Updated at: 2022-04-24 GMT+08:00

Permissions Management

If your account does not need individual IAM users for permissions management, you may skip over this chapter.

If you need to assign different permissions to employees in your enterprise to access your DDM resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

You can create IAM users for your employees, and assign permissions to these users to control their access to specific types of resources. For example, you can create IAM users for software developers and assign specific permissions to allow them to use DDM resources but disallow them to delete the resources or perform any high-risk operations.

IAM is free of charge. You pay only for the resources in your account.

DDM Permissions

By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups.

DDM is a project-level service deployed in specific physical regions. When assigning DDM permissions to a user group, you need to specify region-specific projects where the permissions will take effect. If you select All projects, the permissions will be granted for all region-specific projects. To access DDM, you need to switch to the region where you are authorized.

You can grant users permissions using roles and policies.
  • Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign other dependent roles. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and more secure access control. For example, you can grant IAM users only the permissions for managing a certain type of DDM resources.
    Table 1 System-defined policies

    Policy Name

    Description

    Type

    Dependency

    DDM FullAccess

    Full permissions for Distributed Database Middleware

    System-defined policy

    None

    DDM CommonOperations

    Common permissions for Distributed Database Middleware, excluding the permissions to create, delete, and add nodes, configure shards, and roll back shard configuration tasks

    System-defined policy

    None

    DDM ReadOnlyAccess

    Read-only permissions for Distributed Database Middleware

    System-defined policy

    None

The following are permission configurations of supported system-defined policies:
  • DDM FullAccess
    {
          "Version": "1.1",
           "Statement": [{
    	    "Action": ["ddm:*:*",
    	    "rds:instance:list",
                "rds:instance:modify",
                "rds:instance:modifyParameter",
    	    "vpc:*:*",
                "ecs:*:get*",
                "ecs:*:list*",
                "ecs:cloudServerNics:update",
                "ecs:serverInterfaces:use"],
    	     "Effect": "Allow"
    		}]
    	}
  • DDM CommonOperations
    {
    	"Version": "1.1",
    	"Statement": [{
    				"Action": [
    					"vpc:*:*list*",
    					"vpc:*:*get*",
    					"vpc:ports:update",
    					"ecs:*:get*",
    					"ecs:*:list*",
    					"rds:instance:list",
    					"rds:instance:modify",
    					"rds:instance:modifyParameter"
    				],
    				"Effect": "Allow"
    				},
    				{
    					"Condition": {
    						"StringEqualsIgnoreCase": {
    							"g:ServiceName": [
    								"ddm"
    							]
    						}
    					},
    					"NotAction": [
    						"ddm:instance:create",
    						"ddm:instance:delete",
    						"ddm:database:migrate*",
    						"ddm:instance:resize",
    						"ddm:instance:extendNode"
    					],
    					"Effect": "Allow"
    		}]
    	}
  • DDM ReadOnlyAccess
    {
         "Version": "1.1",
         "Statement": [{
                        "Action": [
                            "rds:instance:list",
                            "vpc:*:*list*",
                            "vpc:*:*get*",
                            "ecs:*:get*",
                            "ecs:*:list*",
                            "ddm:*:list",
                            "ddm:*:get",
                            "ddm:instance:listParameter",
                            "ddm:instance:listRwInfo",
                            "ddm:instance:listSlowSqlInfo",
                            "ddm:rds:connectivity"
                        ],
                        "Effect": "Allow"
    		}]
    	}
Table 2 lists the common operations supported by each DDM system-defined policy. Choose appropriate system-defined policies based on your requirements.
Table 2 Common operations supported by each system-defined policy

Operation

DDM FullAccess

DDM CommonOperations

DDM ReadOnlyAccess

Querying DDM instances

Supported

Supported

Supported

Querying details of a DDM instance

Supported

Supported

Supported

Modifying instance information, including the name and security group

Supported

Supported

Not supported

Restarting a DDM instance

Supported

Supported

Not supported

Creating a DDM instance

Supported

Not supported

Not supported

Deleting a DDM Instance

Supported

Not supported

Not supported

Changing node class

Supported

Not supported

Not supported

Scaling out a DDM instance

Supported

Not supported

Not supported

Creating a schema

Supported

Supported

Not supported

Querying schemas

Supported

Supported

Supported

Querying details of a schema

Supported

Supported

Supported

Performing a rollback if configuring shards fails

Deleting source data if configuring shards fails

Retrying if configuring shards fails

Supported

Not supported

Not supported

Deleting a schema

Supported

Supported

Not supported

Querying accounts

Supported

Supported

Supported

Creating an account

Supported

Supported

Not supported

Modifying an account

Supported

Supported

Not supported

Resetting a password

Supported

Supported

Not supported

Deleting an account

Supported

Supported

Not supported

Synchronizing data node information

Supported

Supported

Not supported

Querying data nodes

Supported

Supported

Supported

Querying details of a data node

Supported

Supported

Supported

Modifying the read policy of a data node

Supported

Supported

Not supported

Viewing products

Supported

Supported

Supported

Creating a parameter template

Supported

Supported

Not supported

Deleting a parameter template

Supported

Supported

Not supported

Applying a parameter template

Supported

Supported

Not supported

Modifying a parameter template

Supported

Supported

Not supported

Replicating a parameter template

Supported

Supported

Not supported

Comparing two parameter templates

Supported

Supported

Supported

Querying parameter templates

Supported

Supported

Supported

Table 3 Common operations and supported actions

Operation Category

Operation

Action

DDM routine operations

As required

Buying a yearly/monthly instance

ddm:instance:create

Before buying a DDM instance, obtain the following dependent permissions:

  • ecs:*:get*
  • ecs:*:list*
  • vpc:vpcs:list
  • vpc:securityGroups:get
  • vpc:subnets:get
  • ecs:cloudServerNics:update
  • ecs:serverInterfaces:use
  • vpc:ports:* when you want to buy a global or regional DDM instance
  • BSS Finance and BSS Operator policies

    The last permission is required only when you buy yearly/monthly DDM instances.

Querying DDM instances

ddm:instance:list

Querying details of a DDM instance

ddm:instance:get

To view details of a DDM instance, you need to configure the following permissions:

  • vpc:*:get*
  • vpc:*:list*

Modifying instance information, including the name and security group

ddm:instance:modify

To modify a security group, you need to configure the following permissions:
  • vpc:*:get*
  • vpc:*:list*
  • vpc:ports:update

Restarting a DDM instance

ddm:instance:reboot

Deleting a DDM instance

ddm:instance:delete

vpc:ports:delete

Changing node class

ddm:instance:resize

Scaling out a DDM instance

ddm:instance:extendNode

Monitoring the read/write ratio

ddm:instance:listRwInfo

Monitoring slow SQL queries

ddm:instance:listSlowSqlInfo

DDM routine operations

Renewing a yearly/monthly DDM instance

Configure policies BSS Finance and BSS Operator as follows:

  1. Log in to the IAM console.
  2. In the navigation pane, click User Groups.
  3. Choose More > Assign Permissions.
  4. Click Attach Policy in the same row as the project for which you want to edit the permissions.
  5. In the Available Policies area, select BSS Finance and BSS Operator.

DDM routine operations

Changing to yearly/monthly billing

Configure policies BSS Finance and BSS Operator. The procedure is the same as that for renewing an instance.

DDM schema operations

Creating a schema

ddm:database:create

Querying schemas

ddm:database:list

Querying details of a schema

ddm:database:get

Performing a rollback if configuring shards fails

Deleting source data if configuring shards fails

Retrying if configuring shards fails

ddm:database:migrateRollback

Deleting a schema

ddm:database:delete

DDM account operations

Querying accounts

ddm:user:list

Creating an account

ddm:user:create

Modifying an account

ddm:user:modify

Resetting a password

ddm:user:modify

Deleting an account

ddm:user:delete

DDM and data node management (using an RDS for MySQL instance as an example)

Synchronizing data node information

ddm:rds:synchro

To synchronize data node information, you need to configure the following permissions:

  • rds:instance:list
  • rds:instance:modify
  • rds:instance:modifyParameter

Querying data nodes

ddm:rds:list

Querying details of a data node

ddm:rds:get

Modifying the read policy of a data node

ddm:rds:modifyReadPolicy

DDM product operations

Viewing products

ddm:product:list

DDM parameter template operations

Creating a parameter template

ddm:param:create

Deleting a parameter template

ddm:param:delete

Applying a parameter template

ddm:param:apply

Modifying a parameter template

ddm:param:update

Replicating a parameter template

ddm:param:create

Comparing two parameter templates

ddm:param:list

Querying parameter templates

ddm:param:list

close