When you manage Data Lake Formation (DLF) permissions through DataWorks, you must first grant DataWorks the permissions it needs to access DLF resources. Once you grant them, the system automatically creates the service-linked role AliyunServiceRoleForDataWorksAccessDLF. This topic describes the service-linked role that is created when you authorize DataWorks to use DLF.
Scenarios
The service-linked role AliyunServiceRoleForDataWorksAccessDLF, which DataWorks assumes to access DLF, is used in the following scenarios:
- Authorize DataWorks to access DLF resources (catalogs, databases, tables, and columns).
- Allow DataWorks to grant permissions on the resources in your DLF.
- Allow DataWorks to revoke permissions on the resources in your DLF.
About AliyunServiceRoleForDataWorksAccessDLF
- Role name: AliyunServiceRoleForDataWorksAccessDLF
- Permission policy: AliyunServiceRolePolicyForDataWorksAccessDLF
- Permission description: DataWorks assumes this role by default to access your DLF resources. The policy document is shown below. Note that every statement uses Resource "*", and the dlf-dss: actions go beyond reading metadata and granting or revoking permissions: they include creating, altering and dropping databases, tables and functions. The ram:DeleteServiceLinkedRole grant is restricted by the ram:ServiceName condition to dlf.dataworks.aliyuncs.com, so the role can only delete the service-linked role of this service, not other service-linked roles in your account.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dlf:GetCatalog",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:GetTable",
        "dlf:GetRole",
        "dlf:ListCatalogs",
        "dlf:ListDatabases",
        "dlf:ListFunctionNames",
        "dlf:ListFunctions",
        "dlf:ListTableNames",
        "dlf:ListTables",
        "dlf:ListRoles",
        "dlf:ListRoleUsers",
        "dlf:CheckPermissions",
        "dlf:BatchGrantPermissions",
        "dlf:BatchRevokePermissions",
        "dlf:GrantPermissions",
        "dlf:RevokePermissions",
        "dlf:UpdatePermissions",
        "dlf:ListPermissions",
        "dlf-dss:GetCatalog",
        "dlf-dss:GetDatabase",
        "dlf-dss:GetFunction",
        "dlf-dss:GetTable",
        "dlf-dss:ListCatalogs",
        "dlf-dss:ListDatabases",
        "dlf-dss:ListFunctionNames",
        "dlf-dss:ListFunctions",
        "dlf-dss:ListTableNames",
        "dlf-dss:ListTables",
        "dlf-dss:ListRoleUsers",
        "dlf-dss:ListRoles",
        "dlf-dss:CheckPermissions",
        "dlf-dss:GrantPermissions",
        "dlf-dss:RevokePermissions",
        "dlf-dss:UpdatePermissions",
        "dlf-dss:ListPermissions",
        "dlf-dss:BatchGrantPermissions",
        "dlf-dss:BatchRevokePermissions",
        "dlf-dss:CreateTable",
        "dlf-dss:AlterTable",
        "dlf-dss:DropTable",
        "dlf-dss:DescribeTable",
        "dlf-dss:SelectTable",
        "dlf-dss:UpdateTable",
        "dlf-dss:DescribeDatabase",
        "dlf-dss:CreateDatabase",
        "dlf-dss:AlterDatabase",
        "dlf-dss:DropDatabase",
        "dlf-dss:DescribeFunction",
        "dlf-dss:AlterFunction",
        "dlf-dss:CreateFunction",
        "dlf-dss:DropFunction",
        "dlf-dss:ExecuteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
Create the service-linked role
When you select Apply for Data Lake Formation (DLF) under Data Access Control, the system prompts you to authorize DataWorks to access Data Lake Formation. After you grant the authorization, the system automatically creates the service-linked role AliyunServiceRoleForDataWorksAccessDLF in the RAM console. For more information, see DLF data access control.
Delete the service-linked role
You can delete the service-linked role in the RAM console. After you delete it, you can no longer manage data lake permissions through DataWorks. For more information, see Delete a RAM role.
Permissions a RAM user (sub-account) needs to create the service-linked role
A RAM user can create the service-linked role AliyunServiceRoleForDataWorksAccessDLF when it is granted the AliyunDataWorksFullAccess policy or the following custom policy. The ram:CreateServiceLinkedRole grant is limited by the ram:ServiceName condition to dlf.dataworks.aliyuncs.com; keep that condition in place rather than granting ram:CreateServiceLinkedRole unconditionally, which would let the user create service-linked roles for any service.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dataworks:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
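To make the two policy documents on this page concrete, the following Python script is an added example written for this topic; it is not DataWorks, DLF or Alibaba Cloud code. It models RAM policy evaluation for the features these two documents use (Allow and Deny effects, action and resource wildcards, StringEquals conditions, explicit Deny taking precedence, default deny) and runs it against the RAM-user policy above, copied verbatim, and an abridged copy of the service-linked role's policy. It shows that the ram:ServiceName condition confines ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole to dlf.dataworks.aliyuncs.com, that an explicit Deny overrides the user policy's Allow, and it includes a lint that flags service-linked-role grants which lack that condition. The constants DENY_SLR_CREATION_POLICY and UNSCOPED_USER_POLICY, the service name other.aliyuncs.com and the action name dataworks:SomeAction are constructed for the example and do not appear on this page.

```python
import fnmatch

# The RAM-user policy from this page, copied verbatim.
RAM_USER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}},
        },
    ],
}

# Abridged copy of AliyunServiceRolePolicyForDataWorksAccessDLF from this page:
# the dlf:/dlf-dss: action list is shortened here, the RAM statement is complete.
SERVICE_LINKED_ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["dlf:GetCatalog", "dlf:GrantPermissions", "dlf:RevokePermissions",
                       "dlf-dss:CreateTable", "dlf-dss:DropTable"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}},
        },
    ],
}

# Constructed for the example: a Deny an administrator could attach to the same
# RAM user; it must win over the Allow in RAM_USER_POLICY.
DENY_SLR_CREATION_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Deny"}],
}

# Constructed for the example: the grant with its ram:ServiceName condition dropped.
UNSCOPED_USER_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"}],
}


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    """Case-insensitive wildcard match for Action and Resource patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All keys of all operator blocks must hold (AND). Only the operators used
    on this page are modelled; anything else raises instead of being guessed."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringLike":
                ok = actual is not None and _matches_any(actual, expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """Decide one request against every attached policy: an explicit Deny
    anywhere wins, otherwise a matching Allow is needed, otherwise Deny."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches_any(action, stmt["Action"]):
                continue
            if not _matches_any(resource, stmt["Resource"]):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def unscoped_service_linked_role_grants(policy):
    """Lint: indexes of Allow statements that cover ram:CreateServiceLinkedRole or
    ram:DeleteServiceLinkedRole (directly or via a wildcard such as ram:* or *)
    without a StringEquals ram:ServiceName condition."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        touches_slr = any(_matches_any(a, stmt["Action"]) for a in
                          ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"))
        scoped = "ram:ServiceName" in stmt.get("Condition", {}).get("StringEquals", {})
        if touches_slr and not scoped:
            findings.append(i)
    return findings


if __name__ == "__main__":
    ctx = {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}
    print("user creates DLF role:", evaluate([RAM_USER_POLICY], "ram:CreateServiceLinkedRole", context=ctx))
    print("user creates other role:", evaluate([RAM_USER_POLICY], "ram:CreateServiceLinkedRole",
                                               context={"ram:ServiceName": "other.aliyuncs.com"}))
    print("role deletes itself:", evaluate([SERVICE_LINKED_ROLE_POLICY], "ram:DeleteServiceLinkedRole", context=ctx))
    print("unscoped grants:", unscoped_service_linked_role_grants(UNSCOPED_USER_POLICY))
```

The evaluator is deliberately small: it does not model RAM features the two documents do not use, such as NotAction, resource ARN matching beyond wildcards, or other condition operators, and raises on an unknown operator rather than silently treating it as satisfied. The lint is the check worth running on any custom policy you hand to a RAM user for this purpose: a grant of ram:* or * without a ram:ServiceName condition would be flagged just like the constructed UNSCOPED_USER_POLICY.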