To manage Data Lake Formation (DLF) permissions through DataWorks, you must first grant DataWorks permission to access DLF resources. After the authorization succeeds, the system automatically creates the service-linked role AliyunServiceRoleForDataWorksAccessDLF. This topic describes the service-linked role that is created when you authorize DataWorks to use DLF.

Scenarios

The service-linked role that DataWorks uses to access DLF (AliyunServiceRoleForDataWorksAccessDLF) is used in the following scenarios:
  • Authorize DataWorks to access DLF resources (catalogs, databases, tables, and columns).
  • Allow DataWorks to grant permissions on resources in your DLF.
  • Allow DataWorks to revoke permissions on resources in your DLF.

About AliyunServiceRoleForDataWorksAccessDLF

  • Role name: AliyunServiceRoleForDataWorksAccessDLF
  • Permission policy: AliyunServiceRolePolicyForDataWorksAccessDLF
  • Permission description: DataWorks uses this role by default to access resources in your DLF. The policy document is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dlf:GetCatalog",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:GetTable",
        "dlf:GetRole",
        "dlf:ListCatalogs",
        "dlf:ListDatabases",
        "dlf:ListFunctionNames",
        "dlf:ListFunctions",
        "dlf:ListTableNames",
        "dlf:ListTables",
        "dlf:ListRoles",
        "dlf:ListRoleUsers",
        "dlf:CheckPermissions",
        "dlf:BatchGrantPermissions",
        "dlf:BatchRevokePermissions",
        "dlf:GrantPermissions",
        "dlf:RevokePermissions",
        "dlf:UpdatePermissions",
        "dlf:ListPermissions",
        "dlf-dss:GetCatalog",
        "dlf-dss:GetDatabase",
        "dlf-dss:GetFunction",
        "dlf-dss:GetTable",
        "dlf-dss:ListCatalogs",
        "dlf-dss:ListDatabases",
        "dlf-dss:ListFunctionNames",
        "dlf-dss:ListFunctions",
        "dlf-dss:ListTableNames",
        "dlf-dss:ListTables",
        "dlf-dss:ListRoleUsers",
        "dlf-dss:ListRoles",
        "dlf-dss:CheckPermissions",
        "dlf-dss:GrantPermissions",
        "dlf-dss:RevokePermissions",
        "dlf-dss:UpdatePermissions",
        "dlf-dss:ListPermissions",
        "dlf-dss:BatchGrantPermissions",
        "dlf-dss:BatchRevokePermissions",
        "dlf-dss:CreateTable",
        "dlf-dss:AlterTable",
        "dlf-dss:DropTable",
        "dlf-dss:DescribeTable",
        "dlf-dss:SelectTable",
        "dlf-dss:UpdateTable",
        "dlf-dss:DescribeDatabase",
        "dlf-dss:CreateDatabase",
        "dlf-dss:AlterDatabase",
        "dlf-dss:DropDatabase",
        "dlf-dss:DescribeFunction",
        "dlf-dss:AlterFunction",
        "dlf-dss:CreateFunction",
        "dlf-dss:DropFunction",
        "dlf-dss:ExecuteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}

Create the service-linked role

When you select Data Lake Formation (DLF) under Data Access Control and apply for permissions, the system prompts you to authorize DataWorks to access DLF. After you authorize it, the system automatically creates the service-linked role AliyunServiceRoleForDataWorksAccessDLF in the RAM console. For details, see DLF data access permission control.

Delete the service-linked role

You can delete the service-linked role in the RAM console. After it is deleted, you can no longer control data lake permissions through DataWorks. For details, see Delete a RAM role.

Permissions required for a RAM user (sub-account) to create the service-linked role

A RAM user can create the service-linked role AliyunServiceRoleForDataWorksAccessDLF if it is granted the AliyunDataWorksFullAccess policy or the following policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "dataworks:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
                }
            }
        }
    ]
}
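To see what the ram:ServiceName condition on this page actually restricts, the following evaluator, added here as an example and not Alibaba Cloud's own code, applies RAM-style Allow/Deny and StringEquals logic to a copy of the RAM-user policy above. The request actions and service names it is queried with are constructed, only the operators used by the page's policies are modelled, and resource matching is omitted because every statement on the page uses "Resource": "*".

```python
import fnmatch

# Constructed copy of the RAM-user policy from this page; Resource is "*" in every
# statement on the page, so resource matching is left out of this evaluator.
RAM_USER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}},
        },
    ],
}


def _as_list(value):
    # RAM accepts a single string or a list for Action and for condition values.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only StringEquals is modelled: it is the sole operator the page's policies use.
    # A condition key missing from the request context never matches.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, context=None):
    """RAM-style evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def slr_services_creatable(policy, candidate_services):
    """Audit helper: which of the given service names can this policy create an SLR for?"""
    return sorted(
        s for s in candidate_services
        if is_allowed(policy, "ram:CreateServiceLinkedRole", {"ram:ServiceName": s})
    )
```

Running slr_services_creatable over a list of service names shows that the condition limits SLR creation to dlf.dataworks.aliyuncs.com, while the dataworks:* statement matches any DataWorks action.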