Help Center/ Data Lake Insight/ User Guide/ Permissions Management/ Creating a Custom Policy
Updated on 2024-04-09 GMT+08:00
View PDF
Share

Creating a Custom Policy

Custom policies can be created as a supplement to the system policies of DLI. You can add actions to custom policies. For the actions supported for custom policies, see .

You can create custom policies in either of the following two ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
  • JSON: Create a policy in the JSON format from scratch or based on an existing policy.

For details, see Creating a Custom Policy. This section describes common DLI custom policies.

Policy Field Description

The following example assumes that the authorized user has the permission to create tables in all databases in all regions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dli:database:createTable"
            ],
            "Resource": [
                "dli:*:*:database:*"
            ]
        }
    ]
}
  • Version

    1.1 indicates a fine-grained permission policy that defines permissions required to perform operations on specific cloud resources under certain conditions.

  • Effect

    The value can be Allow and Deny. If both Allow and Deny are found in statements, the Deny overrides the Allow.

  • Action

    Specific operation on a resource. A maximum of 100 actions are allowed, as shown in Figure 1.

    Figure 1 DLI actions
    • The format is Service name:Resource type:Action, for example, dli:queue:submit_job.
    • Service name: product name, such as dli, evs, and vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
    • Resource type: For details, see Table 4.
    • Action: action registered in IAM.
  • Condition

    Conditions determine when a policy takes effect. A condition consists of a condition key and operator.

    A condition key is a key in the Condition element of a statement. There are global and service-level condition keys.

    • Global condition keys (prefixed with g:) apply to all actions. For details, see condition key description in Policy Syntax.
    • Service-level condition keys apply only to operations of the specific service.

    An operator is used together with a condition key to form a complete condition statement. For details, see Table 1.

    IAM provides a set of DLI predefined condition keys. The following table lists the predefined condition keys of DLI.

    Table 1 DLI request conditions

    Condition Key

    Type

    Operator

    Description

    g:CurrentTime

    Global

    Date and time

    Time when an authentication request is received

    NOTE:

    The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z.

    g:MFAPresent

    Global

    Boolean

    Whether multi-factor authentication is used during user login

    g:UserId

    Global

    String

    ID of the current login user

    g:UserName

    Global

    String

    Current login user

    g:ProjectName

    Global

    String

    Project that you have logged in to

    g:DomainName

    Global

    String

    Domain that you have logged in to

    g:ResourceTag

    Global

    StringEquals

    Resource tag value.
  • Resource

    The format is Service name:Region:Domain ID:Resource type:Resource path. The wildcard (*) indicates all options. For details about the resource types and path, see Table 4.

    Example:

    dli:*:*:queue:* indicates all queues.

Creating a Custom Policy

You can set actions and resources of different levels based on scenarios.

  1. Define an action.

    The format is Service name:Resource type:Action. The wildcard is *. Example:

    Table 2 Action

    Action

    Description

    dli:queue:submit_job

    Submission operations on a DLI queue

    dli:queue:*

    All operations on a DLI queue

    dli:*:*

    All operations on all DLI resource types

    For more information about the relationship between operations and system permissions, see Common Operations Supported by DLI System Policy.

  2. Define a resource.

    The format is Service name:Region:Domain ID:Resource type:Resource path. The wildcard (*) indicates all resources. The five fields can be flexibly set. Different levels of permission control can be set for resource paths based on scenario requirements. If you need to set all resources of the service, you do not need to specify this field. For details about the definition of Resource, see Table 3. For details about the resource types and paths in Resource, see Table 4.

    Table 3 Resource

    Resource

    Description

    DLI:*:*:table:databases.dbname.tables.*

    DLI, any region, any account ID, all table resources of database dbname

    DLI:*:*:database:databases.dbname

    DLI, any region, any account ID, resource of database dbname

    DLI:*:*:queue:queues.*

    DLI, any region, any account ID, any queue resource

    DLI:*:*:jobs:jobs.flink.1

    DLI, any region, any account ID, Flink job whose ID is 1
    Table 4 DLI resources and their paths

    Resource Type

    Resource Names

    Path

    queue

    DLI queue

    queues.queuename

    database

    DLI database

    databases.dbname

    table

    DLI table

    databases.dbname.tables.tbname

    column

    DLI column

    databases.dbname.tables.tbname.columns.colname

    jobs

    DLI Flink job

    jobs.flink.jobid

    resource

    DLI package

    resources.resourcename

    group

    DLI package group

    groups.groupname

    datasourceauth

    DLI cross-source authentication information

    datasourceauth.name

    edsconnections

    Enhanced datasource connection

    edsconnections.connection ID
    • Specific resources:
      Figure 2 Specific resources
    • All resources: all resources of the service
      Figure 3 All resources
  3. Combine all the preceding fields into a JSON file to form a complete policy. You can set multiple actions and resources. You can also create a policy on the visualized page provided by IAM. For example:

    Create a policy that grants users the permission to create and delete databases, submit jobs for any queue, and delete tables under any account ID in any region of DLI.

    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": " Allow",
            "Action": [
                  "dli:database:createDatabase",
                  "dli:database:dropDatabase",
                  "dli:queue:submitJob",
                  "dli:table:dropTable"
            ],
            "Resource": [
                  "dli:*:*:database:*",
                  "dli:*:*:queue:*",
                  "dli:*:*:table:*"
            ]
        }
    ]
}

Example Custom Policies

  • Example 1: Allow policies
    • Allow users to create tables across all databases in all regions: 
      {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dli:database:createTable"
            ],
            "Resource": [
                "dli:*:*:database:*"
            ]
        }
    ]
}
    • Allow users to query column col in the table tb of the database db in the region where the user is located: 
      {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dli:column:select"
            ],
            "Resource": [
                "dli:xxx:*:column:databases.db.tables.tb.columns.col"
            ]
        }
    ]
}
  • Example 2: Deny policies

    A deny policy must be used together with other policies. That is, a user can set a deny policy only after being assigned some operation permissions. Otherwise, the deny policy does not take effect.

    If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    • Deny users to create or delete databases, submit jobs (except the default queue), or delete tables. 
      {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dli:database:createDatabase",
                "dli:database:dropDatabase",
                "dli:queue:submitJob",
                "dli:table:dropTable"
            ],
            "Resource": [
                "dli:*:*:database:*",
                "dli:*:*:queue:*",
                "dli:*:*:table:*"
            ]
        }
    ]
}
    • Deny users to submit jobs in the demo queue. 
      {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dli:queue:submitJob"
            ],
            "Resource": [
                "dli:*:*:queue:queues.demo"
            ]
        }
    ]
}
  • Example 3: Tag authentication. You need to specify an action and bind it to a condition, and specify the key and value of g:ResourceTag.

    Condition g: ResourceTag indicates a resource with the key=value tag. Only the operation on this resource contained in the policy action list is allowed.

    The key is case insensitive. Fuzzy match for the value is not supported. 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dli:database:dropDatabase",
                "dli:table:select",
                "dli:database:createTable",
                "dli:table:dropTable"
            ],
            "Condition": {
                "StringEquals": {
                    "g:ResourceTag/key": [
                        "value"
                    ]
                }
            }
        }
    ]
}
Parent topic: Permissions Management