How Do I Use DAS to Log In to an Instance Using a Read-Only Account?
System permission policies of Data Admin Service (DAS) do not support read-only accounts. However, you can create a custom policy on the IAM console and assign the read-only permission on DAS.
Differences Between IAM Permissions and Database Permissions
As a management plane service, DAS does not allow users to add, delete, or modify instances. Only adding, deleting, and modifying instance login information are allowed on the DAS console.
IAM permission control applies to DAS only before you log in to an instance. After you have logged in to the instance, permissions are assigned by your database account.
You can use IAM Permissions Management to control whether IAM users can add, delete, and modify instance logins and whether they can log in to an instance. After a user logs in to an instance, only the database account controls whether the user can execute SQL statements.
Procedure
- Log in to the IAM console using a Huawei ID account.
- Create a custom permission policy.
- In the navigation pane, choose Permissions > Policies/Roles and click Create Custom Policy.
- Configure parameters.
Figure 1 Configuring a custom permission policy
Table 1 Parameter description Parameter
Description
Example
Policy Name
Customize a name.
das-log-database
Policy View
Select Visual editor or JSON.
Visual editor
Policy Content
Choose DAS and add the read-only permission as required.
Take the das:connections:login permission as an example. A user or user group with this permission can only log in to an instance using DAS.
das:connections:login
- Click OK. You can then view the created custom permission policy on the Policies/Roles page.
Figure 2 Viewing a Custom permission policy
- Create a user group and assign the custom permission policy created in 2 to the user group.
- In the navigation pane on the left, choose User Groups. Then, click Create User Group. In the displayed dialog box, specify the user group name and click OK.
- Locate the target user group and click Authorize in the Operation column. On the displayed page, select the custom policy created in 2.
Figure 3 Authorization
- Click Next, select All resources, click OK, and complete subsequent operations.
- Create a user and add it to the user group.
- In the navigation pane, choose Users and click Create. On the displayed page, set user basic information.
Figure 4 Setting user basic information
- Click Next to add the current user to the user group created in 3.
Figure 5 Adding a user to a user group
- Click Create User to create an IAM user. The user has only the permission to log in to the instance on DAS.
- In the navigation pane, choose Users and click Create. On the displayed page, set user basic information.
- Create a read-only account. An RDS for MySQL instance is used in this example.
- Log in to the RDS console.
- On the Instances page, locate the target instance and click its name.
- In the navigation tree on the left, choose Accounts. On the displayed page, click Create Account.
Figure 6 Creating a read-only account
You can also log in to the RDS for MySQL instance and run the following commands to create a read-only account:
CREATE USER 'db_read_only'@'%' IDENTIFIED BY '**********'; GRANT SELECT ON *.* TO 'db_read_only'@'%'; FLUSH PRIVILEGES;
- Authorize the read-only permission to the IAM user.
- Log in to the DAS console using the Huawei ID account.
- Use the read-only account to add a login.
In the navigation tree on the left, choose Development Tool. On the My DB Instance Logins tab page, click Add Login.
Figure 7 Adding a login instance
The login username is the read-only account created in 5.
- Share the login information of the read-only account with the IAM user.
Locate the target instance and click the number in the Additional Users column.
Figure 8 Sharing a login with an IAM user
Click Add User. On the displayed page, specify the expiration time, select Synchronize IAM account for Adding Method, then select the IAM account created in 4 for Users to Select, and click OK.
Figure 9 Adding a user
- Log in to DAS using the IAM account created in 4, and verify that it has the read-only permission.
Figure 10 Verifying the read-only permission
After logging in to DAS as the IAM user, choose Development Tool > DB Instance Logins Shared by Others to view the logins shared by the Huawei account. Only Log In is displayed in the Operation column.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot