更新时间:2024-08-27 GMT+08:00
常见场景的委托权限策略
本节操作提供了DLI常见场景的委托权限策略,用于用户自定义权限时配置委托的权限策略。委托策略中的“Resource”根据需要具体情况进行替换。
数据清理委托权限配置
适用场景:数据清理委托,表生命周期清理数据及lakehouse表数据清理使用。该委托需新建后自定义权限,但委托名称固定为dli_data_clean_agency。
请在设置委托的授权范围时分别对OBS权限和DLI权限授权范围:
- OBS权限请选择“全局服务资源”
- DLI权限选择“指定区域项目资源”
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:object:GetObject",
"obs:object:DeleteObject",
"obs:bucket:HeadBucket",
"obs:bucket:ListBucket",
"obs:object:PutObject"
]
}
]
}
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dli:table:showPartitions",
"dli:table:select",
"dli:table:dropTable",
"dli:table:alterTableDropPartition"
]
}
]
}
访问和使用OBS的权限策略
适用场景:DLI Flink作业下载OBS对象、OBS/DWS数据源(外表)、日志转储、使用savepoint、开启checkpoint,DLI Spark作业下载OBS对象、读写OBS外表。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:GetBucketPolicy",
"obs:bucket:GetLifecycleConfiguration",
"obs:bucket:GetBucketLocation",
"obs:bucket:ListBucketMultipartUploads",
"obs:bucket:GetBucketLogging",
"obs:object:GetObjectVersion",
"obs:bucket:GetBucketStorage",
"obs:bucket:GetBucketVersioning",
"obs:object:GetObject",
"obs:object:GetObjectVersionAcl",
"obs:object:DeleteObject",
"obs:object:ListMultipartUploadParts",
"obs:bucket:HeadBucket",
"obs:bucket:GetBucketAcl",
"obs:bucket:GetBucketStoragePolicy",
"obs:object:AbortMultipartUpload",
"obs:object:DeleteObjectVersion",
"obs:object:GetObjectAcl",
"obs:bucket:ListBucketVersions",
"obs:bucket:ListBucket",
"obs:object:PutObject"
],
"Resource": [
"OBS:*:*:bucket:bucketName",//请替换bucketName为对应的桶名称
"OBS:*:*:object:*"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMyBuckets"
]
}
]
}
使用DEW加密功能的权限
适用场景:DLI Flink、Spark作业场景使用DEW-CSMS凭证管理能力。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"csms:secretVersion:get",
"csms:secretVersion:list",
"kms:dek:decrypt"
]
}
]
}
访问DLI Catalog元数据的权限
适用场景:DLI Flink、Spark作业场景,授权DLI访问DLI元数据。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dli:table:showPartitions",
"dli:table:alterTableAddPartition",
"dli:table:alterTableAddColumns",
"dli:table:alterTableRenamePartition",
"dli:table:delete",
"dli:column:select",
"dli:database:dropFunction",
"dli:table:insertOverwriteTable",
"dli:table:describeTable",
"dli:database:explain",
"dli:table:insertIntoTable",
"dli:database:createDatabase",
"dli:table:alterView",
"dli:table:showCreateTable",
"dli:table:alterTableRename",
"dli:table:compaction",
"dli:database:displayAllDatabases",
"dli:database:dropDatabase",
"dli:table:truncateTable",
"dli:table:select",
"dli:table:alterTableDropColumns",
"dli:table:alterTableSetProperties",
"dli:database:displayAllTables",
"dli:database:createFunction",
"dli:table:alterTableChangeColumn",
"dli:database:describeFunction",
"dli:table:showSegments",
"dli:database:createView",
"dli:database:createTable",
"dli:table:showTableProperties",
"dli:database:showFunctions",
"dli:database:displayDatabase",
"dli:table:alterTableRecoverPartition",
"dli:table:dropTable",
"dli:table:update",
"dli:table:alterTableDropPartition"
]
}
]
}
访问LakeFormation Catalog元数据的权限
适用场景:DLI Spark作业场景,授权DLI访问LakeFormation Catalog元数据。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lakeformation:table:drop",
"lakeformation:table:create",
"lakeformation:policy:create",
"lakeformation:database:create",
"lakeformation:database:drop",
"lakeformation:database:describe",
"lakeformation:catalog:alter",
"lakeformation:table:alter",
"lakeformation:database:alter",
"lakeformation:catalog:create",
"lakeformation:function:describe",
"lakeformation:catalog:describe",
"lakeformation:function:create",
"lakeformation:table:describe",
"lakeformation:function:drop",
"lakeformation:transaction:operate"
]
}
]
}
父主题: 配置DLI访问其他云服务的委托权限
