This topic describes the account model, Alibaba Cloud account and Resource Access Management (RAM) user authorization, and account verification in Realtime Compute for Apache Flink.
Account model
Log on to the RAM console to configure your account.
Realtime Compute for Apache Flink allows you to log on to its console by using an Alibaba Cloud account or as a RAM user. You can use an Alibaba Cloud account to purchase Realtime Compute for Apache Flink and create projects. You can also authorize a RAM user to use the Realtime Compute for Apache Flink projects that are created by using an Alibaba Cloud account.
In Realtime Compute for Apache Flink, a project belongs to an Alibaba Cloud account. If a project requires collaboration of multiple persons, you must use the Alibaba Cloud account + RAM user model, as shown in the following figure.
Alibaba Cloud account + RAM user model
- Initialize RAM.
You must initialize RAM when you use RAM for the first time. For more information, see Set a password policy for RAM users and Set security policies for RAM users.
- Create a RAM user.
You can allocate RAM users to the developers of Realtime Compute for Apache Flink. For more information about how to create a RAM user, see Create a RAM user.
- Create a custom permission policy.
For more information about how to create a custom permission policy in the RAM console, see Create a custom policy.
- The following code demonstrates a permission policy of Realtime Compute for Apache Flink:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "stream:*",
      "Resource": "acs:stream:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:*",
      "Effect": "Allow"
    }
  ]
}
- Realtime Compute for Apache Flink supports project-level permission policies. This way, you can authorize RAM users to access different projects. To authorize a RAM user to access a single project, modify the preceding code in the following way. Replace projectname with the name of the project that you want to authorize.
- Before the modification
"Resource": "acs:stream:*:*:*"
- After the modification
"Resource":"acs:stream:*:*:projectname"
- Grant permissions to RAM users or RAM user groups.
Attach the preceding policy to specified RAM users or RAM user groups. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.
- Log on to the Realtime Compute for Apache Flink console as a RAM user.
RAM users can log on to the Realtime Compute for Apache Flink console by using the RAM user logon URL.
Note: You can find the RAM user logon URL under RAM user logon in the Account Management section of the Overview page in the RAM console.
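The following Python sketch relates to the custom permission policy step above. It is an added example, not code from Alibaba Cloud: it finds statements that still grant stream actions on every project and rewrites them to the project-level form shown on this page. The function names are hypothetical, the project-name check is a conservative assumption, and the example goes beyond the single-project case by emitting a Resource list when several project names are passed.

```python
import copy
import json

STREAM_ALL = "acs:stream:*:*:*"  # resource string from the page: every project

# The policy shown on this page, as a Python dict.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "stream:*", "Resource": STREAM_ALL, "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "acs:ram:*:*:*", "Effect": "Allow"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_stream_statements(policy):
    """Indexes of Allow statements that grant stream actions on every project."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        on_stream = any(a == "*" or a.startswith("stream:") for a in actions)
        everywhere = any(r == "*" or (r.startswith("acs:stream:") and r.endswith(":*"))
                         for r in resources)
        if stmt.get("Effect") == "Allow" and on_stream and everywhere:
            hits.append(i)
    return hits

def scope_to_projects(policy, projects):
    """Copy of policy with the all-projects resource replaced per project."""
    if not projects:
        raise ValueError("at least one project name is required")
    for name in projects:
        # Assumption: reject empty names and wildcard or separator characters
        # so the result cannot silently widen back to several projects.
        if not name or any(c in name for c in "*?:"):
            raise ValueError(f"unsafe project name: {name!r}")
    targets = [f"acs:stream:*:*:{name}" for name in projects]
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        resources = _as_list(stmt.get("Resource", []))
        if STREAM_ALL in resources:
            merged = [r for r in resources if r != STREAM_ALL] + targets
            stmt["Resource"] = merged[0] if len(merged) == 1 else merged
    return scoped

if __name__ == "__main__":
    print(json.dumps(scope_to_projects(PAGE_POLICY, ["projectname"]), indent=2))
```

Running the audit function over a policy before you attach it to a RAM user or RAM user group shows whether any statement still covers all projects.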