Fine-Grained Permissions Policies
In actual services, you may need to grant different operation permissions on resources to users of different roles. The IAM service provides fine-grained access control. An IAM administrator (a user in the admin group) can create a custom policy containing required permissions. After a policy is granted to a user group, users in the group can obtain all permissions defined by the policy. In this way, IAM implements fine-grained permission management.
To control the GaussDB(DWS) operations on resources more precisely, you can use the user management function of IAM to grant different operation permissions to users of different roles for fine-grained permission control.
GaussDB(DWS) Permissions in Fine-Grained Policies
When creating a custom policy on IAM, you can add the operations on GaussDB(DWS) resources or the permissions corresponding to RESTful APIs to the action list of the policy authorization statement so that the policy contains the operation permissions. The following table lists the GaussDB(DWS) permissions.
- RESTful APIs
For details about GaussDB(DWS) REST API actions, see "Permissions Policies and Supported Actions" in the Data Warehouse Service (DWS) API Reference.
- Management console operations
Table 1 describes the GaussDB(DWS) operations on resources and corresponding permissions.
Operation | Permission | Dependent Permission | Scope
---|---|---|---
Creating/Restoring clusters | "dws:cluster:create" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
Obtaining the cluster list | "dws:cluster:list" | "dws:*:get*", "dws:*:list*" |
Obtaining the details of a cluster | "dws:cluster:getDetail" | "dws:*:get*", "dws:*:list*" |
Setting automated snapshot policy | "dws:cluster:setAutomatedSnapshot" | "dws:*:get*", "dws:*:list*" |
Setting security parameters/parameter groups | "dws:cluster:setSecuritySettings" | "dws:*:get*", "dws:*:list*" |
Restarting clusters | "dws:cluster:restart" | "dws:*:get*", "dws:*:list*" |
Scaling out clusters | "dws:cluster:scaleOut" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
Resetting passwords | "dws:cluster:resetPassword" | "dws:*:get*", "dws:*:list*" |
Applying parameter templates to clusters | "dws:cluster:changeParameterGroup" | "dws:*:get*", "dws:*:list*" |
Deleting clusters | "dws:cluster:delete" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" |
Configuring maintenance windows | "dws:cluster:setMaintainceWindow" | "dws:*:get*", "dws:*:list*" |
Binding EIPs | "dws:eip:operate" | "dws:*:get*", "dws:*:list*" |
Unbinding EIPs | "dws:eip:operate" | "dws:*:get*", "dws:*:list*" |
Creating DNS domain names | "dws:dns:create" | "dws:*:get*", "dws:*:list*" |
Releasing DNS domain names | "dws:dns:release" | "dws:*:get*", "dws:*:list*" |
Modifying DNS domain names | "dws:dns:edit" | "dws:*:get*", "dws:*:list*" |
Creating MRS connections | "dws:MRSConnection:create" | "dws:*:get*", "dws:*:list*" |
Updating MRS connections | "dws:MRSConnection:update" | "dws:*:get*", "dws:*:list*" |
Deleting MRS connections | "dws:MRSConnection:delete" | "dws:*:get*", "dws:*:list*" |
Adding/Deleting tags | "dws:tag:addAndDelete" | "dws:*:get*", "dws:*:list*" |
Editing tags | "dws:tag:edit" | "dws:*:get*", "dws:*:list*" |
Creating snapshots | "dws:snapshot:create" | "dws:*:get*", "dws:*:list*" |
Obtaining the snapshot list | "dws:snapshot:list" | "dws:*:get*" |
Deleting snapshots | "dws:snapshot:delete" | "dws:snapshot:list" |
Copying snapshots | "dws:snapshot:copy" | "dws:snapshot:list" |
Creating parameter templates | "dws:parameterGroup:create" | "dws:*:get*", "dws:*:list*" |
Deleting parameter templates | "dws:parameterGroup:delete" | "dws:*:get*", "dws:*:list*" |
Changing parameter templates | "dws:parameterGroup:edit" | "dws:*:get*", "dws:*:list*" |
Authorization Using the Fine-Grained Permission Policy
- Log in to the IAM console and create a custom policy.
For details, see "User Guide > Fine-grained Policy Management > Creating Custom Policies" in the Identity and Access Management User Guide.
Refer to the following to create the policy:
- Use the IAM administrator account, that is, the user in the admin user group, because only the IAM administrator has the permissions to create users and user groups and modify user group permissions.
- GaussDB(DWS) is a project-level service, so its Scope must be set to Project-level services. If the policy is required to take effect in multiple projects, it must be granted in each of those projects.
- Two GaussDB(DWS) policy templates are preconfigured on IAM. When creating a custom policy, you can select either of the following templates and modify the policy authorization statement based on the template:
- DWS Admin: has all execution permissions on GaussDB(DWS).
- DWS Viewer: has the read-only permission on GaussDB(DWS).
- You can add the permissions corresponding to the GaussDB(DWS) operations or RESTful APIs listed in GaussDB(DWS) Permissions in Fine-Grained Policies to the action list in the policy authorization statement, so that the policy grants those permissions.
For example, if dws:cluster:create is added to the action list of a policy statement, the policy has the permission to create or restore clusters.
- If you want to use other services, grant related operation permissions on these services. For details, see the help documents of related services.
For example, when creating a data warehouse cluster, you need to configure the VPC to which the cluster belongs. To obtain the VPC list, add permission vpc:*:get* to the policy statement.
Policy example:
- Example in which multiple operation permissions are supported
For example, the following policy has the permissions to create/restore/restart/delete a cluster, set security parameters, and reset passwords.
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dws:cluster:create",
        "dws:cluster:restart",
        "dws:cluster:delete",
        "dws:cluster:setSecuritySettings",
        "dws:cluster:resetPassword",
        "ecs:*:get*",
        "ecs:*:list*",
        "ecs:*:create*",
        "ecs:*:delete*",
        "vpc:*:get*",
        "vpc:*:list*",
        "vpc:*:create*",
        "vpc:*:delete*",
        "evs:*:get*",
        "evs:*:list*",
        "evs:*:create*",
        "evs:*:delete*"
      ]
    }
  ]
}
```
- Example of wildcard (*) usage
- Create a user group.
For details, see "User Guide > User and User Group Management > Creating a User Group" in the Identity and Access Management User Guide.
- Add users to the user group and grant the new custom policy to the user group so that users in it can obtain the permissions defined by the policy.
For details, see "User Guide > User and User Group Management > Viewing and Modifying User Group Information" in the Identity and Access Management User Guide.
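As an added example (not part of this page or of the GaussDB(DWS) documentation), the following Python script checks a custom policy against a subset of Table 1 before it is granted to a user group: it reports which dependent permissions an Allow statement still lacks for a given console operation, and which console operations the policy enables once wildcards are taken into account. The per-segment wildcard matching, the subset of Table 1, and the sample policy are assumptions; Deny statements are not modelled.

```python
import json
from fnmatch import fnmatchcase

# Subset of Table 1 (operation -> its permission and dependent permissions), transcribed
# from the page. Matching '*' per ':'-separated segment is an assumption about IAM action
# semantics, not something the page states.
OPERATIONS = {
    "Creating/Restoring clusters": ("dws:cluster:create", [
        "dws:*:get*", "dws:*:list*",
        "ecs:*:get*", "ecs:*:list*", "ecs:*:create*",
        "vpc:*:get*", "vpc:*:list*", "vpc:*:create*",
        "evs:*:get*", "evs:*:list*", "evs:*:create*"]),
    "Restarting clusters": ("dws:cluster:restart", ["dws:*:get*", "dws:*:list*"]),
    "Deleting snapshots": ("dws:snapshot:delete", ["dws:snapshot:list"]),
}

def action_covers(granted, required):
    """True if the granted 'service:resource:action' pattern is at least as broad as the
    required one. Segments are matched separately, so 'ecs:server:get*' does not
    satisfy 'ecs:*:get*' while 'ecs:*:*' does."""
    g, r = granted.split(":"), required.split(":")
    return len(g) == len(r) == 3 and all(fnmatchcase(rs, gs) for gs, rs in zip(g, r))

def allowed_actions(policy):
    """Action patterns from Allow statements (Deny statements are not modelled)."""
    return [a for st in policy["Statement"] if st.get("Effect") == "Allow"
            for a in st.get("Action", [])]

def missing_dependencies(policy, operation):
    """Permissions Table 1 lists for the operation that no Allow statement covers."""
    perm, deps = OPERATIONS[operation]
    granted = allowed_actions(policy)
    return [req for req in [perm] + deps if not any(action_covers(g, req) for g in granted)]

def enabled_operations(policy):
    """Console operations whose own permission the policy grants, wildcards included;
    a longer list than the role needs signals an over-broad policy."""
    granted = allowed_actions(policy)
    return [op for op, (perm, _) in OPERATIONS.items()
            if any(action_covers(g, perm) for g in granted)]

# Constructed sample policy: cluster creation without the EVS permissions the console needs.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Allow", "Action": [
    "dws:cluster:create", "dws:*:get*", "dws:*:list*",
    "ecs:*:get*", "ecs:*:list*", "ecs:*:create*",
    "vpc:*:get*", "vpc:*:list*", "vpc:*:create*"]}]
}""")
```

Running `missing_dependencies(SAMPLE_POLICY, "Creating/Restoring clusters")` reports the three missing EVS patterns, and a policy granting `dws:*:*` shows up in `enabled_operations` as enabling every listed operation.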