Updated on 2025-07-25 GMT+08:00

Granting Catalog Operation Permissions to a LakeFormation Role

Scenario

This document provides step-by-step instructions to create a LakeFormation instance along with its catalog metadata, create a LakeFormation role, and grant this role the permissions to modify catalogs and create databases. Once authorized, users associated with this role will inherit these permissions.

On the Instances page of the LakeFormation management console, you can allocate granular data access rights to various authorization entities (such as user groups, roles, IAM users, and agencies) across all authorization categories (including catalogs, databases, data tables, functions, and OBS paths) under that specific instance.

Procedure

Before you start, complete the operations described in Preparations. Then, follow these steps:

  1. Create a LakeFormation Instance: Create an exclusive LakeFormation instance.
  2. Create an OBS Path for Storing Metadata: Create an OBS path for storing metadata.
  3. Create a Catalog: Create a catalog named catalog1.
  4. Create a LakeFormation Role: Create a LakeFormation role named lakeformation_role and associate the role with the current user.
  5. Grant Catalog Operation Permissions to a Role: Grant the lakeformation_role role the permissions to modify catalog1 and create databases.

Preparations

Step 1: Create a LakeFormation Instance

  1. Log in to the management console as the user prepared in Preparations.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. On the displayed page, select the checkbox next to I have read and agree with the LakeFormation Service Statement. and click Authorize.

    If authorization has been completed, skip this step.

  4. Click Buy Now or Buy Instance in the upper right corner of the Overview page.

    If a LakeFormation instance exists on the page, Buy Instance is displayed. Otherwise, Buy Now is displayed.

  5. Set the parameters listed below.

    Table 1 Parameters for creating a LakeFormation instance

    | Parameter | Example Value | Description |
    |---|---|---|
    | Type | Exclusive | Select an instance type. Options: Shared, Exclusive. |
    | Billing Mode | Pay-per-use | Billing mode of the instance. |
    | Project | xxx | Select the project the instance belongs to. |
    | Name | lakeformation-test | Name of the LakeFormation instance. |
    | QPS | 10000 | Maximum number of requests per second. You do not need to set this parameter when Type is set to Shared. |
    | Enterprise Project | xxx | Enterprise project the cluster belongs to. If there is no enterprise project available, click Create to create one. |
    | Description | - | Description of the instance. |
    | Label | - | Enter a tag key and value and click Add. |

  6. Click Buy Now, confirm the configuration, and pay.
  7. Click Back to Console. You can check information about the newly created LakeFormation instance on the console.

    Pay attention to the quota notification when creating an instance. If the resource quota is insufficient, apply for sufficient resources as prompted and then create an instance.

    Wait until the instance status changes to Running.

Step 2: Create an OBS Path for Storing Metadata

  1. Log in to the LakeFormation console.
  2. Click in the upper left corner of the page and choose Storage > Object Storage Service to access the Object Storage Service console.
  3. Click Parallel File Systems and click Create Parallel File System. On the displayed page, set the parameters, and click Create Now.

    • File System Name: Set the name of the parallel file system as required, for example, lakeformation-test.
    • Set other parameters based on the site requirements.

  4. On the Parallel File Systems page, click the name of the created file system, that is, lakeformation-test.
  5. On the displayed Files tab, click Create Folder. In the dialog box that appears, enter a folder name and click OK. Click the name of the folder you just created. On the displayed page, click Create Folder to create a subfolder.

    Create a path for storing metadata, for example:

    Catalog storage path: lakeformation-test/catalog1

Step 3: Create a Catalog

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. From the drop-down list box on the left, select the LakeFormation instance you have created, for example, lakeformation-test. Choose Metadata > Catalog in the navigation pane on the left.
  4. On the displayed Catalog page, click Create. Set parameters by referring to the table below, retain the default values for other parameters, and click Submit.

    Table 2 Parameters for creating a catalog

    | Parameter | Example Value | Description |
    |---|---|---|
    | Catalog Name | catalog1 | Name of the catalog to be created. The value can contain up to 256 characters. Only letters, numbers, and underscores (_) are allowed. |
    | Catalog Type | DEFAULT | Select a catalog type. |
    | Select Location | obs://lakeformation-test/catalog1 | (Optional) Location where catalog data is stored in OBS. Click , select Parallel file system or Object storage bucket for Buckets, select a location, and click OK. See the notes below this table. |
    | Description | xxx | Description of the catalog to be created. |

    Notes on Select Location:

    • The location you specify must start with obs:// and must include a storage object. For example, select obs://lakeformation-test/catalog1. If there is no appropriate OBS path available, click go to OBS to create one and follow Step 2: Create an OBS Path for Storing Metadata to create it.
    • To prevent data conflicts, the path cannot be the metadata storage path that is being used by other LakeFormation instances.
    • You are advised to select a folder that is not selected by other catalogs.

  5. After the catalog is created, you can check its information on the Catalog page.

Step 4: Create a LakeFormation Role

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. In the navigation pane on the left, select the target LakeFormation instance from the drop-down list box and choose Data Permissions > Roles.
  4. On the displayed page, click Create. In the dialog box that appears, enter a role name, for example, lakeformation_role, and click OK.
  5. In the role list, locate the row that contains the role you created and click Add IAM User in its Operation column. In the dialog box that appears, select the user you want to associate with the role from the drop-down list box, for example, the user prepared in Preparations, and click OK.

Step 5: Grant Catalog Operation Permissions to the Role

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. In the navigation pane on the left, select the target LakeFormation instance from the drop-down list box and choose Data Permissions > Data Authorization.
  4. On the displayed page, click Authorize. In the dialog box that appears, set parameters by referring to the table below and click OK.

    Table 3 Data authorization parameters

    | Parameter | Example Value | Description |
    |---|---|---|
    | Entity Type | Role | Type of the entity to be authorized. Options: User group, Role, IAM user, Agency. |
    | Role | lakeformation_role | Name of the entity to be authorized. The name cannot contain hyphens (-). Otherwise, the operation may fail. This parameter is related to the selected entity type. |
    | Granted To | Resources | Resources: permissions are granted on resources in LakeFormation instances. Paths: permissions are granted on OBS paths. |
    | Catalog | catalog1 | Select the catalog to authorize. |
    | Operation Type | ALTER, CREATE_DATABASE | Select the operation types to authorize. Options vary depending on the value you selected for Granted To. The operation types that catalogs support are listed below this table. |
    | Grant Authorization Permission | - | Whether to grant the authorization permission. Once selected, an authorization entity has the permission to authorize an object to other authorization entities. |

    Operation types that catalogs support:

    • ALL: all operations on catalogs.
    • ALTER: Modifies catalogs.
    • CREATE_DATABASE: Creates databases.
    • DROP: Deletes catalogs.
    • DESCRIBE: Checks the metadata of catalogs or changes catalogs.
    • LIST_DATABASE: Checks the resource list of catalogs.
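
The constraints in Tables 2 and 3 can be checked before a grant is submitted in the console. The following is an added example, not part of the original documentation or any LakeFormation API: the function name review_grant and the dictionary layout are hypothetical, and the sample values are constructed from the example values on this page. It rejects inputs that break the stated naming and location rules and flags the two settings that widen a grant beyond the least privilege shown here (ALL, and Grant Authorization Permission).

```python
import re

# Operation types this page lists for catalogs.
CATALOG_OPS = {"ALL", "ALTER", "CREATE_DATABASE", "DROP", "DESCRIBE", "LIST_DATABASE"}
# Up to 256 letters, numbers, underscores (ASCII letters assumed here).
CATALOG_NAME = re.compile(r"[A-Za-z0-9_]{1,256}")
# obs://<bucket>/<object>: the location must include a storage object.
OBS_LOCATION = re.compile(r"obs://[^/\s]+/\S+")


def review_grant(grant, other_catalog_locations=()):
    """Return (errors, warnings) for a planned catalog grant (hypothetical layout)."""
    errors, warnings = [], []
    if "-" in grant["entity_name"]:
        errors.append("entity name contains a hyphen; authorization may fail")
    if not CATALOG_NAME.fullmatch(grant["catalog"]):
        errors.append("catalog name: up to 256 letters, numbers or underscores")
    loc = grant.get("location")  # optional, as in Table 2
    if loc is not None:
        if not OBS_LOCATION.fullmatch(loc):
            errors.append("location must start with obs:// and include a storage object")
        elif loc.rstrip("/") in {p.rstrip("/") for p in other_catalog_locations}:
            warnings.append("location is already selected by another catalog")
    ops = set(grant["operations"])
    unknown = ops - CATALOG_OPS
    if unknown:
        errors.append("unsupported catalog operations: " + ", ".join(sorted(unknown)))
    if "ALL" in ops:
        warnings.append("ALL grants every catalog operation, including DROP")
    if grant.get("grant_option"):
        warnings.append("entity can authorize other entities on this catalog")
    return errors, warnings


# Constructed samples: the grant from Table 3, then an over-broad variant.
PAGE_GRANT = {"entity_type": "Role", "entity_name": "lakeformation_role",
              "catalog": "catalog1", "location": "obs://lakeformation-test/catalog1",
              "operations": ["ALTER", "CREATE_DATABASE"], "grant_option": False}
BROAD_GRANT = dict(PAGE_GRANT, entity_name="lakeformation-role",
                   operations=["ALL"], grant_option=True)

if __name__ == "__main__":
    for name, g in (("page grant", PAGE_GRANT), ("broad grant", BROAD_GRANT)):
        errs, warns = review_grant(g, ["obs://lakeformation-test/catalog2"])
        print(name, "errors:", errs, "warnings:", warns)
```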