Configuring LakeFormation Metadata Permissions
Overview
LakeFormation permissions can be configured in three dimensions: database, table, and function.
Cloud service administrators can configure permissions of different user groups for objects to centrally manage data lake resources.
For IAM users or user groups, you can associate them with fine-grained permission policies of LakeFormation to implement feature availability control. For details, see Creating a LakeFormation Custom Policy. If there are a large amount of data resources in a data lake, you are advised to use the LakeFormation console to centrally manage permissions for these resources.
The following table lists the main elements in LakeFormation permission configuration.
Element |
Description |
---|---|
Authorization Entity |
An entity to which permissions are granted. The entity can be a user group, role, IAM user, or agency. The name of an authorization entity cannot contain hyphens (-). |
Granted To |
|
Operation Type |
Access permission on the authorization object that the authorization entity has. Different authorization objects support different operations. For details, see Table 2. |
Grant Authorization Permission |
Whether to grant the authorization permission. After the authorization permission is granted, the authorization entity can grant the permission to other authorization entities. |
Authorization Object |
Operation Type |
Permissions Description |
---|---|---|
Catalog |
ALL |
Perform all operations on catalogs. |
ALTER |
Modify catalogs. |
|
CREATE_DATABASE |
Create databases. |
|
DROP |
Delete catalogs. |
|
DESCRIBE |
Check the metadata of catalogs or switch catalogs. |
|
LIST_DATABASE |
View the resources in a catalog. |
|
Database |
ALL |
Perform all operations on databases. |
ALTER |
Modify databases. |
|
DROP |
Delete databases. |
|
DESCRIBE |
Check the metadata of databases or switch databases. |
|
LIST_TABLE |
View the resources in a database. |
|
LIST_FUNC |
View functions in a database. |
|
CREATE_TABLE |
Create a table in a database. |
|
CREATE_FUNC |
Create a function in a database. |
|
Table |
ALL |
Perform all operations on tables. |
ALTER |
Modify tables. |
|
DROP |
Delete tables. |
|
DESCRIBE |
Check the metadata of tables. |
|
UPDATE |
Update data of a table. |
|
INSERT |
Insert data into a table. |
|
SELECT |
Query data in a table. |
|
DELETE |
Delete data from a table. |
|
Column |
SELECT |
Query column data in a table. |
Function |
ALL |
Perform all operations on functions. |
ALTER |
Modify functions. |
|
DROP |
Delete functions. |
|
DESCRIBE |
Check the metadata of functions. |
|
EXEC |
Execute functions. |
|
Path |
READ |
Read files stored in a path. |
WRITE |
Write data into the files stored in a path. |
System permission administrators vs. Service permission administrators
They have different IAM permission requirements and scopes of permission management.
- System permission administrators
- IAM operation permissions required: lakeformation:policy:describe, lakeformation:policy:create, and lakeformation:policy:drop.
- Permission management scope: They can assign metadata permissions to other authorization entities and revoke the assigned permissions as well.
- Service permission administrators
- IAM operation permissions required: lakeformation:policy:describe and lakeformation:policy:delegate.
- Permission management scope: They are authorized to assign and revoke metadata permissions only after they have received the requisite permissions from the service permission administrators.
Assume that there are system permission administrator (User A), service permission administrator (User B), and common user (User C). After User A grants the ALL permissions on Catalog1 and authorization permissions to User B, User B can grant the DESC permission on Catalog1 to User C. However, User B cannot grant the permissions on other catalogs to User C.
Constraints
- The name of an authorization entity cannot contain hyphens (-).
- A maximum of 256 permission policies can be granted to a single table.
Prerequisites
Before authorization, ensure that the entity to be authorized exists. For example, the IAM user group has been created.
Adding an Authorization Policy
- Log in to the LakeFormation console.
- Select the target LakeFormation instance from the drop-down list box on the left and choose Data Permissions > Data Authorization.
- Click Authorize. In the displayed dialog box, set parameters by referring to the following table and click OK.
Table 3 Data authorization parameters Parameter
Description
Entity Type
Type of the entity to be authorized. Options:
- User group
- Role
- IAM user
- Agency
Select User Group/Role/Select IAM user/Select Agency
Name of the entity to be authorized. The name cannot contain hyphens (-). Otherwise, the operation may fail.
- Select User Group: Select the user group to be authorized, for example, IAM user group. You can create one on the IAM console in advance.
- Role: Select the role to be authorized. You can create roles in advance by following the instructions provided in Creating a Role and Granting Permissions.
- Select IAM user: Select an IAM user to be authorized.
- Select Agency: Select an agency to be authorized.
Granted To
- Resources: Indicates that the authorization objects are resources in LakeFormation instances.
- Paths: Indicates that the authorization objects are OBS paths. This authorization type is used to grant permissions to foreign tables or functions.
Resource Type
Type of the resource to be authorized. This parameter is displayed when Granted To is set to Resources.
Select the catalog, database, table, column, and function to be authorized based on site requirements.
Row Filter Criterion
Whether to set row filtering criteria for the permission policy. This parameter is displayed when Resource Type is set to Table or Column. After this parameter is set, Column Masking Type and Column Masking Parameters cannot be set.
- The format is as follows: Column name Operator Column value
The following operators are supported: =, <=, <, >, >=, and like.
For example, if the row filter criterion is set to "department = financial", the row whose value is financial in the department column is selected.
- After the row filter criteria are set, the operation type can only be SELECT.
Column Masking Type
Select the column masking type. This parameter is available when Resource Type is set to Column. After this parameter is set, Row Filter Condition cannot be set.
- PARTIAL_MASK: Mask some data.
- REDACT: Modify the data in the original column.
- HASH: Use the hash algorithm for encryption.
- NULLIFY: Replace the original value with the NULL value.
- UNMASKED: Display the original information.
- DATA_ONLY_SHOW_YEAR: Display only the year part of a date string.
- CUSTOM: Use user-defined masking rules.
NOTE:LakeFormation provides only the functions of managing and obtaining dynamic masking policies. LakeFormation does not handle conflicts involving dynamic masking policies.
Column Masking Parameters
An option of the column masking type. You can configure the parameters by referring to Table 4. This parameter is available when Resource Type is set to Column. After this parameter is set, Row Filter Condition cannot be set.
Path
This parameter is displayed when Granted To is set to Paths.
Click
and select the OBS path to be authorized. You can select a maximum of 10 paths.
You cannot select a path that has been authorized by another LakeFormation instance to avoid permission conflicts.
Operation Type
Operation type to be authorized. Options vary depending on the value you selected for Granted To. For details, see Table 2.
- When granting the SELECT permission to a table, you need to configure Column. For example, set it to *.
- After Column Masking Type is set, the operation type can only be SELECT.
Grant Authorization Permission
Whether to grant the authorization permission.
After authorization permission is granted, an authorization entity has the permission to authorize an object to other authorization entities.
Table 4 Column masking parameters Column Masking Type
Column Masking Parameter (example)
Masking Description
PARTIAL_MASK
show last 4
Display only the last four characters, for example, *******1234.
show first 4
Display only the first four characters, for example, 1234*******.
REDACT
#
Use the number sign (#) to modify the data in the original column, for example, ###########.
*
Use asterisks (*) to modify the data in the original column, for example, ***********.
HASH
hash256
Use the hash256 algorithm to encrypt data in a column.
NULLIFY
None
Replace the original value with NULL.
UNMASKED
None
Display the original information.
DATA_ONLY_SHOW_YEAR
None
Display only the year part of a date string.
CUSTOM
Custom
Use user-defined masking rules.
- Click Cancel Authorization in the Operation column and click OK to cancel the authorization.
Cancelled authorizations cannot be recovered.
- To modify the row filter criteria, click More in the Operation column and click Edit Row Filter. This operation is supported only when row filter criteria are configured.
- To modify the column masking configuration, click More in the Operation column and click Edit Column Masking Parameter. This operation is supported only when column masking is configured.
Adding Permissions for a Specified Resource
You can add permissions for a specified resource (database or table).
- Log in to the LakeFormation console.
- Select the target LakeFormation instance from the drop-down list box on the left.
- Access the page for granting permissions to a specified resource.
- Catalog: In the navigation pane, choose Metadata > Catalog. In the Operation column of the catalog to be authorized, choose More > Authorize.
- Database: In the navigation pane on the left, choose Metadata > Database. In the upper right corner, select the name of the catalog to which the target database belongs from the Catalog drop-down list, and choose More > Authorize in the Operation column of the database.
- Data Table: In the navigation pane, choose Metadata > Table. In the upper right corner, select the catalog to which the target data table belongs and the database name from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the data table.
- Function: In the navigation pane on the left, choose Metadata > Function. In the upper right corner, select the catalog to which the target function belongs and the name of the database from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the function.
- Configure related information by referring to Table 3 and click OK.
- Choose Data Permissions > Data Authorization to view the authorization information.
After the authorization is complete, users in the selected user group or users or user groups with the selected role can perform operations on the current resource.
Reference
- For details about how to create a LakeFormation role, see Creating a LakeFormation Role and Granting Permissions.
- For details about how to bind a role to an IAM user, see Adding a LakeFormation Role to a User.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot