This document explains key authorization concepts for Realtime Compute for Apache Flink. It covers use cases, the permission model, the functional differences between Management and Development Consoles, the authorization process, and instructions based on different logon methods.
Before you begin
When you first activate Realtime Compute for Apache Flink, you are prompted to authorize access to cloud resources. You will be redirected to a cloud resource access authorization page for Resource Access Management (RAM) where you must click Authorize in RAM. After you grant this authorization, your Alibaba Cloud account receives permissions to access Realtime Compute for Apache Flink's Management and Development Consoles, and to access resources of related cloud products.
To share a workspace with other users and implement granular access control, follow the instructions in this document to configure the required permissions.
General authorization guide
Authorization use cases
Use case | Description | Authorization policy | Authorization method |
Management operations | To perform management operations such as purchasing workspaces, buying resources, or adjusting resource configurations, the user must log on to the Management Console. | | |
Development and O&M operations | To perform operations such as job development, debugging, or other O&M tasks, a user must log on to the Development Console. | | |
Permission model
Management Console
Permissions for the Management Console are managed in the RAM console. An Alibaba Cloud account grants permissions by attaching a policy to a RAM identity, such as a RAM user or Role. The scope of this policy covers all resources within the Alibaba Cloud account, including permissions for Realtime Compute for Apache Flink and related products.
Development Console
An Alibaba Cloud account manages permissions for the Development Console by assigning roles to RAM users or other Alibaba Cloud accounts within the console itself. The scope of these roles covers all first-level and second-level functional permissions within the Development Console.
Console overview
Realtime Compute for Apache Flink has two distinct consoles: Management Console and Development Console. The table below describes their differences in user interface (UI) and functions.
Console name | UI | Functions |
Management Console | | Viewing, creating, releasing, and adjusting workspaces; cloning namespaces. |
Development Console | | Perform operations within a target namespace, such as job development, O&M, and namespace authorization. |
Authorization process
First, the Alibaba Cloud account owner or a RAM administrator identifies the specific console the principal requires access to. Next, they decide whether to grant a predefined system policy/role, or create and assign a custom policy/role. Finally, they follow the console's specific authorization procedure to grant the chosen permissions.
Grant permissions based on logon method
Alibaba Cloud account logon
The Alibaba Cloud account that purchased the workspace has all permissions for both the Realtime Compute Management Console and the Realtime Compute Development Console by default and does not require separate authorization. When other Alibaba Cloud accounts need to access a Realtime Compute console, you can grant permissions as described below.
Logon method | Logon target | Authorization instructions |
Alibaba Cloud account | Management Console | Cross-account access is not allowed. |
Alibaba Cloud account | Development Console | |
RAM user logon
Logon method | Logon target | Authorization instructions |
RAM user | Management Console | |
RAM user | Development Console | |
RAM role logon
To assume and use a RAM role to log on, a RAM user must have the AliyunSTSAssumeRoleAccess permission.
Logon method | Logon target | Authorization instructions |
RAM role | Management Console | |
RAM role | Development Console | |
When a RAM user assumes a RAM role, the authorized principal is always the RAM role itself, never the user who assumed it. For example, whether flinktestA (from account A) or flinktestB (from account B) assumes a given RAM role, the authorized principal is that RAM role in both cases, and the effective permissions are those attached to the role.
Resource directory member logon
Logon method | Logon target | Authorization instructions |
Logon as a root user (Alibaba Cloud account) | Management Console | No separate authorization required. |
Logon as a root user (Alibaba Cloud account) | Development Console | |
RAM admin logon as a RAM role | Management Console | Separate authorization is typically not required. |
RAM admin logon as a RAM role | Development Console | |
Logon as a RAM user | Management Console | |
Logon as a RAM user | Development Console | |
CloudSSO user logon as a RAM role | Management Console | |
CloudSSO user logon as a RAM role | Realtime Compute Development Console | |
CloudSSO user logon as a RAM user | Management Console | |
CloudSSO user logon as a RAM user | Development Console | |
Basic authorization concepts
Account types
Account type | Description |
Alibaba Cloud account | An Alibaba Cloud account is the fundamental entity that owns Alibaba Cloud resources and is used for metering and billing. It holds all permissions for the products and resources it owns. |
RAM user | A RAM user is an entity representing a person or application that needs to access Alibaba Cloud. After you create a RAM user and grant it permissions, it can access authorized cloud resources. To create a RAM user, see Create a RAM user. |
RAM role | A RAM role is a virtual identity that can be granted a set of permission policies. Unlike a RAM user, a RAM role does not have permanent credentials like a logon password or an AccessKey pair. A trusted entity must assume the RAM role to use its permissions. For more information, see RAM role overview. |
Resource Directory member | Resource Directory (RD) is a service provided by Alibaba Cloud for enterprise customers to manage multi-level account and resource relationships. A member is a resource account created through RD to host specific projects or applications on Alibaba Cloud. For more information, see What is Resource Directory?. |
Permissions
Alibaba Cloud uses permissions to describe the ability of a RAM identity to access specific resources. Two rules apply:
The Alibaba Cloud account (resource owner) controls all permissions
Each resource has one and only one owner, which must be an Alibaba Cloud account. This account has full control over the resource.
The resource owner is not necessarily the resource creator. For example, if a RAM identity is granted permission to create a resource, the resource created by that identity belongs to the Alibaba Cloud account. In this case, the RAM identity is the creator but not the owner.
RAM identities have no permissions by default
They can operate on resources through the consoles or API only after an Alibaba Cloud account grants them the necessary permissions.
Policy
A policy is a set of permissions described using a specific syntax and structure. It can precisely define the authorized resource set, action set, and conditions. For more information, see Policy elements and Policy syntax and structure.
RAM supports the following two types of policies:
System policies: These are created and maintained by Alibaba Cloud. You can use them but cannot modify them.
Custom policies: You can create, update, and delete these policies. You are responsible for maintaining and updating them.
Attaching a policy to a RAM identity grants the permissions specified in that policy. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
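Because custom policies are yours to maintain, it is worth checking them before attaching. The following Python script is an added example (not from this page or from Alibaba Cloud's tooling) that lints a policy document written in the RAM policy syntax described above, flagging Allow statements whose wildcard Action and wildcard Resource would hand a RAM identity full-account access; the two embedded policies, the action names and the resource identifier are constructed sample values.

```python
import json

# Constructed sample policies in RAM policy syntax: Version "1", a Statement
# list, and Effect / Action / Resource per statement. Action names and the
# resource string are hypothetical placeholders, not real product values.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["example:DescribeJobs", "example:ListNamespaces"],
            "Resource": "acs:example:*:1234567890123456:workspace/ws-demo",
        },
        {"Effect": "Deny", "Action": "ram:*", "Resource": "*"},
    ],
})


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return findings for a RAM policy document (empty list means clean)."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
            continue
        if effect != "Allow":
            continue  # Deny statements only narrow access
        wild_action = "*" in _as_list(stmt.get("Action", []))
        wild_resource = "*" in _as_list(stmt.get("Resource", []))
        if wild_action and wild_resource:
            findings.append(f"statement {i}: Allow * on * grants full account access")
        elif wild_action:
            findings.append(f"statement {i}: wildcard Action; list specific actions")
    return findings
```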

