All Products
Search
Document Center

AnalyticDB:Perform authorization

Last Updated:Nov 04, 2024

Before you access cloud resources within an Alibaba Cloud account or across Alibaba Cloud accounts as a Resource Access Management (RAM) user, you must perform authorization based on different scenarios. To access cloud resources within an Alibaba Cloud account, you must grant the AliyunADBSparkProcessingDataRole permission to the RAM user. To access cloud resources across Alibaba Cloud accounts, you must grant permissions to other Alibaba Cloud accounts. This topic describes how to perform authorization within an Alibaba Cloud account and across Alibaba Cloud accounts.

Prerequisites

An AnalyticDB for MySQL Data Lakehouse Edition (V3.0) cluster is created. For more information, see Create a cluster.

Permissions that are required for Spark jobs

When you submit a Spark job, you must have the following permissions:

  • AliyunADBFullAccess: allows RAM users to manage AnalyticDB for MySQL clusters. For more information, see the "Grant permissions to a RAM user" section of the Manage RAM users and permissions topic.

  • Permissions to read and write AnalyticDB for MySQL databases and tables: By default, AnalyticDB for MySQL uses database accounts to manage databases and tables. When you submit a Spark job that needs to read or write data as a RAM user, you must associate a standard database account with the RAM user. For more information, see Associate or disassociate a database account with or from a RAM user.

  • AliyunADBSparkProcessingDataRole: allows AnalyticDB for MySQL Spark to access other cloud resources such as Object Storage Service (OSS) and Tablestore. For more information, see the "Perform authorization within an Alibaba Cloud account" section of this topic.

Perform authorization within an Alibaba Cloud account

Before you perform authorization within an Alibaba Cloud account, you must create a RAM user. For more information, see Create a RAM user.

  1. Go to the Perform authorization.

  2. In the lower-left corner of the page, click Agree to Authorization to grant the AliyunADBSparkProcessingDataRole permission to the RAM role.

    After you grant the permission to the RAM role, a service role named AliyunADBSparkProcessingDataRole is automatically created to allow AnalyticDB for MySQL to access other cloud resources.

Important

Only Alibaba Cloud accounts are allowed to grant the preceding permission to RAM users.

Perform authorization across Alibaba Cloud accounts

AnalyticDB for MySQL Spark allows you to access all cloud resources of other Alibaba Cloud accounts. This topic describes how to authorize a Resource Access Management (RAM) user that belongs to Alibaba Cloud account A (ID: testAccountID) to access data of Alibaba Cloud account B (ID: testAccountID1).

Step 1: Create a RAM role for Alibaba Cloud account B and grant permissions to the role

  1. Create a RAM role and allow Alibaba Cloud account A to assume the RAM role.

    Note

    If you already created a RAM role and allowed Alibaba Cloud account A to assume the role, you can skip this step.

    1. Use Alibaba Cloud account B or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. On the Create Role page, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

    5. Configure the RAM role.

      1. Specify the RAM Role Name parameter. In this example, set the RAM role name to admin-oss.

      2. (Optional) Specify the Note parameter.

      3. Select Other Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter and enter the ID of Alibaba Cloud account A (testAccountID).

    6. Click OK.

  2. Grant permissions to the RAM role.

    1. Find the RAM role and click Input and Attach in the Actions column.

    2. In the Precise Permission panel, set Type to System Policy or Custom Policy and enter a policy name.

      If you want to access a resource in a specific virtual private cloud (VPC), you must create a custom policy and use the Resource parameter to specify the security group to which the resource belongs and the vSwitch to which the resource is connected. For information about how to create a custom policy, see Create custom policies.

      In this example, a custom policy named eni_policy that allows you to access only an ApsaraDB RDS for MySQL instance in a specific VPC is created.

      Note

      You must add the ApsaraDB RDS for MySQL instance to a security group and configure inbound and outbound security group rules that allow requests from the port of the ApsaraDB RDS for MySQL instance.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ecs:*",
                  "Resource": "acs:ecs:*:*:securitygroup/<ID of the security group to which the ApsaraDB RDS for MySQL instance belongs>"
              },
              {
                  "Effect": "Allow",
                  "Action": "vpc:*",
                  "Resource": "acs:vpc:*:*:vswitch/<ID of the vSwitch to which the ApsaraDB RDS for MySQL instance is connected>"
              }
          ]
      }
    3. Click OK.

    4. Click Close.

  3. Modify the trust policy to allow a RAM user that belongs to Alibaba Cloud account A to assume the RAM role.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, click the name of the RAM role.

    3. On the Trust Policy tab, click Edit Trust Policy.

    4. Modify the content of the trust policy and click Save trust policy document.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::testAccountID:root"
              ]
            }
          },
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "testAccountID@ads.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

Step 2: Create a RAM user for Alibaba Cloud account A and allow the RAM user to assume the RAM role

  1. Create a RAM user.

    1. Use Alibaba Cloud account A or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, configure the following parameters:

      • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

      • Display Name: The display name can be up to 128 characters in length.

      • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

      Note

      You can click Add User to create multiple RAM users at a time.

    5. In the Access Mode section, select Console Password Logon and configure the logon security settings. The settings specify whether to use a system-generated or custom logon password, reset the password upon the next logon, and enable multi-factor authentication (MFA). For more information, see the "Console Access" section of the Create a RAM user topic.

    6. Click OK.

  2. Create a policy that allows the RAM user to assume any role.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

    4. Enter the following policy content in the code editor and click Next to edit policy information.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "ram:PassRole",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    5. Configure the Name and Description parameters.

    6. Click OK.

  3. Attach the policy to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user that you created, and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, add the created policy to the Selected section.

    4. Click Grant permissions.

    5. Click Close.

References