All Products
Search
Document Center

Realtime Compute for Apache Flink:Grant permissions on namespaces

最終更新日:Oct 18, 2024

To allow multiple users to collaborate in a namespace in the development console of Realtime Compute for Apache Flink, such as performing SQL development and O&M, you can add members to the namespace and assign roles that have predefined permissions to the members. You can also create custom roles to grant permissions based on your business requirements. This improves the flexibility of permission management and ensures security. This topic describes how to create custom roles, add members, and assign roles to members.

Common issues and solutions

  • You fail to access a namespace after you log on to the development console of Realtime Compute for Apache Flink. A message appears to indicate that no namespace is available within your account.

    image

    This issue indicates that you do not have the permissions to access the current namespace. To obtain the permissions to access the namespace, contact the namespace owner or a member who has the permissions to manage members. For more information about how to grant the permissions, see the Manage members section of this topic. After you obtain the permissions, reopen or refresh the page to access the namespace.

  • You cannot use specific features or you cannot perform specific operations in a namespace. For example, you cannot deploy, start, or stop a job.

    image

    This issue indicates that you do not have the permissions to perform the corresponding operations. To obtain the permissions, click the Role Management tab on the Permissions page to view the permissions of different roles and the members to whom the roles are assigned. Then, contact the namespace owner or a member who has the permissions to manage roles. For more information about roles and role permissions, see the Manage roles section of this topic.

    image

Manage members

Add a member

  1. Log on to the development console of Realtime Compute for Apache Flink as a member who has the permissions to add members, such as a namespace owner.

  2. In the top navigation bar, select the namespace that you want to manage from the drop-down list.

    image.png

  3. In the left-side navigation pane, choose security > Permissions. On the Permissions page, click the Members tab.

  4. On the Members tab, click Add Member. In the Add Member dialog box, add a member and select a role for the member by configuring the following parameters.

    项目空间授权.png

    • Select RAM account: Select an existing Resource Access Management (RAM) user or RAM role in the current Alibaba Cloud account. You can select multiple RAM users and RAM roles.

    • Add account manually: Enter the ID of another Alibaba Cloud account, a RAM user, or a RAM role that you want to add.

      Note

      For more information about how to view the ID of an Alibaba Cloud account, a RAM user, or a RAM role, see the View the ID of an Alibaba Cloud account, a RAM user, or a RAM role section of this topic.

    • Role: Select a predefined or custom role from the drop-down list. To view the permissions of a role, find the role that you want to view on the Role Management tab and click View permissions in the Actions column.

  1. Click OK.

  2. The added member can log on to the development console of Realtime Compute for Apache Flink to access and use the namespace.

    Note

    If the member has already logged on, the member can refresh the page to access the namespace.

Modify and delete a member

  • Modify a member

    Make sure that you have the permissions to modify members. On the Members tab, find the member who you want to modify and click Edit in the Actions column. You can assign another predefined or custom role to the member. For more information about how to view the permissions of an existing custom role, see the View permissions of and members associated with a role section of this topic.

  • Delete a member

    Make sure that you have the permissions to delete members. On the Members tab, find the member who you want to delete and click Delete in the Actions column. After the member is deleted, the member immediately has no permission to access the namespace.

Manage roles

Roles and role permissions

Realtime Compute for Apache Flink supports the roles of the following types:

  • Predefined roles: owner, editor, and viewer. Predefined roles cannot be deleted and their permissions cannot be modified.

  • Custom roles: Custom roles can be created, modified, and deleted by members who are assigned the owner role or a role that has the related permissions. A custom role must have a larger scope of permissions than the viewer role. You can create up to 10 custom roles in a namespace.

Note

Only members who are assigned the editor or owner role can be granted permissions that are not included in the following table, such as the permissions to manage metadata or manage user-defined functions (UDFs) in SQL.

The following table describes the permissions of different roles.

First-level permission

Second-level permission

owner

editor

viewer

Associated permissions for custom roles

Use the extract, transform, and load (ETL) feature for SQL development

View SQL drafts

N/A

Create and modify SQL drafts

By default, the permissions to view SQL drafts are included.

Debug SQL drafts

By default, the permissions to create and modify SQL drafts and view session clusters are included.

Validate SQL drafts

By default, the permissions to debug SQL drafts are included.

Delete SQL drafts

By default, the permissions to view SQL drafts are included.

Deploy SQL drafts

By default, the permissions to validate SQL drafts are included.

View UDF JAR files

N/A

Manage deployments

View deployments

N/A

Create JAR and Python deployments

By default, the permissions to view deployments and artifacts are included.

Update deployment configurations

By default, the permissions to view deployments are included.

Delete deployments

By default, the permissions to view deployments are included.

Start/Stop jobs

By default, the permissions to view deployments are included.

Manage artifacts

View artifacts

By default, the permissions to view deployments are included.

Upload artifacts

By default, the permissions to view artifacts are included.

Delete artifacts

By default, the permissions to view artifacts are included.

Download artifacts

By default, the permissions to view artifacts are included.

Manage session clusters

Delete session clusters

By default, the permissions to view session clusters are included.

View session clusters

N/A

Create session clusters

By default, the permissions to view session clusters are included.

Update session cluster configurations

By default, the permissions to view session clusters are included.

Start/Stop session clusters

By default, the permissions to view session clusters are included.

Perform security-related operations

View members

N/A

Create members

By default, the permissions to view members are included.

Modify members

By default, the permissions to view members are included.

Delete members

By default, the permissions to view members are included.

View roles

N/A

Create roles

By default, the permissions to view roles are included.

Modify roles

By default, the permissions to view roles are included.

Delete roles

By default, the permissions to view roles are included.

View variables

N/A

Create variables

By default, the permissions to view variables are included.

Delete variables

By default, the permissions to view variables are included.

Manage configurations

View job templates

N/A

Modify job templates

By default, the permissions to view job templates are included.

Create a custom role

  1. Log on to the development console of Realtime Compute for Apache Flink as a member who is assigned the owner role or a role that has the permissions to manage roles.

  2. In the top navigation bar, select the namespace that you want to manage from the drop-down list.

    image.png

  3. In the left-side navigation pane, choose security > Permissions. On the Permissions page, click the Role Management tab.

  4. On the Role Management tab, click Add Role. In the Add a custom role panel, configure the parameters. The following table describes the parameters.

    Parameter

    Description

    Role Name

    The name of the custom role. The name can be up to 64 characters in length and can contain digits, letters, and hyphens (-). The name must start with a letter.

    Role Notes

    The description or supplementary information of the role. For example, you can specify the purpose of the role or the scope of the permissions granted to the role. The description can be up to 256 characters.

    Role Permissions

    Add permissions based on the viewer or editor role. A custom role must have a larger scope of permissions than the viewer role.

    When you add a permission, the associated permissions are automatically selected to ensure the integrity of access control. For more information about the associated permissions of a specific permission, see the "Roles and role permissions" section of this topic.

  5. Click OK. The added role appears in the list.

View, modify, and delete a role

image

  • View permissions of and members associated with a role

    On the Role Management tab, find the role that you want to manage and click View permissions in the Actions column to view the permissions of the role. Click View Members in the Actions column to view all members to which the role is assigned.

  • Modify role permissions

    • Predefined roles: You cannot modify the permissions of a predefined role.

    • Custom roles: If you have the permissions to modify a role, click Edit in the Actions column to add or remove permissions based on your business requirements.

  • Delete a role

    • Predefined roles: You cannot delete a predefined role.

    • Custom roles: Before you delete a custom role, find the associated members and assign different roles to the members or remove the members from the namespace. This operation requires the permissions to manage members and reduces security risks. For information about how to manage members, see the Modify and delete a member section of this topic. After you confirm that the role is not assigned to any members and you have the permissions to delete roles, click Delete in the Actions column to delete the role.

View the ID of an Alibaba Cloud account, a RAM user, or a RAM role

  • View the ID of an Alibaba Cloud account: Log on to the management console of Realtime Compute for Apache Flink and click the profile picture in the upper-right corner to go to Account Center. You can view the account ID on the Basic Information page.

  • View the ID of a RAM user: For more information, see View the information about a RAM user.

  • View the ID of a RAM role: For more information, see View the information about a RAM role.image

References

  • To use a RAM user or a RAM role to access the management console of Realtime Compute for Apache Flink and purchase, view, or delete a workspace, you must complete grant permissions to RAM users. For more information, see Grant permissions to a RAM user.

  • For more information about the differences between the namespace permissions described in this topic and RAM permissions, see Permission management.

  • For more information about how to use different identities, such as Alibaba Cloud accounts, RAM roles, or RAM users, to log on to the management console of Realtime Compute for Apache Flink, see Supported logon methods.