Permissions Management

Updated on 2024-10-08 GMT+08:00

If your account does not need individual IAM users for permissions management, you can skip this section.

If you need to assign different permissions to employees in your enterprise to access your DDM resources, IAM is a good choice for fine-grained permissions management. IAM provides functions like identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

You can create IAM users for your employees and assign permissions to these users to control their access to specific types of resources. For example, you can create IAM users for software developers and assign permissions that allow them to use DDM resources but not to delete those resources or perform any high-risk operations.

IAM is a free service. You pay only for the resources in your account.

DDM Permissions

By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups.

DDM is a project-level service deployed in specific physical regions. When you assign DDM permissions to a user group, you need to specify region-specific projects where the permissions will take effect. If you select All projects, the permissions will be granted for all region-specific projects. To access DDM, you need to switch to the region where you are authorized.

You can grant users permissions using roles and policies.
  • Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign other dependent roles. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and more secure access control. For example, you can grant IAM users only the permissions for managing a certain type of DDM resources.
Table 1 System-defined policies

| Policy Name | Description | Type | Dependency |
|---|---|---|---|
| DDM FullAccess | Full permissions for Distributed Database Middleware | System-defined policy | None |
| DDM CommonOperations | Common permissions for Distributed Database Middleware, excluding the permissions to create, delete, and add nodes, configure shards, and roll back shard configuration tasks | System-defined policy | None |
| DDM ReadOnlyAccess | Read-only permissions for Distributed Database Middleware | System-defined policy | None |

The following are the permission configurations of the supported system-defined policies:
  • DDM FullAccess
    {
        "Version": "1.1",
        "Statement": [{
            "Action": [
                "ddm:*:*",
                "rds:instance:list",
                "rds:instance:modify",
                "rds:instance:modifyParameter",
                "vpc:*:*",
                "ecs:*:get*",
                "ecs:*:list*",
                "ecs:cloudServerNics:update",
                "ecs:serverInterfaces:use"
            ],
            "Effect": "Allow"
        }]
    }
  • DDM CommonOperations
    {
        "Version": "1.1",
        "Statement": [{
            "Action": [
                "vpc:*:*list*",
                "vpc:*:*get*",
                "vpc:ports:update",
                "ecs:*:get*",
                "ecs:*:list*",
                "rds:instance:list",
                "rds:instance:modify",
                "rds:instance:modifyParameter"
            ],
            "Effect": "Allow"
        }, {
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "g:ServiceName": ["ddm"]
                }
            },
            "NotAction": [
                "ddm:instance:create",
                "ddm:instance:delete",
                "ddm:database:migrate*",
                "ddm:instance:resize",
                "ddm:instance:extendNode"
            ],
            "Effect": "Allow"
        }]
    }
  • DDM ReadOnlyAccess
    {
        "Version": "1.1",
        "Statement": [{
            "Action": [
                "rds:instance:list",
                "vpc:*:*list*",
                "vpc:*:*get*",
                "ecs:*:get*",
                "ecs:*:list*",
                "ddm:*:list",
                "ddm:*:get",
                "ddm:instance:listParameter",
                "ddm:instance:listRwInfo",
                "ddm:instance:listSlowSqlInfo",
                "ddm:rds:connectivity"
            ],
            "Effect": "Allow"
        }]
    }
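The DDM CommonOperations policy above grants every ddm action except the five in its NotAction list, which is easy to misread when reviewing a group's permissions. The following checker is an added example, not Huawei Cloud's own code: it loads that policy and reports whether a given action would be granted, so a reviewer can confirm the least-privilege boundary before attaching the policy to a group. It assumes g:ServiceName is compared with the service prefix of the requested action and models only the constructs this policy uses.

```python
import fnmatch

# Added example, not Huawei Cloud's own code: a simplified offline checker for
# the DDM CommonOperations policy quoted above. It models only what that policy
# uses (Allow statements, Action/NotAction with "*" wildcards, a
# StringEqualsIgnoreCase condition on g:ServiceName); the real IAM engine also
# applies Deny, other condition keys and resource scoping.

# Policy copied from the page (DDM CommonOperations system-defined policy).
DDM_COMMON_OPERATIONS = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["vpc:*:*list*", "vpc:*:*get*", "vpc:ports:update",
                    "ecs:*:get*", "ecs:*:list*", "rds:instance:list",
                    "rds:instance:modify", "rds:instance:modifyParameter"],
         "Effect": "Allow"},
        {"Condition": {"StringEqualsIgnoreCase": {"g:ServiceName": ["ddm"]}},
         "NotAction": ["ddm:instance:create", "ddm:instance:delete",
                       "ddm:database:migrate*", "ddm:instance:resize",
                       "ddm:instance:extendNode"],
         "Effect": "Allow"},
    ],
}

def _matches(pattern, action):
    # IAM action patterns use "*" as a wildcard; fnmatch reproduces that.
    return fnmatch.fnmatchcase(action, pattern)

def _condition_holds(stmt, action):
    # Assumption: g:ServiceName is compared with the service prefix of the
    # requested action ("ddm" for "ddm:instance:reboot").
    wanted = stmt.get("Condition", {}).get("StringEqualsIgnoreCase", {}).get("g:ServiceName")
    if wanted is None:
        return True
    return action.split(":", 1)[0].lower() in [w.lower() for w in wanted]

def is_allowed(policy, action):
    """True if any Allow statement whose condition holds covers the action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _condition_holds(stmt, action):
            continue
        if any(_matches(p, action) for p in stmt.get("Action", [])):
            return True
        # NotAction allows every action (within the condition) except those listed.
        if "NotAction" in stmt and not any(_matches(p, action) for p in stmt["NotAction"]):
            return True
    return False

def audit(policy, actions):
    """Map each action to whether the policy grants it; run before assigning a group."""
    return {a: is_allowed(policy, a) for a in actions}
```

Running audit() over the actions listed in Table 3 shows, for instance, that ddm:instance:reboot and ddm:database:create are granted while ddm:instance:delete and ddm:database:migrateRollback are not.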
Table 2 lists the common operations supported by each DDM system-defined policy. Choose appropriate system-defined policies based on your requirements.

Table 2 Common operations supported by each system-defined policy

| Operation | DDM FullAccess | DDM CommonOperations | DDM ReadOnlyAccess |
|---|---|---|---|
| Querying DDM instances | Supported | Supported | Supported |
| Querying details of a DDM instance | Supported | Supported | Supported |
| Modifying instance information, including the name and security group | Supported | Supported | Not supported |
| Restarting a DDM instance | Supported | Supported | Not supported |
| Creating a DDM instance | Supported | Not supported | Not supported |
| Deleting a DDM instance | Supported | Not supported | Not supported |
| Changing node class | Supported | Not supported | Not supported |
| Scaling out a DDM instance | Supported | Not supported | Not supported |
| Creating a schema | Supported | Supported | Not supported |
| Querying schemas | Supported | Supported | Supported |
| Querying details of a schema | Supported | Supported | Supported |
| Performing a rollback if configuring shards fails | Supported | Not supported | Not supported |
| Deleting source data if configuring shards fails | Supported | Not supported | Not supported |
| Retrying if configuring shards fails | Supported | Not supported | Not supported |
| Deleting a schema | Supported | Supported | Not supported |
| Querying accounts | Supported | Supported | Supported |
| Creating an account | Supported | Supported | Not supported |
| Modifying an account | Supported | Supported | Not supported |
| Resetting a password | Supported | Supported | Not supported |
| Deleting an account | Supported | Supported | Not supported |
| Synchronizing data node information | Supported | Supported | Not supported |
| Querying data nodes | Supported | Supported | Supported |
| Querying details of a data node | Supported | Supported | Supported |
| Modifying the read policy of a data node | Supported | Supported | Not supported |
| Viewing products | Supported | Supported | Supported |
| Creating a parameter template | Supported | Supported | Not supported |
| Deleting a parameter template | Supported | Supported | Not supported |
| Applying a parameter template | Supported | Supported | Not supported |
| Modifying a parameter template | Supported | Supported | Not supported |
| Replicating a parameter template | Supported | Supported | Not supported |
| Comparing two parameter templates | Supported | Supported | Supported |
| Querying parameter templates | Supported | Supported | Supported |
| Viewing all tags | Supported | Supported | Supported |
| Adding, modifying, or deleting a tag | Supported | Supported | Not supported |
| Querying a session | Supported | Supported | Supported |
| Killing a session | Supported | Supported | Not supported |

Table 3 Common operations and supported actions

| Operation Category | Operation | Action |
|---|---|---|
| DDM routine operations | Buying a pay-per-use DDM instance; buying a yearly/monthly DDM instance | ddm:instance:create. Before you buy a DDM instance, obtain the following dependent permissions: ecs:*:get*, ecs:*:list*, vpc:vpcs:list, vpc:securityGroups:get, vpc:subnets:get, ecs:cloudServerNics:update, ecs:serverInterfaces:use, vpc:ports:* (for a global or regional DDM instance), and the BSS Finance and BSS Operator policies (required only when you buy yearly/monthly DDM instances) |
| | Querying DDM instances | ddm:instance:list |
| | Querying details of a DDM instance | ddm:instance:get. To view details of a DDM instance, you also need vpc:*:get* and vpc:*:list* |
| | Modifying instance information, including modifying the name, changing the security group, or adding, modifying, or deleting a tag of a DDM instance | ddm:instance:modify. To modify a security group, you also need vpc:*:get*, vpc:*:list*, and vpc:ports:update |
| | Restarting a DDM instance | ddm:instance:reboot |
| | Deleting a DDM instance | ddm:instance:delete, vpc:ports:delete |
| | Changing node class | ddm:instance:resize |
| | Scaling out a DDM instance | ddm:instance:extendNode |
| | Monitoring the read/write ratio | ddm:instance:listRwInfo |
| | Querying slow query logs | ddm:instance:listSlowSqlInfo |
| DDM routine operations | Auto-renew (for yearly/monthly instances) | Configure the BSS Finance and BSS Operator policies (see the procedure below the table) |
| DDM routine operations | Changing to yearly/monthly billing | Configure the BSS Finance and BSS Operator policies. The procedure is the same as that for renewing an instance. |
| Schema operations | Creating a schema | ddm:database:create |
| | Querying schemas | ddm:database:list |
| | Querying details of a schema | ddm:database:get |
| | Performing a rollback if configuring shards fails; deleting source data if configuring shards fails; retrying if configuring shards fails | ddm:database:migrateRollback |
| | Deleting a schema | ddm:database:delete |
| DDM account operations | Querying accounts | ddm:user:list |
| | Creating an account | ddm:user:create |
| | Modifying an account | ddm:user:modify |
| | Resetting a password | ddm:user:modify |
| | Deleting an account | ddm:user:delete |
| Data node management (using an RDS for MySQL instance as an example) | Synchronizing data node information | ddm:rds:synchro. To synchronize data node information, you also need rds:instance:list, rds:instance:modify, and rds:instance:modifyParameter |
| | Querying data nodes | ddm:rds:list |
| | Querying details of a data node | ddm:rds:get |
| | Modifying the read policy of a data node | ddm:rds:modifyReadPolicy |
| DDM product operations | Viewing products | ddm:product:list |
| Parameter template operations | Creating a parameter template | ddm:param:create |
| | Deleting a parameter template | ddm:param:delete |
| | Applying a parameter template | ddm:param:apply |
| | Modifying a parameter template | ddm:param:update |
| | Replicating a parameter template | ddm:param:create |
| | Comparing two parameter templates | ddm:param:list |
| | Querying parameter templates | ddm:param:list |
| Tag operations | Querying the tag list | ddm:tag:list |
| | Adding, modifying, or deleting a tag | ddm:tag:modify |
| Session operations | Querying a session | ddm:instance:queryProcessList |
| | Killing a session | ddm:instance:killProcessList |

To configure the BSS Finance and BSS Operator policies for auto-renewal:

  1. Log in to the IAM console.
  2. In the navigation pane, click User Groups.
  3. Choose More > Assign Permissions.
  4. Click Attach Policy in the same row as the project for which you want to edit the permissions.
  5. In the Available Policies area, select BSS Finance and BSS Operator.
