Permissions
If you need to assign different permissions to personnel in your enterprise to access your TaurusDB resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to be able to use TaurusDB resources but do not want them to be able to delete TaurusDB resources or perform any other high-risk operations, you can create IAM users and grant permission to use TaurusDB resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | | | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permissions needed to create TaurusDB instances in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and attach both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
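The region example above is easier to follow with the evaluation rules written out. The following is an added illustration, not Huawei Cloud's own IAM engine or policy schema: a small deny-by-default evaluator that models the two approaches side by side, with the region chosen at assignment time for the role/policy model and carried as the `g:RequestedRegion` condition key for the identity policy model. The action strings (`taurusdb:instance:create`, `obs:bucket:create`, `taurusdb:instance:delete`), the region ids `cn-north-4` and `cn-south-1`, and the dictionary layout of the policies are all assumptions constructed for this example; the real action names and identity policy JSON format are in the IAM service reference.

```python
# Added example: toy policy evaluator for the role/policy vs. identity policy
# comparison. Not Huawei Cloud code; action names, region ids and the policy
# dict layout are constructed assumptions for illustration only.
from fnmatch import fnmatchcase

# Constructed sample values (not real Huawei Cloud identifiers)
REGION_BEIJING4 = "cn-north-4"    # stands in for CN North-Beijing4
REGION_GUANGZHOU = "cn-south-1"   # stands in for CN South-Guangzhou
CREATE_TAURUSDB = "taurusdb:instance:create"  # hypothetical action name
CREATE_BUCKET = "obs:bucket:create"           # hypothetical action name
DELETE_TAURUSDB = "taurusdb:instance:delete"  # hypothetical action name


def statement_matches(stmt, action, ctx):
    """True if one of the statement's Action patterns covers `action` and every
    StringEquals condition key is satisfied by the request context `ctx`."""
    if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
        return False
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) in values for key, values in conditions.items())


def evaluate(policies, action, ctx):
    """Deny by default; an explicit Deny statement wins over any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


# Role/policy model: two custom policies, each attached to the user group with
# its own region-specific project scope. The scope lives on the assignment,
# not inside the policy document.
ROLE_POLICY_ASSIGNMENTS = [
    {"scope_regions": [REGION_BEIJING4],
     "policy": {"Statement": [{"Effect": "Allow", "Action": [CREATE_TAURUSDB]}]}},
    {"scope_regions": [REGION_GUANGZHOU],
     "policy": {"Statement": [{"Effect": "Allow", "Action": [CREATE_BUCKET]}]}},
]


def evaluate_role_policy(assignments, action, region):
    """Only assignments whose scope covers the request's region are consulted."""
    for a in assignments:
        if region in a["scope_regions"] and evaluate([a["policy"]], action, {}) == "Allow":
            return "Allow"
    return "Deny"


# Identity policy model: one custom policy; the region is a condition key.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": [CREATE_TAURUSDB],
     "Condition": {"StringEquals": {"g:RequestedRegion": [REGION_BEIJING4]}}},
    {"Effect": "Allow", "Action": [CREATE_BUCKET],
     "Condition": {"StringEquals": {"g:RequestedRegion": [REGION_GUANGZHOU]}}},
]}


def evaluate_identity_policy(policy, action, region):
    """The region of the request is supplied to the evaluator as context."""
    return evaluate([policy], action, {"g:RequestedRegion": region})


def decision_matrix():
    """Return {(action, region): (role/policy decision, identity policy decision)}
    for every combination of the three sample actions and two sample regions."""
    out = {}
    for action in (CREATE_TAURUSDB, CREATE_BUCKET, DELETE_TAURUSDB):
        for region in (REGION_BEIJING4, REGION_GUANGZHOU):
            out[(action, region)] = (
                evaluate_role_policy(ROLE_POLICY_ASSIGNMENTS, action, region),
                evaluate_identity_policy(IDENTITY_POLICY, action, region),
            )
    return out


if __name__ == "__main__":
    for (action, region), (rp, ip) in decision_matrix().items():
        print(f"{action:26} {region:12} role/policy={rp:5} identity={ip}")
```

Both models yield the same decisions for the six action/region combinations, which is the point: the identity policy reaches the result with a single policy document because the region check is expressed as a condition inside the statement, while the role/policy model needs one policy per region scope. Deleting an instance is denied under both simply because no statement grants it, which is the deny-by-default behaviour that the developer example earlier in this section relies on.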
Role/Policy-based Authorization
TaurusDB supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
TaurusDB is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for TaurusDB instances in the selected projects. If you set Scope to All resources, the users have permissions for TaurusDB instances in all region-specific projects. When accessing TaurusDB instances, the users need to switch to the authorized region.
Table 2 lists all the system-defined permissions for TaurusDB. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| TaurusDB FullAccess | Full permissions for TaurusDB. | System-defined policy | None |
| TaurusDB ReadOnlyAccess | Read-only permissions for TaurusDB. | System-defined policy | None |
Table 3 lists the common operations supported by system-defined permissions for TaurusDB.
| Operation | TaurusDB FullAccess | TaurusDB ReadOnlyAccess |
|---|---|---|
| Creating a TaurusDB instance | Supported | Not supported |
| Deleting a TaurusDB instance | Supported | Not supported |
| Querying TaurusDB instances | Supported | Supported |
| Modifying parameters in a parameter template | Supported | Not supported |
| Changing DB instance specifications | Supported | Not supported |
| Creating a manual backup | Supported | Not supported |
| Querying backups | Supported | Supported |
| Querying error logs | Supported | Supported |
| Rebooting a DB instance | Supported | Not supported |
| Querying DB instances | Supported | Supported |
| Creating a parameter template | Supported | Not supported |
| Deleting a parameter template | Supported | Not supported |
| Modifying a backup policy | Supported | Not supported |
| Viewing parameter templates | Supported | Supported |
| Deleting a DB instance | Supported | Not supported |
| Deleting a manual backup | Supported | Not supported |
| Querying project tags | Supported | Supported |
| Applying a parameter template | Supported | Not supported |
| Adding or deleting project tags in batches | Supported | Not supported |
| Changing quotas | Supported | Not supported |
| Upgrading a DB instance version | Supported | Not supported |
| Promoting a read replica to primary | Supported | Not supported |
| Changing a database port | Supported | Not supported |
| Changing a security group | Supported | Not supported |
| Changing a private IP address | Supported | Not supported |
| Enabling or disabling SSL | Supported | Not supported |
| Changing a DB instance name | Supported | Not supported |
| Adding a read replica | Supported | Not supported |
| Deleting a read replica | Supported | Not supported |
| Scaling storage space | Supported | Not supported |
| Changing a DB instance password | Supported | Not supported |
| Binding an EIP | Supported | Not supported |
| Unbinding an EIP | Supported | Not supported |
| Modifying a monitoring policy | Supported | Not supported |
| Changing a failover priority | Supported | Not supported |
| Changing a maintenance window | Supported | Not supported |
| Isolating nodes | Supported | Not supported |
| Enabling or disabling SQL Explorer | Supported | Not supported |
| Querying HTAP instances | Supported | Supported |
| Creating an HTAP instance | Supported | Not supported |
| Modifying an HTAP instance | Supported | Not supported |
| Deleting an HTAP instance | Supported | Not supported |
| Changing an HTAP instance name | Supported | Not supported |
| Rebooting an HTAP instance | Supported | Not supported |
| Upgrading an HTAP instance version | Supported | Not supported |
| Promoting a read replica of an HTAP instance to primary | Supported | Not supported |
| Changing the specifications of an HTAP instance | Supported | Not supported |
| Scaling up storage of an HTAP instance | Supported | Not supported |
| Binding an EIP to an HTAP instance | Supported | Not supported |
| Unbinding an EIP from an HTAP instance | Supported | Not supported |
| Changing the port of an HTAP instance | Supported | Not supported |
| Changing an HTAP instance password | Supported | Not supported |
| Creating an HTAP data synchronization task | Supported | Not supported |
| Modifying an HTAP data synchronization task | Supported | Not supported |
| Deleting an HTAP data synchronization task | Supported | Not supported |
| Adding or repairing an HTAP data synchronization table | Supported | Supported |
| Creating a proxy instance | Supported | Not supported |
| Changing a proxy address | Supported | Not supported |
| Changing the read weights of a proxy instance | Supported | Not supported |
| Changing the port of a proxy instance | Supported | Not supported |
| Enabling or disabling access control for a proxy instance | Supported | Not supported |
| Deleting a proxy instance | Supported | Not supported |
| Querying proxy instances | Supported | Supported |
| Upgrading a proxy instance version | Supported | Not supported |
| Changing a proxy instance name | Supported | Not supported |
| Adding proxy nodes | Supported | Not supported |
| Deleting proxy nodes | Supported | Not supported |
| Changing the specifications of a proxy instance | Supported | Not supported |
| Applying for a private domain name for a proxy instance | Supported | Not supported |
| Changing the domain name of a proxy instance | Supported | Not supported |
| Deleting the domain name of a proxy instance | Supported | Not supported |
| Changing the routing policy of a proxy instance | Supported | Not supported |
| Enabling or disabling SSL for a proxy instance | Supported | Not supported |
| Creating a database user | Supported | Not supported |
| Deleting a database user | Supported | Not supported |
| Changing the password of a database user | Supported | Not supported |
| Querying database users | Supported | Supported |
| Granting permissions to a database user | Supported | Not supported |
| Revoking permissions from a database user | Supported | Not supported |
| Creating a database | Supported | Not supported |
| Deleting a database | Supported | Not supported |
| Querying databases | Supported | Supported |
| Querying predefined tags | Supported | Not supported |
| Querying configured log groups | Supported | Not supported |
| Querying configured log streams | Supported | Not supported |
| Configuring an auto scaling policy | Supported | Not supported |
| Configuring an audit log policy | Supported | Not supported |
| Querying an audit log policy | Supported | Supported |
| Querying audit logs | Supported | Supported |
| Obtaining the link for downloading an audit log | Supported | Supported |
| Querying and modifying a serverless compute policy | Supported | Not supported |
| Querying and modifying a serverless scale-up policy | Supported | Not supported |
Identity Policy-based Authorization
TaurusDB supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for TaurusDB. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
| System-defined Policy | Description | Type |
|---|---|---|
| TaurusDBFullAccessPolicy | Full permissions for TaurusDB. | System-defined identity policy |
| TaurusDBReadOnlyAccessPolicy | Read-only permissions for TaurusDB. | System-defined identity policy |
Table 5 lists the common operations supported by system-defined policies for TaurusDB.
| Operation | TaurusDBFullAccessPolicy | TaurusDBReadOnlyAccessPolicy |
|---|---|---|
| Creating a TaurusDB instance | Supported | Not supported |
| Deleting a TaurusDB instance | Supported | Not supported |
| Querying TaurusDB instances | Supported | Supported |
| Modifying parameters in a parameter template | Supported | Not supported |
| Changing DB instance specifications | Supported | Not supported |
| Creating a manual backup | Supported | Not supported |
| Querying backups | Supported | Supported |
| Querying error logs | Supported | Supported |
| Rebooting a DB instance | Supported | Not supported |
| Querying DB instances | Supported | Supported |
| Creating a parameter template | Supported | Not supported |
| Deleting a parameter template | Supported | Not supported |
| Modifying a backup policy | Supported | Not supported |
| Viewing parameter templates | Supported | Supported |
| Deleting a DB instance | Supported | Not supported |
| Deleting a manual backup | Supported | Not supported |
| Querying project tags | Supported | Supported |
| Applying a parameter template | Supported | Not supported |
| Adding or deleting project tags in batches | Supported | Not supported |
| Changing quotas | Supported | Not supported |
| Upgrading a DB instance version | Supported | Not supported |
| Promoting a read replica to primary | Supported | Not supported |
| Changing a database port | Supported | Not supported |
| Changing a security group | Supported | Not supported |
| Changing a private IP address | Supported | Not supported |
| Enabling or disabling SSL | Supported | Not supported |
| Changing a DB instance name | Supported | Not supported |
| Adding a read replica | Supported | Not supported |
| Deleting a read replica | Supported | Not supported |
| Scaling storage space | Supported | Not supported |
| Changing a DB instance password | Supported | Not supported |
| Binding an EIP | Supported | Not supported |
| Unbinding an EIP | Supported | Not supported |
| Modifying a monitoring policy | Supported | Not supported |
| Changing a failover priority | Supported | Not supported |
| Changing a maintenance window | Supported | Not supported |
| Isolating nodes | Supported | Not supported |
| Enabling or disabling SQL Explorer | Supported | Not supported |
| Querying HTAP instances | Supported | Supported |
| Creating an HTAP instance | Supported | Not supported |
| Modifying an HTAP instance | Supported | Not supported |
| Deleting an HTAP instance | Supported | Not supported |
| Changing an HTAP instance name | Supported | Not supported |
| Rebooting an HTAP instance | Supported | Not supported |
| Upgrading an HTAP instance version | Supported | Not supported |
| Promoting a read replica of an HTAP instance to primary | Supported | Not supported |
| Changing the specifications of an HTAP instance | Supported | Not supported |
| Scaling up storage of an HTAP instance | Supported | Not supported |
| Binding an EIP to an HTAP instance | Supported | Not supported |
| Unbinding an EIP from an HTAP instance | Supported | Not supported |
| Changing the port of an HTAP instance | Supported | Not supported |
| Changing an HTAP instance password | Supported | Not supported |
| Creating an HTAP data synchronization task | Supported | Not supported |
| Modifying an HTAP data synchronization task | Supported | Not supported |
| Deleting an HTAP data synchronization task | Supported | Not supported |
| Adding or repairing an HTAP data synchronization table | Supported | Supported |
| Creating a proxy instance | Supported | Not supported |
| Changing a proxy address | Supported | Not supported |
| Changing the read weights of a proxy instance | Supported | Not supported |
| Changing the port of a proxy instance | Supported | Not supported |
| Enabling or disabling access control for a proxy instance | Supported | Not supported |
| Deleting a proxy instance | Supported | Not supported |
| Querying proxy instances | Supported | Supported |
| Upgrading a proxy instance version | Supported | Not supported |
| Changing a proxy instance name | Supported | Not supported |
| Adding proxy nodes | Supported | Not supported |
| Deleting proxy nodes | Supported | Not supported |
| Changing the specifications of a proxy instance | Supported | Not supported |
| Applying for a private domain name for a proxy instance | Supported | Not supported |
| Changing the domain name of a proxy instance | Supported | Not supported |
| Deleting the domain name of a proxy instance | Supported | Not supported |
| Changing the routing policy of a proxy instance | Supported | Not supported |
| Enabling or disabling SSL for a proxy instance | Supported | Not supported |
| Creating a database user | Supported | Not supported |
| Deleting a database user | Supported | Not supported |
| Changing the password of a database user | Supported | Not supported |
| Querying database users | Supported | Supported |
| Granting permissions to a database user | Supported | Not supported |
| Revoking permissions from a database user | Supported | Not supported |
| Creating a database | Supported | Not supported |
| Deleting a database | Supported | Not supported |
| Querying databases | Supported | Supported |
| Querying predefined tags | Supported | Not supported |
| Querying configured log groups | Supported | Not supported |
| Querying configured log streams | Supported | Not supported |
| Configuring an auto scaling policy | Supported | Not supported |
| Configuring an audit log policy | Supported | Not supported |
| Querying an audit log policy | Supported | Supported |
| Querying audit logs | Supported | Supported |
| Obtaining the link for downloading an audit log | Supported | Supported |
| Querying and modifying a serverless compute policy | Supported | Not supported |
| Querying and modifying a serverless scale-up policy | Supported | Not supported |