Permissions Management
If you need to assign different permissions to employees in your enterprise to access your GaussDB(for MySQL) resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees and assign permissions to those users to control their access to specific resource types. For example, some software developers in your enterprise need to use GaussDB(for MySQL) resources but must not delete them or perform any other high-risk operations. To do this, create IAM users for the developers and grant them only the permissions required to use GaussDB(for MySQL) resources, not to delete them.
If your HUAWEI CLOUD account does not need individual IAM users for permissions management, you may skip over this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.
GaussDB(for MySQL) Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
GaussDB(for MySQL) is a project-level service deployed in specific physical regions. To assign GaussDB(for MySQL) permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing GaussDB(for MySQL), the users need to switch to a region where they have been authorized to use this service.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant GaussDB(for MySQL) users only the permissions for managing a certain type of database resources.
Table 1 lists all the system-defined roles and policies supported by GaussDB(for MySQL).
| Policy Name | Description | Type |
|---|---|---|
| GaussDB FullAccess | Full permissions for GaussDB | System-defined policy |
| GaussDB ReadOnlyAccess | Read-only permissions for GaussDB | System-defined policy |
Table 2 lists the common operations supported by each system-defined policy or role of GaussDB(for MySQL). Select the policies or roles as required.
| Operation | GaussDB FullAccess | GaussDB ReadOnlyAccess |
|---|---|---|
| Creating DB instances | √ | x |
| Deleting DB instances | √ | x |
| Querying a DB instance list | √ | √ |
The following table maps each GaussDB(for MySQL) operation to the actions it requires. Use these action names when writing custom policies; the Remarks column lists the additional actions on other services (VPC, KMS) that the console needs for the operation to work end to end.

| Operation | Action | Remarks |
|---|---|---|
| Creating DB instances | gaussdb:instance:create, gaussdb:param:list | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. To create an encrypted DB instance, the KMS Administrator permission is required for the project. |
| Changing DB instance specifications | gaussdb:instance:modifySpec | N/A |
| Rebooting DB instances | gaussdb:instance:restart | N/A |
| Deleting DB instances | gaussdb:instance:delete | N/A |
| Querying a DB instance list | gaussdb:instance:list | N/A |
| Querying DB instance details | gaussdb:instance:list | If the VPC, subnet, and security group are to be displayed in the DB instance list, also configure vpc:*:get and vpc:*:list. |
| Changing DB instance passwords | gaussdb:instance:modify | N/A |
| Changing database ports | gaussdb:instance:modify | N/A |
| Changing DB instance names | gaussdb:instance:modify | N/A |
| Changing maintenance windows | gaussdb:instance:modify | N/A |
| Changing security groups | gaussdb:instance:modify | N/A |
| Binding or unbinding EIPs | gaussdb:instance:modify | To display public IP addresses on the console, also configure vpc:publicIps:get and vpc:publicIps:list. |
| Creating parameter templates | gaussdb:param:create | N/A |
| Modifying parameters in a parameter template | gaussdb:param:modify | N/A |
| Obtaining a parameter template list | gaussdb:param:list | N/A |
| Applying parameter templates | gaussdb:param:apply | N/A |
| Deleting parameter templates | gaussdb:param:delete | N/A |
| Creating manual backups | gaussdb:backup:create | N/A |
| Deleting manual backups | gaussdb:backup:delete | N/A |
| Obtaining a backup list | gaussdb:backup:list | N/A |
| Modifying backup policies | gaussdb:instance:modifyBackupPolicy | N/A |
| Querying restoration time ranges | gaussdb:instance:list | N/A |
| Restoring data to new DB instances | gaussdb:instance:create | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. |
| Querying error logs | gaussdb:log:list | N/A |
| Querying project tags | gaussdb:tag:list | N/A |
| Adding or deleting project tags in batches | gaussdb:instance:dealTag | N/A |
| Modifying quotas | gaussdb:quota:modify | N/A |
| Creating a read replica | gaussdb:instance:create | N/A |
| Deleting a read replica | gaussdb:instance:delete | N/A |
| Changing the billing mode from pay-per-use to yearly/monthly | gaussdb:instance:modify | N/A |
| Promoting a read replica to the new primary node | gaussdb:instance:modify | N/A |
| Changing failover priority | gaussdb:instance:modify | N/A |
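The developer scenario from the introduction (use GaussDB(for MySQL) resources, never delete them), worked through against the action table above as an added example. This is not Huawei's own tooling or policy text: the operation-to-action mapping is copied from the table, but the policy document shape (Version "1.1", Statement entries with Effect and Action), the rule that an explicit Deny overrides any Allow, and wildcard matching of action names such as vpc:*:get are assumptions about Huawei Cloud IAM to confirm against the IAM documentation; HIGH_RISK_OPERATIONS and the helper names are hypothetical.

```python
"""Least-privilege GaussDB(for MySQL) policy built from the action table.

Added example, not Huawei's own tooling. The operation -> action mapping is
copied from the table above. The policy document shape (Version "1.1",
Statement / Effect / Action), deny-overrides evaluation and wildcard
matching of action names are ASSUMPTIONS about Huawei Cloud IAM; confirm
them against the IAM documentation before relying on the output.
"""
import fnmatch
import json

# Actions each console operation needs (subset of the table above).
OPERATION_ACTIONS = {
    "Creating DB instances": ["gaussdb:instance:create", "gaussdb:param:list"],
    "Changing DB instance specifications": ["gaussdb:instance:modifySpec"],
    "Rebooting DB instances": ["gaussdb:instance:restart"],
    "Deleting DB instances": ["gaussdb:instance:delete"],
    "Querying a DB instance list": ["gaussdb:instance:list"],
    "Creating manual backups": ["gaussdb:backup:create"],
    "Deleting manual backups": ["gaussdb:backup:delete"],
    "Obtaining a backup list": ["gaussdb:backup:list"],
    "Querying error logs": ["gaussdb:log:list"],
}

# VPC read actions the table's remarks require for choosing a VPC, subnet
# and security group when creating an instance.
VPC_READ_ACTIONS = ["vpc:vpcs:list", "vpc:vpcs:get",
                    "vpc:subnets:get", "vpc:securityGroups:get"]

# Operations a developer must never perform (hypothetical choice).
HIGH_RISK_OPERATIONS = ("Deleting DB instances", "Deleting manual backups")


def build_policy(allowed_ops, denied_ops=HIGH_RISK_OPERATIONS):
    """Allow exactly the actions the allowed operations need and add an
    explicit Deny for the high-risk ones, so a broader Allow attached to
    the same user group later cannot silently re-enable them."""
    allow = {a for op in allowed_ops for a in OPERATION_ACTIONS[op]}
    if "gaussdb:instance:create" in allow:
        allow.update(VPC_READ_ACTIONS)
    deny = {a for op in denied_ops for a in OPERATION_ACTIONS[op]}
    statements = [{"Effect": "Allow", "Action": sorted(allow)}]
    if deny:
        statements.append({"Effect": "Deny", "Action": sorted(deny)})
    return {"Version": "1.1", "Statement": statements}


def is_allowed(policies, action):
    """Evaluate one action across every policy attached to a group:
    an explicit Deny wins, then any Allow, otherwise default deny
    (assumed evaluation order)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def check_operations(policies):
    """Which table operations are fully permitted under the attached policies."""
    return {op: all(is_allowed(policies, a) for a in acts)
            for op, acts in OPERATION_ACTIONS.items()}


if __name__ == "__main__":
    dev = build_policy(["Creating DB instances", "Querying a DB instance list",
                        "Rebooting DB instances", "Creating manual backups",
                        "Obtaining a backup list", "Querying error logs"])
    print(json.dumps(dev, indent=2))
    # A broad policy attached through another group membership still
    # cannot re-enable deletion, because the developer policy's Deny wins.
    broad = {"Version": "1.1",
             "Statement": [{"Effect": "Allow", "Action": ["gaussdb:*:*"]}]}
    for op, ok in check_operations([dev, broad]).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {op}")
```

The explicit Deny is the part worth keeping even if you trim the rest: a user inherits permissions from every group they belong to, so a read-only developer policy on its own says nothing about what a second, broader policy might grant. Checking the combined set of attached policies, as check_operations does, is the check a practitioner wants before trusting the "cannot delete" property.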