Custom authorization for DLF

A RAM user of a MaxCompute project cannot access Data Lake Formation (DLF) or Object Storage Service (OSS) until it has been authorized. You can grant that access yourself by creating a RAM role and attaching a trust policy (who may assume the role) and a permission policy (what the role may do). This topic describes how to authorize the RAM user of a MaxCompute project in this way.

Background information

In a lakehouse scenario built from MaxCompute, DLF, and OSS, the RAM user of the MaxCompute project cannot access DLF until it has been authorized. The Service principal in the role's trust policy depends on where DLF is deployed:

  • If the RAM account of the MaxCompute project and the account in which DLF is deployed are the same account, set Service in the trust policy to odps.aliyuncs.com.

  • If the RAM account of the MaxCompute project and the account in which DLF is deployed are different accounts, set Service in the trust policy to <Owner Alibaba Cloud account ID of the MaxCompute project>@odps.aliyuncs.com. The account-qualified form limits the role to MaxCompute acting on behalf of that one account. You can obtain the owner account ID from the personal information page of the Alibaba Cloud console.

Procedure

  1. Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account.

  2. In the RAM console, modify the trust policy of the RAM role you just created.

    For details, see Modify the trust policy of a RAM role. The trust policy allows only the sts:AssumeRole action, and only for the MaxCompute service principal:

    • The account that created the MaxCompute project and the account in which DLF is deployed are the same account:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    • The account that created the MaxCompute project and the account in which DLF is deployed are different accounts:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "<Owner Alibaba Cloud account ID of the MaxCompute project>@odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  3. In the RAM console, create a custom permission policy for the new RAM role.

    For details, see Create a custom policy. The policy content is as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetObject",
            "oss:ListObjects",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dlf:CreateFunction",
            "dlf:BatchGetPartitions",
            "dlf:ListDatabases",
            "dlf:CreateLock",
            "dlf:UpdateFunction",
            "dlf:BatchUpdateTables",
            "dlf:DeleteTableVersion",
            "dlf:UpdatePartitionColumnStatistics",
            "dlf:ListPartitions",
            "dlf:DeletePartitionColumnStatistics",
            "dlf:BatchUpdatePartitions",
            "dlf:GetPartition",
            "dlf:BatchDeleteTableVersions",
            "dlf:ListFunctions",
            "dlf:DeleteTable",
            "dlf:GetTableVersion",
            "dlf:AbortLock",
            "dlf:GetTable",
            "dlf:BatchDeleteTables",
            "dlf:RenameTable",
            "dlf:RefreshLock",
            "dlf:DeletePartition",
            "dlf:UnLock",
            "dlf:GetLock",
            "dlf:GetDatabase",
            "dlf:GetFunction",
            "dlf:BatchCreatePartitions",
            "dlf:ListPartitionNames",
            "dlf:RenamePartition",
            "dlf:CreateTable",
            "dlf:BatchCreateTables",
            "dlf:UpdateTableColumnStatistics",
            "dlf:ListTableNames",
            "dlf:UpdateDatabase",
            "dlf:GetTableColumnStatistics",
            "dlf:ListFunctionNames",
            "dlf:ListPartitionsByFilter",
            "dlf:GetPartitionColumnStatistics",
            "dlf:CreatePartition",
            "dlf:CreateDatabase",
            "dlf:DeleteTableColumnStatistics",
            "dlf:ListTableVersions",
            "dlf:BatchDeletePartitions",
            "dlf:ListCatalogs",
            "dlf:UpdateTable",
            "dlf:ListTables",
            "dlf:DeleteDatabase",
            "dlf:BatchGetTables",
            "dlf:DeleteFunction"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    Note that "Resource": "*" grants the listed OSS actions (including PutObject and DeleteObject) on every bucket in the account and the listed DLF actions on every catalog. If the lakehouse reads and writes a known set of buckets, narrow the Resource of the OSS statement to those buckets before attaching the policy.
  4. Attach the custom permission policy to the new RAM role.

    For details, see Grant permissions to a RAM role.
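The following Python script is an added example, not code from the MaxCompute or DLF documentation. It generates the trust policy from step 2 and the permission policy from step 3 for either account layout, and audits a trust policy before it is applied so that nothing other than the expected MaxCompute service principal can call sts:AssumeRole on the role. Two things are assumptions of the example rather than statements from this page: Alibaba Cloud account IDs are treated as 16-digit numbers, and bucket-scoped OSS resources are written as acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*. The bucket-scoped variant goes beyond the page's policy to show how the OSS statement can be narrowed to the buckets the lakehouse actually uses.

```python
"""Build and audit the RAM role policies that let MaxCompute reach DLF and OSS.
Added example, not from the MaxCompute/DLF docs. Assumed: account IDs are 16
digits; OSS resources are acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*."""
import json
import re
from typing import Optional

ODPS_SERVICE = "odps.aliyuncs.com"  # service principal MaxCompute assumes the role as

# Action lists copied from the permission policy on this page.
OSS_ACTIONS = [
    "oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject",
    "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts",
]
DLF_ACTIONS = ["dlf:" + name for name in """
    CreateFunction BatchGetPartitions ListDatabases CreateLock UpdateFunction
    BatchUpdateTables DeleteTableVersion UpdatePartitionColumnStatistics ListPartitions
    DeletePartitionColumnStatistics BatchUpdatePartitions GetPartition BatchDeleteTableVersions
    ListFunctions DeleteTable GetTableVersion AbortLock GetTable BatchDeleteTables RenameTable
    RefreshLock DeletePartition UnLock GetLock GetDatabase GetFunction BatchCreatePartitions
    ListPartitionNames RenamePartition CreateTable BatchCreateTables UpdateTableColumnStatistics
    ListTableNames UpdateDatabase GetTableColumnStatistics ListFunctionNames ListPartitionsByFilter
    GetPartitionColumnStatistics CreatePartition CreateDatabase DeleteTableColumnStatistics
    ListTableVersions BatchDeletePartitions ListCatalogs UpdateTable ListTables DeleteDatabase
    BatchGetTables DeleteFunction
""".split()]


def service_principal(owner_account_id: Optional[str] = None) -> str:
    """Principal the page prescribes: bare when the MaxCompute project and DLF
    share an account, account-qualified when they do not."""
    if owner_account_id is None:
        return ODPS_SERVICE
    if not re.fullmatch(r"\d{16}", owner_account_id):  # assumed 16-digit account ID
        raise ValueError(f"not an Alibaba Cloud account ID: {owner_account_id!r}")
    return f"{owner_account_id}@{ODPS_SERVICE}"


def build_trust_policy(owner_account_id: Optional[str] = None) -> dict:
    """Trust policy from step 2: only MaxCompute may call sts:AssumeRole."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [service_principal(owner_account_id)]},
        }],
        "Version": "1",
    }


def build_permission_policy(buckets: Optional[list] = None) -> dict:
    """Permission policy from step 3. No `buckets` reproduces the page (Resource "*");
    with `buckets`, object actions are limited to them (ListBuckets is account-wide)."""
    if not buckets:
        oss_statements = [{"Action": OSS_ACTIONS, "Resource": "*", "Effect": "Allow"}]
    else:
        scoped = []
        for b in buckets:
            scoped += [f"acs:oss:*:*:{b}", f"acs:oss:*:*:{b}/*"]  # assumed ARN form
        oss_statements = [
            {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"},
            {"Action": [a for a in OSS_ACTIONS if a != "oss:ListBuckets"],
             "Resource": scoped, "Effect": "Allow"},
        ]
    return {
        "Version": "1",
        "Statement": oss_statements
        + [{"Action": DLF_ACTIONS, "Resource": "*", "Effect": "Allow"}],
    }


def audit_trust_policy(policy: dict, owner_account_id: Optional[str] = None) -> list:
    """Findings for any Allow statement that admits more than the expected principal."""
    expected = service_principal(owner_account_id)
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a != "sts:AssumeRole":
                findings.append(f"unexpected action {a!r}")
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "*": anyone may assume the role
            findings.append(f"non-service principal {principal!r}")
            continue
        for kind, who in principal.items():
            if kind != "Service":  # RAM or Federated principals do not belong here
                findings.append(f"{kind} principal {who!r}")
                continue
            for s in [who] if isinstance(who, str) else who:
                if s != expected:
                    findings.append(f"service principal {s!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("1234567890123456"), indent=2))
    print(json.dumps(build_permission_policy(["lakehouse-bucket"]), indent=2))
```

Run the audit against the trust policy as it is stored on the role after step 2; an empty list means the role can be assumed only by MaxCompute for the intended account. A non-empty list (a RAM principal, a wildcard principal, an extra action, or a service principal for a different account ID) should be fixed before the permission policy from step 3 is attached, because every OSS and DLF action in that policy is reachable by whoever can assume the role.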