Parent Topic: IAM Permission Management
IAM Permission Management Overview IAM Authorization Entity IAM Permissions Using IAM Roles or Policies to Grant Access to DLI Parent Topic: DLI Permission Management
Using IAM Roles or Policies to Grant Access to DLI The role/policy-based authorization model provided by Identity and Access Management (IAM) lets you control access to DLI resources.
However, the IAM user who runs the Flink SQL job does not have the OBS write permission. Solution: Log in to the IAM console and, in the upper left corner of the Users page, search for the IAM user who runs the job.
IAM Permissions Elastic Resource Pool Table 1 Elastic resource pool permission set Operation Permission (service:resource:action) (Role/Policy-based Authorization) Creating an elastic resource pool dli:elasticresourcepool:create Querying all elastic resource pools / Deleting an elastic
Creating an IAM User and Granting Permissions To manage fine-grained permissions for your DLI resources using IAM, create an IAM user and grant them permissions to DLI if you are an enterprise user. For details, see Creating an IAM User and Granting Permissions.
Create a user group on the IAM console and grant the DLI ReadOnlyAccess permission to it. 2 Create a user and add them to the user group. Create a user on the IAM console and add them to the created user group. 3 Log in as the IAM user and verify permissions.
Check IAM permissions.
IAM or enterprise projects: Type of projects for which an action will take effect. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management.
Create IAM users. Alternatively, create IAM users to execute different types of jobs. For how to create IAM users, see Creating an IAM User. DLI also provides job management functions, including editing, starting, stopping, deleting, exporting, and importing jobs.
So, the permissions contained in the IAM ReadOnlyAccess policy are required. IAM ReadOnlyAccess is a global policy. Make sure you select this policy.
Table 2 Permissions contained in the dli_management_agency agency Policy Description IAM ReadOnlyAccess To authorize IAM users who have not logged in to DLI, you need to obtain their information. So, the permissions contained in the IAM ReadOnlyAccess policy are required.
to various IAM users.
DLI supports importing data from OBS buckets shared by IAM users under the same tenant, but not from OBS buckets shared by other tenants. This ensures data security and isolation.
Username/Project If you select User, enter the IAM username when adding a user to the database. NOTE: The username must be an existing IAM username that has been used to log in to the DLI management console.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Granting permissions on packages Figure 2 Granting permissions on package groups Table 2 Permission parameters Parameter Description Username Name of the authorized IAM user. NOTE: The username is the name of an existing IAM user.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview. DLI Permissions New IAM users do not have any permissions assigned by default.
IAM Authorization Types and Use Cases IAM can authorize different enterprise users to access cloud service resources.
System-defined policy For details about the authorization mode, see Creating an IAM User and Granting Permissions, Creating an IAM User, and Policies. DLI ReadOnlyAccess Read-only permissions for DLI.