Creating a User and Assigning Permissions This chapter describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your LakeFormation instances. With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure.
Identity Authentication and Access Control Identity Authentication IAM users of the current tenant access LakeFormation through the console. LakeFormation authenticates the IAM tokens carried in the HTTPS requests sent by the console in order to identify the tenant and the IAM user.
Policies that contain only actions scoped to IAM projects can be used and take effect in IAM projects only.
If your HUAWEI CLOUD account does not need individual IAM users for permission management, you may skip this section. IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?.
Custom class for obtaining user information: the AuthenticationManager class is used to obtain information about the user accessing LakeFormation, who may be an IAM user or a local LDAP user.
Custom class for obtaining authentication information: the IdentityGenerator class is used to obtain the IAM authentication information (a token, a permanent AK/SK, or a temporary AK/SK together with its securityToken) used to access LakeFormation.
For example, to obtain an IAM token in the CN-Hong Kong region, use the IAM endpoint for that region (iam.ap-southeast-1.myhuaweicloud.com) together with the resource path (/v3/auth/tokens) of the API for obtaining a user token.
Constraints and Limitations After an IAM user group is deleted, you must manually delete the related permission policies in the LakeFormation data permissions; they are not removed automatically.
Supported Actions in ABAC IAM provides system-defined policies that define the common actions supported by cloud services. You can also create custom policies from the actions supported by each cloud service for more fine-grained access control.
Table 1 Relationships with other services
Service Name | Relationship
Identity and Access Management (IAM) | IAM authenticates IAM users or agencies and controls part of the access to LakeFormation.
Cloud Trace Service (CTS) | CTS records LakeFormation operations for query, auditing, or backtracking.
After cloud service authorization, LakeFormation creates an agency named lakeformation_admin_trust in Identity and Access Management (IAM). Do not delete this agency while LakeFormation is in use.
If the migration type is set to DLF, the mapping and migration policies are as follows: RAM user: IAM user (If the corresponding IAM user does not exist, the permission policy will not be migrated.)
Principal type: IAM (cloud user), SAML (SAML-based federation), LDAP (ID user), LOCAL (local user), AGENTTENANT (agency), OTHER (others). Enumeration values: IAM, SAML, LDAP, LOCAL, AGENTTENANT, OTHER.
principal_name: String. Entity name. The value can contain 1 to 49 characters.
IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy.
The values are IAM (cloud user), SAML (SAML-based federation), LDAP (ID user), and LOCAL (local user). Enumeration values: IAM, SAML, LDAP, LOCAL.
limit: Optional. Integer. Number of returned records. The default value is 1000.
For example, once an IAM user group has been created, you can centrally manage permissions on data lake resources on the LakeFormation console. IAM users and user groups can also be associated with fine-grained LakeFormation permission policies for authorization.
The options are IAM (cloud user), SAML (SAML-based federation), LDAP (ID user), LOCAL (local user), AGENTTENANT (agency), and OTHER (others). Enumeration values: IAM, SAML, LDAP, LOCAL, AGENTTENANT, OTHER.
type: Optional. String. Catalog type.
--SecurityToken: the securityToken that accompanies a temporary AK/SK in the IAM authentication information used to access LakeFormation. This parameter is optional.
The API for obtaining a project ID is GET https://{Endpoint}/v3/projects, where {Endpoint} indicates the IAM endpoint. You can obtain the IAM endpoint from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
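The two IAM calls referenced above (POST /v3/auth/tokens to obtain a user token, then GET /v3/projects to look up the project ID for a region) chained together, as an added example; this is not code from the page, from LakeFormation, or from the Huawei Cloud SDK. It assumes the Keystone-v3-style password authentication body and the X-Subject-Token / X-Auth-Token header names that Huawei Cloud IAM uses; the function names and the sample projects response (including its project ID) are constructed for illustration and are not real identifiers.

```python
"""Obtain a project-scoped IAM token, then resolve the project ID of a region.

Added example (not LakeFormation or IAM SDK code). Assumed, not taken from the
page: the password-auth request body, the X-Subject-Token response header and
the X-Auth-Token request header. The sample response at the bottom is
constructed; the project ID in it is made up.
"""
import json
import urllib.request

# Regional IAM endpoint, e.g. iam.ap-southeast-1.myhuaweicloud.com for CN-Hong Kong.
IAM_ENDPOINT_TEMPLATE = "https://iam.{region}.myhuaweicloud.com"


def build_token_request(region, username, password, domain_name):
    """Return (url, headers, body_dict) for POST /v3/auth/tokens.

    The scope binds the token to the region's project (the project name equals
    the region ID), which is what LakeFormation's regional API expects.
    """
    url = IAM_ENDPOINT_TEMPLATE.format(region=region) + "/v3/auth/tokens"
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "password": password,
                        "domain": {"name": domain_name},
                    }
                },
            },
            "scope": {"project": {"name": region}},
        }
    }
    return url, {"Content-Type": "application/json;charset=utf8"}, body


def extract_token(response_headers):
    """The token is returned in the X-Subject-Token header, not in the body."""
    for name, value in response_headers.items():
        if name.lower() == "x-subject-token":
            return value
    raise ValueError("no X-Subject-Token header: authentication did not succeed")


def build_projects_request(region, token):
    """Return (url, headers) for GET /v3/projects, authenticated with the token."""
    url = IAM_ENDPOINT_TEMPLATE.format(region=region) + "/v3/projects"
    return url, {"X-Auth-Token": token}


def find_project_id(projects_doc, region):
    """Pick the enabled project whose name is the region ID."""
    for project in projects_doc.get("projects", []):
        if project.get("name") == region and project.get("enabled", True):
            return project["id"]
    raise LookupError("no enabled project named " + region)


def redact(token):
    """A token is a bearer credential: log only a prefix, never the full value."""
    return token[:6] + "..." if len(token) > 6 else "***"


def obtain_project_id(region, username, password, domain_name, opener=urllib.request.urlopen):
    """Live flow (network). Not exercised by the test; shown for completeness."""
    url, headers, body = build_token_request(region, username, password, domain_name)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with opener(req) as resp:
        token = extract_token(dict(resp.headers))  # tokens expire; cache and refresh rather than re-authenticating per call
    url, headers = build_projects_request(region, token)
    with opener(urllib.request.Request(url, headers=headers)) as resp:
        return find_project_id(json.loads(resp.read()), region)


# Constructed sample response for GET /v3/projects (hypothetical IDs).
SAMPLE_PROJECT_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_PROJECTS_RESPONSE = {
    "projects": [
        {"id": "ffffffffffffffffffffffffffffffff", "name": "cn-north-4", "enabled": True},
        {"id": SAMPLE_PROJECT_ID, "name": "ap-southeast-1", "enabled": True},
    ]
}

if __name__ == "__main__":
    print(find_project_id(SAMPLE_PROJECTS_RESPONSE, "ap-southeast-1"))
```

The project-scoped token is what a LakeFormation caller in the CN-Hong Kong region needs; a domain-scoped token (scope "domain" instead of "project") is for account-level IAM management and will not be accepted by regional service APIs. Treat the value of X-Subject-Token like a password: keep it out of logs and URLs, and send it only over HTTPS in the X-Auth-Token header.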