Hologres is deeply integrated with DataWorks. When you perform data analytics operations on a Hologres instance in the DataWorks console, an error may occur if you are not granted relevant permissions. This topic provides answers to some frequently asked questions about DataWorks permissions.
FAQ
To view answers to frequently asked questions about DataWorks permissions, click the following links:
Why is the Binding HologresDB button unavailable on the Workspace Management page of a workspace?
Problem description
When you associate a Hologres database with a workspace as a RAM user in the Computing Engine information section of the Workspace Management page in the DataWorks console, the Binding HologresDB button is unavailable.
Possible causes
The RAM user does not have the permissions to manage the workspace.
The RAM user does not have development permissions on instances.
Solutions
If the RAM user does not have the permissions to manage the workspace, grant the RAM user relevant permissions on the Space member tab. For more information, see Manage permissions on workspace-level services.
If the RAM user does not have development permissions on instances, log on to the Hologres console and grant the RAM user relevant permissions based on different permission models.
For more information about how to use the simple permission model (SPM) in Hologres to grant relevant permissions, see Manage users.
For more information about how to use the standard PostgreSQL authorization model in Hologres to grant relevant permissions, see Standard PostgreSQL authorization model.
Why does the exclusive resource group for scheduling fail to initialize when I associate a Hologres database with a workspace?
Problem description
After you configure parameters in the Bind Hologres Database dialog box of the DataWorks console, an error message appears, indicating that the association and initialization fail.
Possible causes
After the Hologres database is associated with a workspace, you must initialize the exclusive resource group for scheduling used by the Hologres database. You must make sure that a network connection is established between the Hologres compute engine instance and the exclusive resource group for scheduling. Otherwise, Hologres nodes cannot be run on the exclusive resource group for scheduling.
NoteFor specific types of Hologres instances, you do not need to initialize the exclusive resource group for scheduling. If a message indicating that the initialization is not required is displayed in the DataWorks console, you can use the Hologres compute engine instance to perform data development operations without the need to initialize the exclusive resource group for scheduling.
Solutions
Grant permissions on operations required to initialize the exclusive group for scheduling.
If you want to initialize the network environment as a RAM user but the RAM user is not granted the required permissions, the RAM user cannot check the network environment. In this case, the system prompts you to grant permissions to the RAM user. Before you check the network environment as a RAM user, you must grant the following permissions to the RAM user.
Permissions defined in the AliyunHologresFullAccess policy
The permissions are used to obtain the details and network information about the Hologres instance. For more information about how to grant the permissions to a RAM user, see the "Grant Hologres permissions to a RAM user" section in the "Grant permissions to a RAM user" topic.
Permissions defined in a custom policy
The permissions are used to establish a network connection between the Hologres compute engine and the workspace, obtain permissions on the resource group that you want to use, and complete the association of the Hologres compute engine and the workspace. For information about how to create a custom policy, see Create a custom policy. The following code provides the document of the custom policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "dataworks:*ResourceGroup", "Resource": "acs:dataworks:*:*:exclusive_resource_group/*" }, { "Effect": "Allow", "Action": "dataworks:Get*", "Resource": "acs:dataworks:*:*:*" }, { "Effect": "Allow", "Action": "ecs:DescribeSecurityGroups", "Resource": "acs:ecs:*:*:securitygroup/*" }, { "Effect": "Allow", "Action": "vpc:DescribeVpcs", "Resource": "acs:vpc:*:*:vpc/*" }, { "Effect": "Allow", "Action": "vpc:DescribeVSwitches", "Resource": "acs:vpc:*:*:vswitch/*" } ] }
Check and initialize the exclusive resource group for scheduling.
You need to select the scheduling dedicated resource group to be used to run the Hologres node, and initialize the network environmentYou need to select the scheduling dedicated resource group to be used to run the Hologres node, and initialize the network environment. If no exclusive resource groups for scheduling are available, create one by performing the operations described in Create and use an exclusive resource group for scheduling.
Why does the error message "Calculate engine instance already exists" or "Internal tenant system error" appear when I associate a Hologres database with a workspace?
Problem description
After you configure the parameters in the Bind Hologres Database dialog box and click Confirm, the error message
appears or an error message appears, indicating that an internal error occurs in the tenant system. Possible causes
The name that you enter in the Instance Display Name field already exists.
Solutions
Enter another name in the Instance Display Name field and click Confirm.
Why does the error message "permission denied" appear when I query a table on the DataService Studio page?
Problem description
Data of a table cannot be queried on the DataService Studio page in the DataWorks console. The following error message appears: "Execution failed: ERROR: permission denied for table xxxx."
Possible causes
The RAM user that you use does not have the permissions to query the table.
Solutions
Check whether the information about the RAM user that configures the Hologres connection is valid.
Log on to the DataWorks console, go to the Data Source page, and then check whether the information about the RAM user that configures the Hologres connection is valid. For more information, see Add a Hologres data source.
Check whether the RAM user that configures the Hologres connection has the permissions to query the table.
Log on to the DataWorks console, go to the Data Source page, and then check whether the RAM user that configures the Hologres connection has the permissions to query the table. For more information, see Use the RAM role-based authorization mode to add a data source.
For more information about DataWorks permissions and related authorization operations, see Permissions of built-in workspace-level roles.
Why does the error message "permission denied for schema xxx" appear in the production environment of a DataWorks workspace?
Problem description
When SQL statements are committed to the production environment of a DataWorks workspace, the following error message appears:
permission denied for schema xxx.Possible causes
The account that is used to access the Hologres instance in the production environment does not have access permissions on the schema that stores objects of the Hologres instance.
Solutions
Go to the Workspace Settings page of the DataWorks workspace to check the account that is used to access the Hologres instance in the production environment. For more information, see Create and manage workspaces.
Log on to the HoloWeb console. In the top navigation bar, click Security Center. In the left-side navigation pane, click User Management or Database Authorization and view the permissions granted to the account.
If the account has no access permissions on the schema, grant the relevant permissions on the User Management or Database Authorization page. For more information, see Manage databases.