A RAM user of a MaxCompute project cannot access Data Lake Formation (DLF) or Object Storage Service (OSS) until it is authorized. You grant that access with a RAM role: a trust policy on the role decides who may assume it (here, the MaxCompute service), and a permission policy attached to the role decides what the assumed role may do in DLF and OSS. This topic describes how to authorize a MaxCompute project by creating such a role and writing both policies yourself (custom authorization).
Background information
In a lakehouse scenario that integrates MaxCompute with DLF and OSS, the RAM user of the MaxCompute project cannot access DLF without authorization.
If the Alibaba Cloud account that owns the MaxCompute project is the same account in which DLF is deployed, set Service in the trust policy to odps.aliyuncs.com. If the two accounts differ, set Service to <MaxCompute project owner account ID>@odps.aliyuncs.com. The account-qualified form matters: it lets the role be assumed only by MaxCompute acting on behalf of that one owner account, not by MaxCompute acting for an arbitrary account. You can find the owner account ID of the MaxCompute project on the personal information page of that account.
Procedure
Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account.
For details, see Create a RAM role for a trusted Alibaba Cloud account.
In the RAM console, modify the trust policy of the new RAM role.
For details, see Modify the trust policy of a RAM role. Use one of the following trust policies. The Principal should name only the MaxCompute service principal; do not add RAM users or other services to the same statement.
If the account that created the MaxCompute project and the account in which DLF is deployed are the same account:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If the account that created the MaxCompute project and the account in which DLF is deployed are different accounts:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<MaxCompute project owner account ID>@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
In the RAM console, create a custom permission policy for the new RAM role.
For details, see Create a custom policy. The policy grants the OSS object operations and the DLF catalog, database, table, partition, function, statistics, and lock operations that MaxCompute uses:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction", "dlf:BatchGetPartitions", "dlf:ListDatabases", "dlf:CreateLock",
        "dlf:UpdateFunction", "dlf:BatchUpdateTables", "dlf:DeleteTableVersion", "dlf:UpdatePartitionColumnStatistics",
        "dlf:ListPartitions", "dlf:DeletePartitionColumnStatistics", "dlf:BatchUpdatePartitions", "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions", "dlf:ListFunctions", "dlf:DeleteTable", "dlf:GetTableVersion",
        "dlf:AbortLock", "dlf:GetTable", "dlf:BatchDeleteTables", "dlf:RenameTable",
        "dlf:RefreshLock", "dlf:DeletePartition", "dlf:UnLock", "dlf:GetLock",
        "dlf:GetDatabase", "dlf:GetFunction", "dlf:BatchCreatePartitions", "dlf:ListPartitionNames",
        "dlf:RenamePartition", "dlf:CreateTable", "dlf:BatchCreateTables", "dlf:UpdateTableColumnStatistics",
        "dlf:ListTableNames", "dlf:UpdateDatabase", "dlf:GetTableColumnStatistics", "dlf:ListFunctionNames",
        "dlf:ListPartitionsByFilter", "dlf:GetPartitionColumnStatistics", "dlf:CreatePartition", "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics", "dlf:ListTableVersions", "dlf:BatchDeletePartitions", "dlf:ListCatalogs",
        "dlf:UpdateTable", "dlf:ListTables", "dlf:DeleteDatabase", "dlf:BatchGetTables",
        "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Both statements use "Resource": "*". Before attaching the policy in a production account, narrow the OSS statement to the buckets that actually hold the lake data, and remove any DLF write or delete actions the project does not need; the role should carry only the permissions MaxCompute exercises on its behalf.
Attach the custom permission policy to the new RAM role.
For details, see Grant permissions to a RAM role.
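The following Python script is an added example and is not part of the original topic or of any Alibaba Cloud SDK. It generates the trust policy for the same-account and cross-account cases from the rule in the background section, lints a trust policy so that only the expected MaxCompute service principal can assume the role, and shows how the OSS statement above can be narrowed from "Resource": "*" to one bucket. The account IDs and bucket name are constructed sample values. The OSS ARN forms acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*, and the treatment of oss:ListBuckets as an account-level action that needs acs:oss:*:*:*, are assumptions of this example rather than statements from the page.

```python
import json
from copy import deepcopy

ODPS_SERVICE = "odps.aliyuncs.com"


def odps_principal(project_owner_uid: str, dlf_account_uid: str) -> str:
    """Service principal the trust policy must name.

    Same account owns the MaxCompute project and DLF: the bare service name.
    Different accounts: '<project owner UID>@odps.aliyuncs.com', which limits
    AssumeRole to MaxCompute acting on behalf of that one owner account.
    """
    if project_owner_uid == dlf_account_uid:
        return ODPS_SERVICE
    return f"{project_owner_uid}@{ODPS_SERVICE}"


def build_trust_policy(project_owner_uid: str, dlf_account_uid: str) -> dict:
    """Trust policy for the RAM role, matching the two documents in the procedure."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [odps_principal(project_owner_uid, dlf_account_uid)]},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_issues(policy: dict, expected_principal: str) -> list:
    """Lint a trust policy before it is applied to the role.

    Every Allow statement that grants sts:AssumeRole (or a wildcard covering it)
    must name exactly the expected MaxCompute service principal: no RAM users or
    roles, no '*', no other service. Returns human-readable findings; an empty
    list means the policy is as tight as the procedure intends.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal is None or principal == "*":
            findings.append(f"statement {i}: Principal missing or '*', any caller could assume the role")
            continue
        for kind, names in principal.items():
            for name in _as_list(names):
                if kind != "Service":
                    findings.append(f"statement {i}: unexpected {kind} principal {name!r}")
                elif name != expected_principal:
                    findings.append(f"statement {i}: service principal {name!r}, expected {expected_principal!r}")
    return findings


def scope_oss_to_bucket(permission_policy: dict, bucket: str) -> dict:
    """Narrow every OSS statement from Resource '*' to a single bucket.

    Assumption (not from the page): OSS resources are acs:oss:*:*:<bucket> and
    acs:oss:*:*:<bucket>/*, and oss:ListBuckets is account-level and needs
    acs:oss:*:*:*, so it is split into its own statement. Non-OSS statements
    (the DLF one) are passed through unchanged; the input is not modified.
    """
    policy = deepcopy(permission_policy)
    scoped = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not all(a.startswith("oss:") for a in actions):
            scoped.append(stmt)
            continue
        list_buckets = [a for a in actions if a == "oss:ListBuckets"]
        bucket_actions = [a for a in actions if a != "oss:ListBuckets"]
        if list_buckets:
            scoped.append({"Action": list_buckets, "Resource": "acs:oss:*:*:*", "Effect": "Allow"})
        if bucket_actions:
            scoped.append({
                "Action": bucket_actions,
                "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
                "Effect": "Allow",
            })
    policy["Statement"] = scoped
    return policy


if __name__ == "__main__":
    # Constructed sample account IDs, not real accounts.
    cross = build_trust_policy("1234567890123456", "6543210987654321")
    print(json.dumps(cross, indent=2))
    # An over-broad trust policy: a RAM principal and a wildcard service were added
    # next to the MaxCompute principal, so far more than MaxCompute can assume the role.
    loose = {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"RAM": ["acs:ram::1234567890123456:root"], "Service": ["*"]}}]}
    for finding in trust_policy_issues(loose, ODPS_SERVICE):
        print("finding:", finding)
```

Run the linter against the trust policy you pasted into the console before saving it; a non-empty result means the role can be assumed by something other than MaxCompute acting for the intended owner account.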