Configuring DataArtsFabric Service Agency Permissions

Prerequisites

You have a valid Huawei Cloud account.

Procedure

1. Log in to DataArtsFabric Workspace Management Console and click Service Authorization.
2. Authorize an agency on the Service Authorization page. You can configure the agency permissions based on the policy as required.

   Table 1 Agency policy

   Agency Policy Name	Permission Item	Mandatory (Yes/No)	Function
   FABRIC_COMMON_POLICY	iam:agencies:listAgencies iam:roles:getRole iam:permissions:listRolesForAgency obs:bucket:ListAllMyBuckets obs:bucket:ListBucket obs:object:GetObjectVersion obs:object:GetObject	Yes	IAM permissions: Only some read-only permissions are assigned to enable the service to compare the user's agency with the required agency. The user will be prompted to update the agency if necessary. OBS permissions: All services, including jobs and inference, require the permission to read OBS files. With this permission, job files can be pulled from the user's OBS bucket for execution and model files can be deployed. For OBS permissions, the user can manually modify the OBS-related part in the fabric_admin_trust agency on the IAM agency page to restrict the access to OBS resources. For details, see the Example Custom Policies part in IAM Permissions.
   FABRIC_LTS_POLICY	lts:groups:create lts:groups:get lts:groups:list lts:topics:create lts:topics:get lts:topics:list	Yes	Permissions required by the DataArtsFabric service to configure dumping logs.
   FABRIC_SELF_POLICY	DataArtsFabric:workspace:list DataArtsFabric:workspace:listRoute DataArtsFabric:workspace:showSession DataArtsFabric:workspace:listMessagePolicy DataArtsFabric:endpoint:show DataArtsFabric:endpoint:list DataArtsFabric:job:dropJobInstance DataArtsFabric:job:listJobInstance	Yes	Permissions required by the DataArtsFabric service to help users manage resources.
   FABRIC_LAKEFORMATION_POLICY	lakeformation:accessTenant:grant lakeformation:access:delete lakeformation:access:create lakeformation:access:describe lakeformation:agreement:grant lakeformation:agreement:describe lakeformation:agreement:cancel lakeformation:agency:create lakeformation:agency:drop lakeformation:agency:describe	No	Permissions required by the DataArtsFabric service to use LakeFormation. If LakeFormation needs to be interconnected, enable this policy.
   FABRIC_SMN_POLICY	smn:topic:publish	No	Permissions required by the DataArtsFabric service to use simple message notification service. If the message notification capability is required, enable this policy.
   FABRIC_SWR_POLICY	swr:repo:listRepoDomains swr:repo:listRepoTags swr:repo:createRepoDomain	No	Permissions required by the DataArtsFabric service to use images shared by users.
   FABRIC_VPCEP_POLICY	vpcep:epservices:get vpcep:connections:update vpcep:permissions:update vpcep:permissions:list	No	Permissions required by the DataArtsFabric service to connect to the user network.
   FABRIC_OBS_POLICY	obs:bucket:PutLifecycleConfiguration obs:bucket:ListBucketMultipartUploads obs:object:GetObject obs:bucket:HeadBucket obs:bucket:DeleteBucket obs:bucket:CreateBucket obs:bucket:ListAllMyBuckets obs:bucket:ListBucket obs:object:PutObject	No	Permissions required by the DataArtsFabric service to use the OBS bucket.

   

   All agency permissions except the mandatory ones can be canceled.

3. Add an agency to the bucket policy.

   The DataArtsFabric service uses the fabric_admin_trust agency to access files in the OBS bucket of the user. Therefore, the agency needs to access the OBS bucket of the user.

   Users need to check whether a bucket policy is configured for the OBS bucket used by the DataArtsFabric service. If a bucket policy is configured, ensure that the agency is not denied by the existing bucket policy and perform the following steps to add the agency to the bucket policy:

   1. Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
   2. On the Buckets page, click the bucket name to access its Objects tab page.
   3. In the navigation pane on the left, choose Permissions > Bucket Policies. Then, click Create.
   4. On the Create Bucket Policy page, customize the policy name, set Principal to Other accounts, and enter the agency account (in the format of Account ID/Agency name). The agency name is fabric_admin_trust. Example: s3a7973a07cf4725abf5ba0b6d7*****/fabric_admin_trust.

4. Check whether server-side encryption is configured for OBS.

   If server-side encryption is configured for the OBS bucket and the encryption mode is SSE-KMS, add the KMS Administrator permission to the agency fabric_admin_trust. For details, see Why Cannot an Authorized Account or User Upload or Download KMS Encrypted Objects?

   Due to security management requirements, DataArtsFabric cannot directly configure the KMS Administrator permission for users. Users need to perform the following steps to confirm and add the permission:

   1. Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
   2. On the Buckets page, click the bucket name to access its Objects tab page.
   3. In the navigation pane on the left, choose Overview.
   4. In the Basic Configurations area, check whether Server-Side Encryption is configured and Encryption Method is SSE-KMS.
      • If Encryption Mode is not SSE-KMS, skip the following steps.
      • If Encryption Mode is SSE-KMS, go to the next step.
   5. Configure the KMS Administrator permission.
      1. In the upper right corner of OBS Console, hover the mouse over the username and click Identity and Access Management.
      2. In the navigation pane of the Identity and Access Management console, click Agencies.
      3. On the Agencies page, search for the agency name fabric_admin_trust in the text box. On the right of the fabric_admin_trust agency, click Authorize.
      4. In the text box in the upper right corner of the Authorize Agency page, search for the policy name KMS Administrator, select the policy, click Next, and click OK to complete the authorization.