本文主要介紹DLA服務關聯角色(AliyunServiceRoleForOpenAnalytics)的應用場景、如何查看該角色的權限策略以及如何刪除服務關聯角色。

背景信息

DLA服務關聯角色(AliyunServiceRoleForOpenAnalytics)是在某些情況下,DLA為了完成自身的某個功能,需要獲取其他云服務的訪問權限而提供的RAM角色。更多信息請參見服務關聯角色。

應用場景

DLA作為阿里云數據湖分析產品,提供Serverless Presto和Spark的核心產品功能,需要為用戶打通、連接、關聯各種阿里云數據源和云服務產品(OSS、OTS、RDS、ADS、ODPS、ECS、VPC、RAM、MQ等),從而實現數據湖的各項功能。因此,DLA會在用戶開通DLA服務的時候,自動地幫助用戶在DLA內部創建好服務關聯角色,從而極大地提高用戶體驗。

查看DLA服務關聯角色

  1. 登錄Data Lake Analytics管理控制臺。
  2. 在概覽頁面右上角單擊選項按鈕。
  3. 在跨云服務授權頁面查看DLA服務關聯角色信息:
    • 角色名稱:AliyunServiceRoleForOpenAnalytics
    • 角色權限策略:AliyunServiceRolePolicyForOpenAnalytics
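    • 權限說明如下(該策略除只讀操作外,還包含寫入、刪除及修改訪問白名單的操作,例如oss:DeleteObject、ots:DeleteTable、rds:ModifySecurityIps,且所有Statement的Resource均為"*"):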
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "openanalytics.aliyuncs.com"
              }
            }
          },
          {
            "Action": [
              "ram:ListUsers",
              "ram:GenerateCredentialReport"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:GetBucket",
              "oss:GetBucketAcl",
              "oss:GetBucketLocation",
              "oss:GetBucketInfo",
              "oss:GetBucketLogging",
              "oss:GetBucketWebsite",
              "oss:GetBucketReferer",
              "oss:GetBucketLifecycle",
              "oss:GetBucketEncryption",
              "oss:GetBucketStat",
              "oss:GetBucketMetadata",
              "oss:GetBucketTagging",
              "oss:GetBucketVersioning",
              "oss:GetSimplifiedObjectMeta",
              "oss:GetObjectMetadata",
              "oss:GetBucketStorageCapacity",
              "oss:GetBucketEncryption",
              "oss:GetObject",
              "oss:GetObjectMeta",
              "oss:GetObjectAcl",
              "oss:GetSymlink",
              "oss:GetObjectTagging",
              "oss:GetService",
              "oss:ListObjects",
              "oss:ListMultipartUploads",
              "oss:ListParts",
              "oss:ListBuckets",
              "oss:ListVpcip",
              "oss:ListVersions",
              "oss:GetBucketCname",
              "oss:GetBucketRequestPayment",
              "oss:GetBucketVpcip",
              "oss:DoesBucketExist",
              "oss:DoesObjectExist",
              "oss:ListObjectsV2",
              "oss:SelectObject",
              "oss:HeadObject",
              "oss:PutBucket",
              "oss:PutObject",
              "oss:PutObjectTagging",
              "oss:CopyObject",
              "oss:InitiateMultipartUpload",
              "oss:UploadPart",
              "oss:UploadPartCopy",
              "oss:CompleteMultipartUpload",
              "oss:AbortMultipartUpload",
              "oss:RestoreObject",
              "oss:PostObject",
              "oss:UploadFile",
              "oss:DownloadFile",
              "oss:AppendObject",
              "oss:DeleteObject",
              "oss:DeleteObjects"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alikafka:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "rds:DescribeDBInstances",
              "rds:DescribeDBInstanceAttribute",
              "rds:DescribeDBInstanceNetInfo",
              "rds:DescribeDBInstanceHAConfig",
              "rds:DescribeDBInstanceIPArrayList",
              "rds:ModifySecurityIps",
              "dds:DescribeDBInstances",
              "dds:DescribeDBInstanceAttribute",
              "dds:DescribeSecurityIps",
              "dds:ModifySecurityIps",
              "polardb:DescribeDBClusters",
              "polardb:DescribeDBClusterAttribute",
              "polardb:DescribeDBClusterEndpoints",
              "polardb:DescribeDBClusterAccessWhitelist",
              "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mns:GetQueueAttributes",
              "mns:GetTopicAttributes",
              "mns:GetSubscriptionAttributes",
              "mns:ListQueue",
              "mns:ListTopic",
              "mns:ListSubscriptionByTopic",
              "mns:SendMessage",
              "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mq:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "dbs:DescribeBackupPlanList",
              "dbs:DescribeFullBackupList",
              "dbs:DescribeIncrementBackupList",
              "dbs:DescribeRestoreTaskList",
              "dbs:DescribeBackupGatewayList"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ots:GetRow",
              "ots:BatchGetRow",
              "ots:GetRange",
              "ots:GetShardIterator",
              "ots:GetStreamRecord",
              "ots:ListStream",
              "ots:ListTable",
              "ots:ListSearchIndex",
              "ots:DescribeStream",
              "ots:DescribeTable",
              "ots:DescribeSearchIndex",
              "ots:ComputeSplitPointsBySize",
              "ots:CreateTable",
              "ots:UpdateTable",
              "ots:DeleteTable",
              "ots:PutRow",
              "ots:UpdateRow",
              "ots:DeleteRow",
              "ots:BatchWriteRow",
              "ots:CreateIndex",
              "ots:DropIndex",
              "ots:CreateSearchIndex",
              "ots:DeleteSearchIndex",
              "ots:Search"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "log:ListProject",
              "log:ListLogStores",
              "log:ListShipper",
              "log:GetCursorOrData",
              "log:BatchGetLog",
              "log:GetShipper",
              "log:GetShipperConfig",
              "log:BatchGetLog",
              "log:DeleteShipper",
              "log:CreateShipper"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:CreateNetworkInterface",
              "ecs:DescribeNetworkInterfaces",
              "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

刪除服務關聯角色

當您嘗試刪除服務關聯角色(AliyunServiceRoleForOpenAnalytics)時,您需要進行如下操作:
  • 關閉當前Region和其他所有Region的DLA服務,因為DLA是以用戶賬號維度來判斷服務關聯角色(SLR)的關聯性。
  • 刪除服務關聯角色,具體操作請參見服務關聯角色。