更新时间:2025-07-11 GMT+08:00
常见场景的委托权限策略
本节提供了DLI常见场景的委托权限策略,供用户自定义权限时配置委托的权限策略使用。策略中的“Resource”请根据实际情况替换为具体资源,以避免授权范围过大。
数据清理委托权限配置
适用场景:数据清理委托,表生命周期清理数据及lakehouse表数据清理使用。该委托需新建后自定义权限,但委托名称固定为dli_data_clean_agency。
请在设置委托的授权范围时,分别为OBS权限和DLI权限选择以下授权范围:
- OBS权限请选择“全局服务资源”
- DLI权限选择“指定区域项目资源”
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:object:GetObject",
"obs:object:DeleteObject",
"obs:bucket:HeadBucket",
"obs:bucket:ListBucket",
"obs:object:PutObject"
]
}
]
}
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dli:table:showPartitions",
"dli:table:select",
"dli:table:dropTable",
"dli:table:alterTableDropPartition"
]
}
]
}
访问和使用OBS的权限策略
适用场景:DLI Flink作业下载OBS对象、OBS/DWS数据源(外表)、日志转储、使用savepoint、开启checkpoint,DLI Spark作业下载OBS对象、读写OBS外表。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:GetBucketPolicy",
"obs:bucket:GetLifecycleConfiguration",
"obs:bucket:GetBucketLocation",
"obs:bucket:ListBucketMultipartUploads",
"obs:bucket:GetBucketLogging",
"obs:object:GetObjectVersion",
"obs:bucket:GetBucketStorage",
"obs:bucket:GetBucketVersioning",
"obs:object:GetObject",
"obs:object:GetObjectVersionAcl",
"obs:object:DeleteObject",
"obs:object:ListMultipartUploadParts",
"obs:bucket:HeadBucket",
"obs:bucket:GetBucketAcl",
"obs:bucket:GetBucketStoragePolicy",
"obs:object:AbortMultipartUpload",
"obs:object:DeleteObjectVersion",
"obs:object:GetObjectAcl",
"obs:bucket:ListBucketVersions",
"obs:bucket:ListBucket",
"obs:object:PutObject"
],
"Resource": [
"OBS:*:*:bucket:bucketName",//请将bucketName替换为对应的桶名称;粘贴策略前请删除本注释,标准JSON不支持注释
"OBS:*:*:object:*"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMyBuckets"
]
}
]
}
使用DEW加密功能的权限
适用场景:DLI Flink、Spark作业场景使用DEW-CSMS凭证管理能力。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"csms:secretVersion:get",
"csms:secretVersion:list",
"kms:dek:decrypt"
]
}
]
}
访问DLI Catalog元数据的权限
适用场景:DLI Flink、Spark作业场景,授权DLI访问DLI元数据。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dli:table:showPartitions",
"dli:table:alterTableAddPartition",
"dli:table:alterTableAddColumns",
"dli:table:alterTableRenamePartition",
"dli:table:delete",
"dli:column:select",
"dli:database:dropFunction",
"dli:table:insertOverwriteTable",
"dli:table:describeTable",
"dli:database:explain",
"dli:table:insertIntoTable",
"dli:database:createDatabase",
"dli:table:alterView",
"dli:table:showCreateTable",
"dli:table:alterTableRename",
"dli:table:compaction",
"dli:database:displayAllDatabases",
"dli:database:dropDatabase",
"dli:table:truncateTable",
"dli:table:select",
"dli:table:alterTableDropColumns",
"dli:table:alterTableSetProperties",
"dli:database:displayAllTables",
"dli:database:createFunction",
"dli:table:alterTableChangeColumn",
"dli:database:describeFunction",
"dli:table:showSegments",
"dli:database:createView",
"dli:database:createTable",
"dli:table:showTableProperties",
"dli:database:showFunctions",
"dli:database:displayDatabase",
"dli:table:alterTableRecoverPartition",
"dli:table:dropTable",
"dli:table:update",
"dli:table:alterTableDropPartition"
]
}
]
}
访问LakeFormation Catalog元数据的权限
适用场景:DLI Spark作业场景,授权DLI访问LakeFormation Catalog元数据。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lakeformation:table:drop",
"lakeformation:table:create",
"lakeformation:policy:create",
"lakeformation:database:create",
"lakeformation:database:drop",
"lakeformation:database:describe",
"lakeformation:catalog:alter",
"lakeformation:table:alter",
"lakeformation:database:alter",
"lakeformation:catalog:create",
"lakeformation:function:describe",
"lakeformation:catalog:describe",
"lakeformation:function:create",
"lakeformation:table:describe",
"lakeformation:function:drop",
"lakeformation:transaction:operate"
]
}
]
}