Custom authorization for DLF
A RAM user in the account that owns a MaxCompute project cannot access Data Lake Formation (DLF) or Object Storage Service (OSS) without authorization. You can grant this access yourself by adding a trust policy and a permission policy to a RAM role that the RAM user's project assumes. This topic describes how to authorize the RAM user of a MaxCompute project by using custom authorization.
Background information
In a lakehouse scenario that integrates MaxCompute with DLF and OSS, the RAM user of the MaxCompute project cannot access DLF without authorization.

The value of the Service field in the trust policy depends on which account deploys DLF:

- If the RAM account of the MaxCompute project is the same as the account in which DLF is deployed, set Service to odps.aliyuncs.com.
- If the RAM account of the MaxCompute project is different from the account in which DLF is deployed, set Service to <Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com. You can obtain the Alibaba Cloud account ID of the MaxCompute project owner from the account information page.
Procedure
1. Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account.
   For details, see Create a RAM role for a trusted Alibaba Cloud account.

2. In the RAM console, modify the trust policy of the RAM role that you created.
   For details, see Modify the trust policy of a RAM role. The trust policy content is as follows:

   If the account that created the MaxCompute project and the account in which DLF is deployed are the same account:

   {
       "Statement": [
           {
               "Action": "sts:AssumeRole",
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "odps.aliyuncs.com"
                   ]
               }
           }
       ],
       "Version": "1"
   }

   If the account that created the MaxCompute project and the account in which DLF is deployed are different accounts:

   {
       "Statement": [
           {
               "Action": "sts:AssumeRole",
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "<Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com"
                   ]
               }
           }
       ],
       "Version": "1"
   }

3. In the RAM console, create a custom permission policy for the RAM role that you created.
   For details, see Create a custom policy. The permission policy content is as follows:

   {
       "Version": "1",
       "Statement": [
           {
               "Action": [
                   "oss:ListBuckets",
                   "oss:GetObject",
                   "oss:ListObjects",
                   "oss:PutObject",
                   "oss:DeleteObject",
                   "oss:AbortMultipartUpload",
                   "oss:ListParts"
               ],
               "Resource": "*",
               "Effect": "Allow"
           },
           {
               "Action": [
                   "dlf:CreateFunction",
                   "dlf:BatchGetPartitions",
                   "dlf:ListDatabases",
                   "dlf:CreateLock",
                   "dlf:UpdateFunction",
                   "dlf:BatchUpdateTables",
                   "dlf:DeleteTableVersion",
                   "dlf:UpdatePartitionColumnStatistics",
                   "dlf:ListPartitions",
                   "dlf:DeletePartitionColumnStatistics",
                   "dlf:BatchUpdatePartitions",
                   "dlf:GetPartition",
                   "dlf:BatchDeleteTableVersions",
                   "dlf:ListFunctions",
                   "dlf:DeleteTable",
                   "dlf:GetTableVersion",
                   "dlf:AbortLock",
                   "dlf:GetTable",
                   "dlf:BatchDeleteTables",
                   "dlf:RenameTable",
                   "dlf:RefreshLock",
                   "dlf:DeletePartition",
                   "dlf:UnLock",
                   "dlf:GetLock",
                   "dlf:GetDatabase",
                   "dlf:GetFunction",
                   "dlf:BatchCreatePartitions",
                   "dlf:ListPartitionNames",
                   "dlf:RenamePartition",
                   "dlf:CreateTable",
                   "dlf:BatchCreateTables",
                   "dlf:UpdateTableColumnStatistics",
                   "dlf:ListTableNames",
                   "dlf:UpdateDatabase",
                   "dlf:GetTableColumnStatistics",
                   "dlf:ListFunctionNames",
                   "dlf:ListPartitionsByFilter",
                   "dlf:GetPartitionColumnStatistics",
                   "dlf:CreatePartition",
                   "dlf:CreateDatabase",
                   "dlf:DeleteTableColumnStatistics",
                   "dlf:ListTableVersions",
                   "dlf:BatchDeletePartitions",
                   "dlf:ListCatalogs",
                   "dlf:UpdateTable",
                   "dlf:ListTables",
                   "dlf:DeleteDatabase",
                   "dlf:BatchGetTables",
                   "dlf:DeleteFunction"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }

4. Attach the custom permission policy to the RAM role that you created.
   For details, see Grant permissions to a RAM role.
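The following Python helper, added here as an example and not code from Alibaba Cloud or the MaxCompute product, generates the trust policy for step 2 from the account relationship described in the background section and audits a permission policy like the one in step 3 before it is attached. The policy shapes and the odps.aliyuncs.com service principal come from this page; the sample account ID, the sample OSS bucket name and the `audit_permission_policy` rules (expected `oss:`/`dlf:` action namespaces, no wildcard actions, no `"*"` resources) are assumptions made for the example.

```python
"""Build the DLF trust policy and audit a RAM permission policy.

Added example; not Alibaba Cloud or MaxCompute code. Policy shapes follow the
page; the audit rules are this example's own assumptions.
"""
import json

ODPS_SERVICE = "odps.aliyuncs.com"  # service principal from the page


def build_trust_policy(owner_account_id=None):
    """Return the RAM trust policy MaxCompute needs to assume the role.

    Pass owner_account_id=None when the MaxCompute project account and the
    DLF account are the same; otherwise pass the MaxCompute project owner's
    Alibaba Cloud account ID, which yields "<id>@odps.aliyuncs.com".
    """
    if owner_account_id is None:
        service = ODPS_SERVICE
    else:
        owner = str(owner_account_id).strip()
        if not owner.isdigit():  # account IDs are numeric; reject typos early
            raise ValueError("owner account id must be numeric")
        service = f"{owner}@{ODPS_SERVICE}"
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": [service]},
            }
        ],
        "Version": "1",
    }


def audit_permission_policy(policy, allowed_prefixes=("oss:", "dlf:")):
    """Return a list of findings (empty list means no concerns).

    Assumed review rules: every Allow action must sit in the oss:/dlf:
    namespaces, no wildcard actions, and no Resource "*" (which grants the
    listed actions on every bucket and every DLF catalog in the account).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.startswith(allowed_prefixes):
                findings.append(f"statement {i}: unexpected action {action!r}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' covers every bucket/catalog")
    return findings


# Constructed sample: a shortened form of the page's step-3 policy.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:ListBuckets", "oss:GetObject", "oss:PutObject"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["dlf:GetDatabase", "dlf:GetTable", "dlf:ListPartitions"],
         "Resource": "*", "Effect": "Allow"},
    ],
}

# Constructed sample with the OSS statement scoped to one bucket; the bucket
# name is a placeholder and the ARN form is an assumption for this example.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:GetObject", "oss:PutObject"],
         "Resource": ["acs:oss:*:*:example-lakehouse-bucket/*"],
         "Effect": "Allow"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(), indent=4))
    print(json.dumps(build_trust_policy("123456789012345678"), indent=4))
    for name, pol in (("sample", SAMPLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_permission_policy(pol) or "no findings")
```

The trust policy that `build_trust_policy` emits matches the two variants in step 2, so the output can be pasted into the RAM console as-is. The audit is a review aid, not a substitute for the console: the page's policy uses `"Resource": "*"` so that the example works for any bucket, and the audit reports that so a reviewer can decide whether to narrow the OSS statement to the bucket the lakehouse actually uses.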