
Access control

Last Updated: Sep 08, 2021

DataHub uses Resource Access Management (RAM) for access control. Only RAM users that have been granted the necessary permissions can access DataHub resources. An Alibaba Cloud account has all permissions on the resources that it owns. A newly created RAM user has no permissions on DataHub: you must attach a policy that grants the required DataHub permissions to the RAM user before it can access any DataHub resource. For more information about how to create a RAM user and attach policies to it, see the RAM documentation. This topic describes how to use RAM to implement access control for DataHub.

Grant permissions to RAM users

Types of DataHub resources that can be accessed by RAM users

RAM policies for DataHub can name three resource types: projects, topics, and subscriptions. A subscription represents an application that reads and processes the records in a topic of a specific project and tracks its consumption offset. Shards are not a separate resource type: shard operations and record reads and writes are authorized on the topic resource, and connector operations on the connectors path under a topic, as the tables below show. In the resource names, $region is the DataHub region, $accountid is the Alibaba Cloud account ID, and $projectName, $topicName, and $subId are the names of the project, topic, and subscription; an asterisk (*) can be used as a wildcard.

| Resource type | Resource name |
| --- | --- |
| Project | acs:dhs:$region:$accountid:projects/$projectName |
| Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |

API operations in DataHub and the corresponding RAM policies

The following tables list, for each DataHub API operation, the RAM action that authorizes it and the resource name that the action is checked against. Several operations share one action (CommitOffset and GetOffset use dhs:GetSubscription, GetCursor uses dhs:GetRecords, and SplitShard and MergeShard use dhs:UpdateShard), so granting that action allows all of the operations that map to it.

Project

| Operation | Action | Resource |
| --- | --- | --- |
| CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/* |
| ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/* |
| DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName |
| GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName |

Topic

| Operation | Action | Resource |
| --- | --- | --- |
| CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
| DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |

Subscription

| Operation | Action | Resource |
| --- | --- | --- |
| CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
| CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
| GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |

Note that there is no separate action for offsets: any RAM user that holds dhs:GetSubscription on a subscription can also commit its offset, which moves the consumer's position in the topic.

Connector

| Operation | Action | Resource |
| --- | --- | --- |
| CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
| ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |

Shard

| Operation | Action | Resource |
| --- | --- | --- |
| ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| MergeShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| SplitShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |

PubSub

| Operation | Action | Resource |
| --- | --- | --- |
| PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
| GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |

Conditions that can be applied to the RAM policies for DataHub

| Condition | Meaning | Valid values |
| --- | --- | --- |
| acs:SourceIp | The source IP address or CIDR block of the request. | IP addresses or CIDR blocks. An asterisk (*) can be used as a wildcard. |
| acs:SecureTransport | Whether the request is sent over HTTPS. | true/false |
| acs:MFAPresent | Whether the user logged on with multi-factor authentication (MFA). | true/false |
| acs:CurrentTime | The time at which the request is made, for time-bound access. | A time in ISO 8601 format. |

Use acs:SecureTransport and acs:MFAPresent to require that records are read or written only over TLS and only from an MFA-verified session, and acs:SourceIp to pin a producer or consumer to the addresses it is expected to connect from.

System policies

DataHub provides the following system policies that can be attached to RAM users. Attach the least privileged one that covers the role: consumers need only AliyunDataHubSubscribeAccess, producers only AliyunDataHubPublishAccess, and AliyunDataHubFullAccess should be reserved for administrators because it includes the delete operations.

AliyunDataHubFullAccess

This policy grants all permissions on DataHub to RAM users. In most cases, this policy is used to manage resources in DataHub.

AliyunDataHubReadOnlyAccess

This policy grants read-only permissions on DataHub to RAM users so that the RAM users can query the information about all resources in DataHub. For example, this policy can be used to query the information about a project, view the project list, or read data. However, this policy cannot be used to update, create, or write data.

AliyunDataHubSubscribeAccess

This policy grants RAM users the permissions to subscribe to data in DataHub. This policy can be used to call only the API operations that involve data reads, including GetTopic, ListShard, GetRecords, and all operations related to subscriptions and offsets.

AliyunDataHubPublishAccess

This policy grants RAM users the permissions to publish data to DataHub. This policy can be used to call only the API operations that involve data writes, including GetTopic, ListShard, and PutRecords.

Custom policies

If the system policies provided by DataHub do not meet your requirements, you can create custom policies. To create a custom policy, perform the following steps:

1. Log on to the RAM console by using an Alibaba Cloud account.
2. In the left-side navigation pane, choose Permissions > Policies.
3. On the Policies page, click Create Policy.

Sample custom policies:

Display the accessible projects in the DataHub console

// To allow a RAM user to view the projects that it has permissions to access in the DataHub console, add the following statement to the policy.
// The console needs the ListProject and GetProject permissions. Because ListProject is authorized on projects/*, this statement also grants GetProject on every project in every region of the account; restrict what the user can do inside a project with separate, narrower statements.
{
  "Action": ["dhs:ListProject","dhs:GetProject"],
  "Resource": "acs:dhs:*:*:projects/*",
  "Effect": "Allow"
}

Create a topic in the DataHub console

// To display the topics of a project in the DataHub console, the permissions to call the ListTopic and GetTopic operations are required.
// To grant a RAM user the permissions to create a topic in the project named "test" in the DataHub console, use the following configurations.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListProject", "dhs:GetProject"],
      "Resource": "acs:dhs:*:*:projects/*",
      "Effect": "Allow"
    },
    {
      "Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
      "Resource": "acs:dhs:*:*:projects/test/topics/*",
      "Effect": "Allow"
    }
  ]
}

Other custom policies

// Sample custom policy that grants a RAM user the permissions to query the information about topics in a specified project.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListTopic", "dhs:GetTopic"],
      "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
      "Effect": "Allow"
    }
  ]
}
// Sample custom policy that grants a RAM user all the permissions on subscriptions to topics in the project named "foo". The wildcard action dhs:*Subscription matches CreateSubscription, DeleteSubscription, GetSubscription, UpdateSubscription, and ListSubscription, and therefore also CommitOffset and GetOffset, which are authorized by dhs:GetSubscription.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:*Subscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
      "Effect": "Allow"
    }
  ]
}
// Sample custom policy that grants a RAM user the permissions to query the information about subscriptions to topics in the project named "foo".
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:ListSubscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
      "Effect": "Allow"
    }
  ]
}
// Sample custom policy that grants a RAM user the permissions to commit offsets for the subscription with the ID "14985645198374IoCK" to topic t1 in the project named "foo". CommitOffset is authorized by the dhs:GetSubscription action, so this policy also allows GetSubscription and GetOffset on that subscription; there is no finer-grained action for offsets.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:GetSubscription"],
      "Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
      "Effect": "Allow"
    }
  ]
}
// Sample custom policy that grants a RAM user the permissions to split or merge shards for a specified topic. The available operations are ListShard, SplitShard, and MergeShard.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["dhs:*Shard"],
      "Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
      "Effect": "Allow"
    }
  ]
}
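The custom policies above are usually written and attached without any way to check what they actually grant. The following script is an added example, not Alibaba Cloud or DataHub code: an offline policy simulator that maps a DataHub API operation to its RAM action and resource name using the tables in this topic, evaluates it against a policy document with `*` wildcards, explicit Deny, and the acs:SecureTransport, acs:MFAPresent and acs:SourceIp conditions, and flags statements that grant everything. The matching and condition semantics are an approximation of RAM's, written to catch obvious over- and under-grants before a policy is attached; the Bool and IpAddress operator names follow the RAM policy language. The region cn-hangzhou, account ID 12121312, project foo and topic bar come from the samples above; the subscription ID sub1, the office CIDR 203.0.113.0/24 and the consumer policy itself are constructed for the example.

```python
"""Offline simulator for DataHub RAM policies (added example, not Alibaba Cloud
code). Models '*' wildcards in Action and Resource (an approximation of RAM's
matching; actions compare case-insensitively), explicit Deny beating Allow with
default deny, and the Bool / IpAddress condition operators used below."""
import fnmatch
import ipaddress

# Operation -> (RAM action, resource template), taken from the tables above.
# The action is coarser than the operation: CommitOffset needs
# dhs:GetSubscription and GetCursor needs dhs:GetRecords.
TOPIC = "acs:dhs:{region}:{account}:projects/{project}/topics/{topic}"
SUB = TOPIC + "/subscriptions/{sub}"
API_ACTIONS = {
    "GetTopic": ("dhs:GetTopic", TOPIC),
    "PutRecords": ("dhs:PutRecords", TOPIC),
    "GetRecords": ("dhs:GetRecords", TOPIC),
    "GetCursor": ("dhs:GetRecords", TOPIC),
    "CommitOffset": ("dhs:GetSubscription", SUB),
    "DeleteSubscription": ("dhs:DeleteSubscription", SUB),
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern, value):
    # Only '*' is a wildcard in RAM; neutralise fnmatch's '?' and '[' syntax.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)


def _condition_ok(condition, ctx):
    # True if every condition key holds for the request context ctx.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # a missing context key fails the condition
                return False
            if operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def is_allowed(policy, action, resource, ctx=None):
    # Evaluate one (action, resource) request against a policy document.
    ctx, allowed = ctx or {}, False
    for stmt in policy["Statement"]:
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def api_allowed(policy, operation, ctx=None, region="cn-hangzhou",
                account="12121312", project="foo", topic="bar", sub="sub1"):
    # Resolve a DataHub API operation to its RAM action and resource name.
    action, template = API_ACTIONS[operation]
    return is_allowed(policy, action, template.format(
        region=region, account=account, project=project, topic=topic, sub=sub), ctx)


def grants_everything(stmt):
    # Lint: an Allow statement whose Action or Resource is a bare wildcard.
    return stmt["Effect"] == "Allow" and (
        "*" in _as_list(stmt["Action"]) or "dhs:*" in _as_list(stmt["Action"])
        or "*" in _as_list(stmt["Resource"]) or "acs:dhs:*:*:*" in _as_list(stmt["Resource"]))


# Constructed policy: a consumer may read topic foo/bar and manage its
# subscriptions, only over HTTPS, with MFA, from an assumed office CIDR
# 203.0.113.0/24, and may never delete anything. Condition syntax follows RAM.
CONSUMER_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dhs:GetTopic", "dhs:ListShard", "dhs:GetRecords", "dhs:*Subscription"],
            "Resource": ["acs:dhs:cn-hangzhou:*:projects/foo/topics/bar",
                         "acs:dhs:cn-hangzhou:*:projects/foo/topics/bar/subscriptions/*"],
            "Condition": {
                "Bool": {"acs:SecureTransport": "true", "acs:MFAPresent": "true"},
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            },
        },
        {"Effect": "Deny", "Action": "dhs:Delete*", "Resource": "acs:dhs:*:*:*"},
    ],
}
SAFE_CTX = {"acs:SecureTransport": True, "acs:MFAPresent": True, "acs:SourceIp": "203.0.113.10"}

if __name__ == "__main__":
    for op in API_ACTIONS:
        print(f"{op:20} {api_allowed(CONSUMER_POLICY, op, SAFE_CTX)}")
```

Run against the constructed policy, GetRecords, GetCursor and CommitOffset are allowed from the office CIDR over HTTPS with MFA, PutRecords is denied because no statement grants it, and DeleteSubscription is denied even though dhs:*Subscription matches it, because the Deny statement wins. Dropping any one of the three context keys (plain HTTP, no MFA, or an outside address) turns GetRecords into a denial, which is the property the conditions table is meant to enforce.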