In a lake house built from MaxCompute, Data Lake Formation (DLF) and Object Storage Service (OSS), a MaxCompute project cannot read DLF metadata or OSS data until access has been granted. Access is granted through a RAM role: a trust policy lets the MaxCompute service assume the role, and a custom permission policy gives the role the DLF and OSS actions it needs. This topic describes how to set up that authorization by hand (custom authorization).
Background information
When MaxCompute, DLF and OSS are combined into a lake house, the MaxCompute project has no access to DLF until it is authorized. MaxCompute gets that access by calling sts:AssumeRole on a RAM role, so the role's trust policy must name the MaxCompute service as the principal, and the form of that principal depends on account ownership. If the Alibaba Cloud account that owns the MaxCompute project is the same account in which DLF is deployed, set Service in the trust policy to odps.aliyuncs.com. If the two accounts differ, set Service to <Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com; the account-qualified form limits AssumeRole to MaxCompute acting on behalf of that one account. You can look up the account ID in the Account Center.
Procedure
Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account.
For details, see Create a RAM role for a trusted Alibaba Cloud account.
In the RAM console, edit the trust policy of the role you just created.
For details, see Edit the trust policy of a RAM role. Use the trust policy that matches your account layout.
If the account that created the MaxCompute project is the same account in which DLF is deployed:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If the account that created the MaxCompute project is not the account in which DLF is deployed:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
In the RAM console, create a custom permission policy for the role.
For details, see Create a custom policy. The policy content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction",
        "dlf:BatchGetPartitions",
        "dlf:ListDatabases",
        "dlf:CreateLock",
        "dlf:UpdateFunction",
        "dlf:BatchUpdateTables",
        "dlf:DeleteTableVersion",
        "dlf:UpdatePartitionColumnStatistics",
        "dlf:ListPartitions",
        "dlf:DeletePartitionColumnStatistics",
        "dlf:BatchUpdatePartitions",
        "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions",
        "dlf:ListFunctions",
        "dlf:DeleteTable",
        "dlf:GetTableVersion",
        "dlf:AbortLock",
        "dlf:GetTable",
        "dlf:BatchDeleteTables",
        "dlf:RenameTable",
        "dlf:RefreshLock",
        "dlf:DeletePartition",
        "dlf:UnLock",
        "dlf:GetLock",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:BatchCreatePartitions",
        "dlf:ListPartitionNames",
        "dlf:RenamePartition",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:UpdateTableColumnStatistics",
        "dlf:ListTableNames",
        "dlf:UpdateDatabase",
        "dlf:GetTableColumnStatistics",
        "dlf:ListFunctionNames",
        "dlf:ListPartitionsByFilter",
        "dlf:GetPartitionColumnStatistics",
        "dlf:CreatePartition",
        "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics",
        "dlf:ListTableVersions",
        "dlf:BatchDeletePartitions",
        "dlf:ListCatalogs",
        "dlf:UpdateTable",
        "dlf:ListTables",
        "dlf:DeleteDatabase",
        "dlf:BatchGetTables",
        "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Note that this policy grants every listed OSS and DLF action on every resource ("Resource": "*"), including write and delete on all buckets in the account. For production use, narrow the OSS statement to the buckets the lake house actually uses, for example acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*; oss:ListBuckets is the one OSS action that is not bucket-scoped and has to stay on "*".
Attach the custom policy to the RAM role you created.
For details, see Grant permissions to a RAM role.
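The following script is an added example, not code from the Alibaba Cloud page. It builds the two policy documents described in the procedure (choosing the trust-policy principal from whether the project owner and the DLF account are the same) and emits the aliyun CLI calls (RAM API actions CreateRole, CreatePolicy, AttachPolicyToRole) that replace the three console steps. It goes one step beyond the page by optionally scoping the OSS object actions to named buckets instead of "*". The role name, policy name, account IDs and bucket names are hypothetical values chosen for the example.

```python
"""Added example (not from the Alibaba Cloud page): build the trust policy and the
custom permission policy for a MaxCompute -> DLF/OSS lake house role and emit the
aliyun CLI calls that replace the console steps.

Assumptions (hypothetical, not from the page): the role/policy names, account IDs
and bucket names used in __main__."""
import json
import shlex
from typing import Dict, List, Optional

ODPS_SERVICE = "odps.aliyuncs.com"

# Actions copied from the page's custom policy. oss:ListBuckets is kept separate
# because it cannot be scoped to a bucket ARN.
OSS_OBJECT_ACTIONS = [
    "oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject",
    "oss:AbortMultipartUpload", "oss:ListParts",
]
DLF_ACTIONS = [
    "dlf:CreateFunction", "dlf:BatchGetPartitions", "dlf:ListDatabases", "dlf:CreateLock",
    "dlf:UpdateFunction", "dlf:BatchUpdateTables", "dlf:DeleteTableVersion",
    "dlf:UpdatePartitionColumnStatistics", "dlf:ListPartitions",
    "dlf:DeletePartitionColumnStatistics", "dlf:BatchUpdatePartitions", "dlf:GetPartition",
    "dlf:BatchDeleteTableVersions", "dlf:ListFunctions", "dlf:DeleteTable",
    "dlf:GetTableVersion", "dlf:AbortLock", "dlf:GetTable", "dlf:BatchDeleteTables",
    "dlf:RenameTable", "dlf:RefreshLock", "dlf:DeletePartition", "dlf:UnLock", "dlf:GetLock",
    "dlf:GetDatabase", "dlf:GetFunction", "dlf:BatchCreatePartitions", "dlf:ListPartitionNames",
    "dlf:RenamePartition", "dlf:CreateTable", "dlf:BatchCreateTables",
    "dlf:UpdateTableColumnStatistics", "dlf:ListTableNames", "dlf:UpdateDatabase",
    "dlf:GetTableColumnStatistics", "dlf:ListFunctionNames", "dlf:ListPartitionsByFilter",
    "dlf:GetPartitionColumnStatistics", "dlf:CreatePartition", "dlf:CreateDatabase",
    "dlf:DeleteTableColumnStatistics", "dlf:ListTableVersions", "dlf:BatchDeletePartitions",
    "dlf:ListCatalogs", "dlf:UpdateTable", "dlf:ListTables", "dlf:DeleteDatabase",
    "dlf:BatchGetTables", "dlf:DeleteFunction",
]


def trust_policy(project_owner_id: str, dlf_account_id: str) -> Dict:
    """Trust policy for the role. Same account: the bare MaxCompute service principal.
    Different accounts: the principal is qualified with the project owner's account ID,
    which limits AssumeRole to MaxCompute acting for that account."""
    if project_owner_id == dlf_account_id:
        service = ODPS_SERVICE
    else:
        service = f"{project_owner_id}@{ODPS_SERVICE}"
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [service]},
        }],
        "Version": "1",
    }


def permission_policy(buckets: Optional[List[str]] = None) -> Dict:
    """Custom permission policy. With no buckets the OSS statement uses "*" like the
    page's policy; with buckets, object actions are scoped to the bucket and its
    objects (acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*)."""
    if buckets:
        oss_resource = [r for b in buckets for r in (f"acs:oss:*:*:{b}", f"acs:oss:*:*:{b}/*")]
    else:
        oss_resource = "*"
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"},
            {"Action": OSS_OBJECT_ACTIONS, "Resource": oss_resource, "Effect": "Allow"},
            {"Action": DLF_ACTIONS, "Resource": "*", "Effect": "Allow"},
        ],
    }


def cli_commands(role_name: str, policy_name: str, trust: Dict, perm: Dict) -> List[str]:
    """aliyun CLI equivalents of the console steps: create the role with its trust
    policy, create the custom policy, attach the policy to the role."""
    return [
        f"aliyun ram CreateRole --RoleName {role_name} "
        f"--AssumeRolePolicyDocument {shlex.quote(json.dumps(trust))}",
        f"aliyun ram CreatePolicy --PolicyName {policy_name} "
        f"--PolicyDocument {shlex.quote(json.dumps(perm))}",
        f"aliyun ram AttachPolicyToRole --PolicyType Custom "
        f"--PolicyName {policy_name} --RoleName {role_name}",
    ]


if __name__ == "__main__":
    # Hypothetical cross-account layout: project owner 1111..., DLF deployed in 2222...
    trust = trust_policy("111111111111", "222222222222")
    perm = permission_policy(["lakehouse-raw", "lakehouse-curated"])
    for cmd in cli_commands("MaxComputeDlfRole", "MaxComputeDlfOssPolicy", trust, perm):
        print(cmd)
```

Running the script prints the three aliyun commands; review the JSON it embeds before running them, and call permission_policy() with no buckets only if you really want the page's account-wide OSS grant.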