If you want to allow multiple Alibaba Cloud accounts or RAM users to use the same namespace in the console of fully managed Flink and perform operations such as draft development and deployment O&M, you must add the Alibaba Cloud accounts or RAM users as members of the namespace. This way, the Alibaba Cloud accounts or RAM users are authorized to perform operations in the namespace. This topic describes how to add an Alibaba Cloud account or a RAM user as a member of a namespace in the console of fully managed Flink. This topic also describes the operations that can be performed by different roles in a namespace.
Precautions
If an account does not have permissions to perform operations in a namespace, the namespace list is empty after the account is used to log on to the console of fully managed Flink, and the account cannot be used to perform operations such as draft development in the namespace.
If you use the old authorization method to grant permissions to the Alibaba Cloud account that assumes the RAM role, the RAM role does not have the permissions to access the namespace. In this case, you must follow the procedure in this topic to grant permissions to the RAM role. The new authorization method allows you to perform authorization based on the ID of the RAM role.
Operations supported by roles
Realtime Compute for Apache Flink allows you to add an Alibaba Cloud account, a RAM user, and an Alibaba Cloud account that is assigned a RAM role as a member of a namespace. You can assign the owner, editor, or viewer role to the member that you add. The following table describes the operations that can be performed by different roles.
Operation | owner | editor | viewer |
View deployments | Y | Y | Y |
Start and cancel a deployment | Y | Y | N |
Modify deployment configurations | Y | Y | N |
View resources | Y | Y | Y |
Upload resources | Y | Y | N |
Write SQL statements | Y | Y | N |
Create a user-defined function (UDF) | Y | Y | N |
Register metadata | Y | Y | N |
View a deployment template | Y | Y | Y |
Add, delete, or modify a deployment template | Y | N | N |
Manage members | Y | N | N |
Manage keys | Y | Y | N |
Procedure
1. Log on to the console of fully managed Flink by using the member that is assigned the owner role in a namespace.
2. In the top navigation bar, select the namespace from the drop-down list.
3. In the left-side navigation pane, click Security. On the Security page, click Add Member.
4. In the Add Member dialog box, add the required RAM users or RAM roles and configure the Role parameter.
   - Select RAM account: This section displays the RAM users and RAM roles that are created under the Alibaba Cloud account of the namespace. You can select multiple RAM users and RAM roles to grant permissions at a time.
   - Add account manually: You can manually enter the ID of another Alibaba Cloud account, a RAM user, or a RAM role to grant permissions.
     Note: For more information about how to view the ID of an Alibaba Cloud account, a RAM user, or a RAM role, see View the ID of an Alibaba Cloud account, a RAM user, or a RAM role.
   - Role: For more information about the operations that can be performed by different roles, see Operations supported by roles.
5. Click OK.
After a member is added, the member can log on to the console of fully managed Flink by using the URL of the namespace to perform operations.
Note: If the member has logged on to the console of fully managed Flink, the member can refresh the page to access the desired namespace.
View the ID of an Alibaba Cloud account, a RAM user, or a RAM role
ID of an Alibaba Cloud account: Click the profile picture in the upper-right corner of the console. Then, view Account ID on the Security Settings page of the Account Center.
ID of a RAM user: For more information, see View the information about a RAM user.
ID of a RAM role: For more information, see View the information about a RAM role.
References
If you use a RAM user or a RAM role to access the Realtime Compute for Apache Flink console and purchase, view, or delete a workspace, you must perform RAM-based authorization. For more information, see Grant permissions to a RAM user.
For more information about the differences between the permissions on a namespace that are described in this topic and RAM permissions, see Permission management.
For more information about how to use different identities such as Alibaba Cloud accounts, RAM roles, and RAM users to access the Realtime Compute for Apache Flink console, see Supported logon methods.