Permissions Management
If you need to assign different permissions to employees in your enterprise to access your DWS resources on Huawei Cloud, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources. If your account does not require IAM for permissions management, you can skip this section.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control users' access to Huawei Cloud resources through authorization. For example, if you want some software developers in your enterprise to use DWS resources but do not want them to delete DWS clusters or perform any high-risk operations, you can create IAM users and grant permissions to them to use DWS clusters but not permissions to delete clusters.
There are two types of IAM authorization: role/policy-based authorization and identity policy-based authorization.
The following table describes the main differences.
| Name | Authorization Using | Permission | Authorization Method | Description |
|---|---|---|---|---|
| Role/policy-based authorization | User-permissions-authorization scope | | Assigning roles or policies to principals | To authorize a user, add it to a user group and specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization granted by user groups and a limited number of condition keys. This method is suitable for small and medium-sized enterprises. |
| Identity policy-based authorization | User-policy | | | To authorize a user, grant an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permissions to create DWS instances in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and attach both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy, configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
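To make the difference concrete, here is a toy policy evaluator for the scenario just described. It is an added example, not Huawei Cloud code and not the real IAM decision engine. The action names (`dws:cluster:create`, `obs:bucket:CreateBucket`, `dws:cluster:delete`), the region IDs (`cn-north-4`, `cn-south-1`) and the policy document layout (`Version`/`Statement`/`Effect`/`Action`/`Condition`) are assumptions used for illustration; only the condition key `g:RequestedRegion` comes from the text. The role/policy model is represented as two policies whose region is fixed by the project they are attached to; the identity policy model is one document whose statements carry the region in a `StringEquals` condition, and the evaluator shows that both reach the same decisions while the identity policy keeps everything in one place.

```python
"""Toy evaluator contrasting the two IAM authorization models.

Added example, not Huawei Cloud code or the real IAM engine. Action names,
region IDs and the policy document layout are assumptions for illustration;
only the condition key g:RequestedRegion is taken from the documentation.
"""
from typing import Dict, List, Tuple

# Constructed sample policies for the scenario in the text: create DWS
# clusters in CN North-Beijing4 and OBS buckets in CN South-Guangzhou.

# Role/policy model: two custom policies. A policy carries no region; it
# applies only in the region-specific project it was attached to, so the
# region is recorded here as the attachment scope.
ROLE_POLICY_MODEL: List[Dict] = [
    {"project_region": "cn-north-4",  # assumed ID for CN North-Beijing4
     "Statement": [{"Effect": "Allow", "Action": ["dws:cluster:create"]}]},
    {"project_region": "cn-south-1",  # assumed ID for CN South-Guangzhou
     "Statement": [{"Effect": "Allow", "Action": ["obs:bucket:CreateBucket"]}]},
]

# Identity policy model: one policy; each statement restricts its region
# with the g:RequestedRegion condition key (document layout is assumed).
IDENTITY_POLICY: Dict = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dws:cluster:create"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}},
        {"Effect": "Allow",
         "Action": ["obs:bucket:CreateBucket"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}}},
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Only StringEquals is modelled: each listed key must equal one of its
    values. A key absent from the request context fails the condition."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if ctx.get(key) not in allowed:
            return False
    return True


def evaluate_identity_policy(policy: Dict, action: str, ctx: Dict[str, str]) -> bool:
    """Deny by default; an applicable Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_role_policies(policies: List[Dict], action: str, region: str) -> bool:
    """Role/policy model: only policies attached in the request's
    region-specific project are consulted, and they carry no condition keys."""
    return any(
        pol["project_region"] == region and evaluate_identity_policy(pol, action, {})
        for pol in policies
    )


# Constructed requests: the two intended operations, the same operations
# in the wrong region, and an action neither model grants.
REQUESTS: List[Tuple[str, str]] = [
    ("dws:cluster:create", "cn-north-4"),
    ("dws:cluster:create", "cn-south-1"),
    ("obs:bucket:CreateBucket", "cn-south-1"),
    ("obs:bucket:CreateBucket", "cn-north-4"),
    ("dws:cluster:delete", "cn-north-4"),
]


def compare_models() -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """Return {(action, region): (role_model_decision, identity_model_decision)}."""
    return {
        (action, region): (
            evaluate_role_policies(ROLE_POLICY_MODEL, action, region),
            evaluate_identity_policy(IDENTITY_POLICY, action,
                                     {"g:RequestedRegion": region}),
        )
        for action, region in REQUESTS
    }


if __name__ == "__main__":
    for (action, region), (role, ident) in compare_models().items():
        print(f"{action:26} {region:11} role/policy={role!s:5} identity={ident}")
```

Both models allow exactly the two intended operations and refuse the same operations in the other region, but the identity policy achieves this in a single document and would also let a later statement add, say, an explicit Deny without touching project attachments. Note the evaluator fails a `StringEquals` condition when the key is missing from the request context; a real deployment should be verified against the IAM console's policy checker rather than this toy.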
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions of the two models, see System-defined Permissions in Role/Policy-based Authorization and System-defined Permissions in Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
System-defined Permissions in Role/Policy-based Authorization
DWS supports authorization with policies/roles. By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.
DWS is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for DWS resources in the selected projects. If you set Scope to All resources, the users have permissions for DWS resources in all region-specific projects. When accessing DWS, the users need to switch to a region where they have been authorized to use DWS.
System policies and roles provided by DWS can only be used to manage and access DWS resources. DWS may dynamically add or delete permission dependencies on peripheral resources as needed. Therefore, these policies and roles cannot be used to access resources of other products.
| Role/Policy Name | Description | Category | Dependency |
|---|---|---|---|
| DWS ReadOnlyAccess | Read-only permissions for DWS. Users granted these permissions can only view DWS data. | System-defined policy | None |
| DWS FullAccess | Database administrator permissions for DWS. Users granted these permissions can perform all operations on DWS. | System-defined policy | None |
| DWS Administrator | Database administrator permissions for DWS. Users granted these permissions can perform operations on all DWS resources. | System-defined role | Dependent on the Tenant Guest and Server Administrator policies, which must be assigned in the same project as the DWS Administrator role. |
| DWS Database Access | Database access permissions for DWS. Users granted these permissions can generate temporary database user credentials based on IAM users to connect to databases in the data warehouse clusters. | System-defined role | None |
- If you use the EIP binding function for the first time in each project of each region, the system prompts you to create the DWSAccessVPC agency to authorize DWS to access VPC. After the authorization is successful, DWS can switch to a healthy VM when the VM bound with the EIP becomes faulty.
- In addition to policy permissions, you may need to grant different operation permissions on resources to users of different roles. For details about operations, such as creating snapshots and restarting clusters, see Syntax of Fine-Grained Permissions Policies.
- By default, only Huawei Cloud accounts or users with Security Administrator permissions can query and create agencies. By default, IAM users in the account do not have the permission to query and create agencies. When such a user tries to bind an EIP, the binding button is unavailable. In this case, contact a user with the DWS Administrator permission to authorize the DWS agency on the current page. For details, see Allowing DWS to Manage Resources.
Table 3 lists the common operations supported by system-defined permissions for DWS.
| Operation | DWS FullAccess | DWS ReadOnlyAccess | DWS Administrator | DWS Database Access |
|---|---|---|---|---|
| Creating/Restoring clusters | √ | x | √ | x |
| Obtaining the cluster list | √ | √ | √ | x |
| Obtaining the details of a cluster | √ | √ | √ | x |
| Setting automated snapshot policy | √ | x | √ | x |
| Setting security parameters/parameter groups | √ | x | √ | x |
| Restarting a cluster | √ | x | √ | x |
| Scaling out a cluster | √ | x | √ | x |
| Changing all specifications | √ | x | √ | x |
| Resetting passwords | √ | x | √ | x |
| Deleting clusters | √ | x | √ | x |
| Configuring maintenance windows | √ | x | √ | x |
| Binding EIPs | x | x | √ | x |
| Unbinding EIPs | x | x | √ | x |
| Creating DNS domain names | √ | x | √ | x |
| Releasing DNS domain names | √ | x | √ | x |
| Modifying DNS domain names | √ | x | √ | x |
| Creating MRS connections | √ | x | √ | x |
| Updating MRS connections | √ | x | √ | x |
| Deleting MRS connections | √ | x | √ | x |
| Adding/Deleting tags | √ | x | √ | x |
| Editing tags | √ | x | √ | x |
| Creating snapshots | √ | x | √ | x |
| Obtaining tenant credentials | √ | √ | √ | √ |
| Deleting snapshots | √ | x | √ | x |
| Copying snapshots | √ | x | √ | x |
System-defined Permissions in Identity Policy-based Authorization
DWS supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for DWS. System-defined identity policies in identity policy-based authorization and role/policy-based authorization are not interoperable.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| DWSReadOnlyPolicy | Read-only permissions for DWS. Users granted these permissions can only view DWS data. | System-defined identity policy | None |
| DWSFullAccessPolicy | Database administrator permissions for DWS. Users granted these permissions can perform all operations on DWS. | System-defined identity policy | None |
Role/Policy-based authorization in IAM 5.0 is compatible with role/policy-based authorization in IAM 3.0.
Table 5 lists the common operations supported by system-defined identity policies for DWS.
| Operation | DWSFullAccessPolicy | DWSReadOnlyPolicy |
|---|---|---|
| Creating/Restoring clusters | √ | x |
| Obtaining the cluster list | √ | √ |
| Obtaining the details of a cluster | √ | √ |
| Configuring an automated snapshot policy | √ | x |
| Setting security parameters/parameter groups | √ | x |
| Restarting a cluster | √ | x |
| Scaling out a cluster | √ | x |
| Changing all specifications | √ | x |
| Resetting passwords | √ | x |
| Deleting a cluster | √ | x |
| Configuring maintenance windows | √ | x |
| Binding EIPs | √ | x |
| Unbinding EIPs | √ | x |
| Creating DNS domain names | √ | x |
| Releasing DNS domain names | √ | x |
| Modifying DNS domain names | √ | x |
| Creating MRS connections | √ | x |
| Updating MRS connections | √ | x |
| Deleting MRS connections | √ | x |
| Adding/Deleting tags | √ | x |
| Editing tags | √ | x |
| Creating snapshots | √ | x |
| Obtaining the snapshot list | √ | √ |
| Deleting snapshots | √ | x |
| Copying snapshots | √ | x |