You can use Alibaba Cloud Resource Access Management (RAM) to authorize RAM users to manage ApsaraDB for HBase instances.

Description

All ApsaraDB for HBase instances that are created by using an Alibaba Cloud account are resources owned by that account. By default, an Alibaba Cloud account has full access permissions on the resources that it owns. RAM allows you to grant RAM users the permissions to access and manage the ApsaraDB for HBase resources that are owned by your Alibaba Cloud account. For more information, see What is RAM?

You can grant RAM users permissions only on resources of the dbinstance type. This means that resource permissions are granted at the instance level. The following table describes the resource format to use when you grant permissions in RAM.

Request parameters

| Resource type | Resource description in the permission policy |
| --- | --- |
| dbinstance | acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid |
| | acs:hbase:$regionid:$accountid:dbinstance/* |
| | acs:hbase:*:*:dbinstance/* |

The following table lists the parameters.

| Parameter | Description |
| --- | --- |
| $regionid | The ID of the region. You can specify this parameter as an asterisk (*). |
| $dbinstanceid | The name of the instance. You can specify this parameter as an asterisk (*). |
| $accountid | The ID of the Alibaba Cloud account. The ID consists of only digits. You can specify this parameter as an asterisk (*). |

Examples

In this example, the authorized user can view all the instances, create instances, and expand the storage of only the specified instances. The expiration time is August 17, 2020.

{
    "Statement": [
        {
            "Action": [
                "hbase:CreateCluster",
                "hbase:ResizeDiskSize"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:*:*:*/hb-xxxxxxxx"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        },
        {
            "Action": [
                "hbase:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:*:*:*/*"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        }
    ],
    "Version": "1"
}

Note: For more information about permission settings, see Policy structure and syntax.

Authentication rules of ApsaraDB for HBase API operations

When a RAM user requests access to ApsaraDB for HBase by calling an API operation, the backend of ApsaraDB for HBase sends a request to RAM to check the permissions of the RAM user. This ensures that the RAM user has the required permissions to access the resources. The permissions to be checked are determined by the API syntax and the resources that are requested by the API operation.
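
The following Python sketch is an added example, not Alibaba Cloud code. It models how the example policy on this page would answer such a permission check for a given action, resource, and request time. It is a simplified model, not the RAM engine: only the `*` wildcard and the DateLessThan condition on acs:CurrentTime are handled, and the region, account ID, and the action name hbase:DescribeInstances used with it are constructed sample values.

```python
import re
from datetime import datetime

# The example policy from this page, written compactly.
EXPIRY = {"DateLessThan": {"acs:CurrentTime": "2020-08-17T23:59:59+08:00"}}
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["hbase:CreateCluster", "hbase:ResizeDiskSize"],
     "Resource": ["acs:hbase:*:*:*/hb-xxxxxxxx"], "Condition": EXPIRY},
    {"Effect": "Allow", "Action": ["hbase:Describe*"],
     "Resource": ["acs:hbase:*:*:*/*"], "Condition": EXPIRY},
]}

def _wild(pattern, value):
    """Match with '*' as the only wildcard (assumption: case-sensitive)."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, now):
    """Only DateLessThan on acs:CurrentTime is modelled; anything else fails closed."""
    for op, pairs in cond.items():
        for key, limit in pairs.items():
            if (op, key) != ("DateLessThan", "acs:CurrentTime"):
                return False
            # 'now' must be timezone-aware so the +08:00 offset is honoured.
            if not now < datetime.fromisoformat(limit):
                return False
    return True

def is_allowed(policy, action, resource, now):
    """True if an Allow statement matches and no Deny statement matches."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_wild(a, action) for a in _as_list(st["Action"]))
               and any(_wild(r, resource) for r in _as_list(st["Resource"]))
               and _condition_ok(st.get("Condition", {}), now))
        if hit and st["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed
```

Under this model, a request made at 2020-08-17T16:30:00+00:00 is already past the expiration time, because the policy's limit is expressed in UTC+8.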