Because Hologres and DataWorks are deeply integrated, you might encounter permission errors during development. This topic explains how to resolve several common issues.
Common issues
Follow these links for solutions to common permission issues.
- The + Bind HologresDB button is grayed out in the workspace configuration
- Environment initialization fails when binding a Hologres database
- A "permission denied" error occurs during a query in DataService Studio
- A "permission denied for schema xxx" error occurs in the DataWorks production environment
The Bind HologresDB button is grayed out
- Symptom
  When you try to bind a Hologres database on the Compute Engine Information tab of the workspace configuration page in the DataWorks console, the + Bind HologresDB button is grayed out.
- Cause
  - The RAM user does not have administrative permissions for the workspace.
  - The RAM user does not have development permissions for the instance.
- Solution
  - If the RAM user does not have administrative permissions for the workspace, grant the required permissions to the user on the Member Management page. For more information, see Manage permissions on workspace-level services.
  - If the RAM user does not have development permissions for the instance, grant the permissions in Hologres based on the user permission model in use.
    - To grant permissions in the simple permission model, see Add a user.
    - To grant permissions in the standard PostgreSQL authorization model, see Grant permissions in the standard PostgreSQL authorization model.
Environment initialization fails during binding
- Symptom
  After you configure parameters in the Bind HologresDB dialog box in the DataWorks console, you receive an error that binding and environment initialization failed.
- Cause
  After binding a compute engine, you must initialize its network environment, which is the exclusive resource group it will use for scheduling. This initialization establishes network connectivity between the Hologres instance and the DataWorks resource group, which is necessary for tasks to run.
  Note: Some types of Hologres instances do not require initialization. If the UI indicates that initialization is not required, you can immediately start using the engine for data development.
- Solution
  - Grant initialization permissions.
    If you lack the required permissions, you cannot check the network environment, and the system will prompt you for authorization. Therefore, grant the following policies before checking the network environment.
    - Policy 1: AliyunHologresFullAccess
      This policy provides access to detailed information about the Hologres instance and its network. For more information, see Grant the AliyunHologresFullAccess policy.
    - Policy 2: Create the following custom policy.
      This policy allows you to connect the Hologres and DataWorks networks, manage resource groups, and complete the binding process. For more information, see Create a custom policy. The policy contains the following content.
      ```json
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "dataworks:*ResourceGroup",
            "Resource": "acs:dataworks:*:*:exclusive_resource_group/*"
          },
          {
            "Effect": "Allow",
            "Action": "dataworks:Get*",
            "Resource": "acs:dataworks:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "ecs:DescribeSecurityGroups",
            "Resource": "acs:ecs:*:*:securitygroup/*"
          },
          {
            "Effect": "Allow",
            "Action": "vpc:DescribeVpcs",
            "Resource": "acs:vpc:*:*:vpc/*"
          },
          {
            "Effect": "Allow",
            "Action": "vpc:DescribeVSwitches",
            "Resource": "acs:vpc:*:*:vswitch/*"
          }
        ]
      }
      ```
  - Check and initialize the network environment.
    You must select the exclusive resource group for scheduling engine tasks and then complete the initialization. If the required resource group is not available, create one by following the instructions in Add and use an exclusive resource group for scheduling. The UI displays the Hologres instance network information, which includes the instance name, VPC, and VSwitch for both the production and development environments. From the DataWorks exclusive resource group for scheduling drop-down list, select a resource group and verify that the initialization status is Completed.
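An added example, not part of the original documentation: a small Python check of what the custom policy above (Policy 2) grants. It uses a simplified matcher (Allow statements only, `*` as the sole wildcard, no Deny or Condition handling) and is not the RAM evaluation engine. The region, account ID, resource names and the `dataworks:` action names in the samples are constructed placeholders.

```python
import json
import re

# The custom policy from this page, one statement per line.
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Effect": "Allow", "Action": "dataworks:*ResourceGroup", "Resource": "acs:dataworks:*:*:exclusive_resource_group/*"},
 {"Effect": "Allow", "Action": "dataworks:Get*", "Resource": "acs:dataworks:*:*:*"},
 {"Effect": "Allow", "Action": "ecs:DescribeSecurityGroups", "Resource": "acs:ecs:*:*:securitygroup/*"},
 {"Effect": "Allow", "Action": "vpc:DescribeVpcs", "Resource": "acs:vpc:*:*:vpc/*"},
 {"Effect": "Allow", "Action": "vpc:DescribeVSwitches", "Resource": "acs:vpc:*:*:vswitch/*"}
]}
""")

def _matches(pattern, value):
    # Simplified model: "*" matches any run of characters, the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and any(_matches(a, action) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def wildcard_actions(policy):
    """Action patterns that cover more than one action name, for review."""
    return [a for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt["Action"]) if "*" in a]

# Constructed requests: every ARN field and the dataworks action names are placeholders.
ARN = "acs:{svc}:cn-hangzhou:1234567890123456:{res}"
SAMPLES = [
    ("dataworks:ListResourceGroup", ARN.format(svc="dataworks", res="exclusive_resource_group/rg-demo")),
    ("dataworks:DeleteResourceGroup", ARN.format(svc="dataworks", res="exclusive_resource_group/rg-demo")),
    ("dataworks:UpdateExample", ARN.format(svc="dataworks", res="workspace/demo")),
    ("vpc:DeleteVpc", ARN.format(svc="vpc", res="vpc/vpc-demo")),
]

if __name__ == "__main__":
    print("wildcard action patterns:", wildcard_actions(POLICY))
    for action, resource in SAMPLES:
        print("ALLOW" if is_allowed(POLICY, action, resource) else "deny ", action, resource)
```

The two `dataworks:` patterns are the ones to look at when reviewing this grant: `dataworks:*ResourceGroup` matches every action name that ends in `ResourceGroup`, while the `ecs:` and `vpc:` statements each name a single Describe action.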
Binding fails due to a duplicate instance name
- Symptom
  After you configure parameters in the Bind HologresDB dialog box and click OK, you receive the error message: "A compute engine instance with the same name already exists" or "Internal tenant system error."
- Cause
  The Instance Display Name of the Hologres instance conflicts with an existing instance.
- Solution
  Change the Instance Display Name and click OK again.
"Permission denied" error in DataService Studio
- Symptom
  When you query a table on the DataService Studio page in the DataWorks console, you receive the error "Execution failed: ERROR: permission denied for table xxxx".
- Cause
  The user account for the DataService Studio configuration lacks query permissions on the table.
- Solution
  - Verify that the correct account is configured for the Hologres data source in DataService Studio.
    Log on to the DataWorks console, go to the Data Source Management page, and check the user account configuration for the data source. For more information, see Configure a Hologres data source.
  - Check whether the account configured for the Hologres data source has permission to view the table.
    Log on to the DataWorks console, go to the Data Source Management page, and check the permission configuration of the data source account. For more information, see Configure a data source by using RAM role-based authorization.
  For more information about DataWorks permissions and authorization, see Appendix: List of preset roles and permissions (workspace level).
Production environment error: permission denied for schema xxx
- Symptom
  When you publish an SQL task to run in the production environment in DataWorks, you receive the error "permission denied for schema xxx".
- Cause
  The account for the production environment lacks access permissions to the instance's schema.
- Solution
  - Go to the DataWorks workspace configuration page to identify the account bound to the production environment. For details, see Create and manage a workspace. You can find this configuration on the Hologres tab within the Compute Engine Information section, under the Access Identity setting for the target instance.
  - Log on to HoloWeb and navigate to the Security Center page. On the Users or Database Authorization page, view the permissions of the production environment account.
  - If the account lacks the required permissions, grant them on the Users or Database Authorization page. For more information, see Manage DBs.