This topic describes how to log on to Hologres by using role-based single sign-on (SSO).
Background information
Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the Alibaba Cloud Management Console and then manage and use cloud resources. However, enterprises that have stricter security requirements may prefer to use the role-based SSO method. For more information, see Overview.
Scenarios
Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the Alibaba Cloud Management Console and then manage and use cloud resources. However, as the regulatory requirements for enterprise security become increasingly strict, enterprises that want centralized management of logon authentication information prefer to use SSO to log on to the Alibaba Cloud Management Console. After you use SSO to log on to an application system, you can access multiple trusted application systems without the need to log on for a second time. Hologres supports role-based SSO. For more information, see Overview. Role-based SSO allows you to access a Hologres instance by using your enterprise account to assume a RAM role. Access permissions are granted to the RAM role.
The role-based SSO logon process works as follows:
1. A user opens the logon page of the identity provider (IdP) in a browser and selects Alibaba Cloud as the required service.
In this example, the IdP is Microsoft Active Directory Federation Services (AD FS). Therefore, the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.
Note: Some IdPs require users to log on before the users can select the SSO application that represents Alibaba Cloud.
2. The IdP generates a Security Assertion Markup Language (SAML) response and returns the response to the browser.
3. The browser redirects the user to the SSO service page and forwards the SAML response to the SSO service.
4. The SSO service uses the SAML response to request a Security Token Service (STS) token from Alibaba Cloud STS. Then, the SSO service generates a URL that the user can use to log on to the Alibaba Cloud Management Console by using the STS token.
Note: If the SAML response contains attributes that map to multiple RAM roles, the user is prompted to select a role first.
5. The SSO service returns the URL to the browser.
6. The browser redirects the user to the URL. The user then uses an enterprise account to log on to the Alibaba Cloud Management Console and assumes the selected RAM role to log on to a Hologres instance.
Access methods supported by Hologres
Hologres supports the following access methods:
Log on to the Alibaba Cloud Management Console and access Hologres by using an Alibaba Cloud account or a RAM user.
You can log on to the Alibaba Cloud Management Console by using the username and password of an Alibaba Cloud account or a RAM user. Then, you can access Hologres. In this case, the Alibaba Cloud account or RAM user becomes a member of a Hologres instance and has permissions to use Hologres features.
Log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO.
You can also log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO. For more information, see Overview. In this case, the RAM role becomes a member of a Hologres instance. The user that assumes this RAM role has the same permissions as an Alibaba Cloud account or a RAM user. For information about RAM roles, see RAM role overview.
In Hologres, RAM roles have the same status as Alibaba Cloud accounts and RAM users. Therefore, Hologres treats a RAM role as an ordinary account. A superuser must grant permissions, such as the SELECT, INSERT, and UPDATE permissions, to the RAM role itself, not to the Alibaba Cloud account or RAM user that assumes the role. After that, the RAM role can use Hologres based on the granted permissions.
Introduction to role-based SSO
Access to Hologres by using role-based SSO is implemented based on Alibaba Cloud STS. STS is a cloud service that provides temporary access control for Alibaba Cloud accounts and RAM users. You can use STS to issue an access credential that has a custom validity period and custom access permissions to a user that is managed by your on-premises account system. The user can use the temporary STS access credential to connect to Hologres and use the authorized resources.
STS tokens provide the following benefits:
STS tokens reduce the risk of disclosing the AccessKey ID and AccessKey secret of your Alibaba Cloud account. You only need to generate a temporary access credential for users to use.
STS tokens allow you to flexibly control access to resources and impose time limits. Therefore, you do not need to manually revoke permissions. A temporary access credential automatically becomes invalid upon expiration.
To create a RAM role and authorize the role to access Hologres, perform the following steps:
Step 1: Create a RAM role
Log on to the Resource Access Management (RAM) console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account or IdP.
If you want an Alibaba Cloud account or a RAM user to assume the RAM role by switching the identity in the Alibaba Cloud Management Console, set the Select Trusted Entity parameter to Alibaba Cloud Account. For more information, see Assign a RAM role to a RAM user and grant permissions.
If you want an on-premises IdP to assume the RAM role, set the Select Trusted Entity parameter to IdP. For more information, see Assign a RAM role to an IdP and grant permissions.
Assign a RAM role to a RAM user and grant permissions
If you want a RAM user to assume a RAM role by switching the identity in the Alibaba Cloud Management Console, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.
Create a RAM role for a trusted Alibaba Cloud account.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.
Click Next. In the Configure Role step, specify a name for the RAM role and set the Select Trusted Alibaba Cloud Account parameter to Current Alibaba Cloud Account.
Click OK. The Finish step shows that the RAM role is created.
Modify the trust policy of the RAM role.
On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
On the Trust Policy tab, click Edit Trust Policy and replace the policy content with the following script.
Parameters:
When you configure the policy, replace Alibaba Cloud account ID in acs:ram::Alibaba Cloud account ID:root in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID.
Script:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::Alibaba Cloud account ID:root"
        ]
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dataworks.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click Save trust policy document.
Create a RAM user and grant the RAM user the permissions to assume a role.
To assign a RAM role to a RAM user, you must first create a RAM user and grant the RAM user the permissions to assume a role.
Log on to the RAM console. In the left-side navigation pane, choose .
Optional. Click Create User to create one or more RAM users at a time. If a RAM user is available, skip this step. For more information about how to create a RAM user, see Create a RAM user.
On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.
In the Add Permissions panel, attach the AliyunSTSAssumeRoleAccess policy to the RAM user that you created. After that, the RAM user has the permissions to call the AssumeRole operation of STS.
Click OK.
Assign a RAM role to an IdP and grant permissions
If you want an on-premises IdP to log on to the Alibaba Cloud Management Console to assume a RAM role, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.
Create a RAM role for a trusted IdP.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.
Click Next. In the Configure Role step, set the RAM Role Name and Note parameters.
Configure the IdP Type and Select IdP parameters, view the conditions, and then click OK. The Finish step shows that the RAM role is created.
Modify the trust policy of the RAM role.
On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
On the Trust Policy tab, click Edit Trust Policy and replace the policy content with the following script.
Parameters:
When you configure the policy, replace Alibaba Cloud account ID in acs:ram::Alibaba Cloud account ID:saml-provider/IDP in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID.
Script:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "acs:ram::Alibaba Cloud account ID:saml-provider/IDP"
        ]
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dataworks.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click Save trust policy document.
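The two trust policies above (the RAM-user one and the IdP one) decide who may call sts:AssumeRole on the role, so a misplaced account ID, a wildcard principal, or a missing saml:recipient condition widens who can log on to Hologres. The following checker is an added example, not Alibaba Cloud's code: it assumes a constructed 16-digit account ID and treats the dataworks.aliyuncs.com service principal from the page's policies as the only expected service principal.

```python
import json

# Constructed sample: the IdP trust policy from this page with a constructed account ID.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"saml:recipient": "https://signin.aliyun.com/saml-role/sso"}},
         "Effect": "Allow",
         "Principal": {"Federated": ["acs:ram::1234567890123456:saml-provider/IDP"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["dataworks.aliyuncs.com"]}},
    ],
    "Version": "1",
})

SAML_RECIPIENT = "https://signin.aliyun.com/saml-role/sso"   # value required by the page's policy
ALLOWED_SERVICES = {"dataworks.aliyuncs.com"}                 # assumption: the only expected service

def check_trust_policy(policy_json, account_id):
    """Return a list of findings; an empty list means every statement matches what the page prescribes."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            findings.append(f"statement {i}: only Allow sts:AssumeRole belongs in a trust policy")
        for kind, arns in stmt.get("Principal", {}).items():
            for arn in ([arns] if isinstance(arns, str) else arns):
                if "*" in arn:   # a wildcard lets any identity assume the role
                    findings.append(f"statement {i}: wildcard principal {arn!r}")
                    continue
                if kind == "Service":
                    if arn not in ALLOWED_SERVICES:
                        findings.append(f"statement {i}: unexpected service principal {arn!r}")
                    continue
                parts = arn.split(":")   # acs:ram::<account ID>:<resource>
                if len(parts) != 5 or parts[3] != account_id:
                    findings.append(f"statement {i}: principal {arn!r} is not in account {account_id}")
                if kind == "Federated":
                    if not parts[-1].startswith("saml-provider/"):
                        findings.append(f"statement {i}: Federated principal must be a saml-provider")
                    recipient = stmt.get("Condition", {}).get("StringEquals", {}).get("saml:recipient")
                    if recipient != SAML_RECIPIENT:
                        findings.append(f"statement {i}: saml:recipient condition missing or wrong")
                elif kind != "RAM":
                    findings.append(f"statement {i}: unknown principal type {kind!r}")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_POLICY, "1234567890123456") or "policy OK")
```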
Step 2: Add the RAM role to a Hologres instance and grant permissions to the role
Before the RAM role can use Hologres based on the granted permissions, the role must obtain the required development permissions on the Hologres instance. By default, the RAM role does not have the permissions to view or manage instances in the Hologres console. Therefore, you must first use your Alibaba Cloud account to grant the required permissions to the RAM role. For more information, see Grant permissions on Hologres to RAM users. After you add the RAM role to a Hologres instance, you can use one of the following methods to grant permissions to the RAM role:
Grant permissions to the RAM role in the Hologres console.
On the Instances page, click the Hologres instance that you want to manage. In the navigation pane, click Account Management. On the User Management page, click Add New User. In the Add New User dialog box, select a RAM role and add it to the Hologres instance.
In the left-side navigation pane, click Database Authorization. On the Database Authorization page, grant permissions to the RAM role.
Use an SQL statement to grant permissions to the RAM role.
For more information, see Permission management overview.
By default, a RAM role does not have the permissions to perform operations in the Hologres console. If you want a RAM user to assume the RAM role, you must use your Alibaba Cloud account to attach the AliyunRAMReadOnlyAccess policy to the RAM user. Otherwise, you cannot use the RAM role to perform operations in the Hologres console. For more information, see Grant permissions on Hologres to RAM users.
Step 3: Log on to the Alibaba Cloud Management Console and use Hologres
After you complete the authorization, a user can assume the RAM role and use Hologres.
Assume the RAM role to log on to the Alibaba Cloud Management Console.
Go to the Hologres console to manage and monitor instances.
In the Hologres console, click Go to HoloWeb to go to HoloWeb to perform Hologres schema design and data development. For more information, see Connect to HoloWeb.