
Realtime Compute for Apache Flink:Grant namespace permissions

Last updated: Aug 15, 2024

To allow multiple users to collaborate in a namespace in the development console of Realtime Compute for Apache Flink, for example to perform SQL development and O&M, you can add members to the namespace and assign them roles that carry predefined permissions. You can also create custom roles to grant only the permissions that a member's work requires. This keeps permission management flexible while limiting each member to least privilege. This topic describes how to create custom roles, add members, and assign roles to members.

Common issues and solutions

  • Access to a namespace is denied after you log on to the development console of Realtime Compute for Apache Flink. A message appears to notify you that no namespace is available.


    This issue indicates that you do not have the permissions to access the current namespace. To obtain the permissions, contact the namespace owner or a member who has the permissions to manage members. For information about how to grant the permissions, see Manage members. After you obtain the permissions, reopen or refresh the page to access the namespace.

  • Specific features are not available or specific operations are not allowed in a namespace. For example, you cannot deploy, start, or stop a job.


    This issue indicates that you do not have the permissions to perform the corresponding operations. To obtain the permissions, click the Role Management tab on the Security page to view the permissions of different roles and the members to which the roles are assigned. Then, contact the namespace owner or a member who has the permissions to manage roles. For information about the permissions of different roles, see Manage roles.


Manage members

Add a member

  1. Log on to the development console of Realtime Compute for Apache Flink with an identity that has the permissions to add members, such as a member with the owner role or a custom role that includes the Create members permission.

  2. In the top navigation bar, select the namespace you want to manage from the drop-down list.


  3. In the left-side navigation pane, click Security. On the page that appears, click the Members tab.

  4. Click Add Member to add a member and configure the Role parameter for the member.


    • Select RAM account: Select an existing Resource Access Management (RAM) user or RAM role in the current Alibaba Cloud account. You can select multiple RAM users and RAM roles.

    • Add account manually: Enter the ID of another Alibaba Cloud account, a RAM user, or a RAM role that you want to add.

      Note

      For information about how to view the ID of an Alibaba Cloud account, a RAM user, or a RAM role, see View the ID of an Alibaba Cloud account, a RAM user, or a RAM role.

    • Role: Select a predefined or custom role from the drop-down list. To view the permissions of a specific role, find the role that you want to view on the Role Management tab and click View permissions in the Actions column.

  5. Click OK.

  6. The added member can log on to the development console of Realtime Compute for Apache Flink to access and use the namespace.

    Note

    If the member is already logged on, the member can refresh the page to access the namespace.

Modify and delete a member

  • Modify a member

    Make sure that you have the permissions to modify members. Find the member you want to modify and click Edit in the Actions column. You can assign another predefined or custom role to the member. For information about how to view the permissions of an existing custom role, see View role permissions and members.

  • Delete a member

    Make sure that you have the permissions to delete members. Find the member you want to delete and click Delete in the Actions column. The member immediately loses access to the namespace. Removing a member revokes only namespace permissions; the RAM permissions of the underlying RAM user or RAM role are unchanged and must be managed separately in RAM (see Permission management in the References section).

Manage roles

Roles and permissions

Realtime Compute for Apache Flink supports the following roles:

  • Predefined roles: owner, editor, and viewer. Predefined roles cannot be deleted and their permissions cannot be modified.

  • Custom roles: Custom roles can be created, modified, and deleted by members with the owner role or a role that has the related permissions. A custom role must include at least the permissions of the viewer role. You can create up to 10 custom roles in a namespace.

Note

Features that are not listed in the following table, such as metadata management and the management of user-defined functions (UDFs) in SQL, are available only to members with the editor or owner role. They cannot be granted to a custom role.

The following table lists the permissions that can be granted, grouped by feature, and the associated permissions that are automatically included when a permission is granted to a custom role.

First-level permissions | Second-level permissions | Associated permissions for custom roles
----------------------- | ------------------------ | --------------------------------------
SQL Editor | View the list of SQL drafts | N/A
SQL Editor | Create and modify SQL drafts | View the list of SQL drafts
SQL Editor | Debug SQL drafts | Create and modify SQL drafts; View session clusters
SQL Editor | Validate SQL drafts | Debug SQL drafts
SQL Editor | Delete SQL drafts | View the list of SQL drafts
SQL Editor | Deploy SQL drafts | Validate SQL drafts
SQL Editor | View the list of UDF JAR files | N/A
Deployments | View the list of deployments | N/A
Deployments | Create JAR and Python deployments | View the list of deployments; View the list of artifacts
Deployments | Update deployment configurations | View the list of deployments
Deployments | Delete deployments | View the list of deployments
Deployments | Start/Stop jobs | View the list of deployments
Artifacts | View the list of artifacts | View the list of deployments
Artifacts | Upload artifacts | View the list of artifacts
Artifacts | Delete artifacts | View the list of artifacts
Artifacts | Download artifacts | View the list of artifacts
Session Clusters | View session clusters | N/A
Session Clusters | Create session clusters | View session clusters
Session Clusters | Update session cluster configurations | View session clusters
Session Clusters | Start/Stop session clusters | View session clusters
Session Clusters | Delete session clusters | View session clusters
Security | View the list of members | N/A
Security | Create members | View the list of members
Security | Modify members | View the list of members
Security | Delete members | View the list of members
Security | View roles | N/A
Security | Create roles | View roles
Security | Modify roles | View roles
Security | Delete roles | View roles
Security | View the list of keys | N/A
Security | Create keys | View the list of keys
Security | Delete keys | View the list of keys
Configurations | View job templates | N/A
Configurations | Modify job templates | View job templates

Associated permissions apply transitively. For example, Deploy SQL drafts includes Validate SQL drafts, which includes Debug SQL drafts, which in turn includes Create and modify SQL drafts and View session clusters.

Create a custom role

  1. Make sure that you are assigned the owner role or a role that has the permissions to manage roles. Log on to the development console of Realtime Compute for Apache Flink.

  2. In the top navigation bar, select the namespace you want to manage from the drop-down list.


  3. In the left-side navigation pane, click Security. On the page that appears, click the Role Management tab.

  4. Click Add Role and configure the parameters. The following table describes the parameters.

    Parameter

    Description

    Role Name

    Enter a name for the custom role. The name can be up to 64 characters in length and can contain digits, letters, and hyphens (-). The name must start with a letter.

    Role Notes

    Enter a description or supplementary information for the role. For example, you can specify the purpose of the role or the scope of the permissions granted to the role. You can enter up to 256 characters.

    Role Permissions

    Add permissions based on the viewer or editor role. A custom role must include at least the permissions of the viewer role.

    When you add a permission, the associated permissions are automatically selected to ensure the integrity of access control. For information about the associated permissions of a specific permission, see the "Roles and permissions" section of this topic.

  5. Click OK. The added role appears in the list.
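The "Associated permissions" column of the Roles and permissions table and the automatic selection in step 4 together form a small directed graph over permissions: granting one permission pulls in everything it is associated with, transitively. The following Python script is an added example and is not Alibaba Cloud code. It encodes the table's associations, expands a requested permission set to the closure the console would select, reports which permissions were added beyond the request (a least-privilege review aid), and checks the Role Name rule, the 10-role limit, and the rule that a custom role must cover the viewer role. The snake_case permission identifiers and the viewer baseline (all "view" permissions of the table) are assumptions made for the example; the page publishes neither a machine-readable permission list nor the exact viewer permission set.

```python
import re

# Associated permissions, taken from the "Roles and permissions" table:
# granting the key permission also selects every permission in its value set.
# Identifiers are snake_case renderings of the table's second-level names
# (an assumption for this example; the console shows the English names).
ASSOCIATED = {
    # SQL Editor
    "view_sql_drafts": set(),
    "create_modify_sql_drafts": {"view_sql_drafts"},
    "debug_sql_drafts": {"create_modify_sql_drafts", "view_session_clusters"},
    "validate_sql_drafts": {"debug_sql_drafts"},
    "delete_sql_drafts": {"view_sql_drafts"},
    "deploy_sql_drafts": {"validate_sql_drafts"},
    "view_udf_jars": set(),
    # Deployments
    "view_deployments": set(),
    "create_jar_python_deployments": {"view_deployments", "view_artifacts"},
    "update_deployment_config": {"view_deployments"},
    "delete_deployments": {"view_deployments"},
    "start_stop_jobs": {"view_deployments"},
    # Artifacts
    "view_artifacts": {"view_deployments"},
    "upload_artifacts": {"view_artifacts"},
    "delete_artifacts": {"view_artifacts"},
    "download_artifacts": {"view_artifacts"},
    # Session Clusters
    "view_session_clusters": set(),
    "create_session_clusters": {"view_session_clusters"},
    "update_session_cluster_config": {"view_session_clusters"},
    "start_stop_session_clusters": {"view_session_clusters"},
    "delete_session_clusters": {"view_session_clusters"},
    # Security
    "view_members": set(),
    "create_members": {"view_members"},
    "modify_members": {"view_members"},
    "delete_members": {"view_members"},
    "view_roles": set(),
    "create_roles": {"view_roles"},
    "modify_roles": {"view_roles"},
    "delete_roles": {"view_roles"},
    "view_keys": set(),
    "create_keys": {"view_keys"},
    "delete_keys": {"view_keys"},
    # Configurations
    "view_job_templates": set(),
    "modify_job_templates": {"view_job_templates"},
}

# Assumption for this example: the viewer role holds exactly the "view"
# permissions of the table. The page does not list them explicitly.
VIEWER_BASELINE = frozenset(p for p in ASSOCIATED if p.startswith("view_"))

# Role Name rule from the "Create a custom role" parameter table: up to 64
# characters, letters, digits and hyphens, must start with a letter.
ROLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,63}$")
MAX_CUSTOM_ROLES = 10  # per namespace


def expand(requested):
    """Return `requested` plus every permission it transitively pulls in,
    mirroring the console's automatic selection of associated permissions."""
    closure = set()
    stack = list(requested)
    while stack:
        perm = stack.pop()
        if perm not in ASSOCIATED:
            raise ValueError(f"unknown permission: {perm}")
        if perm in closure:
            continue
        closure.add(perm)
        stack.extend(ASSOCIATED[perm])
    return closure


def implied_extras(requested):
    """Permissions the console adds beyond what was explicitly requested.
    Ticking 'Deploy SQL drafts', for instance, also grants session-cluster
    visibility; a least-privilege review should see that."""
    return expand(requested) - set(requested)


def validate_custom_role(name, requested, existing_custom_roles):
    """Check a proposed custom role against the rules on this page.
    Returns (granted_permissions, errors); `existing_custom_roles` is the
    number of custom roles already defined in the namespace."""
    errors = []
    if not ROLE_NAME.match(name):
        errors.append("role name must start with a letter and contain only "
                      "letters, digits and hyphens (max 64 characters)")
    if existing_custom_roles >= MAX_CUSTOM_ROLES:
        errors.append(f"namespace already has {MAX_CUSTOM_ROLES} custom roles")
    try:
        granted = expand(requested)
    except ValueError as exc:
        return set(), errors + [str(exc)]
    missing = VIEWER_BASELINE - granted
    if missing:
        errors.append("custom role must include the viewer role's permissions; "
                      "missing: " + ", ".join(sorted(missing)))
    return granted, errors


if __name__ == "__main__":
    # A role that may deploy SQL drafts and start/stop jobs, on top of viewer.
    wanted = {"deploy_sql_drafts", "start_stop_jobs"}
    print("implied extras:", sorted(implied_extras(wanted)))
    granted, errors = validate_custom_role(
        "sql-deployer", wanted | VIEWER_BASELINE, existing_custom_roles=3)
    print(len(granted), "permissions;", errors or "ok")
```

Run `implied_extras` on the permissions you intend to tick before creating the role: the difference between what you asked for and what the console will actually grant is the part of a custom role that is easiest to overlook in a review.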

View, modify, and delete a role


  • View permissions and members associated with a role

    Click View permissions in the Actions column to view the permissions of the role. Click View Members to view all members to which the role is assigned.

  • Modify role permissions

    • Predefined roles: You cannot modify the permissions of a predefined role.

    • Custom roles: If you have the permissions to modify a role, click Edit in the Actions column to add or remove permissions based on your business requirements.

  • Delete a role

    • Predefined roles: You cannot delete a predefined role.

    • Custom roles: Before you delete a custom role, find the members to which it is assigned and either assign a different role to them or remove them from the namespace. This requires the permissions to manage members, and it avoids leaving members attached to a role that no longer exists. For information about how to manage members, see Modify and delete a member. After you confirm that the role is not assigned to any member and that you have the permissions to delete roles, click Delete in the Actions column to delete the role.

View the ID of an Alibaba Cloud account, a RAM user, or a RAM role

  • ID of an Alibaba Cloud account: Log on to the management console of Realtime Compute for Apache Flink and click the profile picture in the upper-right corner to go to Account Center. You can view Account ID on the Security Settings page.

  • ID of a RAM user: For more information, see View the information about a RAM user.

  • ID of a RAM role: For more information, see View the information about a RAM role.

References

  • To use a RAM user or a RAM role to access the management console of Realtime Compute for Apache Flink and purchase, view, or delete a workspace, you must complete RAM-based authorization. For more information, see Grant permissions to a RAM user.

  • For information about the differences between the namespace permissions described in this topic and RAM permissions, see Permission management.

  • For information about how to use different identities, such as Alibaba Cloud accounts, RAM roles, and RAM users, to log on to the management console of Realtime Compute for Apache Flink, see Supported logon methods.