Creating a Custom Policy
Custom policies can be created as a supplement to the system policies of DLI. You can add actions to custom policies. For the actions supported for custom policies, see "Permissions Policies and Supported Actions" in the Elastic Volume Service API Reference.
You can create custom policies in either of the following two ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Create a policy in the JSON format from scratch or based on an existing policy.
. This section describes common DLI custom policies.
Policy Field Description
The following example assumes that the authorized user has the permission to create tables in all databases in all regions:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dli:database:create_table" ], "Resource": [ "dli:*:*:database:*" ] } ] }
- Version
1.1 indicates a fine-grained permission policy that defines permissions required to perform operations on specific cloud resources under certain conditions.
- Effect
The value can be Allow and Deny. If both Allow and Deny are found in statements, the Deny overrides the Allow.
- Action
Specific operation on a resource. A maximum of 100 actions are allowed.
- The format is Service name:Resource type:Action, for example, dli:queue:submit_job.
- Service name: product name, such as dli, evs, and vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
- Resource type: For details, see Table 4.
- Action: action registered in IAM.
- Condition
Conditions determine when a policy takes effect. A condition consists of a condition key and operator.
A condition key is a key in the Condition element of a statement. There are global and service-level condition keys.
- Global condition keys (prefixed with g:) apply to all actions. For details, see condition key description in Policy Syntax.
- Service-level condition keys (prefixed with the abbreviation of a service, for example, dli:. Currently, DLI does not provide service-level condition keys.) apply only to the actions of the corresponding service.
An operator is used together with a condition key to form a complete condition statement. For details, see Table 1.
IAM provides a set of DLI predefined condition keys. The following table lists the predefined condition keys of DLI.
Table 1 DLI request conditions Condition Key
Operator
Description
g:CurrentTime
Date and time
Time when an authentication request is received
NOTE:The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z.
g:MFAPresent
Boolean
Whether multi-factor authentication is used during user login
g:UserId
String
ID of the current login user
g:UserName
String
Current login user
g:ProjectName
String
Project that you have logged in to
g:DomainName
String
Domain that you have logged in to
- Resource
The format is Service name:Region:Domain ID:Resource type:Resource path. The wildcard (*) indicates all options. For details about the resource types and path, see Table 4.
Example:
dli:*:*:queue:* indicates all queues.
Creating a Custom Policy
You can set actions and resources of different levels based on scenarios.
- Define an action.
The format is Service name:Resource type:Action. The wildcard is *. Example:
Table 2 Action Action
Description
dli:queue:submit_job
Submission operations on a DLI queue
dli:queue:*
All operations on a DLI queue
dli:*:*
All operations on all DLI resource types
For more information about the relationship between operations and system permissions, see Common Operations Supported by DLI System Policy.
- Define a resource.
The format is Service name:Region:Domain ID:Resource type:Resource path. The wildcard (*) indicates all resources. The five fields can be flexibly set. Different levels of permission control can be set for resource paths based on scenario requirements. If you need to set all resources of the service, you do not need to specify this field. For details about the definition of Resource, see Table 3. For details about the resource types and paths in Resource, see Table 4.
Table 3 Resource Resource
Description
DLI:*:*:table:databases.dbname.tables.*
DLI, any region, any account ID, all table resources of database dbname
DLI:*:*:database:databases.dbname
DLI, any region, any account ID, queue of database dbname
DLI:*:*:queue:queues.*
DLI, any region, any account ID, any queue resource
DLI:*:*:jobs:jobs.flink.1
DLI, any region, any account ID, Flink job whose ID is 1
Table 4 DLI resources and their paths Resource Type
Resource Names
Path
queue
DLI queue
queues.queuename
database
DLI database
databases.dbname
table
DLI table
databases.dbname.tables.tbname
column
DLI column
databases.dbname.tables.tbname.columns.colname
jobs
DLI Flink job
jobs.flink.jobid
resource
DLI package
resources.resourcename
group
DLI package group
groups.groupname
datasourceauth
DLI cross-source authentication information
datasourceauth.name
- Combine all the preceding fields into a JSON file to form a complete policy. You can set multiple actions and resources. You can also create a policy on the visualized page provided by IAM. For example:
The authorized user has the permission to create and delete any database, submit jobs for any queue, and delete any table under any account ID in any region of DLI.
{ "Version": "1.1", "Statement": [ { "Effect": " Allow", "Action": [ "dli:database:create_database", "dli:database:drop_database", "dli:queue:submit_job", "dli:table:drop_table" ], "Resource": [ "dli:*:*:database:*", "dli:*:*:queue:*", "dli:*:*:table:*" ] } ] }
Example Custom Policies
- Example 1: Allow policies
- Allow users to create tables in all databases of all regions:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dli:database:create_table" ], "Resource": [ "dli:*:*:database:*" ] } ] }
- Allow users to query column col in the table tb of the database db:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "dli:column:select" ], "Resource": [ "dli:*:*:column:databases.db.tables.tb.columns.col" ] } ] }
- Allow users to create tables in all databases of all regions:
- Example 2: Deny policies
A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.
- Deny users to create or delete databases, submit jobs (except the default queue), or delete tables.
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "dli:database:create_database", "dli:database:drop_database", "dli:queue:submit_job", "dli:table:drop_table" ], "Resource": [ "dli:*:*:database:*", "dli:*:*:queue:*", "dli:*:*:table:*" ] } ] }
- Deny users to submit jobs in the demo queue.
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "dli:queue:submit_job" ], "Resource": [ "dli:*:*:queue:queues.demo" ] } ] }
- Deny users to create or delete databases, submit jobs (except the default queue), or delete tables.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot