Using IAM Roles or Policies to Grant Access to DWS
This section applies to IAM 3.0 and earlier versions.
This section describes how to use IAM to implement role/policy-based permissions management for your DWS resources. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DWS resources.
- Grant only the permissions required for users to perform specific tasks.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your DWS resources.
If your Huawei Cloud account does not need individual IAM users, you may skip over this section.
Procedure shows the process flow of role/policy-based authorization.
Prerequisites
Before granting permissions to user groups, learn about DWS Permissions Management. For the system policies of other services, see System-defined Permissions.
Procedure
This section describes how to grant the DWSReadOnlyAccess permission to a user group, create a user, and add the user to the user group. If the user cannot create a DWS cluster after logging in to the console (assume that the user only has the DWSReadOnlyAccess permission), the DWSReadOnlyAccess policy has taken effect. To allow the user to create a DWS cluster or perform other operations, grant required DWS permissions to the user by referring to Figure 1. For details about DWS permissions, see DWS Permissions Management.
- On the IAM console, create a user group and grant it permissions (ECS ReadOnlyAccess as an example).
Create a user group on the IAM console, and assign the DWSReadOnlyAccess policy to the group.
- Create an IAM user and add it to the created user group.
On the IAM console, create a user and add it to the user group created in 1.
- Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- Choose Service List > Data Warehouse Service to enter the DWS management console, and click Create DWS Cluster to create a data warehouse cluster. If you cannot create one (assume that you only have the DWSReadOnlyAccess permission), DWSReadOnlyAccess has taken effect.
- Choose any other service in Service List. If only the DWSReadOnlyAccess policy is added and a message is displayed indicating that you have insufficient permission to access the service, DWSReadOnlyAccess has taken effect.
Example Custom Policies
Custom policies can be created as a supplement to the system policies of DWS. For the actions supported for custom policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Policy. The following lists examples of common DWS custom policies.
- Example 1: allowing users to create, restart, and delete a cluster, configure security parameters, and reset passwords
//The TMS is a global service and needs to be configured separately as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "tms:predefineTags:list" ] } ] } //DWS is a region-level service. The configuration is as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dws:checkCluster:create", "dws:cluster:create", "dws:cluster:restart", "dws:cluster:delete", "dws:cluster:setSecuritySettings", "dws:cluster:resetPassword", "dws:*:list*", "dws:*:get*", "bss:order:view", "elb:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:update*", "vpc:*:create*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "evs:*:delete*" ] } ] } - Example 2: using wildcard character (*)
Here is an example policy that grants permission to perform all DWS snapshot operations, except for restoring snapshots.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dws:snapshot:*", "dws:cluster:list", "dws:openAPISnapshot:detail", "dws:cluster:get*", "dws:cluster:check*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*" ] } ] } - Example 3: denying cluster deletion
A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the DWS FullAccess policy to a user but also forbid the user from deleting clusters. Create a custom policy for denying cluster deletion, and assign both policies to the group the user belongs to. Then the user can perform all operations on DWS except deleting clusters. The following is an example of a deny policy:
//The TMS is a global service and needs to be configured separately as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "tms:predefineTags:list" ] } ] } //DWS is a region-level service. The configuration is as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dws:*:list*", "dws:*:get*", "bss:order:view" ] }, { "Effect": "Deny", "Action": [ "dws:cluster:delete" ] } ] } - Example 4: defining multiple actions in a policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is an example policy containing actions of multiple services:
//The TMS is a global service and needs to be configured separately as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "tms:predefineTags:list" ] } ] } //DWS is a region-level service. The configuration is as follows: { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dws:cluster:create", "dws:cluster:restart", "dws:cluster:setSecuritySettings", "dws:*:get*", "dws:*:list*", "elb:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" ] }, { "Effect": "Deny", "Action": [ "dws:cluster:delete" ] } ] }
DWS Resources
Resources are objects used in services. You can select DWS cluster resources by specifying their paths when creating a custom policy.
|
Resource |
Path |
|---|---|
|
cluster |
dws:<region>:<account-id>:cluster:<cluster-name> |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
