Configuring DataArtsFabric Service Agency Permissions
DataArtsFabric provides multiple functions, and different functions require different agency permissions. For details, see Table 1.
Prerequisites
You have a valid Huawei Cloud account.
Procedure
- Log in to DataArtsFabric Workspace Management Console and click Service Authorization.
- Authorize an agency on the Service Authorization page. You can configure the agency permissions based on the policy as required.
Table 1 Agency policy

| Agency Policy Name | Permission Item | Mandatory (Yes/No) | Function |
|---|---|---|---|
| FABRIC_COMMON_POLICY | iam:agencies:listAgencies, iam:roles:getRole, iam:permissions:listRolesForAgency, obs:bucket:ListAllMyBuckets, obs:bucket:ListBucket, obs:object:GetObjectVersion, obs:object:GetObject | Yes | IAM permissions: only some read-only permissions are assigned, so that the service can compare the user's agency with the required agency and prompt the user to update the agency if necessary. OBS permissions: all services, including jobs and inference, require permission to read OBS files, so that job files can be pulled from the user's OBS bucket for execution and model files can be deployed. To restrict access to OBS resources, the user can manually modify the OBS-related part of the fabric_admin_trust agency on the IAM agency page. For details, see the Example Custom Policies part in IAM Permissions. |
| FABRIC_LTS_POLICY | lts:groups:create, lts:groups:get, lts:groups:list, lts:topics:create, lts:topics:get, lts:topics:list | Yes | Permissions required by the DataArtsFabric service to configure log dumping. |
| FABRIC_SELF_POLICY | DataArtsFabric:workspace:list, DataArtsFabric:workspace:listRoute, DataArtsFabric:workspace:showSession, DataArtsFabric:workspace:listMessagePolicy, DataArtsFabric:endpoint:show, DataArtsFabric:endpoint:list, DataArtsFabric:job:dropJobInstance, DataArtsFabric:job:listJobInstance | Yes | Permissions required by the DataArtsFabric service to help users manage resources. |
| FABRIC_LAKEFORMATION_POLICY | lakeformation:accessTenant:grant, lakeformation:access:delete, lakeformation:access:create, lakeformation:access:describe, lakeformation:agreement:grant, lakeformation:agreement:describe, lakeformation:agreement:cancel, lakeformation:agency:create, lakeformation:agency:drop, lakeformation:agency:describe | No | Permissions required by the DataArtsFabric service to use LakeFormation. Enable this policy if LakeFormation needs to be interconnected. |
| FABRIC_SMN_POLICY | smn:topic:publish | No | Permissions required by the DataArtsFabric service to use Simple Message Notification (SMN). Enable this policy if the message notification capability is required. |
| FABRIC_SWR_POLICY | swr:repo:listRepoDomains, swr:repo:listRepoTags, swr:repo:createRepoDomain | No | Permissions required by the DataArtsFabric service to use images shared by users. |
| FABRIC_VPCEP_POLICY | vpcep:epservices:get, vpcep:connections:update, vpcep:permissions:update, vpcep:permissions:list | No | Permissions required by the DataArtsFabric service to connect to the user network. |
| FABRIC_OBS_POLICY | obs:bucket:PutLifecycleConfiguration, obs:bucket:ListBucketMultipartUploads, obs:object:GetObject, obs:bucket:HeadBucket, obs:bucket:DeleteBucket, obs:bucket:CreateBucket, obs:bucket:ListAllMyBuckets, obs:bucket:ListBucket, obs:object:PutObject | No | Permissions required by the DataArtsFabric service to use the OBS bucket. |
All agency permissions except the mandatory ones can be canceled.
- Add an agency to the bucket policy.
The DataArtsFabric service uses the fabric_admin_trust agency to access files in the OBS bucket of the user. Therefore, the agency needs to access the OBS bucket of the user.
Users need to check whether a bucket policy is configured for the OBS bucket used by the DataArtsFabric service. If a bucket policy is configured, ensure that the agency is not denied by the existing bucket policy and perform the following steps to add the agency to the bucket policy:
- Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
- On the Buckets page, click the bucket name to access its Objects tab page.
- In the navigation pane on the left, choose Permissions > Bucket Policies. Then, click Create.
- On the Create Bucket Policy page, customize the policy name, set Principal to Other accounts, and enter the agency account (in the format of Account ID/Agency name). The agency name is fabric_admin_trust. Example: s3a7973a07cf4725abf5ba0b6d7*****/fabric_admin_trust.
- Check whether server-side encryption is configured for OBS.
If server-side encryption is configured for the OBS bucket and the encryption mode is SSE-KMS, add the KMS Administrator permission to the agency fabric_admin_trust. For details, see Why Cannot an Authorized Account or User Upload or Download KMS Encrypted Objects?
Due to security management requirements, DataArtsFabric cannot directly configure the KMS Administrator permission for users. Users need to perform the following steps to confirm and add the permission:
- Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
- On the Buckets page, click the bucket name to access its Objects tab page.
- In the navigation pane on the left, choose Overview.
- In the Basic Configurations area, check whether Server-Side Encryption is configured and Encryption Method is SSE-KMS.
- If Encryption Mode is not SSE-KMS, skip the following steps.
- If Encryption Mode is SSE-KMS, go to the next step.
- Configure the KMS Administrator permission.
- In the upper right corner of OBS Console, hover the mouse over the username and click Identity and Access Management.
- In the navigation pane of the Identity and Access Management console, click Agencies.
- On the Agencies page, search for the agency name fabric_admin_trust in the text box. On the right of the fabric_admin_trust agency, click Authorize.
- In the text box in the upper right corner of the Authorize Agency page, search for the policy name KMS Administrator, select the policy, click Next, and click OK to complete the authorization.
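As an added example (not Huawei's own tooling), the following Python script checks a custom policy attached to the fabric_admin_trust agency against the permission items in Table 1: it reports mandatory items that are missing, optional policies that are fully granted, and OBS Allow statements that are not limited to specific buckets. The IAM 1.1 policy layout, the OBS resource strings and the sample policy are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Permission items copied from Table 1, keyed by agency policy name.
MANDATORY = {
    "FABRIC_COMMON_POLICY": {
        "iam:agencies:listAgencies", "iam:roles:getRole", "iam:permissions:listRolesForAgency",
        "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:object:GetObjectVersion", "obs:object:GetObject"},
    "FABRIC_LTS_POLICY": {"lts:groups:create", "lts:groups:get", "lts:groups:list",
                          "lts:topics:create", "lts:topics:get", "lts:topics:list"},
    "FABRIC_SELF_POLICY": {
        "DataArtsFabric:workspace:list", "DataArtsFabric:workspace:listRoute",
        "DataArtsFabric:workspace:showSession", "DataArtsFabric:workspace:listMessagePolicy",
        "DataArtsFabric:endpoint:show", "DataArtsFabric:endpoint:list",
        "DataArtsFabric:job:dropJobInstance", "DataArtsFabric:job:listJobInstance"},
}
# Two of the optional policies; the other optional rows of Table 1 are added the same way.
OPTIONAL = {
    "FABRIC_SMN_POLICY": {"smn:topic:publish"},
    "FABRIC_OBS_POLICY": {
        "obs:bucket:PutLifecycleConfiguration", "obs:bucket:ListBucketMultipartUploads",
        "obs:object:GetObject", "obs:bucket:HeadBucket", "obs:bucket:DeleteBucket",
        "obs:bucket:CreateBucket", "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:object:PutObject"},
}

def allowed(policy, action):
    """True if some Allow statement grants the action; wildcard patterns such as lts:groups:* count."""
    return any(st.get("Effect") == "Allow" and any(fnmatchcase(action, pat) for pat in st.get("Action", []))
               for st in policy["Statement"])

def audit(policy):
    """Report missing mandatory items, optional policies fully granted, and OBS grants not tied to a bucket."""
    missing = sorted(a for items in MANDATORY.values() for a in items if not allowed(policy, a))
    enabled = sorted(n for n, items in OPTIONAL.items() if all(allowed(policy, a) for a in items))
    # An Allow statement with obs: actions and no Resource (or Resource "*") reaches every bucket.
    unscoped = any(st.get("Effect") == "Allow" and any(a.startswith("obs:") for a in st.get("Action", []))
                   and "*" in st.get("Resource", ["*"]) for st in policy["Statement"])
    return {"missing_mandatory": missing, "optional_enabled": enabled, "unscoped_obs": unscoped}

# Constructed sample in the assumed IAM 1.1 custom-policy layout (resource strings also assumed):
# one mandatory item is left out and OBS read access is limited to a single bucket.
SAMPLE = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["iam:agencies:listAgencies", "iam:roles:getRole",
        "iam:permissions:listRolesForAgency", "lts:groups:*", "lts:topics:*",
        "DataArtsFabric:workspace:*", "DataArtsFabric:endpoint:*",
        "DataArtsFabric:job:listJobInstance", "smn:topic:publish"]},
    {"Effect": "Allow", "Action": ["obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket", "obs:object:Get*"],
     "Resource": ["OBS:*:*:bucket:fabric-jobs-example", "OBS:*:*:object:fabric-jobs-example/*"]}]}
```

Running `audit(SAMPLE)` reports the single missing mandatory item, SMN as the only optional policy fully enabled, and no unscoped OBS grant.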