MaxCompute项目所在RAM用户未经授权无法访问数据湖构建DLF和对象存储OSS,您可以通过为RAM用户添加信任策略以及权限策略进行自定义授权。本文为您介绍如何通过自定义授权方式对MaxCompute项目RAM用户进行授权。
背景信息
在MaxCompute与DLF和OSS构建湖仓一体场景中,MaxCompute项目的RAM用户未经授权无法访问DLF。
MaxCompute项目RAM账号和部署DLF的账号相同时,添加信任策略时需要将service配置成
odps.aliyuncs.com
。MaxCompute项目RAM账号和部署DLF的账号不同时,添加信任策略时需要将service配置成
<MaxCompute项目的Owner云账号id>@odps.aliyuncs.com
。您可以在个人信息中获取MaxCompute的Owner云账号id。
操作步骤
登录RAM访问控制台创建可信实体为阿里云账号的RAM角色。
操作详情,请参见创建可信实体为阿里云账号的RAM角色。
通过RAM控制台修改新建RAM角色的信任策略。
操作详情,请参见修改RAM角色的信任策略。信任策略内容如下:
创建MaxCompute项目的账号和部署DLF的账号是同一个账号:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "odps.aliyuncs.com" ] } } ], "Version": "1" }
创建MaxCompute项目的账号和部署DLF的账号不是同一个账号:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "<MaxCompute项目的Owner云账号id>@odps.aliyuncs.com" ] } } ], "Version": "1" }
通过RAM控制台,为新建的RAM角色自定义权限策略。
操作详情,请参见创建自定义权限策略。自定义权限内容如下:
{ "Version": "1", "Statement": [ { "Action": [ "oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dlf:CreateFunction", "dlf:BatchGetPartitions", "dlf:ListDatabases", "dlf:CreateLock", "dlf:UpdateFunction", "dlf:BatchUpdateTables", "dlf:DeleteTableVersion", "dlf:UpdatePartitionColumnStatistics", "dlf:ListPartitions", "dlf:DeletePartitionColumnStatistics", "dlf:BatchUpdatePartitions", "dlf:GetPartition", "dlf:BatchDeleteTableVersions", "dlf:ListFunctions", "dlf:DeleteTable", "dlf:GetTableVersion", "dlf:AbortLock", "dlf:GetTable", "dlf:BatchDeleteTables", "dlf:RenameTable", "dlf:RefreshLock", "dlf:DeletePartition", "dlf:UnLock", "dlf:GetLock", "dlf:GetDatabase", "dlf:GetFunction", "dlf:BatchCreatePartitions", "dlf:ListPartitionNames", "dlf:RenamePartition", "dlf:CreateTable", "dlf:BatchCreateTables", "dlf:UpdateTableColumnStatistics", "dlf:ListTableNames", "dlf:UpdateDatabase", "dlf:GetTableColumnStatistics", "dlf:ListFunctionNames", "dlf:ListPartitionsByFilter", "dlf:GetPartitionColumnStatistics", "dlf:CreatePartition", "dlf:CreateDatabase", "dlf:DeleteTableColumnStatistics", "dlf:ListTableVersions", "dlf:BatchDeletePartitions", "dlf:ListCatalogs", "dlf:UpdateTable", "dlf:ListTables", "dlf:DeleteDatabase", "dlf:BatchGetTables", "dlf:DeleteFunction" ], "Resource": "*", "Effect": "Allow" } ] }
将自定义的权限策略,授权给新建的RAM角色。
操作详情,请参见为RAM角色授权。
文档内容是否对您有帮助?