All Products
Search
Document Center

Realtime Compute for Apache Flink:Authorize an account to perform operations in a namespace

Last Updated:Feb 06, 2024

If you want to allow multiple Alibaba Cloud accounts or RAM users to use the same namespace in the console of fully managed Flink and perform operations such as draft development and deployment O&M, you must add the Alibaba Cloud accounts or RAM users as members of the namespace. This way, the Alibaba Cloud accounts or RAM users are authorized to perform operations in the namespace. This topic describes how to add an Alibaba Cloud account or a RAM user as a member of a namespace in the console of fully managed Flink. This topic also describes the operations that can be performed by different roles in a namespace.

Precautions

If an account does not have permissions to perform operations in a namespace, the namespace list is empty after the account is used to log on to the console of fully managed Flink, and the account cannot be used to perform operations such as draft development in the namespace.image

Important

If you use the old authorization method to grant permissions to the Alibaba Cloud account that assumes the RAM role, the RAM role does not have the permissions to access the namespace. In this case, you must follow the procedure in this topic to grant permissions to the RAM role. The new authorization method allows you to perform authorization based on the ID of the RAM role.

Operations supported by roles

Realtime Compute for Apache Flink allows you to add an Alibaba Cloud account, a RAM user, and an Alibaba Cloud account that is assigned a RAM role as a member of a namespace. You can assign the owner, editor, or viewer role to the member that you add. The following table describes the operations that can be performed by different roles.

Operation

owner

editor

viewer

View deployments

Y

Y

Y

Start and cancel a deployment

Y

Y

N

Modify deployment configurations

Y

Y

N

View resources

Y

Y

Y

Upload resources

Y

Y

N

Write SQL statements

Y

Y

N

Create a user-defined function (UDF)

Y

Y

N

Register metadata

Y

Y

N

View a deployment template

Y

Y

Y

Add, delete, or modify a deployment template

Y

N

N

Manage members

Y

N

N

Manage keys

Y

Y

N

Procedure

  1. Log on to the console of fully managed Flink by using the member that is assigned the owner role in a namespace.

  2. In the top navigation bar, select the namespace from the drop-down list.

    image.png

  3. In the left-side navigation pane, click Security. On the Security page, click Add Member.

  4. In the Add Member dialog box, add the required RAM users or RAM roles and configure the Role parameter.

    项目空间授权.png

    • Select RAM account: This section displays the RAM users and RAM roles that are created under the Alibaba Cloud account of the namespace. You can select multiple RAM users and RAM roles to grant permissions at a time.

    • Add account manually: You can manually enter the ID of another Alibaba Cloud account, a RAM user, or a RAM role to grant permissions.

      Note

      For more information about how to view the ID of an Alibaba Cloud account, a RAM user, or a RAM role, see View the ID of an Alibaba Cloud account, a RAM user, or a RAM role.

    • Role: For more information about the operations that can be performed by different roles, see Operations supported by roles.

  1. Click OK.

  2. After a member is added, the member can log on to the console of fully managed Flink by using the URL of the namespace to perform operations.

    Note

    If the member has logged on to the console of fully managed Flink, the member can refresh the page to access the desired namespace.

View the ID of an Alibaba Cloud account, a RAM user, or a RAM role

References

  • If you use a RAM user or a RAM role to access the Realtime Compute for Apache Flink console and purchase, view, or delete a workspace, you must perform RAM-based authorization. For more information, see Grant permissions to a RAM user.

  • For more information about the differences between the permissions on a namespace that are described in this topic and RAM permissions, see Permission management.

  • For more information about how to use different identities such as Alibaba Cloud accounts, RAM roles, and RAM users to access the Realtime Compute for Apache Flink console, see Supported logon methods.