Identity credentials map Alibaba Cloud RAM users or RAM roles to data source access accounts. After an administrator configures identity credentials, users can request data access permissions for StarRocks, Hive, and Lindorm in DataWorks, with access control enforced by Ranger.
Overview
When users access data sources such as StarRocks, Hive, or Lindorm through DataWorks, these data engines do not natively support authentication with Alibaba Cloud RAM users or RAM roles. Instead, they require the data source's own accounts, such as a username and password. The identity credential feature centrally maps RAM users or RAM roles to data source access accounts. This mitigates risks such as credential leakage, malicious tampering, and privilege abuse.
Identity credentials fit into the Ranger access control workflow as follows:
Add a Ranger configuration: Configure the connection information for the Ranger instance in the security center. For more information, see Add a Ranger configuration.
Add a service association: Add a StarRocks, Hive, or Lindorm type service to the Ranger instance. For more information, see Add a service.
Configure identity credentials: Map RAM users or RAM roles to their corresponding data source accounts.
Request permissions: Users submit permission requests in . After a security administrator approves the request, Ranger automatically generates a policy.
Prerequisites
You have completed the Ranger configuration and service association. For more information, see Add a Ranger configuration.
You must be a Tenant Administrator to access the Identity Credentials page and perform configurations.
Go to the identity credentials page
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the left-side navigation pane, click Identity Credentials.
Add an identity credential
On the Identity Credentials page, click New in the upper-left corner. In the New Access Identity dialog box, configure the following parameters.
| Parameter | Description |
| --- | --- |
| Alibaba Cloud RAM user/Role | Select the RAM user or RAM role that will use this identity credential to access the data source. |
| Data Source Type | Select the type of data source to access. Supported types: StarRocks, Hive, and Lindorm. Note: The selected data source type must match the configured Ranger service type. For example, to request permissions for Lindorm, you must configure a Lindorm-type service in Ranger. |
| Cluster/Instance | Based on the selected data source type, select the corresponding cluster or instance: Important: You must have the |
| Account Type | Select the account type. The account type determines whether the user has approval permissions: |
| Account Name | The account name that the Alibaba Cloud RAM user or RAM role uses to access the data source. Important: This account name must match the username configured in Ranger. Otherwise, Ranger cannot correctly match permission policies. |
| Account password | The password that the Alibaba Cloud RAM user or RAM role uses to access the data source. |
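The two constraints in the table above (the data source type must match a Ranger service type, and the account name must match a username in Ranger's policies) are easy to get wrong when many credentials are configured by hand. The following Python is an added example, not part of the DataWorks documentation or of any Alibaba Cloud SDK: it models the credential mappings and the Ranger services as plain records and reports every mapping that would fail one of those two checks. The data classes, the `check_credentials` function and the sample records are all assumptions made for this illustration; a real review would populate them from the Security Center and from the Ranger service definitions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityCredential:
    """One row of the New Access Identity dialog (hypothetical model)."""
    ram_identity: str       # RAM user or RAM role that will use the credential
    data_source_type: str   # "StarRocks", "Hive" or "Lindorm"
    cluster: str            # cluster or instance selected for that type
    account_name: str       # data source account mapped to the RAM identity
    # The account password is deliberately not modelled: the check never needs it.


@dataclass(frozen=True)
class RangerService:
    """A service associated with the Ranger instance (hypothetical model)."""
    name: str
    service_type: str       # Ranger service type, e.g. "Hive"
    policy_users: frozenset # usernames referenced by that service's policies


def check_credentials(credentials, services):
    """Return (credential, problem) pairs for every mapping Ranger could not match.

    Two page-level rules are enforced:
      1. the credential's data source type must have a Ranger service of the same type;
      2. the account name must be a username known to that service's policies.
    Matching is exact and case-sensitive (an assumption of this example).
    """
    services_by_type = {svc.service_type: svc for svc in services}
    problems = []
    for cred in credentials:
        svc = services_by_type.get(cred.data_source_type)
        if svc is None:
            problems.append((cred, f"no Ranger service of type {cred.data_source_type!r} is configured"))
            continue
        if cred.account_name not in svc.policy_users:
            problems.append((cred, f"account {cred.account_name!r} is not a username in Ranger service {svc.name!r}"))
    return problems


# Constructed sample data: not taken from any real tenant.
SAMPLE_SERVICES = [
    RangerService("hive_prod", "Hive", frozenset({"analyst01", "etl_svc"})),
    RangerService("starrocks_prod", "StarRocks", frozenset({"analyst01"})),
]

SAMPLE_CREDENTIALS = [
    # Valid: Hive service exists and "analyst01" appears in its policies.
    IdentityCredential("ram-user:alice", "Hive", "hive-cluster-a", "analyst01"),
    # Account name differs in case from the Ranger username -> policies will not match.
    IdentityCredential("ram-user:bob", "StarRocks", "sr-instance-1", "Analyst01"),
    # No Lindorm-type service has been added to Ranger -> requests cannot be served.
    IdentityCredential("ram-role:etl", "Lindorm", "ld-instance-9", "etl_svc"),
]


def run_sample():
    """Run the check over the constructed data and return the problems found."""
    return check_credentials(SAMPLE_CREDENTIALS, SAMPLE_SERVICES)


if __name__ == "__main__":
    for cred, problem in run_sample():
        print(f"{cred.ram_identity} -> {cred.data_source_type}/{cred.account_name}: {problem}")
```

Run it before opening the permission request workflow: a mapping that fails check 1 means the service association step was skipped for that data source type, and one that fails check 2 means approved requests will produce Ranger policies that never apply to the account the user actually logs in with.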
Next steps
After configuring an identity credential, users can go to , select the databases or tables they need to access, and submit a permission request. For more information, see data access control.