權(quán)限控制
權(quán)限控制
DataHub采用阿里云RAM進(jìn)行訪問控制。用戶對(duì)DataHub資源的訪問,通過RAM進(jìn)行鑒權(quán)。阿里云主賬號(hào)擁有所屬資源的所有權(quán)限,子用戶在創(chuàng)建時(shí)并沒有任何權(quán)限,不能訪問任何資源,用戶需要在RAM中對(duì)該子用戶進(jìn)行授權(quán)操作。關(guān)于如何創(chuàng)建RAM子用戶與創(chuàng)建授權(quán)策略并進(jìn)行授權(quán)可參見RAM使用文檔。以下將介紹DataHub在RAM下的訪問控制體系。
DataHub RAM權(quán)限控制
DataHub資源
DataHub在RAM的訪問控制中的資源體系包含Project、Topic和Subscription。目前支持Project、Topic和Subscription級(jí)別的鑒權(quán),并不支持Shard的訪問控制。其中Subscription是指對(duì)某個(gè)特定Project下的Topic的一次訂閱。
| 資源 | RAM中的資源描述 |
|---|---|
| Project | acs:dhs:$region:$accountid:projects/$projectName |
| Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
DataHub API及對(duì)應(yīng)在RAM中的授權(quán)策略
Project
| API | Action | Resource |
|---|---|---|
| CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/* |
| ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/* |
| DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName |
| GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName |
Topic
| API | Action | Resource |
|---|---|---|
| CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Subscription
| API | Action | Resource |
|---|---|---|
| CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
Connector
| API | Action | Resource |
|---|---|---|
| CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
Shard
| API | Action | Resource |
|---|---|---|
| ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| MergeShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| SplitShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
PubSub
| API | Action | Resource |
|---|---|---|
| PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
DataHub支持的Condition
| Condition | 功能 | 合法取值 |
|---|---|---|
| acs:SourceIp | 指定ip網(wǎng)段 | 普通ip, 支持*通配 |
| acs:SecureTransport | 是否是https協(xié)議 | true/false |
| acs:MFAPresent | 是否多設(shè)備認(rèn)證 | true/false |
| acs:CurrentTime | 指定訪問時(shí)間 | ISO8601格式 |
DataHub系統(tǒng)授權(quán)策略
DataHub授權(quán)策略在RAM系統(tǒng)中已有系統(tǒng)策略,用戶可以根據(jù)需求直接添加系統(tǒng)策略。
AliyunDataHubFullAccess
包含DataHub相關(guān)的所有權(quán)限,一般用于管理DataHub資源。
AliyunDataHubReadOnlyAccess
只讀訪問DataHub服務(wù)的權(quán)限,可以查看DataHub所有的資源情況,例如查看project詳細(xì)信息,列出project列表,讀數(shù)據(jù)等等,但是不能更新、創(chuàng)建以及寫數(shù)據(jù)。
AliyunDataHubSubscribeAccess
向DataHub訂閱數(shù)據(jù)的權(quán)限,只包含和讀數(shù)據(jù)相關(guān)的必要操作,包括GetTopic,ListShard,GetRecords以及訂閱和點(diǎn)位相關(guān)的所有接口。
AliyunDataHubPublishAccess
向DataHub發(fā)布數(shù)據(jù)的權(quán)限,只包含和寫數(shù)據(jù)相關(guān)的必要操作,包括GetTopic,ListShard以及PutRecords。
DataHub自定義授權(quán)策略
DataHub目前只有上述四種系統(tǒng)權(quán)限策略,如果無法滿足需求,用戶可以添加自定義權(quán)限策略。具體操作路徑在RAM系統(tǒng)中:策略管理->自定義授權(quán)策略->新建授權(quán)策略。下面給出幾個(gè)自定義策略示例:
WebConsole中顯示
// 為了在WebConsole中能夠顯示擁有權(quán)限的project,需要在Statement中增加如下配置
// 因?yàn)閃ebConsole需要ListProject和GetProject,才能在頁面展示project
{
"Action": ["dhs:ListProject","dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
}WebConsole中創(chuàng)建topic
// 在WebConsole的project頁面中顯示topic需要ListTopic和GetTopic權(quán)限
// 如希望能夠在WebConsole中的project:test下能夠創(chuàng)建topic,可以使用如下配置
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListProject", "dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
},
{
"Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
"Resource": "acs:dhs:*:*:projects/test/topics/*",
"Effect": "Allow"
}
]
}其他自定義授權(quán)策略
//只允許用戶獲取指定Project下topic的信息
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListTopic", "dhs:GetTopic"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權(quán)Policy樣例1: 給用戶授權(quán)具有project foo下topic的所有訂閱權(quán)限
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Subscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權(quán)Policy樣例2: 給用戶授權(quán)僅具有project foo下查詢訂閱的權(quán)限
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權(quán)Policy樣例3: 給用戶授權(quán)僅具有project foo下的topic t1特定訂閱'14985645198374IoCK'的提交點(diǎn)位權(quán)限
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:GetSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
"Effect": "Allow"
}
]
}
// 對(duì)指定Topic進(jìn)行 Split/Merge shard, 包括ListShard, SplitShard, MergeShard
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Shard"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
"Effect": "Allow"
}
]
}