Access control
DataHub uses Alibaba Cloud RAM (Resource Access Management) for access control: every access to a DataHub resource is authorized through RAM. The Alibaba Cloud account holds every permission on the resources it owns. A RAM user (sub-account) holds no permissions when it is created and cannot access any resource until the account owner grants it a policy in RAM. See the RAM documentation for how to create RAM users, create authorization policies and attach them. The rest of this page describes how DataHub's resources, APIs and conditions map onto RAM.
DataHub RAM access control
DataHub resources
In RAM, DataHub's resource hierarchy consists of Project, Topic and Subscription. Authorization is enforced at the Project, Topic and Subscription level only; there is no access control at the Shard level, so a policy that allows reading or writing a topic allows it on every shard of that topic. A Subscription is one subscription to a particular Topic within a particular Project.
| Resource | RAM resource descriptor |
|---|---|
| Project | acs:dhs:$region:$accountid:projects/$projectName |
| Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
DataHub APIs and the corresponding RAM actions and resources
Project
| API | Action | Resource |
|---|---|---|
| CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/* |
| ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/* |
| DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName |
| GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName |
Topic
| API | Action | Resource |
|---|---|---|
| CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Subscription
| API | Action | Resource |
|---|---|---|
| CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |

Note that CommitOffset and GetOffset are checked against dhs:GetSubscription rather than a separate action: a policy that lets a user read a subscription's metadata also lets that user read and move the subscription's consumer offset.
Connector
| API | Action | Resource |
|---|---|---|
| CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
Shard
| API | Action | Resource |
|---|---|---|
| ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| MergeShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| SplitShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |

Because there is no shard-level resource, all three shard APIs are authorized against the topic; MergeShard and SplitShard share the single action dhs:UpdateShard, so they cannot be granted separately.
PubSub
| API | Action | Resource |
|---|---|---|
| PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Conditions supported by DataHub
| Condition key | Purpose | Valid values |
|---|---|---|
| acs:SourceIp | Restrict the caller's source IP range | Plain IP addresses; the * wildcard is supported |
| acs:SecureTransport | Whether the request was sent over HTTPS | true/false |
| acs:MFAPresent | Whether the caller authenticated with multi-factor authentication (MFA) | true/false |
| acs:CurrentTime | Restrict the time at which access is allowed | ISO 8601 timestamp |
DataHub system policies
RAM already ships system policies for DataHub; attach them directly when one of them matches your needs.
AliyunDataHubFullAccess
All DataHub permissions. Intended for administering DataHub resources.
AliyunDataHubReadOnlyAccess
Read-only access to DataHub: the user can view every resource (project details, the project list, read data and so on) but cannot update, create, or write data.
AliyunDataHubSubscribeAccess
Permission to subscribe to (consume from) DataHub. Contains only the operations needed to read data: GetTopic, ListShard, GetRecords and all subscription and offset APIs.
AliyunDataHubPublishAccess
Permission to publish to DataHub. Contains only the operations needed to write data: GetTopic, ListShard and PutRecords.
Custom DataHub policies
DataHub has only the four system policies above. When they do not fit, add a custom policy; in the RAM console the path is Policies -> Custom Policy -> Create Policy. Prefer the narrowest Resource that works (a specific region, account ID, project and topic rather than *) and grant only the actions the workload actually calls. Several custom policy examples follow.
Showing projects in the web console
The web console calls ListProject and GetProject to display the projects a user may access, so a policy for console users must include a statement like the one below. The region and account wildcards can be replaced with your own values; the project part must stay projects/* because ListProject is authorized at that level.

```json
{
  "Action": ["dhs:ListProject", "dhs:GetProject"],
  "Resource": "acs:dhs:*:*:projects/*",
  "Effect": "Allow"
}
```
Creating a topic in the web console
The project page in the console needs ListTopic and GetTopic to list a project's topics. To let a user see projects in the console and create topics under the project test, use the following policy:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListProject", "dhs:GetProject"],
      "Resource": "acs:dhs:*:*:projects/*",
      "Effect": "Allow"
    },
    {
      "Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
      "Resource": "acs:dhs:*:*:projects/test/topics/*",
      "Effect": "Allow"
    }
  ]
}
```
Other custom policies
The region cn-hangzhou and the account ID 12121312 in these examples are placeholders; substitute your own. The first policy only allows the user to read information about the topics under one project:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListTopic", "dhs:GetTopic"],
      "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
      "Effect": "Allow"
    }
  ]
}
```
Subscription example 1: grant every subscription permission on all topics under project foo. The pattern dhs:*Subscription matches Create, Delete, Get, Update and ListSubscription, and through dhs:GetSubscription it also covers CommitOffset and GetOffset:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:*Subscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
      "Effect": "Allow"
    }
  ]
}
```
Subscription example 2: grant only the ability to list the subscriptions under project foo:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListSubscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
      "Effect": "Allow"
    }
  ]
}
```
Subscription example 3: grant only offset-commit permission on the single subscription 14985645198374IoCK of topic t1 under project foo. CommitOffset is checked against dhs:GetSubscription, so this statement also permits GetOffset and GetSubscription on that subscription, and nothing on any other subscription:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:GetSubscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
      "Effect": "Allow"
    }
  ]
}
```
Split and merge the shards of one topic (ListShard, SplitShard and MergeShard). The pattern dhs:*Shard expands to dhs:ListShard and dhs:UpdateShard; it grants no PutRecords or GetRecords on the topic:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:*Shard"],
      "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
      "Effect": "Allow"
    }
  ]
}
```
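The tables above state which action each API checks and which Condition keys a statement may carry, and the examples show policy documents but not how they resolve against a concrete call. The following Python script is an added illustration for this page, not Alibaba Cloud's RAM evaluator. It models statement matching with the usual RAM rules (a * wildcard in Action and Resource, default deny, an explicit Deny overriding Allow) and the four Condition keys from the table, then evaluates subscription example 3 from this page plus two constructed policies: a least-privilege producer policy gated on HTTPS and a source range, and an MFA-gated administrator policy with a blanket Deny on Delete* calls. The API-to-action mapping is copied from the tables; the policies, resource strings, request attributes, and the CIDR form of acs:SourceIp (RAM's IpAddress operator) are assumptions of the example.

```python
import ipaddress
import json
import re
from datetime import datetime

# API -> RAM action, copied from the tables on this page. Several APIs share
# one action: CommitOffset and GetOffset need only dhs:GetSubscription, and
# SplitShard/MergeShard both need dhs:UpdateShard.
API_ACTION = {
    "PutRecords": "dhs:PutRecords", "GetRecords": "dhs:GetRecords",
    "GetCursor": "dhs:GetRecords", "ListShard": "dhs:ListShard",
    "SplitShard": "dhs:UpdateShard", "MergeShard": "dhs:UpdateShard",
    "GetTopic": "dhs:GetTopic", "DeleteTopic": "dhs:DeleteTopic",
    "GetSubscription": "dhs:GetSubscription", "GetOffset": "dhs:GetSubscription",
    "CommitOffset": "dhs:GetSubscription", "DeleteSubscription": "dhs:DeleteSubscription",
}


def _glob(pattern, value):
    """'*' is the only wildcard in RAM Action/Resource strings (assumed to match any run of characters)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _ip_ok(have, want):
    # RAM's IpAddress operator takes CIDR ranges; the Condition table on this
    # page also lists a plain IP with '*' wildcards, so accept both forms.
    if "*" in want:
        return _glob(want, have)
    return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)


def _condition_ok(condition, ctx):
    """ctx carries the request attributes (acs:SourceIp, acs:MFAPresent, ...)."""
    for operator, keys in condition.items():
        for key, want in keys.items():
            have = ctx.get(key)
            if have is None:  # an attribute the request lacks never satisfies a condition
                return False
            wants = want if isinstance(want, list) else [want]
            if operator == "IpAddress":
                ok = any(_ip_ok(have, w) for w in wants)
            elif operator == "Bool":
                ok = str(have).lower() in [str(w).lower() for w in wants]
            elif operator in ("DateGreaterThan", "DateLessThan"):
                now, limit = datetime.fromisoformat(have), datetime.fromisoformat(wants[0])
                ok = now > limit if operator == "DateGreaterThan" else now < limit
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, api, resource, ctx=None):
    """True only if some Allow statement matches the call and no Deny statement does."""
    action, ctx, allowed = API_ACTION[api], ctx or {}, False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_glob(a, action) for a in actions):
            continue
        if not any(_glob(r, resource) for r in resources):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":  # explicit Deny wins over every Allow
            return False
        allowed = True
    return allowed


# Subscription example 3 from this page: dhs:GetSubscription on one subscription.
OFFSET_POLICY = json.loads("""{"Version": "1", "Statement": [{
  "Action": ["dhs:GetSubscription"],
  "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
  "Effect": "Allow"}]}""")

# Constructed for this example: a producer gets exactly what
# AliyunDataHubPublishAccess needs, on one topic, and only over HTTPS from
# an internal address range.
PUBLISH_POLICY = json.loads("""{"Version": "1", "Statement": [{
  "Action": ["dhs:GetTopic", "dhs:ListShard", "dhs:PutRecords"],
  "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
  "Effect": "Allow",
  "Condition": {"Bool": {"acs:SecureTransport": "true"},
                "IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}]}""")

# Constructed guardrail: everything on project foo's topics, but only with
# MFA, and never a Delete* call, whatever other statements allow.
GUARDED_ADMIN = json.loads("""{"Version": "1", "Statement": [
  {"Action": "dhs:*", "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
   "Effect": "Allow", "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
  {"Action": "dhs:Delete*", "Resource": "acs:dhs:*:*:*", "Effect": "Deny"}]}""")

# Constructed resources and request attributes (placeholder region and account ID).
SUB = "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/t1/subscriptions/14985645198374IoCK"
TOPIC = "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar"
INTERNAL_TLS = {"acs:SourceIp": "10.1.2.3", "acs:SecureTransport": "true"}
```

Import the module and call is_allowed: is_allowed(OFFSET_POLICY, "CommitOffset", SUB) returns True although the policy names only dhs:GetSubscription, is_allowed(PUBLISH_POLICY, "PutRecords", TOPIC, INTERNAL_TLS) returns True while the same call over plain HTTP or from 203.0.113.5 returns False, and is_allowed(GUARDED_ADMIN, "DeleteTopic", TOPIC, {"acs:MFAPresent": "true"}) returns False because the Deny statement wins even though dhs:* matched. The real service evaluates all policies attached to a user together; this model takes one policy document, so merge the Statement lists first if you want to check a combination.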