Learn the RAM permission actions for calling DLF APIs (REST and management). This topic guides you in configuring granular permissions based on the principle of least privilege, for enhanced security and flexibility.
Understanding DLF APIs
REST APIs: Built on Paimon/Iceberg REST APIs, these are designed for efficient data access and operations.
Management APIs: Based on Alibaba Cloud OpenAPI, these facilitate efficient resource management and O&M.
NoteManaging catalogs, databases, and tables in the DLF console requires Management API permissions. Grant these permissions to users granularly as needed.
Predefined policies
DLF provides two predefined policies that facilitate API authorization:
Policy | Description |
| Grants permissions to call all DLF APIs. Suitable for users who need to perform comprehensive data lake management. |
| Provides read-only API permissions, such as List and Get. |
Grant predefined permissions
Log on to the RAM console as a RAM administrator.
In the left navigation menu, choose .
On the Users page, find the target RAM account and click Add Permissions in the Actions column.
In the Grant Permissions panel, add the
AliyunDLFFullAccessorAliyunDLFReadOnlyAccesspolicy for the RAM user.Click Grant permissions.
Custom policies
Create custom policies for granular permission management. For more information, see Create a custom policy. Example:
{
"Version": "1",
"Statement": [
{
"Action": [
"dlf:ListDatabases",
"dlf:CreateDatabase",
"dlf:GetDatabase",
"dlf:AlterDatabase",
"dlf:ListTables",
"dlf:CreateTable",
"dlf:GetTable",
"dlf:AlterTable",
"dlf:ListPartitions",
"dlf:ListViews"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
REST API actions
Paimon REST
Category | Paimon REST API | Action | Description |
Config | GetConfig | dlf:GetConfig | Gets the configuration of a catalog. |
Database | ListDatabases | dlf:ListDatabases | Lists databases. |
CreateDatabase | dlf:CreateDatabase | Creates a database. | |
GetDatabase | dlf:GetDatabase | Gets a database. | |
DropDatabase | dlf:DropDatabase | Deletes a database. | |
AlterDatabase | dlf:AlterDatabase | Alters a database. | |
Table | ListTables | dlf:ListTables | Lists tables. |
CreateTable | dlf:CreateTable | Creates a table. | |
ListTableDetails | dlf:ListTableDetails | Lists table details. | |
GetTable | dlf:GetTable | Gets a table. | |
AlterTable | dlf:AlterTable | Alters a table. | |
DropTable | dlf:DropTable | Deletes a table. | |
RenameTable | dlf:RenameTable | Renames a table. | |
CommitTable | dlf:CommitTable | Commits table changes. | |
RollbackTable | dlf:RollbackTable | Rolls back a table. | |
GetTableToken | dlf:GetTableToken | Gets the token to access table data. | |
GetTableSnapshot | dlf:GetTableSnapshot | Gets a table snapshot. | |
ListTableSnapshots | dlf:ListTableSnapshots | Gets a list of table snapshots. | |
Partition | ListPartitions | dlf:ListPartitions | Lists partitions. |
MarkDonePartitions | dlf:MarkDonePartitions | Marks partitions as complete. | |
Branch | ListBranches | dlf:ListBranches | Lists table branches. |
CreateBranch | dlf:CreateBranch | Creates a table branch. | |
DropBranch | dlf:DropBranch | Deletes a table branch. | |
ForwardBranch | dlf:ForwardBranch | Forwards a table branch. | |
View | ListViews | dlf:ListViews | Lists views. |
CreateView | dlf:CreateView | Creates a view. | |
GetView | dlf:GetView | Gets a view. | |
AlterView | dlf:AlterView | Alters a view. | |
DropView | dlf:DropView | Deletes a view. | |
RenameView | dlf:RenameView | Renames a view. | |
Function | ListFunctions | dlf:ListFunctions | Lists functions. |
CreateFunction | dlf:CreateFunction | Creates a function. | |
GetFunction | dlf:GetFunction | Gets a function. | |
AlterFunction | dlf:AlterFunction | Alters a function. | |
DropFunction | dlf:DropFunction | Deletes a function. | |
Tag | CreateTag | dlf:CreateTag | Creates a tag. |
GetTag | dlf:GetTag | Gets a tag. | |
ListTags | dlf:ListTags | List tags. | |
DeleteTag | dlf:DeleteTag | Deletes a tag. |
Iceberg REST
Category | Iceberg REST API | Action | Description |
Config | GetConfig | dlf:GetConfig | Gets the configuration of a catalog. |
Namespace | ListNamespaces | dlf:ListDatabases | Lists namespaces. |
CreateNamespace | dlf:CreateDatabase | Creates a namespace. | |
LoadNamespaceMetadata | dlf:GetDatabase | Gets a namespace. | |
NamespaceExists | dlf:GetDatabase | Checks whether a namespace exists. | |
UpdateProperties | dlf:AlterDatabase | Updates namespace properties. | |
DropNamespace | dlf:DropDatabase | Deletes a namespace. | |
Table | ListTables | dlf:ListTables | Lists tables. |
CreateTable | dlf:CreateTable | Creates a table. | |
LoadTable | dlf:GetTable | Gets a table. | |
TableExists | dlf:GetTable | Checks whether a table exists. | |
UpdateTable | dlf:AlterTable | Updates a table. | |
DropTable | dlf:DropTable | Deletes a table. |
Management API actions
Category | Management API | Action | Description |
Activation | DescribeRegions | dlf:DescribeRegions | Lists DLF regions. |
GetRegionStatus | dlf:GetRegionStatus | Gets the activation status in a region. | |
Subscribe | dlf:Subscribe | Activates DLF. | |
CreateInstance | dlf:CreateInstance | Purchases compute resources. | |
User and role management | GetUser | dlf:GetUser | Gets a DLF user. |
ListUsers | dlf:ListUsers | Lists DLF users. | |
CreateRole | dlf:CreateRole | Creates a DLF role. | |
UpdateRole | dlf:UpdateRole | Updates a DLF role. | |
DeleteRole | dlf:DeleteRole | Deletes a DLF role. | |
GetRole | dlf:GetRole | Gets a DLF role. | |
ListRoles | dlf:ListRoles | Lists DLF role. | |
GrantRoleToUsers | dlf:GrantRoleToUsers | Grants a DLF role to multiple DLF users. | |
RevokeRoleFromUsers | dlf:RevokeRoleFromUsers | Revokes a DLF role from multiple DLF users. | |
UpdateRoleUsers | dlf:UpdateRoleUsers | Updates the DLF users within a role. | |
ListRoleUsers | dlf:ListRoleUsers | Retrieves a list of DLF users associated with a DLF role. | |
ListUserRoles | dlf:ListUserRoles | Retrieves a list of DLF roles assigned to a specific DLF user. | |
RefreshUserSync | dlf:RefreshUserSync | Starts DLF user synchronization. | |
Catalog | CreateCatalog | dlf:CreateCatalog | Creates a catalog. |
GetCatalog | dlf:GetCatalog | Gets a catalog. | |
DropCatalog | dlf:DropCatalog | Deletes a catalog. | |
AlterCatalog | dlf:AlterCatalog | Updates a catalog. | |
ListCatalogs | dlf:ListCatalogs | Lists catalogs. | |
GetCatalogByld | dlf:GetCatalogByld | Gets a catalog by its Catalog ID. | |
Database | AlterDatabase | dlf:AlterDatabase | Updates a database. |
GetDatabase | dlf:GetDatabase | Gets a database. | |
DropDatabase | dlf:DropDatabase | Deletes a database. | |
CreateDatabase | dlf:CreateDatabase | Creates a database. | |
ListDatabaseDetails | dlf:ListDatabaseDetails | Lists database details. | |
ListDatabases | dlf:ListDatabases | Lists databases. | |
Table | CreateTable | dlf:CreateTable | Creates a table. |
DropTable | dlf:DropTable | Deletes a table. | |
ListTableDetails | dlf:ListTableDetails | Lists table details. | |
GetTable | dlf:GetTable | Gets a table. | |
ListTables | dlf:ListTables | Lists tables. | |
View | ListViews | dlf:ListViews | Lists views. |
ListViewDetails | dlf:ListViewDetails | Lists view details. | |
CreateView | dlf:CreateView | Creates a view. | |
GetView | dlf:GetView | Gets a view. | |
AlterView | dlf:AlterView | Alters a view. | |
DropView | dlf:DropView | Deletes a view. | |
Function | ListFunctions | dlf:ListFunctions | Lists functions. |
ListFunctionDetails | dlf:ListFunctionDetails | Lists function details. | |
CreateFunction | dlf:CreateFunction | Creates a function. | |
GetFunction | dlf:GetFunction | Gets a function. | |
AlterFunction | dlf:AlterFunction | Alters a function. | |
DropFunction | dlf:DropFunction | Deletes a function. | |
Permission management | GrantPermission | dlf:GrantPermission | Grants permissions on a resource. |
RevokePermission | dlf:RevokePermission | Revokes permissions on a resource. | |
BatchGrantPermissions | dlf:BatchGrantPermissions | Grants permissions in a batch. | |
BatchRevokePermissions | dlf:BatchRevokePermissions | Revokes permissions in a batch. | |
ListPermissions | dlf:ListPermissions | Lists the permissions for a resource. | |
Iceberg Table | GetIcebergTable | dlf:GetIcebergTable | Gets an Iceberg table. |
ListIcebergSnapshots | dlf:ListIcebergSnapshots | Lists Iceberg table snapshots. |