Use case

Last Updated: Mar 15, 2018

This section explains safe practices for configuring a RAM user for authentication. Assume your Alibaba Account has no RAM user.

Note: You must replace the default AccessKey with your own AccessKey.

Prerequisites

The CLI can be used to read and write data directly from the command line. Follow these steps to install and configure the CLI:

  1. Download the Table Store CLI Tool Kit.

  2. Install and configure Table Store CLI tool as follows:

    • Install dependency: python onekey_INSTALL.py
    • Configure parameter: python ots_console --url https://<InstanceName>.cn-hangzhou.ots.aliyuncs.com --id <AccessID> --key <AccessKey>
    • Run command: for example, ct pk1:string,pk2:integer readrt:1 writert:1

For more information, see the help documentation in the CLI toolkit.

Create a subaccount

Assume you have a Table Store instance named ram-test-dev.

In this scenario, we do not recommend that you use the primary account to access an instance, so as to avoid potential problems caused by unintentionally exposing the AccessKey and password.

Procedure

  1. Activate the Resource Access Management service.

  2. Use the primary account to log on to the RAM console.

  3. In the left-side navigation pane, click Users.

  4. Click Create User to create a RAM user. Designate it with the same Table Store access permissions as the primary account.

  5. Click OK. The AccessKey for the new RAM user ram_test is generated.

  6. Save the AccessKey information.

  7. Click Authorize to grant the RAM user full access permissions for Table Store.

  8. (Optional) Click Manage to grant the account console logon or other permissions.

Example

In this example, the AccessKey is for ram_test. In actual scenarios, replace it with your own AccessKey.

    $ python ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id VPIzjuDB6T4FGoWM --key r1usnIQ4Tw1yI6bNJkKay6A8EJoMvs
    $OTS-TableStoreTest>: ct test pk1:string,pk2:integer readrt:1 writert:1
    Table test has been created successfully.
    $OTS-TableStoreTest>: dt test
    You will delete the table:test!
    press Y (confirm) :Y
    Table test has been deleted successfully.

The ram_test subaccount can be used for all general operations, so as to avoid exposing the AccessKey of the primary account.

Read/write permission separation

To share data of an instance in Table Store without data modification, you can separate read/write permission by creating a subaccount with read-only permission.

Create a RAM user named ram_test_pub. Select ReadOnly on the Edit User-Level Authorization page to grant the RAM user read-only access permission for Table Store.

Example

Use the AccessKey of the RAM user to test the permissions of creating and deleting a table. In this example, the AccessKey is for ram_test_pub. In actual scenarios, replace it with your own AccessKey.

    $ python ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id ftWyMEYu1rBYTbWM --key u4qR5IGu5xJsvSO1y8moyC6n5vA7af
    $OTS-TableStoreTest>: ct test pk1:string,pk2:integer readrt:1 writert:1
    Fail to create table test.
    $OTS-TableStoreTest>: dt test
    You will delete the table:test!
    press Y (confirm) :Y
    Fail to delete table test.

Note: Due to the read-only access permissions granted to RAM user ram_test_pub, it cannot be used to create or delete a table.
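The read/write separation above can also be checked offline before a policy is attached. The following is an added example, not part of the original page or the Table Store toolkit: it reports which Table Store write actions a RAM policy document would allow. The function names and both sample policies (including their action patterns and resource string) are constructed for illustration and are assumptions, not the contents of the built-in policies.

```python
import json
import re

# Table Store API operations that change tables or rows (RAM action = "ots:" + API name).
WRITE_ACTIONS = [
    "ots:CreateTable", "ots:DeleteTable", "ots:UpdateTable",
    "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:BatchWriteRow",
]

def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # Only "*" is treated as a wildcard. Matching is case-insensitive so that
    # a differently cased pattern is still flagged (a conservative assumption).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def write_actions_allowed(policy_json):
    """Return the sorted write actions matched by the policy's Allow statements.

    Deny statements and Condition blocks are ignored, so a non-empty result
    means "review this policy", not "writes are certain to succeed".
    """
    policy = json.loads(policy_json)
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            hits.update(a for a in WRITE_ACTIONS if _matches(pattern, a))
    return sorted(hits)

# Constructed sample policies (not copied from the RAM console).
READ_ONLY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ots:Get*", "ots:BatchGet*", "ots:List*", "ots:Describe*"],
    "Resource": "acs:ots:*:*:instance/ram-test-dev*",  # assumed resource format
}]})
FULL_ACCESS = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ots:*", "Resource": "*"},
]})

if __name__ == "__main__":
    for user, doc in (("ram_test_pub", READ_ONLY), ("ram_test", FULL_ACCESS)):
        print(user, "->", write_actions_allowed(doc) or "no write actions allowed")
```

An empty result for the policy intended for ram_test_pub is consistent with the failed ct and dt commands shown above.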
