数据治理中心 DataArts Studio-权限管理:DataArts Studio控制台功能依赖的角色或策略
下载数据治理中心 DataArts Studio用户手册完整版
DataArts Studio 控制台功能依赖的角色或策略
DataArts Studio服务各组件功能所需依赖服务的权限如表2所示。在实际授权场景中,推荐为开发者用户配置DataArts Studio服务级别的依赖服务最小权限(可参考如何最小化授权 IAM 用户使用DataArts Studio,为用户配置最小权限),开发者用户的最小依赖服务权限如表3所示。
在实际授权场景中,DAYU Administrator和DAYU User系统角色已经预置了依赖服务的管理员权限。为了避免普通用户/用户组被授予DAYU User系统角色导致其拥有的依赖服务权限过大的风险,您可以在为用户组授权DAYU User系统角色后,手动删除用户组的周边依赖权限,再为用户组授予所需依赖服务的最小权限合集。
|
控制台功能 |
依赖服务 |
需配置角色/策略 |
具体功能 |
|---|---|---|---|
|
管理中心 |
BSS |
bss:coupon:view bss:renewal:update bss:discount:view bss:order:view bss:order:pay bss:order:update |
创建增量包或DataArts Studio实例 |
|
KMS |
kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt |
创建数据连接时,使用KMS加解密 |
|
|
DWS |
dws:cluster:list dws:cluster:getDetail dws:openAPICluster:getDetail |
创建DWS数据连接 |
|
|
mrs:cluster:get mrs:cluster:list |
创建MRS数据连接 |
||
|
VPC |
vpc:publicIps:get vpc:publicIps:list vpc:vpcs:get vpc:subnets:get |
创建MRS数据连接 |
|
|
RDS |
rds:*:get rds:*:list |
创建RDS数据连接 |
|
|
数据集成 |
VPC |
vpc:publicIps:get vpc:publicIps:list vpc:vpcs:get vpc:vpcs:list vpc:subnets:get vpc:securityGroups:get vpc:firewalls:list vpc:routeTables:list vpc:subNetworkInterfaces:list |
创建 CDM 集群或DataArts Studio实例 |
|
E CS |
ecs:flavors:get ecs:cloudServerFlavors:get ecs:availabilityZones:list |
创建CDM集群或DataArts Studio实例 |
|
|
CDM |
cdm:cluster:create |
创建CDM集群 |
|
|
KMS |
kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt |
创建数据连接时,使用KMS加解密 |
|
|
MRS |
mrs:cluster:get mrs:cluster:list mrs:job:get mrs:job:list |
创建MRS数据连接 |
|
|
DWS |
dws:cluster:list dws:cluster:getDetail dws:openAPICluster:getDetail |
创建DWS数据连接 |
|
|
CDM |
cdm:cluster:get cdm:cluster:list cdm:link:operate cdm:job:operate |
通过CDM控制台操作时,需要CDM服务权限 |
|
|
ces:*:get ces:*:list |
查看CES监控 |
||
|
css:*:get css:*:list |
创建CSS连接 |
||
|
CloudTable |
cloudtable:*:get cloudtable:*:list |
创建CloudTable连接 |
|
|
RDS |
rds:*:get rds:*:list |
创建RDS连接 |
|
|
Config |
rms:resources:list |
创建CDM集群 |
|
|
数据开发 |
OBS |
obs:object:GetObject obs:object:PutObject obs:bucket:GetBucketLocation obs:bucket:ListAllMyBuckets obs:bucket:ListBucket obs:bucket:CreateBucket |
运行脚本、运行作业以及备份作业 |
|
smn:topic:publish smn:topic:list |
作业通知 |
||
|
KMS |
kms:cmk:get kms:cmk:list kms:cmk:create kms:cmk:decrypt kms:cmk:encrypt kms:dek:create kms:dek:encrypt kms:dek:decrypt |
创建数据连接时,使用KMS加解密 |
|
|
MRS |
mrs:cluster:get mrs:cluster:list mrs:job:submit mrs:job:delete mrs:job:stop mrs:sql:execute mrs:sql:cancel mrs:job:get mrs:job:list |
MRS类型作业节点运行: MRS Presto SQL、MRS Spark、MRS Spark Python、MRS Flink Job、 MRS MapReduce MRS Spark SQL、MRS Hive SQL |
|
|
dli:queue:submitJob dli:jobs:create dli:jobs:update dli:jobs:get dli:jobs:list dli:jobs:listAll |
DLI类型作业节点运行: DLI SQL、DLI Spark |
||
|
OBS |
obs:object:GetObject obs:object:PutObject obs:object:DeleteObject obs:bucket:GetBucketLocation obs:bucket:ListAllMyBuckets obs:bucket:ListBucket obs:bucket:ListBucketVersions obs:bucket:CreateBucket obs:bucket:DeleteBucket |
OBS类型作业节点运行: Create OBS、Delete OBS、OBS Manager |
|
|
DWS |
dws:cluster:list dws:cluster:getDetail dws:openAPICluster:getDetail |
创建DWS数据连接 |
|
|
CDM |
cdm:cluster:get cdm:cluster:list cdm:job:operate |
数据连接需要Agent的相关脚本、作业,以及CDM作业运行: RDS SQL、DWS SQL、Hive SQL、SPARK SQL、Shell、Python |
|
|
CES |
ces:metricData:list |
运维概览,查询DLI队列CPU |
|
|
GES |
ges:graph:access ges:graph:operate ges:graph:list ges:graph:getDetail ges:metadata:create ges:metadata:operate ges:metadata:delete ges:metadata:list ges:metadata:getDetail ges:jobs:list ges:jobs:getDetail |
Import GES作业节点运行 |
|
|
ECS |
ecs:servers:list ecs:servers:get ecs:servers:stop ecs:servers:start ecs:cloudServers:list |
Open/Close Resource作业节点运行,创建主机连接 |
|
|
DLI |
dli:queue:submitJob dli:queue:cancelJob dli:group:useGroup dli:group:getGroup dli:group:updateGroup dli:group:deleteGroup dli:group:listAllGroup dli:database:createDatabase dli:database:dropDatabase dli:database:displayDatabase dli:database:displayAllDatabases dli:database:explain dli:database:createView dli:database:createTable dli:database:displayAllTables dli:database:createFunction dli:database:describeFunction dli:database:showFunctions dli:database:dropFunction dli:table:select dli:table:update dli:table:delete dli:table:dropTable dli:table:describeTable dli:table:showCreateTable dli:table:showPartitions dli:table:showSegments dli:table:showTableProperties dli:table:insertOverwriteTable dli:table:insertIntoTable dli:table:compaction dli:table:truncateTable dli:table:alterView dli:table:alterTableRename dli:table:alterTableAddColumns dli:table:alterTableDropColumns dli:table:alterTableChangeColumn dli:table:alterTableSetLocation dli:table:alterTableAddPartition dli:table:alterTableRenamePartition dli:table:alterTableSetProperties dli:table:alterTableRecoverPartition dli:table:alterTableDropPartition dli:column:select dli:jobs:create dli:jobs:delete dli:jobs:start dli:jobs:stop dli:jobs:update dli:jobs:export dli:jobs:get dli:jobs:list dli:jobs:listAll dli:resource:useResource dli:resource:updateResource dli:resource:deleteResource dli:resource:getResource dli:resource:listAllResource dli:variable:update dli:variable:delete |
DLI类型作业/脚本运行 |
|
|
IAM |
iam:agencies:listAgencies |
获取作业委托 |
|
|
DIS |
DIS Operator DIS User |
DIS类型作业节点运行: DIS Stream、DIS Dump、DIS Client |
|
|
SWR |
SWR Admin |
仅当在数据开发组件作业中使用DLI Spark节点选择 自定义镜像 时,需要 容器镜像服务 中的镜像读取权限。 推荐通过镜像授权管理,添加所需镜像的读取权限。不推荐直接为用户授予SWR Admin系统角色, 可能存在权限过大的风险。 |
|
|
数据目录 |
OBS |
obs:object:GetObject obs:bucket:GetBucketStorage obs:bucket:GetBucketLocation obs:bucket:ListAllMyBuckets obs:bucket:ListBucket |
OBS元数据采集 |
|
DIS |
dis:streams:list dis:transferTasks:list |
DIS元数据采集 |
|
|
CSS |
css:cluster:list |
CSS元数据采集 |
|
|
GES |
ges:graph:list ges:graph:getDetail ges:metadata:list ges:metadata:getDetail |
GES元数据采集 |
|
|
DLI |
dli:database:displayDatabase dli:database:displayAllDatabases dli:table:select dli:table:describeTable dli:table:showPartitions dli:table:showTableProperties dli:jobs:create dli:jobs:get |
DLI元数据采集&数据概要分析 |
|
|
CDM |
cdm:cluster:list |
CSS元数据采集 |
|
|
数据质量 |
SMN |
smn:topic:publish smn:topic:list |
配置作业通知 |
|
OBS |
obs:object:GetObject obs:object:PutObject obs:bucket:GetBucketLocation obs:bucket:ListAllMyBuckets obs:bucket:ListBucket obs:bucket:CreateBucket |
导出质量报告 |
|
|
MRS |
mrs:job:submit mrs:sql:execute mrs:sql:cancel mrs:job:get |
MRS质量作业运行 |
|
|
DLI |
dli:queue:submitJob dli:jobs:get dli:jobs:listAll |
DLI质量作业运行 |
|
|
数据安全 |
DLI |
dli:queue:submitJob dli:queue:cancelJob dli:database:displayDatabase dli:database:displayAllDatabases dli:database:displayAllTables dli:table:describeTable dli:jobs:create dli:jobs:stop dli:jobs:get dli:resource:deleteResource dli:resource:getResource dli:resource:listAllResource |
DLI权限管控 |
|
DWS |
dws:cluster:list dws:cluster:getDetail dws:openAPICluster:getDetail |
DWS权限管控 |
|
|
MRS |
mrs:cluster:list mrs:job:submit mrs:job:stop |
MRS权限管控 |
|
|
KMS |
kms:cmk:list kms:cmk:encrypt kms:cmk:decrypt |
使用KMS加解密 |
|
|
CDM |
任意cdm权限,例如cdm:cluster:get |
DWS和MRS权限管控 |
|
权限类型 |
角色与策略权限-系统角色 |
角色与策略权限-自定义策略 |
角色与策略权限-自定义策略 |
|---|---|---|---|
|
是否必配 |
必配 |
必配 |
必配 |
|
权限 |
|
依赖的全局级(global级)云服务的自定义策略DataArtsStudio_PermissionsOfDependentServices_global:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:object:GetObject", "obs:object:PutObject", "obs:object:DeleteObject", "obs:bucket:GetBucketStorage", "obs:bucket:GetBucketLocation", "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket", "obs:bucket:ListBucketVersions", "obs:bucket:CreateBucket", "obs:bucket:DeleteBucket", "rms:resources:list", "iam:agencies:listAgencies" ] } ]}
|
依赖的项目级(region级)云服务的自定义策略DataArtsStudio_PermissionsOfDependentServices_region:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "cdm:cluster:get", "cdm:cluster:list", "cdm:cluster:create", "cdm:link:operate", "cdm:job:operate", "ces:*:get", "ces:*:list", "cloudtable:*:get", "cloudtable:*:list","css:*:get", "css:*:list", "dis:streams:list", "dis:transferTasks:list", "dli:queue:submitJob", "dli:queue:cancelJob", "dli:table:insertOverwriteTable", "dli:table:insertIntoTable", "dli:table:alterView", "dli:table:alterTableRename", "dli:table:compaction", "dli:table:truncateTable", "dli:table:alterTableDropColumns", "dli:table:alterTableSetProperties", "dli:table:alterTableChangeColumn", "dli:table:showSegments", "dli:table:alterTableRecoverPartition", "dli:table:dropTable", "dli:table:update", "dli:table:alterTableDropPartition", "dli:table:alterTableAddPartition", "dli:table:alterTableAddColumns", "dli:table:alterTableRenamePartition", "dli:table:delete", "dli:table:alterTableSetLocation", "dli:table:describeTable", "dli:table:showPartitions", "dli:table:showCreateTable", "dli:table:showTableProperties", "dli:table:select", "dli:resource:updateResource", "dli:resource:useResource", "dli:resource:getResource", "dli:resource:listAllResource", "dli:resource:deleteResource", "dli:database:explain", "dli:database:createDatabase", "dli:database:dropFunction", "dli:database:createFunction", "dli:database:displayAllDatabases","dli:database:displayAllTables", "dli:database:displayDatabase", "dli:database:describeFunction", "dli:database:createView", "dli:database:createTable", "dli:database:showFunctions", "dli:database:dropDatabase", "dli:group:useGroup", "dli:group:updateGroup", "dli:group:listAllGroup", "dli:group:getGroup", "dli:group:deleteGroup", "dli:column:select", "dli:jobs:start", "dli:jobs:export", "dli:jobs:update", "dli:jobs:list", "dli:jobs:listAll", "dli:jobs:get", "dli:jobs:delete", "dli:jobs:create", "dli:jobs:stop","dli:variable:update","dli:variable:delete", "dws:cluster:list", "dws:cluster:getDetail", "dws:openAPICluster:getDetail", "ecs:servers:get","ecs:servers:list", "ecs:servers:stop", "ecs:servers:start","ecs:flavors:get", "ecs:cloudServerFlavors:get", "ecs:cloudServers:list", "ecs:availabilityZones:list", "ges:graph:access", "ges:metadata:create", "ges:jobs:list", "ges:graph:operate", "ges:jobs:getDetail", "ges:graph:getDetail", "ges:graph:list", "ges:metadata:list", "ges:metadata:getDetail", "ges:metadata:delete", "ges:metadata:operate", "kms:cmk:get", "kms:cmk:list", "kms:cmk:create", "kms:cmk:decrypt", "kms:cmk:encrypt", "kms:dek:create", "kms:dek:encrypt", "kms:dek:decrypt", "mrs:cluster:get", "mrs:cluster:list", "mrs:job:get", "mrs:job:list", "mrs:job:submit", "mrs:job:stop", "mrs:job:delete", "mrs:sql:execute", "mrs:sql:cancel", "rds:*:get", "rds:*:list", "smn:topic:publish", "smn:topic:list","vpc:publicIps:list", "vpc:publicIps:get", "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get", "vpc:securityGroups:get", "vpc:firewalls:list", "vpc:routeTables:list", "vpc:subNetworkInterfaces:list" ] } ]}
|
