All Products
Search
Document Center

Realtime Compute for Apache Flink:Grant permissions to a RAM user

最終更新日:Oct 16, 2024

When you access the Realtime Compute for Apache Flink console as a Resource Access Management (RAM) user or by using a RAM role and perform operations such as purchasing, viewing, or deleting a workspace, the RAM user or RAM role must have the required permissions. This topic describes the RAM policy types that are supported by Realtime Compute for Apache Flink and how to grant permissions to a RAM user.

Policy types

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.

RAM supports the following two types of policy:

  • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify the policies. For more information about the system policies that are supported by Realtime Compute for Apache Flink, see the System policies section of this topic.

  • Custom policy: You can create, update, and delete custom policies to meet your business requirements. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see the Custom policies section of this topic.

Procedure

You can attach a policy to a RAM user or RAM role to grant the RAM user or RAM role the access permissions in the policy. This section describes how to grant permissions to a RAM user. The operations for granting permissions to a RAM role are similar to the operations for granting permissions to a RAM user. For more information, see Grant permissions to a RAM role.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    image

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    image

    Parameter

    Description

    Resource Scope

    The scope of resources that you can access with the granted permissions. Valid values:

    • Account: The permissions are granted to the current Alibaba Cloud account.

    • ResourceGroup: The permissions are valid for a specific resource group.

    Principal

    The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user.

    Policy

    • System policy: For more information about the system policies that are supported by Realtime Compute for Apache Flink, see the System policies section of this topic.

    • Custom policy: For more information about how to create a custom policy, see Create custom policies. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see the Custom policies section of this topic. The following sample code provides the document of a policy that allows a RAM user to view the information about all workspaces.

      {
          "Version": "1",
          "Statement":  [
              {
                  "Action": "stream:DescribeVvpInstances",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
  5. Click Grant permissions.

  6. Click Close.

System policies

Permission set

Policy

Description

All permissions on Realtime Compute for Apache Flink

AliyunStreamFullAccess

Includes all permissions in Custom policies.

Permissions to access Realtime Compute for Apache Flink in read-only mode

AliyunStreamReadOnlyAccess

Includes all permissions that start with Describe and Query in Custom policies.

Permissions on Expenses and Costs

AliyunBSSOrderAccess

Allows you to view and pay for orders in the Expenses and Costs console.

Custom policies

Policies related to Realtime Compute for Apache Flink

Note

In a policy, Action indicates the operation that needs to be performed, Resource indicates the object on which the operation is performed, and Effect specifies whether to allow or deny the operation on the object. For more information about the syntax and structure of RAM policies, see Policy structure and syntax. You must replace the following parameters in a policy with the actual values:

  • {#regionId}: the ID of the region in which the Realtime Compute for Apache Flink workspace that you want to manage resides.

  • {#accountId}: the ID of the Alibaba Cloud account.

  • {#instanceId}: the ID of the Realtime Compute for Apache Flink workspace that you want to manage.

  • {#namespace}: the name of the namespace.

  • Policies related to Realtime Compute for Apache Flink workspaces

    Permission

    Policy document

    Purchase a Realtime Compute for Apache Flink workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:CreateVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    View information about a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DescribeVvpInstances",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    Release a pay-as-you-go workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DeleteVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Renew a subscription workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:RenewVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Scale a subscription workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpPrepayInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Change the maximum quota of a pay-as-you-go workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Change the billing method of a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ConvertVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for creating a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryCreateVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for renewing a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryRenewVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for scaling a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryModifyVvpPrepayInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for switching from the pay-as-you-go billing method to the subscription billing method

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryConvertVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
                "Effect": "Allow"
            }
        ]
    }
  • Policies related to Realtime Compute for Apache Flink namespaces

    Important

    Before you configure namespace permissions, you must configure the DescribeVvpInstances permission to view existing workspaces. Otherwise, an error is returned.

    Permission

    Policy document

    Create a namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:CreateVvpNamespace",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*",
                "Effect": "Allow"
            }
        ]
    }

    Delete a namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DeleteVvpNamespace",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    Change resources for a subscription namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpPrepayNamespaceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    Change resources for a pay-as-you-go namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpNamespaceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    View the namespace list

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DescribeVvpNamespaces",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*",
                "Effect": "Allow"
            }
        ]
    }
    Note

    After you configure the policy, you can click the image.png icon to the left of the ID of a specific workspace to view the list of namespaces that are created in the workspace. If you want to log on to the development console of a specific Realtime Compute for Apache Flink namespace, you must have the permission to develop drafts in the namespace. For more information, see Grant namespace permissions.

Permission operations on related services

ECS-related operations

Before you can access the development console of Realtime Compute for Apache Flink over the Internet, you must activate Elastic IP Address (EIP) by using your Alibaba Cloud account. Before you can access resources in a virtual private cloud (VPC), you must create elastic network interfaces (ENIs) in the VPC. The ENIs are added to the dedicated security group of Realtime Compute for Apache Flink. In this case, Realtime Compute for Apache Flink must have the operation permissions on the EIP, security group, and ENIs.

Action

Description

ecs:AssociateEipAddress

Applies for an EIP to access Realtime Compute for Apache Flink over the Internet.

ecs:AttachNetworkInterface

Binds your ENI to a resource pool in Realtime Compute for Apache Flink.

ecs:AuthorizeSecurityGroup

Creates a security group in Realtime Compute for Apache Flink and adds an inbound rule to the security group.

ecs:AuthorizeSecurityGroupEgress

Creates a security group in Realtime Compute for Apache Flink and adds an outbound rule to the security group.

ecs:CreateNetworkInterface

Creates an ENI in your VPC and connects Realtime Compute for Apache Flink to your VPC.

ecs:CreateNetworkInterfacePermission

Binds your ENI to Realtime Compute for Apache Flink.

ecs:CreateSecurityGroup

Creates a security group in Realtime Compute for Apache Flink.

ecs:DeleteNetworkInterface

Deletes the ENIs of the resources that are used in a task of Realtime Compute for Apache Flink after the task is complete.

ecs:DeleteNetworkInterfacePermission

Unbinds your ENI from Realtime Compute for Apache Flink.

ecs:DeleteSecurityGroup

Deletes a security group in Realtime Compute for Apache Flink.

ecs:DescribeNetworkInterfacePermissions

Unbinds your ENI from a serverless resource pool in Realtime Compute for Apache Flink.

ecs:DescribeNetworkInterfaces

Queries ENIs bound to Realtime Compute for Apache Flink.

ecs:DescribeSecurityGroupAttribute

Queries the security group rules of a security group in Realtime Compute for Apache Flink.

ecs:DescribeSecurityGroupReferences

Queries security groups and security group-level authorization in Realtime Compute for Apache Flink.

ecs:DescribeSecurityGroups

Queries basic information about the created security groups in Realtime Compute for Apache Flink.

ecs:DetachNetworkInterface

Unbinds your ENI from a resource pool in Realtime Compute for Apache Flink.

ecs:JoinSecurityGroup

Adds ENIs to a security group in Realtime Compute for Apache Flink.

ecs:LeaveSecurityGroup

Removes ENIs from a security group in Realtime Compute for Apache Flink.

ecs:ModifyNetworkInterfaceAttribute

Modifies information about an ENI, such as the name, the description, and the security group to which the ENI belongs.

ecs:ModifySecurityGroupAttribute

Modifies the name or description of a security group in Realtime Compute for Apache Flink.

ecs:ModifySecurityGroupPolicy

Modifies the access control policy within a security group in Realtime Compute for Apache Flink.

ecs:ModifySecurityGroupRule

Modifies the description of security group inbound rules in Realtime Compute for Apache Flink.

ecs:RevokeSecurityGroup

Deletes a security group inbound rule in Realtime Compute for Apache Flink.

ecs:RevokeSecurityGroupEgress

Deletes a security group outbound rule in Realtime Compute for Apache Flink.

ecs:UnassociateEipAddress

Releases EIPs that are used by Realtime Compute for Apache Flink.

OSS-related operations

Before you can query Object Storage Service (OSS) buckets, you must obtain the permissions on OSS resources.

Action

Description

oss:ListBuckets

Queries OSS buckets that are used by Realtime Compute for Apache Flink.

oss:GetBucketInfo

Queries the statistics about a bucket.

oss:GetObjectMetadata

Obtains the metadata of an object.

oss:GetObject

Obtains an object.

oss:ListObjects

Lists the information about all objects in a bucket.

oss:PutObject

Uploads an object.

oss:CopyObject

Copies objects that are stored in the same bucket or different buckets in the same region.

oss:CompleteMultipartUpload

Completes multipart upload of an object after all parts of the object are uploaded.

oss:AbortMultipartUpload

Cancels a multipart upload task and deletes the uploaded parts.

oss:InitiateMultipartUpload

Instructs OSS to initiate a multipart upload task before data is transmitted in multipart upload mode.

oss:UploadPartCopy

Copies data from an existing object and uploads a part of the object.

oss:UploadPart

Uploads an object by part based on the specified object name and upload ID.

oss:DeleteObject

Deletes an object.

oss:PutBucketcors

Configures cross-origin resource sharing (CORS) rules for a bucket.

oss:GetBucketCors

Queries the CORS rules configured for a bucket.

oss:PutBucket

Creates a bucket.

Note

If you use the Key Management Service (KMS) encryption capability of OSS, you must attach KMS-related policies to the AliyunStreamAsiDefaultRole role. For more information, see the Upload an object to a bucket for which an encryption method is configured section of the "Server-side encryption" topic.

ARMS-related operations

After you activate the Application Real-Time Monitoring Service (ARMS) service, the metrics of deployments in Realtime Compute for Apache Flink are stored in ARMS.

Action

Description

arms:ListDashboards

Queries ARMS dashboards.

arms:CreateContact

Creates a contact.

arms:DeleteContact

Deletes a contact.

arms:SearchContact

Queries a contact.

arms:UpdateContact

Updates a contact.

arms:CreateContactGroup

Creates a contact group.

arms:DeleteContactGroup

Deletes a contact group.

arms:SearchContactGroup

Queries a contact group.

arms:UpdateContactGroup

Updates a contact group.

arms:SearchAlertRules

Queries one or more alert rules.

arms:CreateAlertRules

Creates one or more alert rules.

arms:UpdateAlertRules

Updates one or more alert rules.

arms:DeleteAlertRules

Deletes one or more alert rules.

arms:StartAlertRule

Enables an alert rule.

arms:StopAlertRule

Disables an alert rule.

arms:SearchAlarmHistories

Queries historical alert information.

arms:OpenArmsService

Activates the ARMS service.

arms:CreateWebhook

Creates a webhook.

arms:UpdateWebhook

Updates a webhook.

arms:CreateDispatchRule

Creates a dispatch rule.

arms:ListDispatchRule

Queries dispatch rules.

arms:DeleteDispatchRule

Deletes a dispatch rule.

arms:UpdateDispatchRule

Updates a dispatch rule.

arms:DescribeDispatchRule

Queries details about a dispatch rule.

VPC-related operations

The Describe permission on resources in a VPC is required when you create a Realtime Compute for Apache Flink workspace.

Action

Description

vpc:DescribeVpcAttribute

Queries the configurations of a VPC.

vpc:DescribeVpcs

Queries the created VPCs.

vpc:DescribeVSwitchAttributes

Queries information about a vSwitch.

vpc:DescribeVSwitches

Queries the created vSwitches.

vpc:DescribeRouteTableList

Queries route tables.

vpc:DescribeRouteTables

Queries a route table.

vpc:DescribeRouteEntryList

Queries route entries in a route table.

vpc:DescribeRouterInterfaceAttribute

Queries the configurations of the router interface.

vpc:DescribeRouterInterfaces

Queries router interfaces.

vpc:DescribeVRouters

Queries vRouters in a region.

vpc:CreateVpc

Creates a VPC.

vpc:CreateVSwitch

Creates a vSwitch.

RAM-related operations

When you create a Realtime Compute for Apache Flink workspace, you must have relevant RAM permissions to configure resources.

Action

Description

ram:*

Adds, removes, modifies, and queries the following RAM resources: domains and applications.

DLF-related operations

When you create a Realtime Compute for Apache Flink workspace, you must have Data Lake Formation (DLF) permissions to access related catalogs.

Action

Description

dlf:BatchCreatePartitions

Creates multiple partitions at a time.

dlf:BatchCreateTables

Creates multiple tables at a time.

dlf:BatchDeletePartitions

Deletes multiple partitions at a time.

dlf:BatchDeleteTables

Deletes multiple tables at a time.

dlf:BatchGetPartitions

Queries multiple partitions at a time.

dlf:BatchGetTables

Queries multiple tables at a time.

dlf:BatchUpdatePartitions

Updates multiple partitions at a time.

dlf:BatchUpdateTables

Updates multiple tables at a time.

dlf:CreateCatalog

Creates a data lake catalog.

dlf:CreateDatabase

Creates a database.

dlf:CreateFunction

Creates a function.

dlf:CreatePartition

Creates a partition.

dlf:CreateTable

Creates a table.

dlf:DeleteCatalog

Deletes a data lake catalog.

dlf:DeleteDatabase

Deletes a database.

dlf:DeleteFunction

Deletes a function.

dlf:DeletePartition

Deletes a partition.

dlf:DeleteTable

Deletes a table.

dlf:GetAsyncTaskStatus

Queries the status of an asynchronous task.

dlf:GetCatalog

Queries a data lake catalog.

dlf:GetCatalogByInstanceId

Queries catalogs by instance ID.

dlf:GetCatalogSettings

Queries the data lake configuration.

dlf:GetDatabase

Queries a database.

dlf:GetFunction

Queries a function.

dlf:GetPartition

Queries a partition.

dlf:GetTable

Queries a table.

dlf:ListCatalogs

Queries catalogs.

dlf:ListDatabases

Queries databases.

dlf:ListFunctionNames

Queries function names.

dlf:ListFunctions

Queries functions.

dlf:ListPartitionNames

Queries partition names.

dlf:ListPartitions

Queries partitions.

dlf:ListPartitionsByExpr

Queries partitions by using an expression.

dlf:ListPartitionsByFilter

Queries partitions by using a filter.

dlf:ListTableNames

Queries table names.

dlf:ListTables

Queries tables.

dlf:RenamePartition

Renames a partition.

dlf:RenameTable

Renames a table.

dlf:UpdateCatalog

Updates a data lake catalog.

dlf:UpdateDatabase

Updates a database.

dlf:UpdateFunction

Updates a function.

dlf:UpdateTable

Updates a table.

dlf:BatchGetPartitionColumnStatistics

Queries the statistics on multiple metadata table partitions at a time.

dlf:DeletePartitionColumnStatistics

Deletes the statistics on a metadata table partition.

dlf:DeleteTableColumnStatistics

Deletes the statistics on a metadata table.

dlf:GetPartitionColumnStatistics

Queries the statistics on the fields in a metadata table partition.

dlf:GetTableColumnStatistics

Queries the statistics on the fields in a metadata table.

dlf:UpdateTableColumnStatistics

Updates the statistics on a metadata table.

dlf:UpdatePartitionColumnStatistics

Updates the statistics on a metadata table partition.

dlf:CreateLock

Creates a metadata lock.

dlf:UnLock

Unlocks a metadata lock.

dlf:AbortLock

Aborts a metadata lock.

dlf:RefreshLock

Refreshes a metadata lock.

dlf:GetLock

Queries a metadata lock.

dlf:GetCatalogAccessInfo

Queries the information such as the storage name and storage endpoint about backend storage based on the catalog UUID.

dlf:GetDataToken

Queries catalog- or table-level keys based on the catalog UUID.

dlf:GetDataTokenByName

Queries catalog- or table-level keys based on the catalog UUID, database name, or table name.

dlf-auth:ActOnBehalfOfAnotherUser

Uses a service-linked role (SLR) or service role (SR) to access DLF.

dlf:GrantPermissions

Grants permissions on the principal resources.

dlf:RevokePermissions

Revokes permissions on the principal resources.

dlf:BatchGrantPermissions

Grants multiple permissions at a time.

dlf:BatchRevokePermissions

Revokes multiple permissions at a time.

dlf:UpdatePermissions

Updates permissions on the principal resources.

dlf:ListPermissions

Queries the permissions of a resource or principal.

dlf:CreateRole

Creates a role.

dlf:UpdateRole

Updates a role.

dlf:DeleteRole

Deletes a role.

dlf:GetRole

Queries a role.

dlf:ListRoles

Queries roles.

dlf:GrantRolesToUser

Grants multiple role permissions to a user at a time.

dlf:RevokeRolesFromUser

Revokes multiple role permissions of a user at a time.

dlf:GrantRoleToUsers

Grants a role permission to multiple users at a time.

dlf:RevokeRoleFromUsers

Revokes a role permission of multiple users at a time.

dlf:UpdateRoleUsers

Updates users of a role.

dlf:ListRoleUsers

Queries users of a role.

dlf:ListUserRoles

Queries user roles.

dlf:GrantRolesToPrincipal

Grants multiple role permissions to a principal at a time.

dlf:RevokeRolesFromPrincipal

Revokes multiple role permissions of a principal at a time.

dlf:GrantRoleToPrincipals

Grants a role permission to multiple principals at a time.

dlf:RevokeRoleFromPrincipals

Revokes a role permission of multiple principals at a time.

dlf:UpdateRolePrincipals

Updates the principals in a role.

dlf:BatchDeleteRoles

Deletes multiple roles at a time.

dlf:CheckPermissions

Checks permissions.

dlf:GetCatalogStorageStatistics

Queries the catalog statistics.

dlf:GetCatalogStorageIndicatorDetails

Queries the trend of a catalog metric.

dlf:GetCatalogStorageRank

Queries the ranking of catalog storage statistics.

dlf:GetCatalogStorageAnalysis

Queries the data distribution in a catalog.

dlf:GetDatabaseProfile

Queries the data profile of a database.

dlf:GetDatabaseStorageAnalysis

Queries the data distribution in a database.

dlf:GetTableProfile

Queries the data profile of a table.

dlf:GetTableStorageAnalysis

Queries the data distribution in a table.

dlf:ListPartitionProfiles

Queries partition data profiles.

dlf:getLatestStorageStatisticsDate

Queries the time when the storage overview data was last updated.

dlf:SubscribeOptimize

Submits optimization.

dlf:GetOptimizeRegionStatus

Queries the region and status of optimization.

dlf:GetOptimizeWorkspaceAuthorization

Queries authorization for the optimized workspace.

dlf:AddOptimizeWorkspace

Adds an optimized workspace.

dlf:ListOptimizeWorkspaces

Queries optimized workspaces.

dlf:PreCheckOptimizeWorkspaceConnection

Prechecks the connection to an optimized workspace.

dlf:CheckOptimizeWorkspaceConnection

Checks the connection to an optimized workspace.

dlf:DeleteOptimizeWorkspace

Deletes an optimized workspace.

dlf:SetOptimizeEnable

Enables storage optimization.

dlf:SetOptimizePolicy

Configures a storage optimization policy.

dlf:GetOptimizePolicy

Queries a storage optimization policy.

dlf:SetOptimizeScheduleRule

Adds a storage optimization scheduling rule.

dlf:ListOptimizeScheduleRules

Queries optimization scheduling rules.

dlf:DeleteOptimizeScheduleRule

Deletes a storage optimization scheduling rule.

dlf:RunOptimizeImmediately

Immediately runs storage optimization.

dlf:GetOptimizeInfo

Queries optimization information.

dlf:UpdateOptimizeTaskResult

Updates the result of a storage optimization task.

References