Updated on 2024-02-07 GMT+08:00

Identity Authentication and Access Control

Identity Authentication

You can access DLI through the DLI console or open APIs. Either way, access requests are sent through the RESTful APIs provided by DLI.

DLI APIs can be accessed upon successful authentication. Requests sent through the DLI console and requests for calling APIs can both be authenticated using tokens.

Access Control

You can use Identity and Access Management (IAM) to implement fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

For more information about IAM, see IAM Service Overview.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. Only a limited number of service-level roles are available. When using roles to grant permissions, you also need to assign any other roles on which those permissions depend for them to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can prevent a specific user group from deleting a cluster and allow it to perform only basic DLI operations (such as creating and querying jobs).

    For details about DLI permissions, see Permission Management Overview.

The following table lists all the system permissions of DLI.

| Role/Policy Name | Description | Category | Authorization Method |
|---|---|---|---|
| DLI FullAccess | Full permissions for DLI. | System-defined policy | For details about the authorization mode, see Creating an IAM User and Granting Permissions, Creating an IAM User, and Policies. |
| DLI ReadOnlyAccess | Read-only permissions for DLI. | System-defined policy | |
| Tenant Administrator | Tenant administrator. Administer permissions for managing and accessing all cloud services. After a database or a queue is created, the user can use the ACL to assign rights to other users. Scope: project-level service | System-defined role | |
| DLI Service Administrator | DLI administrator. Administer permissions for managing and accessing the queues and data of DLI. After a database or a queue is created, the user can use the ACL to assign rights to other users. Scope: project-level service | System-defined role | |