
ApsaraDB for HBase: Customize a RAM policy

Last Updated: Apr 03, 2024

You can use system policies to grant RAM users permissions on all ApsaraDB for HBase resources. You can also use custom policies as needed to grant RAM users specific operation permissions on specific instances. This topic describes how to customize a RAM policy.

Grant RAM users permissions on ApsaraDB for HBase resources

For more information about how to create a custom RAM policy, see Create custom policies.

You can use RAM to grant permissions on only ApsaraDB for HBase instances. When you use RAM to grant permissions, you can specify resources in the Resource field of the policy.

| Resource type | Resource description in the policy |
| --- | --- |
| dbinstance | acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid |

The following table describes the parameters.

| Parameter | Description |
| --- | --- |
| regionid | The ID of the region. |
| accountid | The ID of the Alibaba Cloud account. |
| dbinstanceid | The ID of the instance. |

Examples

In this example, the authorized RAM user can view all the instances, create instances, and expand the storage of only the specified instance. The expiration date of the policy is August 17, 2020.

{
    "Statement": [
        {
            "Action": [
                "hbase:CreateCluster",
                "hbase:ResizeDiskSize"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        },
        {
            "Action": [
                "hbase:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        }
    ],
    "Version": "1"
}
Note: For more information about permission settings, see Policy structure and syntax.

Authentication rules of ApsaraDB for HBase API operations

When you call API operations to access resources as a RAM user, ApsaraDB for HBase checks whether you are granted the required permissions. The permissions that ApsaraDB for HBase checks are determined by the API syntax and the resources that are requested by the API operation. In this example, the API operation is CreateCluster, and the authentication rule applies to acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid.
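Because the permission check is made against acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid, a policy can be linted before it is attached for Resource strings that deviate from that format and for DateLessThan conditions that have already lapsed. The following is an added example, not Alibaba Cloud code; the function name, the sample account and instance IDs, and the acceptance of "*" as a wildcard are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Format documented on this page:
#   acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid
# Assumption: "*" may stand in for a segment or for the whole Resource.
ARN_RE = re.compile(r"^acs:hbase:[^:/]+:(\d+|\*):dbinstance/[^:/]+$")

# Constructed sample: the account ID and instance ID are placeholders.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["hbase:ResizeDiskSize"],
     "Resource": ["acs:hbase:cn-hangzhou:1234567890123456:dbinstance/hb-example0001"],
     "Condition": {"DateLessThan": {"acs:CurrentTime": "2020-08-17T23:59:59+08:00"}}},
    {"Effect": "Allow", "Action": ["hbase:Describe*"],
     "Resource": ["acs:hbase:cn-hangzhou:dbinstance:1234567890123456/hb-example0001"]}
  ]
}
"""

def lint_policy(policy_text, now):
    """Return (statement_index, message) findings for a RAM policy document."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # tolerate a single string as well as a list
            resources = [resources]
        for res in resources:
            if res != "*" and not ARN_RE.match(res):
                findings.append((i, f"malformed resource: {res}"))
        # Timestamps are expected to carry a UTC offset, as in the page's example.
        limit = stmt.get("Condition", {}).get("DateLessThan", {}).get("acs:CurrentTime")
        if limit is None:
            findings.append((i, "no DateLessThan expiry"))
        elif datetime.fromisoformat(limit) <= now:
            findings.append((i, f"expired at {limit}"))
    return findings

if __name__ == "__main__":
    now = datetime(2020, 8, 18, tzinfo=timezone(timedelta(hours=8)))
    for index, message in lint_policy(SAMPLE_POLICY, now):
        print(f"Statement[{index}]: {message}")
```

The second statement in the sample has the account ID and the resource type swapped, which the format check reports; the first statement is reported only once the evaluation time passes its DateLessThan value.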