在某些场景下,一个云服务为了完成自身的某个功能,需要获取其他云服务的访问权限。例如:配置审计(Config)服务要读取您的云资源信息,以获取资源列表和变更历史,就需要获取ECS、RDS等产品的访问权限。阿里云提供了服务关联角色SLR(Service Linked Role)来满足此类场景的需求。本文主要介绍DLA服务关联角色(AliyunServiceRoleForOpenAnalytics)及其权限策略的内容,便于您在开通DLA前评估该角色被授予的权限范围。

背景信息

DLA服务关联角色(AliyunServiceRoleForOpenAnalytics)是一个RAM角色:当DLA为了完成自身的某个功能而需要访问其他云服务时,DLA服务会扮演该角色来获得相应的访问权限。更多信息,请参见服务关联角色。

应用场景

DLA作为阿里云数据湖分析产品,提供Serverless SQL和Spark的核心产品功能,需要为用户打通、连接、关联各种各样的阿里云数据源和云服务产品(OSS、OTS、RDS、ADS、ODPS、ECS、VPC、RAM、MQ等),从而实现数据湖的各项功能。因此,DLA会在用户开通DLA服务的时候,自动在用户的阿里云账号中创建好该服务关联角色,无需用户手动授权,从而极大地提高用户体验。需要注意的是,该角色的权限策略由DLA服务定义,覆盖了下文列出的全部操作;建议在开通前先阅读“查看DLA服务关联角色”一节中的权限说明。

查看DLA服务关联角色

  1. 登录Data Lake Analytics管理控制台
  2. 单击左侧导航栏中系统管理>跨云服务授权
  3. 在跨云服务授权页面查看DLA服务关联角色信息:
    • 角色名称:AliyunServiceRoleForOpenAnalytics
    • 角色权限策略:AliyunServiceRolePolicyForOpenAnalytics
    • 权限说明如下。请注意,该策略的每一条语句均以Resource "*"授权(即不限定具体的Bucket、实例或表),并且除读取类操作外还包含写入和变更类操作:OSS对象的写入、追加与删除(oss:PutObject、oss:AppendObject、oss:DeleteObject、oss:DeleteObjects等)、OTS表与索引的创建和删除、RDS/DDS/PolarDB访问白名单的修改(rds:ModifySecurityIps、dds:ModifySecurityIps、polardb:ModifyDBClusterAccessWhitelist)、日志投递任务的创建和删除(log:CreateShipper、log:DeleteShipper)、ECS弹性网卡的创建,以及ram:ListUsers和ram:GenerateCredentialReport。建议按照您的安全基线评估这些权限是否可以接受;策略中oss:GetBucketEncryption与log:BatchGetLog各出现了两次,属重复项,不影响授权效果:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "openanalytics.aliyuncs.com"
              }
            }
          },
          {
            "Action": [
              "ram:ListUsers",
              "ram:GenerateCredentialReport"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:GetBucket",
              "oss:GetBucketAcl",
              "oss:GetBucketLocation",
              "oss:GetBucketInfo",
              "oss:GetBucketLogging",
              "oss:GetBucketWebsite",
              "oss:GetBucketReferer",
              "oss:GetBucketLifecycle",
              "oss:GetBucketEncryption",
              "oss:GetBucketStat",
              "oss:GetBucketMetadata",
              "oss:GetBucketTagging",
              "oss:GetBucketVersioning",
              "oss:GetSimplifiedObjectMeta",
              "oss:GetObjectMetadata",
              "oss:GetBucketStorageCapacity",
              "oss:GetBucketEncryption",
              "oss:GetObject",
              "oss:GetObjectMeta",
              "oss:GetObjectAcl",
              "oss:GetSymlink",
              "oss:GetObjectTagging",
              "oss:GetService",
              "oss:ListObjects",
              "oss:ListMultipartUploads",
              "oss:ListParts",
              "oss:ListBuckets",
              "oss:ListVpcip",
              "oss:ListVersions",
              "oss:GetBucketCname",
              "oss:GetBucketRequestPayment",
              "oss:GetBucketVpcip",
              "oss:DoesBucketExist",
              "oss:DoesObjectExist",
              "oss:ListObjectsV2",
              "oss:SelectObject",
              "oss:HeadObject",
              "oss:PutBucket",
              "oss:PutObject",
              "oss:PutObjectTagging",
              "oss:CopyObject",
              "oss:InitiateMultipartUpload",
              "oss:UploadPart",
              "oss:UploadPartCopy",
              "oss:CompleteMultipartUpload",
              "oss:AbortMultipartUpload",
              "oss:RestoreObject",
              "oss:PostObject",
              "oss:UploadFile",
              "oss:DownloadFile",
              "oss:AppendObject",
              "oss:DeleteObject",
              "oss:DeleteObjects"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alikafka:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "rds:DescribeDBInstances",
              "rds:DescribeDBInstanceAttribute",
              "rds:DescribeDBInstanceNetInfo",
              "rds:DescribeDBInstanceHAConfig",
              "rds:DescribeDBInstanceIPArrayList",
              "rds:ModifySecurityIps",
              "dds:DescribeDBInstances",
              "dds:DescribeDBInstanceAttribute",
              "dds:DescribeSecurityIps",
              "dds:ModifySecurityIps",
              "polardb:DescribeDBClusters",
              "polardb:DescribeDBClusterAttribute",
              "polardb:DescribeDBClusterEndpoints",
              "polardb:DescribeDBClusterAccessWhitelist",
              "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mns:GetQueueAttributes",
              "mns:GetTopicAttributes",
              "mns:GetSubscriptionAttributes",
              "mns:ListQueue",
              "mns:ListTopic",
              "mns:ListSubscriptionByTopic",
              "mns:SendMessage",
              "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mq:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "dbs:DescribeBackupPlanList",
              "dbs:DescribeFullBackupList",
              "dbs:DescribeIncrementBackupList",
              "dbs:DescribeRestoreTaskList",
              "dbs:DescribeBackupGatewayList"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ots:GetRow",
              "ots:BatchGetRow",
              "ots:GetRange",
              "ots:GetShardIterator",
              "ots:GetStreamRecord",
              "ots:ListStream",
              "ots:ListTable",
              "ots:ListSearchIndex",
              "ots:DescribeStream",
              "ots:DescribeTable",
              "ots:DescribeSearchIndex",
              "ots:ComputeSplitPointsBySize",
              "ots:CreateTable",
              "ots:UpdateTable",
              "ots:DeleteTable",
              "ots:PutRow",
              "ots:UpdateRow",
              "ots:DeleteRow",
              "ots:BatchWriteRow",
              "ots:CreateIndex",
              "ots:DropIndex",
              "ots:CreateSearchIndex",
              "ots:DeleteSearchIndex",
              "ots:Search"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "log:ListProject",
              "log:ListLogStores",
              "log:ListShipper",
              "log:GetCursorOrData",
              "log:BatchGetLog",
              "log:GetShipper",
              "log:GetShipperConfig",
              "log:BatchGetLog",
              "log:DeleteShipper",
              "log:CreateShipper"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:CreateNetworkInterface",
              "ecs:DescribeNetworkInterfaces",
              "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

删除服务关联角色

当您尝试删除服务关联角色(AliyunServiceRoleForOpenAnalytics)时,您需要进行如下操作:
  • 先关闭当前地域(Region)以及其他所有地域的DLA服务。这是因为DLA按阿里云账号(而非地域)维度判断SLR的关联性:只要任意一个地域仍在使用DLA,该角色就仍处于被引用状态,无法删除。
  • 删除服务关联角色,具体操作请参见删除服务关联角色。该角色策略中的ram:DeleteServiceLinkedRole仅在Condition中ram:ServiceName为openanalytics.aliyuncs.com时生效,即只允许删除DLA自身的服务关联角色,而不能删除其他服务的SLR。角色删除后,DLA将失去对上述各云服务(OSS、OTS、RDS等)的访问权限,依赖这些数据源的DLA功能将无法正常工作。