When you use resource groups to organize and manage your resources, you can integrate with Resource Access Management (RAM) to implement resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how ApsaraDB for HBase supports resource groups and provides step-by-step instructions for granting resource group-level permissions.
- Resource group-level authorization takes effect only for resource types that support resource groups and for actions that support resource group-level authorization.
- For resource types that do not support resource groups, granting permissions with a resource group scope has no effect. Instead, you must grant permissions at the account level. For more information, see Actions that do not support resource-group-level authorization.
How resource group authorization works
You can use a resource group to manage resources in your Alibaba Cloud account. For example, you can create a resource group for each of your projects and move resources into their corresponding groups for centralized management. For more information, see What is a resource group?
After you group resources, you can grant permissions for a specific resource group to different RAM principals (RAM users, RAM user groups, or RAM roles). This restricts the principal to managing only the resources within that resource group. For more information, see Resource Grouping and Authorization.
This authorization method provides the following benefits:
- Fine-grained permissions: Ensures each principal has only the necessary access and prevents mixing resources from different projects within the same account.
- Scalability: When you add new resources, you only need to add them to the resource group. The principal automatically gains the corresponding permissions for the new resources without requiring further authorization.
Grant resource group-level permissions
This section uses a RAM user as an example to show how to grant permissions on ApsaraDB for HBase resources within a specific resource group.
1. Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.
2. Grant resource group-level permissions
You can grant resource group-level permissions in either of the following ways.
Method 1: Resource Management console
Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant permissions on a resource group to a RAM identity.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group and click Permissions in the Actions column.
- On the Permissions tab, click Grant Permission.
- In the Grant Permission panel, configure the principal and permission policy.
  - Principal: Select an existing RAM user.
  - Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.
- Click Grant.
Method 2: RAM console
Grant resource group-level permissions to a specific RAM user in the RAM console. For more information, see Manage permissions for a RAM user.
- Log on to the RAM console as an Alibaba Cloud account (primary account) or a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
- In the Add Permissions panel, add permissions for the RAM user.
  - Resource Scope: Select Resource Group.
  - Principal: Select an existing RAM user or the RAM user created in the prerequisites.
  - Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.
- Click Grant.
Resource types that support resource groups
The following table lists the resource types of ApsaraDB for HBase that support resource groups.
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| ApsaraDB for HBase | multimod | cluster |
To request resource group support for additional resource types, submit feedback in the Resource Management console.

Unsupported actions for resource group authorization
The following table lists the ApsaraDB for HBase actions that do not support resource group-level authorization.
| Action | Description |
| --- | --- |
| hbase:CheckComponentsVersion | Checks if component versions are the latest. |
| hbase:CreateHBaseSlbServer | Creates a load balancing service. |
| hbase:CreateMultiZoneCluster | Creates a multi-availability zone cluster. |
| hbase:DeleteHBaseHaDB | Deletes an HA instance. |
| hbase:DescribeActiveOperationMaintainConf | - |
| hbase:DescribeActiveOperationTaskType | Queries the O&M task types, count, and details for an HBase instance. |
| hbase:DescribeActiveOperationTasks | Queries the details of O&M tasks for an HBase instance. |
| hbase:DescribeAvailableResource | Queries available resources. |
| hbase:DescribeBackups | Retrieves backup records for an HBase cluster. |
| hbase:DescribeDeletedInstances | Retrieves a list of clusters that are deleted but not yet fully released. |
| hbase:DescribeEventMetaInfo | - |
| hbase:DescribeInstanceType | Calls the DescribeInstanceType operation to query instance specifications (CPU and memory). |
| hbase:DescribeMultiZoneAvailableRegions | Queries available region combinations for multi-availability zone clusters. |
| hbase:DescribeMultiZoneAvailableResource | Retrieves purchasable resources in a multi-availability zone. |
| hbase:DescribeRdsVSwitchs | - |
| hbase:DescribeRdsVpcs | - |
| hbase:DescribeRdsVswitchs | - |
| hbase:DescribeSubDomain | Calls the DescribeSubDomain operation to get an available subdomain. |
| hbase:DescribeVSwitches | - |
| hbase:DescribeVpcs | - |
| hbase:EnableHBaseueBackup | Enables the backup and recovery feature for HBase. |
| hbase:EnableHBaseueModule | Calls the EnableHBaseueModule operation to enable an extended service. |
| hbase:EvaluateMultiZoneResource | Calls the EvaluateMultiZoneResource operation to evaluate whether available resources exist. |
| hbase:GetMultimodeCmsUrl | Gets the monitoring URL based on the cluster ID. |
| hbase:ListBdsInstances | - |
| hbase:ListHBaseInstances | Lists HBase instances within the same VPC. |
| hbase:ListHbaseInstances | - |
| hbase:ListTagResources | Gets a list of tags by resource ID or by tag (query by key, or by key and value). |
| hbase:ListTags | Gets all tags within a region. |
| hbase:ModifyActiveOperationTasks | Calls the ModifyActiveOperationTasks operation to modify the scheduled switchover time for an O&M task. |
| hbase:ModifyMultimodSpec | - |
| hbase:OpenBackup | Calls the OpenBackup operation to enable the backup and recovery feature for an HBase cluster. |
| hbase:RenewInstance | Calls the RenewInstance operation to renew an HBase instance. |
| hbase:ResizeColdStorage | - |
| hbase:ResizeMultiZoneClusterDiskSize | Calls the ResizeMultiZoneClusterDiskSize operation to change the disk size of a multi-availability zone instance. |
| hbase:SwitchHbaseHaSlb | Compared to the CreateHbaseHaSlb operation, this operation performs an active-standby switchover for high-availability Thrift or high-availability Phoenix. |
| hbase:TagResources | Adds a tag to an instance. |
| hbase:UnTagResources | Removes one or more tags from a resource. |
| hbase:UntagResources | - |
| hbase:XpackRelateDB | Calls the XpackRelateDB operation to associate a database. |
| hbase:action | - |
For actions that do not support resource group authorization, selecting Resource Group as the resource scope during authorization has no effect. If you need a RAM user to have these permissions, you must create a custom permission policy and select Account as the resource scope.
Here are two examples of custom permission policies. You can adjust the policy content to meet your requirements.
- To allow all read-only actions that do not support resource group-level authorization, list them in the Action element.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "hbase:DescribeActiveOperationMaintainConf",
        "hbase:DescribeActiveOperationTaskType",
        "hbase:DescribeActiveOperationTasks",
        "hbase:DescribeAvailableResource",
        "hbase:DescribeBackups",
        "hbase:DescribeDeletedInstances",
        "hbase:DescribeEventMetaInfo",
        "hbase:DescribeInstanceType",
        "hbase:DescribeMultiZoneAvailableRegions",
        "hbase:DescribeMultiZoneAvailableResource",
        "hbase:DescribeRdsVSwitchs",
        "hbase:DescribeRdsVpcs",
        "hbase:DescribeRdsVswitchs",
        "hbase:DescribeSubDomain",
        "hbase:DescribeVSwitches",
        "hbase:DescribeVpcs",
        "hbase:GetMultimodeCmsUrl",
        "hbase:ListBdsInstances",
        "hbase:ListHBaseInstances",
        "hbase:ListHbaseInstances",
        "hbase:ListTagResources",
        "hbase:ListTags"
      ],
      "Resource": "*"
    }
  ]
}
```

- To allow all actions that do not support resource group-level authorization, list them in the Action element.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "hbase:CheckComponentsVersion",
        "hbase:CreateHBaseSlbServer",
        "hbase:CreateMultiZoneCluster",
        "hbase:DeleteHBaseHaDB",
        "hbase:DescribeActiveOperationMaintainConf",
        "hbase:DescribeActiveOperationTaskType",
        "hbase:DescribeActiveOperationTasks",
        "hbase:DescribeAvailableResource",
        "hbase:DescribeBackups",
        "hbase:DescribeDeletedInstances",
        "hbase:DescribeEventMetaInfo",
        "hbase:DescribeInstanceType",
        "hbase:DescribeMultiZoneAvailableRegions",
        "hbase:DescribeMultiZoneAvailableResource",
        "hbase:DescribeRdsVSwitchs",
        "hbase:DescribeRdsVpcs",
        "hbase:DescribeRdsVswitchs",
        "hbase:DescribeSubDomain",
        "hbase:DescribeVSwitches",
        "hbase:DescribeVpcs",
        "hbase:EnableHBaseueBackup",
        "hbase:EnableHBaseueModule",
        "hbase:EvaluateMultiZoneResource",
        "hbase:GetMultimodeCmsUrl",
        "hbase:ListBdsInstances",
        "hbase:ListHBaseInstances",
        "hbase:ListHbaseInstances",
        "hbase:ListTagResources",
        "hbase:ListTags",
        "hbase:ModifyActiveOperationTasks",
        "hbase:ModifyMultimodSpec",
        "hbase:OpenBackup",
        "hbase:RenewInstance",
        "hbase:ResizeColdStorage",
        "hbase:ResizeMultiZoneClusterDiskSize",
        "hbase:SwitchHbaseHaSlb",
        "hbase:TagResources",
        "hbase:UnTagResources",
        "hbase:UntagResources",
        "hbase:XpackRelateDB",
        "hbase:action"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role with account-level permissions can operate on relevant resources across the entire account. Confirm that the granted permissions meet your expectations and follow the principle of least privilege when you assign permissions.
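As an added example (not part of the Alibaba Cloud documentation), the following Python check splits the Allow actions of a custom policy into those that would silently have no effect at Resource Group scope and those that can stay resource-group scoped, then builds the minimal Account-scope policy for the former so the account-wide grant stays as small as possible. The unsupported-action subset is copied from the table above, the sample policy is constructed, "hbase:DescribeInstance" is assumed to be a resource-group-capable action, and wildcard actions are expanded with plain glob matching, which is an assumption about how RAM wildcards behave.

```python
import fnmatch
import json

# Subset of the ApsaraDB for HBase actions that do NOT support resource-group-level
# authorization, taken from the table above (extend with the remaining rows as needed).
NO_RG_SUPPORT = frozenset({
    "hbase:CheckComponentsVersion", "hbase:CreateMultiZoneCluster",
    "hbase:DescribeBackups", "hbase:DescribeInstanceType",
    "hbase:ListTagResources", "hbase:RenewInstance", "hbase:TagResources",
})


def audit_resource_group_policy(policy_json, unsupported=NO_RG_SUPPORT):
    """Split the Allow actions of a RAM policy into those that are silently ineffective
    at Resource Group scope (so they need an Account-scope grant) and those that can
    stay resource-group scoped. Wildcards such as "hbase:Describe*" are expanded against
    the unsupported list with plain glob matching (an assumption of this example)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):          # a single statement may be an object
        statements = [statements]
    needs_account_scope, rg_scoped = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue                          # Deny statements grant nothing; skip
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            if "*" in pattern or "?" in pattern:
                needs_account_scope |= {a for a in unsupported
                                        if fnmatch.fnmatchcase(a, pattern)}
                rg_scoped.add(pattern)        # rest of the wildcard still applies
            elif pattern in unsupported:
                needs_account_scope.add(pattern)
            else:
                rg_scoped.add(pattern)
    return sorted(needs_account_scope), sorted(rg_scoped)


def account_scope_policy(actions):
    """Minimal Account-scope custom policy for the actions that cannot be
    resource-group scoped, in the same shape as the policy examples above."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


# Constructed sample: a policy an operator intends to attach with Resource Group scope.
# "hbase:DescribeInstance" is assumed here to be a resource-group-capable action.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["hbase:DescribeInstance", "hbase:DescribeBackups", "hbase:Tag*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "hbase:DeleteHBaseHaDB"}]})
```

Run `audit_resource_group_policy(SAMPLE_POLICY)` to see that `hbase:DescribeBackups` and the `hbase:TagResources` part of `hbase:Tag*` need an Account-scope grant, while the rest can remain scoped to the resource group.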
FAQ
View the resource group of a resource
- Method 1: Click the resource name to open its details page, where you can view its resource group.
- Method 2: Log on to the Resource Management console and choose . In the left-side pane, select the account to which the resource belongs (the Current Account is selected by default). Use the filter conditions to locate the target resource and view its resource group.
View resources in a resource group
- Method 1: Log on to the Resource Management console and choose . In the left-side pane, under the account to which the resources belong (the Current Account is selected by default), click the name of the target resource group. Then, select the product from the Select Resource Type list on the right to view all of its resources within that resource group.
- Method 2: Log on to the Resource Management console and choose . Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product dropdown list to view all of its resources within that resource group.
Move resources to another resource group
Log on to the Resource Management console and choose . In the row of the target resource group, click Manage Resources in the Actions column. On the resource management page, use the filter conditions to locate the target resources. Select the checkboxes in the first column for the resources that you want to move, click Transfer Resources at the bottom, and then follow the on-screen instructions to complete the process.