检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
Identity Authentication and Access Control Identity Authentication DRS uses Identity and Access Management (IAM) to implement fine-grained permission management.
Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM.
With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to DRS resources. Grant only the permissions required for users to perform a specific task.
For example, to obtain the IAM token in the CN North-Beijing1 region, obtain the endpoint of IAM (iam.cn-north-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Management Use the Identity and Access Management (IAM) service to manage DRS permissions. Parent topic: Network and Security
IAM can be used free of charge. You pay only for the resources in your Huawei Cloud account. For more information about IAM, see IAM Service Overview. DRS Permissions By default, new IAM users do not have permissions assigned.
Task Creation Process Process of Creating a Migration Task Figure 1 Process of creating a real-time migration task Obtaining a User Token: Call an IAM API to obtain a user token. Creating Tasks in Batches: Create a migration task.
Inherit permissions from user groups: Add the IAM user to certain groups with the DRS FullAccess permission to make the user inherit their permissions. Select permissions: Directly assign the DRS FullAccess permission to the IAM user.
To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements.
IAM User An IAM user is created using an account to use cloud services. Each IAM user has its own identity credentials (password and access keys). The account name, username, and password will be required for API authentication.
The API used to obtain a project ID is GET https://{endpoint}/v3/projects/, where {endpoint} indicates the IAM endpoint. You can obtain the IAM endpoint from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
Supported network types during migration to GaussDB on the current cloud: VPC VPN Direct Connect Public network IAM Identity and Access Management (IAM) manages permissions for DRS. Only users with the DRS administrator permissions can use DRS.
Fine-Grained Authorization DRS uses Identity and Access Management (IAM) to implement fine-grained permission management.
Procedure Call an IAM API to obtain a user token by referring to Authentication. Obtain the ID of the task to be queried by referring to Obtaining a Task ID.
Procedure Call an IAM API to obtain a user token by referring to Authentication. Obtain the ID of the task to be queried by referring to Obtaining a Task ID.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
Involved APIs API for obtaining tokens from IAM Obtain a token and add X-Auth-Token to the request header of API calls. API used to create a real-time migration task. Procedure Obtain the token by referring to Authentication. Obtain the DRS endpoints.
Fuzzy search is supported. domain_id No String ID of the account to which the IAM user belongs. This parameter is mandatory for the op_service permission and optional for non-op_service permissions.
The IAM username for creating required subscription tasks. setUserId(String userId) Specifies the user ID. You can obtain the user ID from My Credential on the management console. setPassword(String password) Specifies the user password.
Table 1 Service function Permission API Action IAM Project Enterprise Project Creating tasks in batches POST /v3/{project_id}/jobs/batch-creation drs:migrationJobs:create (To create an instance, you need to configure the RDS ReadOnlyAccess, VPC FullAccess, and SMN FullAccess permissions
