You can use system policies to grant RAM users permissions on all ApsaraDB for HBase resources. You can also use custom policies as needed to grant RAM users specific operation permissions on specific instances. This topic describes how to customize a RAM policy.

Grant RAM users permissions on ApsaraDB for HBase resources

For more information about how to create a custom RAM policy, see Create a custom policy.

You can use RAM to grant permissions on only ApsaraDB for HBase instances. When you use RAM to grant permissions, you can specify resources in the Resource field of the policy.
Resource type    Resource description in the policy
dbinstance       acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid

The following table describes the parameters.

Parameter       Description
regionid        The ID of the region.
accountid       The ID of the Alibaba Cloud account.
dbinstanceid    The ID of the instance.

Examples

In this example, the authorized RAM user can view all the instances, create instances, and expand the storage of only the specified instance. The expiration date of the policy is August 17, 2020.

{
    "Statement": [
        {
            "Action": [
                "hbase:CreateCluster",
                "hbase:ResizeDiskSize"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        },
        {
            "Action": [
                "hbase:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        }
    ],
    "Version": "1"
}
Note: For more information about permission settings, see Policy structure and syntax.
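
The following is an added example, not part of the original topic or of any Alibaba Cloud tooling: a small pre-deployment check that verifies each Resource entry in a custom policy against the dbinstance format in the table above and reports statements whose DateLessThan condition has already passed. The function name lint_policy and the region, account, and instance IDs in the sample are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Resource format from the table above: acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid
# A "*" is accepted in any single field, and a bare "*" as the whole resource.
ARN_RE = re.compile(r"^acs:hbase:([^:/]+):([^:/]+):dbinstance/([^:/]+)$")

def lint_policy(policy_text, now):
    """Return findings for malformed resources and expired time conditions."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # a single string is also valid JSON policy syntax
            resources = [resources]
        for res in resources:
            if res != "*" and not ARN_RE.match(res):
                findings.append(f"statement {i}: malformed resource {res!r}")
        limit = stmt.get("Condition", {}).get("DateLessThan", {}).get("acs:CurrentTime")
        if limit is not None and datetime.fromisoformat(limit) <= now:
            findings.append(f"statement {i}: expired at {limit}")
    return findings

# Constructed sample: statement 0 is well formed, statement 1 has the
# account ID and the literal "dbinstance" segment in the wrong positions.
SAMPLE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["hbase:ResizeDiskSize"], "Effect": "Allow",
     "Resource": ["acs:hbase:cn-hangzhou:1234567890123456:dbinstance/hb-example0001"],
     "Condition": {"DateLessThan": {"acs:CurrentTime": "2020-08-17T23:59:59+08:00"}}},
    {"Action": ["hbase:Describe*"], "Effect": "Allow",
     "Resource": ["acs:hbase:cn-hangzhou:dbinstance:1234567890123456/hb-example0001"]}
  ]
}"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```

A malformed resource string matches no instance, so the statement grants nothing and the mistake only surfaces later as an unexpected permission failure.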

Authentication rules of ApsaraDB for HBase API operations

When you call API operations to access resources as a RAM user, ApsaraDB for HBase checks whether you are granted the required permissions. The permissions that ApsaraDB for HBase checks are determined by the API syntax and the resources that are requested by the API operation. In this example, the API operation is CreateCluster, and the authentication rule applies to acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid.