Access Control

Last updated: 2019-04-12 10:02:26

DataHub uses Alibaba Cloud RAM for access control: every request a user makes to a DataHub resource is authorized through RAM. The Alibaba Cloud account (the root account) holds every permission on the resources it owns. A RAM user (sub-account) has no permissions when it is created and cannot access any resource until the account owner grants it a policy in RAM. For how to create RAM users, write authorization policies and attach them, see the RAM documentation. The rest of this page describes how DataHub's access control is expressed in RAM.

DataHub endpoints

Requests for DataHub resources must be sent to the endpoint of the region that owns the resource; pick the column that matches where the client runs.

DataHub endpoint list

Region | Region ID | Public endpoint | Classic-network ECS endpoint | VPC ECS endpoint
China East 1 (Hangzhou) | cn-hangzhou | https://dh-cn-hangzhou.aliyuncs.com | http://dh-cn-hangzhou.aliyun-inc.com | http://dh-cn-hangzhou.aliyun-inc.com
China East 2 (Shanghai) | cn-shanghai | https://dh-cn-shanghai.aliyuncs.com | http://dh-cn-shanghai.aliyun-inc.com | http://dh-cn-shanghai-int-vpc.aliyuncs.com
China North 2 (Beijing) | cn-beijing | https://dh-cn-beijing.aliyuncs.com | http://dh-cn-beijing.aliyun-inc.com | http://dh-cn-beijing-int-vpc.aliyuncs.com
China South 1 (Shenzhen) | cn-shenzhen | https://dh-cn-shenzhen.aliyuncs.com | http://dh-cn-shenzhen.aliyun-inc.com | http://dh-cn-shenzhen-int-vpc.aliyuncs.com
Asia Pacific SE 1 (Singapore) | ap-southeast-1 | https://dh-singapore.aliyuncs.com | http://dh-singapore.aliyun-inc.com | http://dh-singapore-int-vpc.aliyuncs.com

DataHub permission control in RAM

DataHub resources

In RAM's access-control model, DataHub's resources are Projects, Topics and Subscriptions. Authorization is currently supported at the Project, Topic and Subscription level; Shards are not RAM resources, so there is no Shard-level access control (the Shard APIs listed below are authorized on the Topic that owns the shard). A Subscription is one subscription to a Topic in a specific Project.

Resource | Resource description in RAM
Project | acs:dhs:$region:$accountid:projects/$projectName
Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId

DataHub APIs and the matching RAM policy entries

Each API is authorized by one RAM action on one resource pattern. Substitute $region, $accountid, $projectName, $topicName and $subId with concrete values; a trailing * in the resource authorizes the operation on every child at that level.

Project

API | Action | Resource
CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/*
ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/*
DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName
GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName

Topic

API | Action | Resource
CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/*
ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/*
DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName

Subscription

API | Action | Resource
CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/*
DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId
GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId
UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId
ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/*
CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId
GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId

CommitOffset and GetOffset have no action of their own: both are authorized by dhs:GetSubscription on the subscription resource. A grant of dhs:GetSubscription therefore allows reading the subscription, fetching its offset and committing offsets on it; there is no way to grant offset commits without the read.

Connector

API | Action | Resource
CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/*
DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/*
GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/*
UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/*
ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/*

All Connector APIs, including Delete, Get and Update, are authorized against the connectors/* resource of a topic, so connector permissions can be scoped to a topic but not to a single connector.

Shard

API | Action | Resource
ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
MergeShard | dhs:MergeShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
SplitShard | dhs:SplitShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName

Shard operations are authorized on the Topic resource; a user who may split or merge shards may do so for every shard of that topic.

PubSub

API | Action | Resource
PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName
GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName

GetCursor is authorized by dhs:GetRecords, so a consumer needs only that action to obtain cursors and read records from a topic.

Conditions supported by DataHub

Condition | Purpose | Valid values
acs:SourceIp | restricts requests to a source IP range | plain IP addresses; the * wildcard is supported
acs:SecureTransport | whether the request was sent over HTTPS | true/false
acs:MFAPresent | whether the caller authenticated with multi-factor authentication (MFA) | true/false
acs:CurrentTime | restricts access to a time window | ISO 8601 timestamp

Note that the classic-network and VPC endpoints listed above are plain HTTP. A request sent through them has acs:SecureTransport equal to false, so an Allow statement that requires true will not match it; use the HTTPS public endpoint, or leave the condition out, for clients on those networks.
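The tables above define the inputs to an authorization decision: an API name resolves to an action, the request names a resource, and the policy's Action, Resource and Condition fields must all match. The following is an added example, not code from the DataHub documentation or SDK, that reproduces those documented semantics so a policy can be reasoned about before it is attached. It encodes the API-to-action mapping from the tables (including the shared actions for CommitOffset, GetOffset and GetCursor), matches Action and Resource with RAM's * wildcard, applies the four condition keys using RAM's operator names (IpAddress, Bool, StringEquals, DateGreaterThan/DateLessThan), and uses default-deny with an explicit Deny overriding any Allow. The policy, account ID, subscription ID and request contexts are constructed for illustration; RAM's own evaluator remains authoritative.

```python
"""Simulate how RAM authorizes a DataHub API call against a policy document.

Added example, not part of the DataHub documentation or SDK. Encodes the
API -> Action tables from this page; RAM's real evaluator is authoritative.
"""
import fnmatch
import ipaddress
import json

_API_NAMES = ("CreateProject ListProject DeleteProject GetProject CreateTopic ListTopic "
              "DeleteTopic GetTopic UpdateTopic CreateSubscription DeleteSubscription "
              "GetSubscription UpdateSubscription ListSubscription CreateConnector "
              "DeleteConnector GetConnector UpdateConnector ListConnector ListShard "
              "MergeShard SplitShard PutRecords GetRecords").split()
# Most APIs map to the action of the same name ...
API_ACTION = {api: "dhs:" + api for api in _API_NAMES}
# ... except these three, which reuse another action (see the Subscription and PubSub tables).
API_ACTION.update({"CommitOffset": "dhs:GetSubscription",
                   "GetOffset": "dhs:GetSubscription",
                   "GetCursor": "dhs:GetRecords"})


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _glob(pattern, value):
    # RAM's '*' matches any run of characters, including '/' and ':'. Actions and ARNs
    # contain none of fnmatch's other metacharacters ('?', '['), so fnmatch is exact here.
    return fnmatch.fnmatchcase(value, pattern)


def _any_match(patterns, value):
    return any(_glob(p, value) for p in _as_list(patterns))


def _ip_match(patterns, source_ip):
    """acs:SourceIp: CIDR blocks, plain addresses, or addresses with '*' wildcards."""
    ip = ipaddress.ip_address(source_ip)
    for p in _as_list(patterns):
        if "/" in p and ip in ipaddress.ip_network(p, strict=False):
            return True
        if "/" not in p and _glob(p, source_ip):
            return True
    return False


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a key missing from the request context fails."""
    for operator, keys in condition.items():
        for key, want in keys.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "IpAddress":
                ok = _ip_match(want, have)
            elif operator == "Bool":
                ok = str(have).lower() == str(want).lower()
            elif operator in ("StringEquals", "StringLike"):
                ok = _any_match(want, str(have))
            elif operator == "DateGreaterThan":   # assumes ISO 8601 UTC strings, which sort lexically
                ok = have > want
            elif operator == "DateLessThan":
                ok = have < want
            else:
                raise ValueError(f"condition operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, api, resource, ctx=None):
    """Default deny; an explicit Deny that matches overrides every Allow."""
    ctx = ctx or {}
    action = API_ACTION[api]
    allowed = False
    for st in policy["Statement"]:
        if not _any_match(st["Action"], action) or not _any_match(st["Resource"], resource):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed consumer policy: read foo/bar over HTTPS from 10.0.0.0/8, and handle
# offsets on its subscriptions (CommitOffset rides on dhs:GetSubscription).
CONSUMER_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["dhs:*Records", "dhs:GetTopic", "dhs:ListShard"],
   "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
   "Effect": "Allow",
   "Condition": {"Bool": {"acs:SecureTransport": "true"},
                 "IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
  {"Action": "dhs:GetSubscription",
   "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar/subscriptions/*",
   "Effect": "Allow"}]}""")

TOPIC = "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar"
SUB = TOPIC + "/subscriptions/14985645198374IoCK"
HTTPS_CTX = {"acs:SecureTransport": "true", "acs:SourceIp": "10.1.2.3"}   # constructed
HTTP_CTX = {"acs:SecureTransport": "false", "acs:SourceIp": "10.1.2.3"}   # e.g. a VPC endpoint


def demo():
    """Decisions for the calls a consumer makes, evaluated against CONSUMER_POLICY."""
    return {
        "get_records": is_allowed(CONSUMER_POLICY, "GetRecords", TOPIC, HTTPS_CTX),
        "get_cursor": is_allowed(CONSUMER_POLICY, "GetCursor", TOPIC, HTTPS_CTX),      # via dhs:GetRecords
        "list_shard": is_allowed(CONSUMER_POLICY, "ListShard", TOPIC, HTTPS_CTX),      # topic ARN, not a shard
        "commit_offset": is_allowed(CONSUMER_POLICY, "CommitOffset", SUB, HTTPS_CTX),  # via dhs:GetSubscription
        "split_shard": is_allowed(CONSUMER_POLICY, "SplitShard", TOPIC, HTTPS_CTX),
        "plain_http": is_allowed(CONSUMER_POLICY, "GetRecords", TOPIC, HTTP_CTX),
        "other_topic": is_allowed(CONSUMER_POLICY, "GetRecords", TOPIC.replace("bar", "baz"), HTTPS_CTX),
    }
```

Running demo() shows the points a policy author most often gets wrong: GetCursor and CommitOffset succeed without actions of their own, ListShard succeeds on the topic ARN, SplitShard is refused because dhs:*Shard was not granted, and the same GetRecords call is refused over plain HTTP because the acs:SecureTransport condition fails.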

DataHub system policies

RAM currently ships no policy template for DataHub, so you must define the policies yourself: in the RAM console, go to Policies -> Custom Policies -> Create Policy and paste a document such as the ones below.

AliyunDataHubFullAccess

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dhs:*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

AliyunDataHubReadOnlyAccess

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:List*", "dhs:Get*"],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

Display in the web console

The web console calls ListProject and GetProject to render the project list, so a RAM user whose policy grants only topic-level permissions will see no projects there even though API calls succeed. To make the projects the user may access visible, add the following statement to the policy's Statement array:

    {
        "Action": ["dhs:ListProject", "dhs:GetProject"],
        "Resource": "acs:dhs:*:*:projects/*",
        "Effect": "Allow"
    }

Creating a topic in the web console

Showing the topics on a project page requires ListTopic and GetTopic. A policy that lets a user create topics under the project named test from the web console looks like this:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:ListProject", "dhs:GetProject"],
                "Resource": "acs:dhs:*:*:projects/*",
                "Effect": "Allow"
            },
            {
                "Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
                "Resource": "acs:dhs:*:*:projects/test/topics/*",
                "Effect": "Allow"
            }
        ]
    }

DataHub custom policy examples

Allow the user only to read information about the topics in a given Project:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:ListTopic", "dhs:GetTopic"],
                "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
                "Effect": "Allow"
            }
        ]
    }

PubSub: besides PutRecords and GetRecords, a publishing or subscribing client usually needs the topic's schema and the state of its shards, so grant GetTopic and ListShard on the same topic as well:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:*Records", "dhs:GetTopic", "dhs:ListShard"],
                "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
                "Effect": "Allow"
            }
        ]
    }

PubSub on every topic in the account:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:*Records", "dhs:GetTopic", "dhs:ListShard"],
                "Resource": "acs:dhs:cn-hangzhou:12121312:*",
                "Effect": "Allow"
            }
        ]
    }

Subscription policy example 1: grant the user every subscription permission on all topics in project foo:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:*Subscription"],
                "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
                "Effect": "Allow"
            }
        ]
    }

Subscription policy example 2: grant the user only the permission to list subscriptions in project foo:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:ListSubscription"],
                "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
                "Effect": "Allow"
            }
        ]
    }

Subscription policy example 3: grant the user only the permission to commit offsets on the subscription 14985645198374IoCK of topic t1 in project foo. CommitOffset is authorized by dhs:GetSubscription, so this grant also lets the user read that subscription and fetch its current offset, but nothing outside that one subscription:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:GetSubscription"],
                "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
                "Effect": "Allow"
            }
        ]
    }

Split or merge the shards of a given Topic. dhs:*Shard expands to ListShard, SplitShard and MergeShard, all of which are authorized on the topic resource:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["dhs:*Shard"],
                "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
                "Effect": "Allow"
            }
        ]
    }
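The examples above show the shapes a DataHub policy can take, from a single subscription up to dhs:* on every resource. Before one of them is attached to a RAM user it is worth running a few mechanical checks. The following is an added example, not part of the DataHub documentation or tooling, that lints a policy document for the mistakes that matter most: JSON that will not parse (a missing quotation mark is enough), dhs:* or destructive actions on every resource, wildcard account or region fields, PutRecords/GetRecords grants with no Condition, and the companion permissions this page says clients (GetTopic and ListShard) and the web console (ListProject and GetProject) need. The action list is the one documented on this page; the rule names, severities and the sample policy strings are this example's own.

```python
"""Static least-privilege review of DataHub RAM policy documents.

Added example, not part of the DataHub documentation or tooling. The action
list is the one documented on this page; the rules and severities are ours.
"""
import fnmatch
import json

DHS_ACTIONS = ["dhs:" + a for a in (
    "CreateProject ListProject DeleteProject GetProject CreateTopic ListTopic "
    "DeleteTopic GetTopic UpdateTopic CreateSubscription DeleteSubscription "
    "GetSubscription UpdateSubscription ListSubscription CreateConnector "
    "DeleteConnector GetConnector UpdateConnector ListConnector ListShard "
    "MergeShard SplitShard PutRecords GetRecords").split()]
DESTRUCTIVE = {"dhs:DeleteProject", "dhs:DeleteTopic", "dhs:DeleteSubscription",
               "dhs:DeleteConnector", "dhs:MergeShard", "dhs:SplitShard"}
DATA_PLANE = {"dhs:PutRecords", "dhs:GetRecords"}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def expand_actions(patterns):
    """Resolve wildcard patterns such as dhs:*Records or dhs:* to concrete actions."""
    return {a for p in _as_list(patterns) for a in DHS_ACTIONS if fnmatch.fnmatchcase(a, p)}


def lint_policy(text):
    """Return (severity, message) findings for one policy document, in check order."""
    findings = []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})")]
    granted = {}  # resource pattern -> actions allowed on it, merged across statements
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = expand_actions(st.get("Action", []))
        for res in _as_list(st.get("Resource", [])):
            granted.setdefault(res, set()).update(actions)
            parts = res.split(":", 4)  # acs:dhs:$region:$accountid:$relative-id
            everything = res == "*" or (len(parts) == 5 and parts[4] == "*")
            if everything and actions == set(DHS_ACTIONS):
                findings.append(("high", f"statement {i}: all DataHub actions on every resource"))
            elif everything and actions & DESTRUCTIVE:
                findings.append(("high", f"statement {i}: destructive actions "
                                         f"{sorted(actions & DESTRUCTIVE)} on every resource"))
            if len(parts) == 5 and parts[3] == "*":
                findings.append(("low", f"statement {i}: account id is '*' in {res}; "
                                        "pin it to your own account id"))
            if len(parts) == 5 and parts[2] == "*" and actions & DESTRUCTIVE:
                findings.append(("medium", f"statement {i}: destructive actions in every region via {res}"))
        if actions & DATA_PLANE and "Condition" not in st:
            findings.append(("info", f"statement {i}: PutRecords/GetRecords with no Condition; "
                                     "consider acs:SourceIp or acs:SecureTransport"))
    for res, actions in granted.items():
        if actions & DATA_PLANE and not {"dhs:GetTopic", "dhs:ListShard"} <= actions:
            findings.append(("warn", f"PubSub on {res} without dhs:GetTopic and dhs:ListShard, "
                                     "which clients need for the schema and shard list"))
    all_actions = set().union(*granted.values()) if granted else set()
    if all_actions and not {"dhs:ListProject", "dhs:GetProject"} <= all_actions:
        findings.append(("info", "no dhs:ListProject/dhs:GetProject grant; "
                                 "the web console will not show these projects"))
    return findings


# Policy documents from this page, embedded as constructed input for the linter.
FULL_ACCESS = '{"Version": "1", "Statement": [{"Action": "dhs:*", "Resource": "*", "Effect": "Allow"}]}'
PUBSUB_FOO_BAR = json.dumps({"Version": "1", "Statement": [{
    "Action": ["dhs:*Records", "dhs:GetTopic", "dhs:ListShard"],
    "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar", "Effect": "Allow"}]})
SUBSCRIPTIONS_FOO = json.dumps({"Version": "1", "Statement": [{
    "Action": ["dhs:*Subscription"],
    "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*", "Effect": "Allow"}]})
# A hand-edited policy with the quotation mark before dhs:ListShard left out (constructed).
BROKEN = ('{"Version": "1", "Statement": [{"Action": ["dhs:*Records", "dhs:GetTopic", dhs:ListShard"],'
          ' "Resource": "acs:dhs:cn-hangzhou:12121312:*", "Effect": "Allow"}]}')


def demo():
    return {name: lint_policy(text) for name, text in [
        ("AliyunDataHubFullAccess", FULL_ACCESS), ("pubsub foo/bar", PUBSUB_FOO_BAR),
        ("subscriptions foo", SUBSCRIPTIONS_FOO), ("broken json", BROKEN)]}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for severity, message in findings or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

The console-visibility and companion-permission rules are deliberately informational: a headless producer does not need ListProject, and a policy that only manages subscriptions never needs GetTopic. The point of the linter is to make those omissions a conscious decision rather than a surprise after the policy is live.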