Help Center/ GaussDB/ Service Overview/ Permissions Management
Updated on 2024-12-25 GMT+08:00
View PDF
Share

Permissions Management

If you need to assign different permissions to employees in your company to access your GaussDB resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your resources.

If your account does not need individual IAM users for permissions management, you can skip this section.

With IAM, you can use your account to create IAM users for your employees, and assign specific permissions to different users to control their access to specific resource types. For example, you can grant software developers in your company permissions to use GaussDB resources but not the permissions needed to delete them or perform any high-risk operations.

IAM can be used for free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

GaussDB Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.

GaussDB is a project-level service deployed for specific regions. To assign GaussDB permissions to a user group, specify the scope as region-specific projects and select the project for the permissions to take effect. If All projects is selected, the permissions will be granted to the user group in all region-specific projects. When accessing GaussDB, the users need to switch to the authorized region.

You can use roles and policies to manage user permissions.
  • Roles: A coarse-grained way of granting permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. When using roles to grant permissions, you may need to assign additional roles because of the different dependencies involved with role-based permissions. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A more fine-grained system. Policies let you define permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization on a principle of least privilege (PoLP) basis. For example, you can grant IAM users only the permissions needed to manage a certain type of GaussDB resources. Most policies define permissions based on APIs.

Table 1 lists all the system-defined policies supported by GaussDB.

Table 1 System-defined permissions for GaussDB

Policy Name

Description

Category

Dependency Configuration

GaussDB FullAccess

Full permissions for GaussDB

System-defined policy

To use storage autoscaling, create DR tasks, reset DR configurations, and rectify agency permissions, configure the following actions for IAM users:

  • Actions required for creating a custom policy:
    • iam:agencies:listAgencies
    • iam:agencies:createAgency
    • iam:permissions:listRolesForAgencyOnProject
    • iam:permissions:grantRoleToGroupOnProject
    • iam:roles:listRoles
    • iam:permissions:listRolesForAgencyOnDomain
    • iam:permissions:revokeRoleFromAgencyOnProject
    • iam:permissions:revokeRoleFromAgencyOnDomain
  • Adding system role Security Administrator:
    1. Select a user group to which the user belongs.
    2. Click Authorize in the Operation column.
    3. Add the Security Administrator role.
Actions required for creating a yearly/monthly instance using a RAM-based shared KMS key:
  • iam:agencies:listAgencies
  • iam:roles:listRoles
  • iam:agencies:pass
  • iam:agencies:createAgency
  • iam:permissions:grantRoleToAgency

GaussDB FullAccess already contains the iam:agencies:listAgencies, iam:roles:listRoles, and iam:agencies:pass actions.

GaussDB is a region-level service, and IAM is a global service. If you want to grant GaussDB FullAccess to a project, grant BSS ServiceAgencyReadPolicy (global service) to it as well. Granting GaussDB FullAccess to all projects eliminates the need for additional configuration when using IAM actions.

BSS ServiceAgencyCreatePolicy contains the following actions: iam:agencies:createAgency and iam:permissions:grantRoleToAgency.

GaussDB ReadOnlyAccess

Read-only permissions for GaussDB

System-defined policy

None

Table 2 lists the common operations supported by each system policy of GaussDB. Choose appropriate system policies based on this table.

Table 2 Common operations supported by the GaussDB system policies

Operation

GaussDB FullAccess

GaussDB ReadOnlyAccess

Creating a GaussDB instance

x

Deleting a GaussDB instance

x

Querying GaussDB instances

Table 3 Common operations and supported actions

Operation

Action

Remarks

Creating a DB instance

gaussdb:instance:create

gaussdb:param:list

To select a VPC, subnet, and security group, configure the following actions:

vpc:vpcs:list

vpc:vpcs:get

vpc:subnets:get

vpc:securityGroups:get

To create a yearly/monthly instance, configure the following actions:

bss:order:update

bss:order:view

bss:balance:view

To create an encrypted instance, configure the following actions for the project:

kms:cmk:get

kms:cmk:list

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Changing instance specifications

gaussdb:instance:modifySpec

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Adding nodes

gaussdb:instance:modifySpec

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Scaling up storage space

gaussdb:instance:modifySpec

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Rebooting a DB instance

gaussdb:instance:restart

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Deleting a DB instance

gaussdb:instance:delete

To unsubscribe from a yearly/monthly instance, configure the following actions:

"bss:unsubscribe:update"

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Querying instances

gaussdb:instance:list

None

Querying instance details

gaussdb:instance:list

If the VPC, subnet, and security group are displayed in the instance list, configure vpc:*:get and vpc:*:list. If the used disk is displayed, configure ces:*:list.

Changing a DB instance password

gaussdb:instance:modify

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Changing a DB instance name

gaussdb:instance:modify

None

Binding or unbinding an EIP

gaussdb:instance:modify

To display EIPs on the console, configure the following actions:

vpc:publicIps:get

vpc:publicIps:list

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Creating a parameter template

gaussdb:param:create

gaussdb:param:list

None

Modifying a parameter template

gaussdb:param:modify

None

Obtaining parameter templates

gaussdb:param:list

None

Applying a parameter template

gaussdb:param:apply

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create

Deleting a parameter template

gaussdb:param:delete

None

Creating a manual backup

gaussdb:backup:create

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Obtaining backups

gaussdb:backup:list

None

Modifying the backup policy

gaussdb:instance:modifyBackupPolicy

None

Deleting a manual backup

gaussdb:backup:delete

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create"

Restoring data to a new DB instance

gaussdb:instance:create

To select a VPC, subnet, and security group, configure the following actions:

vpc:vpcs:list

vpc:vpcs:get

vpc:subnets:get

vpc:securityGroups:get

To report event monitoring of a failed operation, configure the following actions:

"ces:alarmsOnOff:put"

"ces:alarms:create

Querying project tags

gaussdb:tag:list

None

Adding or deleting project tags in batches

gaussdb:instance:dealTag

None

Modifying quotas

gaussdb:quota:modify

None

Querying predefined tags

gaussdb:instance:list

To query predefined tags, configure the following action:

tms:resourceTags:list

Querying configured log groups

-

To query configured log groups, configure the following action:

lts:groups:get

Querying configured log streams

-

To query configured log streams, configure the following action:

lts:topics:get

Viewing metrics

-

ces:metric:listGroups

ces:metric:listConfig

Enabling autoscaling

gaussdb:instance:autoEnlargePolicy

To enable autoscaling, configure the following actions for the IAM users instead of your Huawei account:

  • iam:agencies:listAgencies
  • iam:agencies:createAgency
  • iam:permissions:listRolesForAgencyOnProject
  • iam:permissions:grantRoleToGroupOnProject
  • iam:roles:listRoles
  • iam:permissions:listRolesForAgencyOnDomain
  • iam:permissions:revokeRoleFromAgencyOnProject
  • iam:permissions:revokeRoleFromAgencyOnDomain
  • Adding system role Security Administrator:
    1. Select a user group to which the user belongs.
    2. Click Authorize in the Operation column.
    3. Add the Security Administrator role.

Querying advanced features

gaussdb:instance:listFeatures

None

Enabling advanced features

gaussdb:instance:updateFeatures

None
Table 4 DR operations and supported actions

Operation

Action

Remarks

Querying instances that can establish a DR relationship with a primary instance

gaussdb:disasterRecovery:list

gaussdb:instance:listAll

None

Querying the real-time DR monitoring status of an instance

gaussdb:disasterRecovery:list

gaussdb:disasterRecovery:get

None

Querying instances that have established a DR relationship

gaussdb:disasterRecovery:list

gaussdb:disasterRecovery:listAll

None

Resetting the DR relationship

gaussdb:disasterRecovery:construct

gaussdb:disasterRecovery:create

To enable the DR operation, configure the following actions for the IAM users instead of your Huawei account:

  • iam:agencies:listAgencies
  • iam:agencies:createAgency
  • iam:permissions:listRolesForAgencyOnProject
  • iam:permissions:grantRoleToGroupOnProject
  • iam:roles:listRoles
  • iam:permissions:listRolesForAgencyOnDomain
  • iam:permissions:revokeRoleFromAgencyOnProject
  • iam:permissions:revokeRoleFromAgencyOnDomain
  • Adding system role Security Administrator:
    1. Select a user group to which the user belongs.
    2. Click Authorize in the Operation column.
    3. Add the Security Administrator role.

An agency RDSAccessProjectResource (including the policy DBS AgencyPolicy) will be automatically created in the current region.

Establishing a DR relationship

gaussdb:disasterRecovery:construct

gaussdb:disasterRecovery:create

To enable the DR operation, configure the following actions for the IAM users instead of your Huawei account:

  • iam:agencies:listAgencies
  • iam:agencies:createAgency
  • iam:permissions:listRolesForAgencyOnProject
  • iam:permissions:grantRoleToGroupOnProject
  • iam:roles:listRoles
  • iam:permissions:listRolesForAgencyOnDomain
  • iam:permissions:revokeRoleFromAgencyOnProject
  • iam:permissions:revokeRoleFromAgencyOnDomain
  • Adding system role Security Administrator:
    1. Select a user group to which the user belongs.
    2. Click Authorize in the Operation column.
    3. Add the Security Administrator role.

An agency RDSAccessProjectResource (including the policy DBS AgencyPolicy) will be automatically created in the current region.

Promoting the DR instance to primary

gaussdb:disasterRecovery:failover

The RDSAccessProjectResource agency is required.

Removing a DR relationship

gaussdb:disasterRecovery:release

The RDSAccessProjectResource agency is required.

Switching roles of primary and DR instances

gaussdb:disasterRecovery:switchover

The RDSAccessProjectResource agency is required.

Re-establishing a DR relationship

gaussdb:disasterRecovery:construct

gaussdb:disasterRecovery:create

The RDSAccessProjectResource agency is required.

Performing a DR drill

gaussdb:disasterRecovery:simulation

The RDSAccessProjectResource agency is required.

Caching logs for DR

gaussdb:disasterRecovery:keeplog

None

Querying operation records

gaussdb:instance:listRecord

None

In DR scenarios, you also need to configure permissions and actions on the cloud where the DR instance resides before performing DR-related operations.