups:get", "vpc:firewalls:list", "vpc:routetables:list", "vpc:subnetworkinterfaces:list"
      ]
    }
  ]
}
```
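The least-privilege procedure described above (strip the dependent-service permissions that come with DAYU User, then grant only the union of actions that the user's console functions need from Table 2, split into the global-level and region-level custom policies of Table 3), as an added Python example that is not part of the original page. The DEPENDENCIES excerpt is a constructed subset of Table 2, the global/region split follows the two policy documents shown, and the function names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed excerpt of Table 2: console function -> actions of the dependent
# services it needs. Only a handful of rows are reproduced here.
DEPENDENCIES = {
    "Data Development": [
        "obs:object:getobject", "obs:object:putobject", "obs:bucket:listbucket",
        "smn:topic:publish", "smn:topic:list", "iam:agencies:listagencies",
        "dli:queue:submitjob", "dli:jobs:create", "dli:jobs:get",
    ],
    "Data Quality": [
        "smn:topic:publish", "smn:topic:list", "obs:object:getobject",
        "obs:object:putobject", "obs:bucket:listbucket",
        "dli:queue:submitjob", "dli:jobs:get", "dli:jobs:listall",
    ],
    "Data Integration": ["cdm:cluster:create", "rms:resources:list", "ecs:flavors:get"],
}

# Services whose actions Table 3 places in the global-level policy
# (dataartsstudio_permissionsofdependentservices_global); all others are region-level.
GLOBAL_SERVICES = {"obs", "rms", "iam"}


def _policy(actions):
    """Wrap an action list in the IAM custom-policy document structure."""
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": list(actions)}]}


def build_min_policies(functions):
    """Union (deduplicated) the actions of the chosen console functions and split
    them into the global-level and region-level custom policy documents."""
    needed = {a for f in functions for a in DEPENDENCIES[f]}
    is_global = lambda a: a.split(":")[0] in GLOBAL_SERVICES
    return (_policy(sorted(a for a in needed if is_global(a))),
            _policy(sorted(a for a in needed if not is_global(a))))


def excess_actions(granted_policy, functions):
    """Return granted actions (wildcards allowed) that match nothing the chosen
    functions need: the over-privilege to strip after assigning DAYU User."""
    needed = {a for f in functions for a in DEPENDENCIES[f]}
    granted = {a for s in granted_policy["Statement"] for a in s["Action"]}
    return sorted(g for g in granted if not any(fnmatchcase(n, g) for n in needed))


if __name__ == "__main__":
    g, r = build_min_policies(["Data Development", "Data Quality"])
    print(json.dumps(g, indent=2))
    print(json.dumps(r, indent=2))
    # Constructed over-broad grant: two of its actions serve no chosen function.
    broad = _policy(["obs:*:*", "dli:jobs:get", "cdm:cluster:create", "rds:*:get"])
    print(excess_actions(broad, ["Data Development"]))
```

Feed the full Table 2 into DEPENDENCIES to generate policies for any combination of console functions; excess_actions then shows which actions of an existing grant can be removed.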