Updated on 2023-01-09 GMT+08:00

Fine-Grained Permissions Policies

In actual services, you may need to grant different operation permissions on resources to users of different roles. The IAM service provides fine-grained access control. An IAM administrator (a user in the admin group) can create a custom policy containing required permissions. After a policy is granted to a user group, users in the group can obtain all permissions defined by the policy. In this way, IAM implements fine-grained permission management.

To control the GaussDB(DWS) operations on resources more precisely, you can use the user management function of IAM to grant different operation permissions to users of different roles for fine-grained permission control.

GaussDB(DWS) Permissions in Fine-Grained Policies

When creating a custom policy on IAM, you can add the operations on GaussDB(DWS) resources or the permissions corresponding to RESTful APIs to the action list of the policy authorization statement so that the policy contains the operation permissions. The following table lists the GaussDB(DWS) permissions.

  • RESTful APIs

    For details about GaussDB(DWS) REST API actions, see "Permissions Policies and Supported Actions" in the Data Warehouse Service (DWS) API Reference.

  • Management console operations

    Table 1 describes the GaussDB(DWS) operations on resources and corresponding permissions.

Table 1 GaussDB(DWS) permissions

Operation

Permission

Dependent Permission

Scope

Creating/Restoring clusters

"dws:cluster:create"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Includes:
    • Project

Obtaining the cluster list

"dws:cluster:list"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Obtaining the details of a cluster

"dws:cluster:getDetail"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Setting automated snapshot policy

"dws:cluster:setAutomatedSnapshot"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Setting security parameters/parameter groups

"dws:cluster:setSecuritySettings"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Restarting clusters

"dws:cluster:restart"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Scaling out clusters

"dws:cluster:scaleOut"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Includes:
    • Project

Resetting passwords

"dws:cluster:resetPassword"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Applying parameter templates to clusters

"dws:cluster:changeParameterGroup"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Deleting clusters

"dws:cluster:delete"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:delete*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:delete*",

"evs:*:get*",

"evs:*:list*",

"evs:*:delete*",

  • Includes:
    • Project

Configuring maintenance windows

"dws:cluster:setMaintainceWindow"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Binding EIPs

"dws:eip:operate"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Unbinding EIPs

"dws:eip:operate"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Creating DNS domain names

"dws:dns:create"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Releasing DNS domain names

"dws:dns:release"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Modifying DNS domain names

"dws:dns:edit"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Creating MRS connections

"dws:MRSConnection:create"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Updating MRS connections

"dws:MRSConnection:update"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Deleting MRS connections

"dws:MRSConnection:delete"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Adding/Deleting tags

"dws:tag:addAndDelete"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Editing tags

"dws:tag:edit"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Creating snapshots

"dws:snapshot:create"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Obtaining the snapshot list

"dws:snapshot:list"

"dws:*:get*"

  • Includes:
    • Project

Deleting snapshots

"dws:snapshot:delete"

"dws:snapshot:list"

  • Includes:
    • Project

Copying snapshots

"dws:snapshot:copy"

"dws:snapshot:list"

  • Includes:
    • Project

Creating parameter templates

"dws:parameterGroup:create"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Deleting parameter templates

"dws:parameterGroup:delete"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Changing parameter templates

"dws:parameterGroup:edit"

"dws:*:get*",

"dws:*:list*",

  • Includes:
    • Project

Authorization Using the Fine-Grained Permission Policy

  1. Log in to the IAM console and create a custom policy.

    For details, see "User Guide > Fine-grained Policy Management > Creating Custom Policies" in the Identity and Access Management User Guide.

    Refer to the following to create the policy:

    • Use the IAM administrator account, that is, the user in the admin user group, because only the IAM administrator has the permissions to create users and user groups and modify user group permissions.
    • GaussDB(DWS) is a project-level service, so its Scope must be set to Project-level services. If this policy is required to take effect for multiple projects, authorization is required to each project.
    • Two GaussDB(DWS) policy templates are preconfigured on IAM. When creating a custom policy, you can select either of the following templates and modify the policy authorization statement based on the template:
      • DWS Admin: has all execution permissions on GaussDB(DWS).
      • DWS Viewer: has the read-only permission on GaussDB(DWS).
    • You can add permissions corresponding to GaussDB(DWS) operations or RESTful APIs listed in GaussDB(DWS) Permissions in Fine-Grained Policies to the action list in the policy authorization statement, so that the policy can obtain the permissions.

      For example, if dws:cluster:create is added to the action list of a policy statement, the policy has the permission to create or restore clusters.

    • If you want to use other services, grant related operation permissions on these services. For details, see the help documents of related services.

      For example, when creating a data warehouse cluster, you need to configure the VPC to which the cluster belongs. To obtain the VPC list, add permission vpc:*:get* to the policy statement.

    Policy example:

    • Example in which multiple operation permissions are supported
      For example, the following policy has the permissions to create/restore/restart/delete a cluster, set security parameters, and reset passwords.
      {
            "Version": "1.1",
            "Statement": [
                  {
                        "Effect": "Allow",
                        "Action": [
                              "dws:cluster:create",
                              "dws:cluster:restart",
                              "dws:cluster:delete",
                              "dws:cluster:setSecuritySettings",
                              "dws:cluster:resetPassword",
                              "ecs:*:get*",
                              "ecs:*:list*",
                              "ecs:*:create*",
                              "ecs:*:delete*",
                              "vpc:*:get*",
                              "vpc:*:list*",
                              "vpc:*:create*",
                              "vpc:*:delete*",
                              "evs:*:get*",
                              "evs:*:list*",
                              "evs:*:create*",
                              "evs:*:delete*"
                        ]
                  }
            ]
      }
    • Example of wildcard (*) usage
      For example, the following policy has all operation permissions on GaussDB(DWS) snapshots.
      {
            "Version": "1.1",
            "Statement": [
                  {
                        "Effect": "Allow",
                        "Action": [
                              "dws:snapshot:*",
                              "ecs:*:get*",
                              "ecs:*:list*",
                              "vpc:*:get*",
                              "vpc:*:list*"
                        ]
                  }
            ]
      }

  2. Create a user group.

    For details, see "User Guide > User and User Group Management > Creating a User Group" in the Identity and Access Management User Guide.

  3. Add users to the user group and grant the new custom policy to the user group so that users in it can obtain the permissions defined by the policy.

    For details, see "User Guide > User and User Group Management > Viewing and Modifying User Group Information" in the Identity and Access Management User Guide.