
ApsaraDB for HBase: Create custom RAM authorization policies

Last Updated: Mar 30, 2026

Custom RAM policies give you fine-grained control over which RAM users can perform which operations on which ApsaraDB for HBase instances. Unlike system policies, which grant access to all resources, custom policies let you restrict permissions to specific instances or combine multiple permission levels with optional conditions such as expiration dates.

For instructions on creating a custom policy in the RAM console, see Create custom policies.

Resource types and ARN format

ApsaraDB for HBase supports one resource type for RAM authorization: dbinstance.

Use the following format in the Resource field of your policy:

acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>

| Parameter | Description |
| --- | --- |
| regionid | The ID of the region where the instance is deployed |
| accountid | The ID of your Alibaba Cloud account |
| dbinstanceid | The ID of the ApsaraDB for HBase instance |

Policy examples

Grant read-only access

The following policy allows a RAM user to call any hbase:Describe* API operation on the specified instance. Use this for users who only need to view instance information, such as operations or audit personnel.

{
    "Statement": [
        {
            "Action": [
                "hbase:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ]
        }
    ],
    "Version": "1"
}

Grant specific operations on a single instance

The following policy allows a RAM user to create clusters and expand the storage of a specific instance. This is suitable for developers or operators who manage a single instance but should not have access to other instances.

{
    "Statement": [
        {
            "Action": [
                "hbase:CreateCluster",
                "hbase:ResizeDiskSize"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ]
        }
    ],
    "Version": "1"
}

Grant time-limited access with an expiration date

Use the Condition field to restrict when a policy is in effect. The following policy grants read access, cluster creation, and storage expansion permissions on a specific instance until August 17, 2020 (UTC+8).

{
    "Statement": [
        {
            "Action": [
                "hbase:CreateCluster",
                "hbase:ResizeDiskSize",
                "hbase:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        }
    ],
    "Version": "1"
}

Replace the following placeholders with actual values:

| Placeholder | Description | Example |
| --- | --- | --- |
| <regionid> | The ID of the region | cn-hangzhou |
| <accountid> | Your Alibaba Cloud account ID | 123456789012 |
| <dbinstanceid> | The ID of the ApsaraDB for HBase instance | hb-bp1234567890abcd |

Note: For the full list of condition keys and operators, see Policy structure and syntax.

How ApsaraDB for HBase authenticates API calls

When a RAM user calls an ApsaraDB for HBase API operation, the service checks whether the user's policies grant the required permissions. The check evaluates both the API operation being called and the resource it targets.

For example, when a RAM user calls CreateCluster, ApsaraDB for HBase checks whether the user has hbase:CreateCluster permission on the target resource acs:hbase:<regionid>:<accountid>:dbinstance/<dbinstanceid>.
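
The check described above can be tried against a policy before the policy is attached. The following Python model is an added example, not Alibaba Cloud code: it evaluates the time-limited policy from this page against an action, a resource ARN and a timestamp. The function names, the `*`-only wildcard rule and the sample action name hbase:DescribeAnything are assumptions made for illustration, and explicit Deny statements are not modelled.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's time-limited policy with its placeholders
# replaced by the example values from the placeholder table.
INSTANCE = "acs:hbase:cn-hangzhou:123456789012:dbinstance/hb-bp1234567890abcd"
POLICY = json.loads("""{
  "Statement": [{
    "Action": ["hbase:CreateCluster", "hbase:ResizeDiskSize", "hbase:Describe*"],
    "Effect": "Allow",
    "Resource": ["%s"],
    "Condition": {"DateLessThan": {"acs:CurrentTime": "2020-08-17T23:59:59+08:00"}}
  }],
  "Version": "1"
}""" % INSTANCE)
UTC8 = timezone(timedelta(hours=8))

def matches(pattern, value):
    """Assumed wildcard rule: '*' matches any run of characters, nothing else is special."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def condition_holds(condition, now):
    """Models only DateLessThan on acs:CurrentTime; any other operator or key fails closed."""
    for operator, keys in condition.items():
        for key, limit in keys.items():
            if (operator, key) != ("DateLessThan", "acs:CurrentTime"):
                return False
            if now >= datetime.fromisoformat(limit):
                return False
    return True

def is_allowed(policy, action, resource, now):
    """True if an Allow statement covers the action and the resource at time `now` (tz-aware)."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and any(matches(p, action) for p in stmt["Action"])
                and any(matches(p, resource) for p in stmt["Resource"])
                and condition_holds(stmt.get("Condition", {}), now)):
            return True
    return False  # no matching Allow statement: implicit deny

if __name__ == "__main__":
    noon = datetime(2020, 8, 17, 12, 0, tzinfo=UTC8)
    late = datetime(2020, 8, 17, 16, 30, tzinfo=timezone.utc)  # already Aug 18 in UTC+8
    print(is_allowed(POLICY, "hbase:CreateCluster", INSTANCE, noon))
    print(is_allowed(POLICY, "hbase:DescribeAnything", INSTANCE, noon))  # constructed action name
    print(is_allowed(POLICY, "hbase:CreateCluster", INSTANCE, late))
```

The `late` case shows why the expiry is compared as an absolute instant: the request arrives on August 17 in UTC, but the policy's deadline in UTC+8 has already passed.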