Authorizing dlg_agency
Cloud service agencies allow DataArts Studio to perform operations such as task scheduling and resource O&M on cloud services on your behalf. When you log in to the DataArts Studio console homepage for the first time, a dialog box is displayed, prompting you to authorize other cloud services to access DataArts Studio. After the authorization is complete, DataArts Studio automatically creates an agency named dlg_agency. If you do not agree to the authorization, the dialog box will be displayed again when you access the console homepage next time.
When using an agency, DataArts Security requires higher cloud service permissions. Before using DataArts Security, you need to grant the permissions listed in Table 1 to dlg_agency.
Permission |
Purpose |
Mandatory |
Authorization Item/System Permission (Configure Either of Them) |
|
---|---|---|---|---|
IAM permission |
This permission is required for the system to obtain users or user groups, or create roles. For example, user synchronization fails if this permission is missing. |
Mandatory for MRS, GaussDB(DWS), and DLI permission management |
|
Security Administrator |
MRS/GaussDB(DWS) data connection agent permission |
This permission is required for permission synchronization. For example, if this permission is missing, permission synchronization between permission sets, role permission synchronization, or permission application approval fails. |
Mandatory for MRS and GaussDB(DWS) permission management |
Any CDM permission, for example, cdm:cluster:get |
Any CDM permission, for example, CDM Administrator |
MRS user synchronization permission |
This permission is required for MRS user synchronization. For example, MRS user synchronization fails if this permission is missing. |
Mandatory for MRS permission management |
|
MRS FullAccess |
GaussDB(DWS) user synchronization permission |
This permission is required for GaussDB(DWS) user synchronization. For example, GaussDB(DWS) user synchronization fails if this permission is missing. |
Mandatory for GaussDB(DWS) permission management |
|
DWS FullAccess |
DLI permission synchronization permission |
This permission is required for DLI permission synchronization. For example, if this permission is missing, DLI permission synchronization fails and the system displays a message indicating insufficient permissions. |
Mandatory for DLI permission management |
|
DLI FullAccess |
Prerequisites
In the dialog box displayed on the DataArts Studio console homepage, you have selected Agree to allow the system to automatically create an agency named dlg_agency.
Constraints
After the agency authorization is successful, it takes 15 to 30 minutes for the permissions to take effect. Then, you can use DataArts Security to manage access permissions.
Granting Permissions to dlg_agency
When granting permissions to dlg_agency, you need to select either an authorization item or system permission from Table 1 as needed.
This section uses the MRS permission management scenario as an example. The permissions to be granted include the IAM permission, MRS/GaussDB(DWS) data connection agent permission, and MRS user synchronization permission. The principle of least privilege is used. The operations are as follows:
- Log in to the IAM console.
- In the left navigation pane, choose Permissions > Policies/Roles and click Create Custom Policy.
Figure 1 Clicking Create Custom Policy
- On the displayed Create Custom Policy page, select JSON for Policy View, enter the IAM custom policy content required for MRS permission management, and click OK.
A custom policy can contain permissions for either global or project-level services. You need to configure IAM policies first, and then MRS and CDM policies.
- Policy Name: Enter DataArtsIamUserGroup_IAM.
- Policy View: Select JSON to switch to the JSON view.
- Policy Content: Enter the following JSON code and click OK.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "iam:users:listUsers", "iam:groups:listGroups", "iam:users:listUsersForGroup", "iam:roles:createRole", "iam:roles:deleteRole", "iam:roles:updateRole", "iam:permissions:grantRoleToGroup", "iam:permissions:listRoleAssignments", "iam:permissions:revokeRoleFromGroup" ] } ] }
Figure 2 Creating a custom policy for IAM
- Click Create Custom Policy again. On the displayed Create Custom Policy page, select JSON for Policy View, enter the MRS and CDM custom policy content required for MRS permission management, and click OK.
A custom policy can contain permissions for either global or project-level services. You need to configure IAM policies first, and then MRS and CDM policies.
- Policy Name: Enter DataArtsIamUserGroup_MRS.
- Policy View: Select JSON to switch to the JSON view.
- Policy Content: Enter the following JSON code.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "mrs:cluster:syncUser", "cdm:cluster:get" ] } ] }
Figure 3 Creating custom policies for MRS and CDM
- In the left navigation pane, choose Agencies, search for dlg_agency, and click Authorize.
Figure 4 Authorizing dlg_agency
- In the displayed dialog box, locate and select the created custom policies DataArtsIamUserGroup_IAM and DataArtsIamUserGroup_MRS, and click Next.
Figure 5 Selecting the created custom policies
- Click OK. After the authorization is complete, wait for 15 to 30 minutes. Then, you can use DataArts Security to manage MRS access permissions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot