Identity Authentication and Access Control
Identity Authentication
- IAM users of the current tenant access LakeFormation on the console.
LakeFormation authenticates IAM tokens in HTTPS requests delivered by the console to identify tenants and IAM users. If the authentication fails, the request is rejected.
- On the console, IAM users of other tenants switch to the agency role of the current tenant to access LakeFormation.
LakeFormation authenticates the IAM token in the HTTPS request delivered by the console to identify the delegating tenant, agency, delegated tenant, and delegated IAM user. If the authentication fails, the request is rejected.
- Instances or clusters of other cloud services (such as MRS) access LakeFormation as an agency of the current tenant.
LakeFormation authenticates the IAM token in the HTTPS request delivered by the console to identify the delegating tenant (local tenant), agency, delegated tenant (ECS account), and delegated IAM user (built-in user of ECS). If the authentication fails, the request is rejected.
Asset Access Control
- Metadata
When you request metadata access from the console or other cloud services, your identity is verified first. IAM authentication then checks whether you have permission to operate on the metadata in the request. Finally, fine-grained authentication verifies your permission to operate on the specific metadata in the request. If the authentication fails, the request is rejected.
- Data permission policy
When you request metadata access from the console or other cloud services, your identity is verified first. IAM authentication then checks whether you have the operation permissions specified in the request. If the authentication fails, the request is rejected.
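A minimal model of the check order described above for metadata requests (identity, then IAM, then fine-grained), added here as an illustration; it is not LakeFormation code. The token table, action names, grant tuples, and the choice to evaluate an agency request as the agency inside the delegating tenant are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical model: none of these names come from the LakeFormation API.
@dataclass(frozen=True)
class Principal:
    tenant: str                              # tenant that owns the IAM user
    user: str
    agency: Optional[str] = None             # agency role switched to, if any
    delegating_tenant: Optional[str] = None  # tenant that created the agency

# Constructed sample state standing in for IAM token validation and policy stores.
TOKENS = {
    "tok-alice": Principal("tenant-a", "alice"),
    "tok-bob-agency": Principal("tenant-b", "bob", "lf-agency", "tenant-a"),
}
IAM_ACTIONS = {  # coarse check: (tenant, identity) -> actions allowed on metadata
    ("tenant-a", "alice"): {"table:describe", "table:alter"},
    ("tenant-a", "lf-agency"): {"table:describe"},
}
GRANTS = {  # fine-grained check: (identity, action, specific metadata object)
    ("alice", "table:describe", "db1.orders"),
    ("lf-agency", "table:describe", "db1.orders"),
}

def authorize_metadata(token: str, action: str, resource: str) -> Tuple[bool, str]:
    """Return (allowed, stage); stage names the check that decided the request."""
    principal = TOKENS.get(token)
    if principal is None:                    # step 1: identity authentication
        return False, "authentication"
    # Assumption: a delegated request is evaluated as the agency in the delegating tenant.
    tenant = principal.delegating_tenant or principal.tenant
    identity = principal.agency or principal.user
    if action not in IAM_ACTIONS.get((tenant, identity), set()):
        return False, "iam"                  # step 2: operation not permitted at all
    if (identity, action, resource) not in GRANTS:
        return False, "fine-grained"         # step 3: not permitted on this object
    return True, "allowed"

if __name__ == "__main__":
    for req in [("tok-forged", "table:describe", "db1.orders"),
                ("tok-alice", "table:alter", "db1.orders"),
                ("tok-bob-agency", "table:describe", "db1.orders")]:
        print(req, authorize_metadata(*req))
```

Every branch that does not reach the final line rejects, so a request that passes the IAM check can still be refused for the specific table.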