Authorization overview

更新时间:
复制 MD 格式

This topic describes key information about granting permissions, including authorization scenarios, the permission model, console differences, the authorization process, and how to grant access based on your logon method.

Notes

When you first activate Realtime Compute for Apache Flink, the activation page prompts you to complete an automated authorization. You are redirected to RAM, where you click Agree to Authorization on the Cloud Resource Access Authorization page. After you complete the authorization, your Alibaba Cloud account has access to both the Management Console and the Development Console, and can call the resources of related cloud services.

If you need to share a workspace with other users and grant them granular permissions, follow the instructions in this topic to configure authorization for them.

Authorization

Scenarios

Scenario

Description

Authorization strategy

Authorization method

Administrative operations

If a user needs to perform administrative operations, such as purchasing a workspace, purchasing resources, or adjusting resource configurations, the user must log on to the Management Console.

  • Full access: To grant a user all permissions on this console, attach the AliyunStreamFullAccess system policy.

  • Granular permissions: For fine-grained control over user permissions, create a custom policy and assign it to the user as needed.

Authorize access to the Management Console

Development and O&M operations

If a user needs to perform operations such as job development, debugging, or O&M, the user must log on to the Development Console.

  • Full access: To grant a user all permissions on the Development Console for a namespace, assign the Owner role to the user.

  • Granular permissions: For fine-grained control over user permissions, create a custom role and assign it to the user as needed.

Authorize access to the Development Console

Permission model

Management console

Permissions for the Management Console are managed by an Alibaba Cloud account in the RAM console by attaching policies to RAM users or RAM identities. The scope of these policies covers all resources within the Alibaba Cloud account, including those for Realtime Compute for Apache Flink and related services.

Development console

Permissions for the Development Console are managed by an Alibaba Cloud account in the Development Console by assigning roles to RAM users or other Alibaba Cloud accounts. The scope of these roles covers all permissions for the primary and secondary features of the Development Console.

Consoles

Before you log on and grant permissions, you must identify which console to authorize. Realtime Compute for Apache Flink provides a Management Console and a Development Console. The following table describes the differences in their user interfaces (UIs) and purposes.

Console

UI

Purpose

Management Console

The Overview page displays a Flink Fully Managed product card at the top, which provides Quick Start and Buy Now entry points. Below this card is a list of workspaces with columns such as Workspace Status, Used/Purchased CUs, and Billing Method. In the Actions column, click Console to go to the corresponding workspace. Click More to perform administrative operations such as scaling or releasing resources.

View, purchase, and release workspaces, adjust resources, clone namespaces, and switch OSS buckets for fully managed storage.

Development Console

The Development Console consists of the following areas: the left-side navigation pane provides entry points for features such as Data Development, Data Management, Data Lineage, O&M Center (including Job O&M, Queue Management, Session Management, and Configuration Management), Connectors, File Management, and Security Services. The file tree on the left is used to manage job drafts. The top toolbar includes buttons for operations such as New, Save, Format, Deep Check, Debug, Deploy, and Go to O&M. The central area is the SQL editor, which is used to write and edit Flink SQL scripts.

In a target namespace, you can perform operations such as job development, O&M, and namespace authorization.

Authorization process

Before granting permissions, the administrator (the Alibaba Cloud account that purchased the workspace or another user with the required permissions) must determine the use case, identify the required console, and choose an authorization strategy (granting a system policy/role or creating a custom one). Then, complete the authorization by following the specific authorization method for the target console.

Authorization by logon method

Alibaba Cloud account logon

Important

The Alibaba Cloud account that purchased the workspace has full permissions on the Management Console and Development Console by default and requires no separate authorization. If another Alibaba Cloud account needs to access the Realtime Compute consoles, you can grant permissions as described in the following instructions.

Logon method

Target console

Authorization

Alibaba Cloud account

Management Console

Other Alibaba Cloud accounts cannot be granted access to the Management Console.

Development Console

RAM user logon

Logon method

Target console

Authorization

RAM user

Management Console

Development Console

RAM role logon

Important

When logging on by assuming a RAM role, the corresponding RAM user must have the AliyunSTSAssumeRoleAccess permission to assume RAM roles.

Logon method

Target console

Authorization

A RAM user assuming a role from an Alibaba Cloud account

Management Console

Development Console

For example, if a RAM user from account A and another from account B both assume the same role in account A, the authorized principal is the role itself, regardless of which user assumes it.

Resource Directory member logon

Logon method

Target console

Authorization

Log on as a root user (Alibaba Cloud account)

Management Console

No separate authorization is required.

Development Console

A RAM user of the management account logs on by assuming a RAM role of a member

Management Console

In most cases, no separate authorization is required.

Development Console

Log on as a RAM user of a member

Management Console

Development Console

A CloudSSO user logs on by assuming a RAM role

Management Console

Development Console

A CloudSSO user logs on as a RAM user

Management Console

Development Console

Key concepts

Account types

Account type

Description

Alibaba Cloud account

An Alibaba Cloud account is the fundamental entity that owns Alibaba Cloud resources and is used for metering and billing. It has full access to all purchased products. For more information about the registration process, see Create an Alibaba Cloud Account.

RAM user

A RAM user is an entity identity in RAM that represents a person or application that needs to access Alibaba Cloud resources. After you create and authorize a RAM user, the user can access cloud resources based on the granted permissions. For more information, see Create a RAM user.

RAM role

A RAM role is a virtual user that can be granted a set of policies. Unlike a RAM user, a RAM role has no permanent credentials such as a logon password or an AccessKey pair. A trusted entity must assume the role to use it. For more information, see RAM role overview.

Resource Directory member

Resource Directory (RD) is a service that allows enterprise customers to manage multi-level relationships between accounts and resources. A member is a resource account created in Resource Directory to host specific projects or applications on Alibaba Cloud. For more information, see What is Resource Directory?.

Permission

Alibaba Cloud uses permissions to describe what a RAM identity (RAM user, RAM user group, or RAM role) can do to specific resources:

  • The Alibaba Cloud account (resource owner) controls all permissions

    • Each resource has exactly one owner, which must be an Alibaba Cloud account. The owner has full control over the resource.

    • The resource owner is not necessarily the resource creator. For example, if a RAM identity is granted permission to create resources, the created resources belong to the Alibaba Cloud account. In this case, the RAM identity is the creator but not the owner.

  • RAM identities (operators) have no permissions by default

    • A RAM identity represents an operator. All of its operations must be explicitly authorized by an Alibaba Cloud account.

    • A newly created RAM identity has no permissions by default. It can operate on resources through the console or API only after the Alibaba Cloud account grants it permissions.

Policy

A policy is a set of permissions defined with a specific syntax and structure. It specifies the authorized resources, actions, and conditions. For more information about the policy elements and language specifications supported by RAM, see Policy elements and Policy structure and syntax.

RAM supports the following types of policies:

  • System policies: Created and maintained by Alibaba Cloud. You can use but cannot modify them.

  • Custom policies: Created and maintained by users. You can create, update, and delete them yourself.

You can grant access permissions to a RAM identity by attaching policies. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.