Managing permissions for the vector API through RAM
This topic describes how to use Alibaba Cloud Resource Access Management (RAM) to create permission policies for the vector API of AnalyticDB for PostgreSQL, so that access can be controlled at a fine-grained level. By granting each RAM user only the API operations it needs, access stays secure and isolated between users.
RAM overview
RAM users
A RAM user is one type of RAM identity. You can create RAM users under your Alibaba Cloud account (the primary account) and grant them permissions, so that different RAM users have access to different resources.
Permission policies
A permission allows or denies specific operations on specific resources under specific conditions; a permission policy is a set of such permissions.
RAM supports the following two types of permission policies:
System policies managed by Alibaba Cloud: created by Alibaba Cloud. Users can only attach them, not modify them, and version updates are handled by Alibaba Cloud.
Custom policies: created and maintained by you. The policies shown in this topic are custom policies.
The system policies for AnalyticDB for PostgreSQL are:
AliyunGPDBFullAccess: full management permissions on AnalyticDB for PostgreSQL.
AliyunGPDBReadOnlyAccess: read-only access to AnalyticDB for PostgreSQL.
Procedure
To grant a RAM user permissions on the vector API, follow these steps:
Policy examples
When you create a permission policy, the Resource field specifies the scope of resources being authorized and the Action field names the specific operations. Resource takes the form acs:gpdb:{region}:{owner_ali_uid}:{resource_name}/{resource_id}. The parameters are as follows; "*" can be used as a wildcard in any of them to match any value.
region: the region in which the instance resides
owner_ali_uid: the ID of the primary account
resource_name: the resource type name
resource_id: the resource ID
The examples in this topic use instance ID gp-test1 and primary account ID 123456; replace these with your own values.
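Because the console rejects a policy document that is not strict JSON, and a Resource string with a missing segment silently matches nothing, it is worth checking a policy before attaching it. The following Python validator is an added example, not code from this documentation or from Alibaba Cloud: it parses the document strictly, checks Version, Effect and the gpdb: action prefix, splits each Resource string into the four fields described above, and flags wildcards that widen the grant to the whole account. The character classes in the regular expression and the two sample policies (one scoped to gp-test1, one with a trailing comma) are assumptions constructed for the example.

```python
import json
import re

# Resource format documented on this page:
#   acs:gpdb:{region}:{owner_ali_uid}:{resource_name}/{resource_id}
# Any field may be "*" to match every value. The character classes below are
# an assumption made for this example, not an official RAM grammar.
RESOURCE_RE = re.compile(
    r"^acs:gpdb:(?P<region>[a-z0-9-]+|\*):(?P<owner_ali_uid>\d+|\*):"
    r"(?P<resource_name>[a-z]+|\*)/(?P<resource_id>[^/\s]+)$"
)


def parse_resource(arn):
    """Split a gpdb resource string into its four fields, or raise ValueError."""
    m = RESOURCE_RE.match(arn)
    if m is None:
        raise ValueError(f"malformed gpdb resource: {arn!r}")
    return m.groupdict()


def validate_policy(text):
    """Return (errors, warnings) for a policy document given as JSON text.

    Strict JSON parsing is the point: a trailing comma that a lenient editor
    tolerates is rejected when the policy is saved, so catch it here.
    """
    errors, warnings = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"], warnings
    if doc.get("Version") != "1":
        errors.append('Version must be the string "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        errors.append("Statement must be a non-empty list")
        return errors, warnings
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        for action in st.get("Action", []):
            if not action.startswith("gpdb:"):
                errors.append(f"statement {i}: {action!r} is not a gpdb action")
        for res in st.get("Resource", []):
            if res == "*":
                warnings.append(f'statement {i}: Resource "*" covers every instance in the account')
                continue
            try:
                fields = parse_resource(res)
            except ValueError as e:
                errors.append(f"statement {i}: {e}")
                continue
            if fields["resource_id"] == "*":
                warnings.append(f"statement {i}: {res} covers every {fields['resource_name']} resource")
    return errors, warnings


# Constructed inputs for the demonstration. The first reuses the page's
# example values (instance gp-test1, account 123456); the second carries a
# trailing comma, the kind of copy-paste slip that breaks a policy.
SCOPED_POLICY = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["gpdb:QueryCollectionData", "gpdb:TextEmbedding"],
      "Resource": [
        "acs:gpdb:*:123456:dbinstance/gp-test1",
        "acs:gpdb:*:123456:collection/gp-test1"
      ],
      "Condition": {}
    }
  ]
}"""

BROKEN_POLICY = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["gpdb:TextEmbedding",],
      "Resource": ["acs:gpdb:*:123456:dbinstance/gp-test1"]
    }
  ]
}"""

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED_POLICY), ("broken", BROKEN_POLICY)):
        errors, warnings = validate_policy(text)
        print(name, "errors:", errors, "warnings:", warnings)
```

Run it as a pre-commit step for the policy files you keep in version control; the warnings are review prompts rather than failures, since a wildcard resource is sometimes intended.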
Granting all vector API operations
The following policy grants every vector-related API operation on all instances:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:InitVectorDatabase",
        "gpdb:CreateNamespace",
        "gpdb:DeleteNamespace",
        "gpdb:DescribeNamespace",
        "gpdb:ListNamespaces",
        "gpdb:CreateDocumentCollection",
        "gpdb:ListDocumentCollections",
        "gpdb:DeleteDocumentCollection",
        "gpdb:UpsertChunks",
        "gpdb:UploadDocumentAsync",
        "gpdb:GetUploadDocumentJob",
        "gpdb:CancelUploadDocumentJob",
        "gpdb:QueryContent",
        "gpdb:ListDocuments",
        "gpdb:DescribeDocument",
        "gpdb:DeleteDocument",
        "gpdb:CreateCollection",
        "gpdb:DescribeCollection",
        "gpdb:ListCollections",
        "gpdb:DeleteCollection",
        "gpdb:GrantCollection",
        "gpdb:CancelUpsertCollectionDataJob",
        "gpdb:GetUpsertCollectionDataJob",
        "gpdb:UpsertCollectionData",
        "gpdb:UpsertCollectionDataAsync",
        "gpdb:QueryCollectionData",
        "gpdb:UpdateCollectionDataMetadata",
        "gpdb:DeleteCollectionData",
        "gpdb:CreateVectorIndex",
        "gpdb:DeleteVectorIndex",
        "gpdb:ChatWithKnowledgeBase",
        "gpdb:ChatWithKnowledgeBaseStream",
        "gpdb:QueryKnowledgeBasesContent",
        "gpdb:TextEmbedding",
        "gpdb:Rerank"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    }
  ]
}
Restricting to specific instances: the operations above belong to the dbinstance, namespace, collection and document resource types. To allow operations only on certain instances, change the Resource field, for example:
"Resource": [
  "acs:gpdb:*:123456:dbinstance/gp-test1",
  "acs:gpdb:*:123456:document/gp-test1",
  "acs:gpdb:*:123456:collection/gp-test1",
  "acs:gpdb:*:123456:namespace/gp-test1"
]
LlamaIndex integration
When LlamaIndex uses AnalyticDB for PostgreSQL as its vector store, the following policy is sufficient:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:InitVectorDatabase",
        "gpdb:CreateNamespace",
        "gpdb:DescribeNamespace",
        "gpdb:CreateCollection",
        "gpdb:DescribeCollection",
        "gpdb:DeleteCollection",
        "gpdb:UpsertCollectionData",
        "gpdb:QueryCollectionData",
        "gpdb:DeleteCollectionData"
      ],
      "Resource": [
        "acs:gpdb:*:123456:dbinstance/gp-test1",
        "acs:gpdb:*:123456:collection/gp-test1",
        "acs:gpdb:*:123456:namespace/gp-test1"
      ],
      "Condition": {}
    }
  ]
}
Dify plugin
When you use the Dify plugin for the AnalyticDB for PostgreSQL RAG service, the following policy applies:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:InitVectorDatabase",
        "gpdb:CreateNamespace",
        "gpdb:DeleteNamespace",
        "gpdb:DescribeNamespace",
        "gpdb:ListNamespaces",
        "gpdb:CreateDocumentCollection",
        "gpdb:ListDocumentCollections",
        "gpdb:DeleteDocumentCollection",
        "gpdb:UpsertChunks",
        "gpdb:UploadDocumentAsync",
        "gpdb:GetUploadDocumentJob",
        "gpdb:CancelUploadDocumentJob",
        "gpdb:QueryContent",
        "gpdb:ListDocuments",
        "gpdb:DescribeDocument",
        "gpdb:DeleteDocument",
        "gpdb:CancelUpsertCollectionDataJob",
        "gpdb:GetUpsertCollectionDataJob",
        "gpdb:UpdateCollectionDataMetadata",
        "gpdb:ChatWithKnowledgeBase",
        "gpdb:ChatWithKnowledgeBaseStream",
        "gpdb:QueryKnowledgeBasesContent",
        "gpdb:TextEmbedding",
        "gpdb:Rerank"
      ],
      "Resource": [
        "acs:gpdb:*:123456:dbinstance/gp-test1",
        "acs:gpdb:*:123456:namespace/gp-test1",
        "acs:gpdb:*:123456:collection/gp-test1",
        "acs:gpdb:*:123456:document/gp-test1"
      ],
      "Condition": {}
    }
  ]
}
Dify integration
When Dify uses AnalyticDB for PostgreSQL as its vector database, the following policy is sufficient:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:InitVectorDatabase",
        "gpdb:DescribeNamespace",
        "gpdb:CreateNamespace",
        "gpdb:DescribeCollection",
        "gpdb:CreateCollection",
        "gpdb:UpsertCollectionData",
        "gpdb:QueryCollectionData",
        "gpdb:DeleteCollectionData",
        "gpdb:DeleteCollection"
      ],
      "Resource": [
        "acs:gpdb:*:123456:dbinstance/gp-test1",
        "acs:gpdb:*:123456:namespace/gp-test1",
        "acs:gpdb:*:123456:collection/gp-test1"
      ],
      "Condition": {}
    }
  ]
}
Data API
Access through the Data API involves two groups of operations, secret operations and dataapi operations, each on its own resource type. Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:ListDatabases",
        "gpdb:ListSchemas",
        "gpdb:ListTables",
        "gpdb:DescribeTable",
        "gpdb:ExecuteStatement"
      ],
      "Resource": [
        "acs:gpdb:*:123456:dataapi/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:GetSecretValue",
        "gpdb:CreateSecret",
        "gpdb:DeleteSecret",
        "gpdb:ListSecrets"
      ],
      "Resource": [
        "acs:gpdb:*:123456:secret/*"
      ],
      "Condition": {}
    }
  ]
}
CreateSecret and GetSecretValue handle the instance's database username and password. For stricter separation of duties, for example so that an administrator (RAM user A) can create instance accounts and passwords while an application developer (RAM user B) can only use the Data API and can never retrieve the instance password, configure the following.
1. Grant the administrator (RAM user A) permission to manage secrets:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:GetSecretValue",
        "gpdb:CreateSecret",
        "gpdb:DeleteSecret",
        "gpdb:ListSecrets"
      ],
      "Resource": [
        "acs:gpdb:*:123456:secret/*"
      ],
      "Condition": {}
    }
  ]
}
2. The administrator (RAM user A) calls the CreateSecret operation and obtains the secret ARN (for example acs:gpdb:cn-hangzhou:123456:secret/Foo-C9D56DF3-269D-4C92-9D38-8F647292****).
3. Grant the application developer (RAM user B) permission to run Data API operations with that specific secret only:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:ListDatabases",
        "gpdb:ListSchemas",
        "gpdb:ListTables",
        "gpdb:DescribeTable",
        "gpdb:ExecuteStatement"
      ],
      "Resource": [
        "acs:gpdb:*:123456:dataapi/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "gpdb:UseSecret"
      ],
      "Resource": [
        "acs:gpdb:*:123456:secret/Foo-C9D56DF3-269D-4C92-9D38-8F647292****"
      ],
      "Condition": {}
    }
  ]
}
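The value of both patterns on this page, scoping a vector policy to one instance and splitting secret management from secret use, is easiest to see by evaluating concrete requests against the policies. The following Python script is an added example and not code from this documentation or from Alibaba Cloud: it implements a small local evaluator (default deny, explicit Deny wins, "*" matches any run of characters, which is an assumption of this example rather than a description of RAM's real evaluation logic) and runs it against the administrator and developer policies from the steps above and the instance-scoped Resource list from the LlamaIndex section. The second instance gp-other, the secret Bar-0000-CONSTRUCTED and the dataapi resource ID gp-test1 are constructed request values, not values from the page.

```python
import fnmatch


def _matches(pattern, value):
    """Wildcard match where "*" stands for any run of characters.

    fnmatchcase is used for brevity; treating "*" this way is an assumption
    of this example, not a statement of how RAM evaluates policies.
    """
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Evaluate one request against the policies attached to a RAM user.

    Default deny: the request is allowed only if some Allow statement matches
    both the action and the resource, and no Deny statement matches.
    """
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(_matches(a, action) for a in st["Action"]):
                continue
            if not any(_matches(r, resource) for r in st["Resource"]):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Policies taken from this page (instance gp-test1, account 123456).
ADMIN_SECRETS = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["gpdb:GetSecretValue", "gpdb:CreateSecret",
                   "gpdb:DeleteSecret", "gpdb:ListSecrets"],
        "Resource": ["acs:gpdb:*:123456:secret/*"],
        "Condition": {},
    }],
}

FOO_SECRET = "acs:gpdb:cn-hangzhou:123456:secret/Foo-C9D56DF3-269D-4C92-9D38-8F647292****"

DEVELOPER_DATA_API = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["gpdb:ListDatabases", "gpdb:ListSchemas", "gpdb:ListTables",
                       "gpdb:DescribeTable", "gpdb:ExecuteStatement"],
            "Resource": ["acs:gpdb:*:123456:dataapi/*"],
            "Condition": {},
        },
        {
            "Effect": "Allow",
            "Action": ["gpdb:UseSecret"],
            "Resource": [FOO_SECRET],
            "Condition": {},
        },
    ],
}

# Vector-API policy scoped to one instance (Resource list of the LlamaIndex example).
SCOPED_VECTOR = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["gpdb:QueryCollectionData", "gpdb:UpsertCollectionData"],
        "Resource": ["acs:gpdb:*:123456:dbinstance/gp-test1",
                     "acs:gpdb:*:123456:collection/gp-test1",
                     "acs:gpdb:*:123456:namespace/gp-test1"],
        "Condition": {},
    }],
}

# Constructed request resources: gp-other is a second instance the scoped
# policy must not reach, and Bar-... a secret the developer was never granted.
OTHER_SECRET = "acs:gpdb:cn-hangzhou:123456:secret/Bar-0000-CONSTRUCTED"
DATA_API_ON_TEST1 = "acs:gpdb:cn-hangzhou:123456:dataapi/gp-test1"


def separation_of_duties_holds():
    """True when the developer can use, but never read, the admin-created secret."""
    dev = [DEVELOPER_DATA_API]
    return (is_allowed(dev, "gpdb:ExecuteStatement", DATA_API_ON_TEST1)
            and is_allowed(dev, "gpdb:UseSecret", FOO_SECRET)
            and not is_allowed(dev, "gpdb:UseSecret", OTHER_SECRET)
            and not is_allowed(dev, "gpdb:GetSecretValue", FOO_SECRET)
            and is_allowed([ADMIN_SECRETS], "gpdb:GetSecretValue", FOO_SECRET))


def instance_scope_holds():
    """True when the scoped vector policy stops at gp-test1."""
    pol = [SCOPED_VECTOR]
    return (is_allowed(pol, "gpdb:QueryCollectionData",
                       "acs:gpdb:cn-hangzhou:123456:collection/gp-test1")
            and not is_allowed(pol, "gpdb:QueryCollectionData",
                               "acs:gpdb:cn-hangzhou:123456:collection/gp-other"))


if __name__ == "__main__":
    print("separation of duties:", separation_of_duties_holds())
    print("instance scope:", instance_scope_holds())
```

The two check functions encode the properties a reviewer should confirm before attaching these policies: the developer's grant names UseSecret on a single secret ARN and nothing that returns the secret value, and the vector policy names gp-test1 in every resource type the operations touch. Use the real RAM policy simulator for the authoritative answer; this script only makes the intended boundaries explicit and testable.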