Access control
DataHub uses Resource Access Management (RAM) for access control. Only RAM users that have been granted the necessary permissions can access DataHub resources. An Alibaba Cloud account has all permissions on the resources within it. A newly created RAM user has no permissions on DataHub resources by default: you must attach a policy that grants the required DataHub permissions to the RAM user before the RAM user can access those resources. For more information about how to create a RAM user and attach policies to the user, see Bind an MFA device to an Alibaba Cloud account. This topic describes how to use RAM to implement access control for DataHub.
Grant permissions to RAM users
Types of DataHub resources that can be accessed by RAM users
RAM users can be granted access to three kinds of DataHub resources: projects, topics, and subscriptions. RAM authentication applies to these three resource types; it cannot be used to control access to shard data. A subscription is the unit by which you designate an application to read and process the records in the topics of a specific project.
| Resource type | Resource format |
| --- | --- |
| Project | acs:dhs:$region:$accountid:projects/$projectName |
| Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
API operations in DataHub and the corresponding RAM policies
Project
| Operation | Action | Resource |
| --- | --- | --- |
| CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/* |
| ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/* |
| DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName |
| GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName |
Topic
| Operation | Action | Resource |
| --- | --- | --- |
| CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Subscription
| Operation | Action | Resource |
| --- | --- | --- |
| CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
Connector
| Operation | Action | Resource |
| --- | --- | --- |
| CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
Shard
| Operation | Action | Resource |
| --- | --- | --- |
| ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| MergeShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| SplitShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
PubSub
| Operation | Action | Resource |
| --- | --- | --- |
| PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Conditions that can be applied to the RAM policies for DataHub
| Condition | Feature | Valid value |
| --- | --- | --- |
| acs:SourceIp | Specifies the IP address or CIDR block from which the request is sent. | Regular IP addresses or CIDR blocks. You can set this field to an asterisk (*) as a wildcard. |
| acs:SecureTransport | Specifies whether HTTPS is used to access the specified object. | true/false |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is used during user logon. | true/false |
| acs:CurrentTime | Specifies the time at which the specified object can be accessed. | A time in the ISO 8601 format. |
System policies
DataHub provides system policies that can be attached to RAM users. Choose the system policy that matches the level of access a RAM user needs.
AliyunDataHubFullAccess
This policy grants all permissions on DataHub to RAM users. In most cases, this policy is used to manage resources in DataHub.
AliyunDataHubReadOnlyAccess
This policy grants RAM users read-only permissions on DataHub, so that they can query the information about all resources in DataHub. For example, a RAM user with this policy can query the information about a project, view the project list, or read data, but cannot create or update resources or write data.
AliyunDataHubSubscribeAccess
This policy grants RAM users the permissions to subscribe to data in DataHub. This policy can be used to call only the API operations that involve data reads, including GetTopic, ListShard, GetRecords, and all operations related to subscriptions and offsets.
AliyunDataHubPublishAccess
This policy grants RAM users the permissions to publish data to DataHub. This policy can be used to call only the API operations that involve data writes, including GetTopic, ListShard, and PutRecords.
Custom policies
If the system policies provided by DataHub do not meet your requirements, you can create custom policies. To create a custom policy, log on to the RAM console by using an Alibaba Cloud account, choose Permissions > Policies in the left-side navigation pane, and click Create Policy on the Policies page. Sample custom policies:
Display the accessible projects in the DataHub console
// To allow a RAM user to view the projects that the RAM user has the permissions to access in the DataHub console, add the following configurations to the statement block.
// To display the accessible projects in the DataHub console, the permissions to call the ListProject and GetProject operations are required.
{
"Action": ["dhs:ListProject","dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
}
Create a topic in the DataHub console
// To display the topics of a project in the DataHub console, the permissions to call the ListTopic and GetTopic operations are required.
// To grant a RAM user the permissions to create a topic in the project named "test" in the DataHub console, use the following configurations.
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListProject", "dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
},
{
"Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
"Resource": "acs:dhs:*:*:projects/test/topics/*",
"Effect": "Allow"
}
]
}
Other custom policies
// Sample custom policy that grants a RAM user the permissions to query the information about topics in a specified project.
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListTopic", "dhs:GetTopic"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
"Effect": "Allow"
}
]
}
// Sample custom policy that grants a RAM user all the permissions on subscriptions to topics in the project named "foo".
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Subscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// Sample custom policy that grants a RAM user the permissions to query the information about subscriptions to topics in the project named "foo".
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// Sample custom policy that grants a RAM user the permissions to commit offsets for the subscription with the ID "14985645198374IoCK" to topic t1 in the project named "foo".
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:GetSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
"Effect": "Allow"
}
]
}
// Sample custom policy that grants a RAM user the permissions to split or merge shards for a specified topic. The available operations are ListShard, SplitShard, and MergeShard.
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Shard"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
"Effect": "Allow"
}
]
}
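The sample policies above rely on two things a reader has to work out by hand: which RAM action an API operation is checked against (CommitOffset is authorized by dhs:GetSubscription, SplitShard by dhs:UpdateShard, per the operation tables), and how the asterisk in Action and Resource expands. The following Python script is an added illustration, not Alibaba Cloud's policy engine or any DataHub SDK code: it is a small, deny-by-default matcher that replays the page's offset and shard policies and a constructed policy that uses the acs:SecureTransport and acs:SourceIp conditions from the conditions table. The operator-keyed layout of the "Condition" block (for example "Bool" and "IpAddress") is an assumption, and the 192.0.2.0/24 CIDR and 198.51.100.7 address are constructed test values.

```python
"""Deny-by-default matcher for the DataHub RAM policies shown on this page.

Added illustration, not Alibaba Cloud's evaluation engine. It models Allow and
Deny statements, '*' wildcards in Action and Resource, and the acs:SourceIp,
acs:SecureTransport and acs:MFAPresent condition keys. The operator -> key ->
value layout of the "Condition" block is an assumption.
"""
import ipaddress
import re

# Operations whose RAM action has a different name (from the operation tables
# on this page). Every other operation maps to "dhs:<OperationName>".
OPERATION_ACTION = {
    "CommitOffset": "dhs:GetSubscription",
    "GetOffset": "dhs:GetSubscription",
    "GetCursor": "dhs:GetRecords",
    "MergeShard": "dhs:UpdateShard",
    "SplitShard": "dhs:UpdateShard",
}


def action_for(operation):
    """Return the RAM action that authorizes an API operation."""
    return OPERATION_ACTION.get(operation, "dhs:" + operation)


def glob_match(pattern, value):
    """'*' matches any run of characters (including '/'); everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_ok(condition, context):
    """Every clause must hold; a missing context key or unknown operator fails closed."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() not in {str(w).lower() for w in _as_list(wanted)}:
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(w == "*" or ip in ipaddress.ip_network(w, strict=False)
                           for w in _as_list(wanted)):
                    return False
            else:
                return False
    return True


def statement_matches(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all cover the request."""
    return (any(glob_match(a, action) for a in _as_list(stmt["Action"]))
            and any(glob_match(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_ok(stmt.get("Condition", {}), context))


def is_allowed(policy, operation, resource, context=None):
    """An explicit Deny wins; otherwise some Allow must match; otherwise denied."""
    action = action_for(operation)
    matched = [s for s in policy["Statement"]
               if statement_matches(s, action, resource, context or {})]
    if any(s.get("Effect") == "Deny" for s in matched):
        return False
    return any(s.get("Effect") == "Allow" for s in matched)


# The next two policies are copied from the samples on this page.
OFFSET_POLICY = {"Version": "1", "Statement": [{
    "Action": ["dhs:GetSubscription"],
    "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
    "Effect": "Allow"}]}
SHARD_POLICY = {"Version": "1", "Statement": [{
    "Action": ["dhs:*Shard"],
    "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
    "Effect": "Allow"}]}
# Constructed policy: publish to one topic only over HTTPS and from one CIDR.
PUBLISH_POLICY = {"Version": "1", "Statement": [{
    "Action": ["dhs:PutRecords"],
    "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
    "Effect": "Allow",
    "Condition": {"Bool": {"acs:SecureTransport": "true"},
                  "IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}}]}

SUB = "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/t1/subscriptions/14985645198374IoCK"
BAR = "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar"

if __name__ == "__main__":
    print(is_allowed(OFFSET_POLICY, "CommitOffset", SUB))      # True
    print(is_allowed(OFFSET_POLICY, "DeleteSubscription", SUB))  # False
    print(is_allowed(SHARD_POLICY, "SplitShard", BAR))           # True
    print(is_allowed(PUBLISH_POLICY, "PutRecords", BAR,
                     {"acs:SecureTransport": "true", "acs:SourceIp": "192.0.2.10"}))  # True
    print(is_allowed(PUBLISH_POLICY, "PutRecords", BAR,
                     {"acs:SecureTransport": "false", "acs:SourceIp": "192.0.2.10"}))  # False
```

Two points the run makes visible: the offset policy's account wildcard lets it match a concrete account ID while still pinning the subscription ID, so CommitOffset on a different subscription is refused; and because dhs:*Shard expands to both dhs:ListShard and dhs:UpdateShard, the shard policy covers ListShard, SplitShard and MergeShard on topic bar and nothing else, which is the least-privilege shape to aim for when a RAM user only needs to rescale one topic.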