You can use system policies to grant RAM users permissions on all ApsaraDB for HBase resources. You can also use custom policies as needed to grant RAM users specific operation permissions on specific instances. This topic describes how to customize a RAM policy.
Grant RAM users permissions on ApsaraDB for HBase resources
For more information about how to create a custom RAM policy, see Create custom policies.
You can use RAM to grant permissions on only ApsaraDB for HBase instances. When you use RAM to grant permissions, you can specify resources in the Resource field of the policy.
Resource type | Resource description in the policy |
dbinstance | acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid |
The following table describes the parameters.
Parameter | Description |
regionid | The ID of the region. |
accountid | The ID of the Alibaba Cloud account. |
dbinstanceid | The ID of the instance. |
Examples
In this example, the authorized RAM user can view all the instances, create instances, and expand the storage of only the specified instance. The expiration date of the policy is August 17, 2020.
{
"Statement": [
{
"Action": [
"hbase:CreateCluster",
"hbase:ResizeDiskSize"
],
"Effect": "Allow",
"Resource": [
"acs:hbase:<regionid>:dbinstance:<accountid>/<dbinstanceid>"
],
"Condition": {
"DateLessThan": {
"acs:CurrentTime": "2020-08-17T23:59:59+08:00"
}
}
},
{
"Action": [
"hbase:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:hbase:<regionid>:dbinstance:<accountid>/<dbinstanceid>"
],
"Condition": {
"DateLessThan": {
"acs:CurrentTime": "2020-08-17T23:59:59+08:00"
}
}
}
],
"Version": "1"
}For more information about permission settings, see Policy structure and syntax.
Authentication rules of ApsaraDB for HBase API operations
When you call API operations to access resources as a RAM user, ApsaraDB for HBase checks whether you are granted the required permissions. The permissions that ApsaraDB for HBase checks are determined by the API syntax and the resources that are requested by the API operation. In this example, the API operation is CreateCluster, and the authentication rule applies to acs:hbase:$regionid:$accountid:dbinstance/$dbinstanceid.