Help Center/ Data Admin Service/ Best Practices/ How Do I Use DAS to Log In to an Instance Using a Read-Only Account?
Updated on 2024-08-26 GMT+08:00

How Do I Use DAS to Log In to an Instance Using a Read-Only Account?

System permission policies of Data Admin Service (DAS) do not support read-only accounts. However, you can create a custom policy on the IAM console and assign the read-only permission on DAS.

Differences Between IAM Permissions and Database Permissions

As a management plane service, DAS does not allow users to add, delete, or modify instances. Only adding, deleting, and modifying instance login information are allowed on the DAS console.

IAM permission control applies to DAS only before you log in to an instance. After you have logged in to the instance, permissions are assigned by your database account.

You can use IAM Permissions Management to control whether IAM users can add, delete, and modify instance logins and whether they can log in to an instance. After a user logs in to an instance, only the database account controls whether the user can execute SQL statements.

Procedure

  1. Log in to the IAM console using a Huawei ID account.
  2. Create a custom permission policy.

    1. In the navigation pane, choose Permissions > Policies/Roles and click Create Custom Policy.
    2. Configure parameters.
      Figure 1 Configuring a custom permission policy
      Table 1 Parameter description

      Parameter

      Description

      Example

      Policy Name

      Customize a name.

      das-log-database

      Policy View

      Select Visual editor or JSON.

      Visual editor

      Policy Content

      Choose DAS and add the read-only permission as required.

      Take the das:connections:login permission as an example. A user or user group with this permission can only log in to an instance using DAS.

      das:connections:login

    3. Click OK. You can then view the created custom permission policy on the Policies/Roles page.
      Figure 2 Viewing a Custom permission policy

  3. Create a user group and assign the custom permission policy created in 2 to the user group.

    1. In the navigation pane on the left, choose User Groups. Then, click Create User Group. In the displayed dialog box, specify the user group name and click OK.
    2. Locate the target user group and click Authorize in the Operation column. On the displayed page, select the custom policy created in 2.
      Figure 3 Authorization
    3. Click Next, select All resources, click OK, and complete subsequent operations.

  4. Create a user and add it to the user group.

    1. In the navigation pane, choose Users and click Create. On the displayed page, set user basic information.
      Figure 4 Setting user basic information
    2. Click Next to add the current user to the user group created in 3.
      Figure 5 Adding a user to a user group
    3. Click Create User to create an IAM user. The user has only the permission to log in to the instance on DAS.

  5. Create a read-only account. An RDS for MySQL instance is used in this example.

    1. Log in to the RDS console.
    2. On the Instances page, locate the target instance and click its name.
    3. In the navigation tree on the left, choose Accounts. On the displayed page, click Create Account.
      Figure 6 Creating a read-only account

      You can also log in to the RDS for MySQL instance and run the following commands to create a read-only account:

      CREATE USER 'db_read_only'@'%' IDENTIFIED BY '**********';
      GRANT SELECT ON *.* TO 'db_read_only'@'%';
      FLUSH PRIVILEGES;

  6. Authorize the read-only permission to the IAM user.

    1. Log in to the DAS console using the Huawei ID account.
    2. Use the read-only account to add a login.

      In the navigation tree on the left, choose Development Tool. On the My DB Instance Logins tab page, click Add Login.

      Figure 7 Adding a login instance

      The login username is the read-only account created in 5.

    3. Share the login information of the read-only account with the IAM user.

      Locate the target instance and click the number in the Additional Users column.

      Figure 8 Sharing a login with an IAM user

      Click Add User. On the displayed page, specify the expiration time, select Synchronize IAM account for Adding Method, then select the IAM account created in 4 for Users to Select, and click OK.

      Figure 9 Adding a user

  7. Log in to DAS using the IAM account created in 4, and verify that it has the read-only permission.

    Figure 10 Verifying the read-only permission

    After logging in to DAS as the IAM user, choose Development Tool > DB Instance Logins Shared by Others to view the logins shared by the Huawei account. Only Log In is displayed in the Operation column.