This topic describes how to log on to Hologres by using role-based single sign-on (SSO).

Background information

Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the Alibaba Cloud Management Console and then manage and use cloud resources. However, as the regulatory requirements for enterprise security become increasingly strict, some enterprises prefer to use role-based SSO to log on to the Alibaba Cloud Management Console. For more information, see Overview.

Scenarios

Enterprises that want centralized management of logon authentication information prefer to use SSO to log on to the Alibaba Cloud Management Console. After you use SSO to log on to an application system, you can access multiple trusted application systems without the need to log on again. Hologres supports role-based SSO. For more information, see Overview. You can use role-based SSO to log on to the Alibaba Cloud Management Console as an enterprise user and assume a RAM role to access a Hologres instance. Access permissions are granted to the RAM role, not to the enterprise user. The logon flow consists of the following steps:
  1. A user opens the logon page of the identity provider (IdP) on a browser and selects Alibaba Cloud as the required service.

    In this example, the IdP is Microsoft Active Directory Federation Services (AD FS). Therefore, the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.

    Note Some IdPs require users to log on before the users can select the SSO application that represents Alibaba Cloud.
  2. The IdP generates a Security Assertion Markup Language (SAML) response and returns the response to the browser.
  3. The browser redirects the user to the SSO service page and forwards the SAML response to the SSO service.
  4. The SSO service uses the SAML response to request a Security Token Service (STS) token from Alibaba Cloud STS. Then, the SSO service generates a URL that the user can use to log on to the Alibaba Cloud Management Console by using the STS token.
    Note If the SAML response contains attributes that map to multiple RAM roles, the user is prompted to first select a role.
  5. The SSO service returns the URL to the browser.
  6. The browser redirects the user to the URL. Then, the user uses an enterprise account to log on to the Alibaba Cloud Management Console and assumes the selected RAM role to log on to a Hologres instance.

Access methods supported by Hologres

Hologres supports the following access methods:
  • Log on to the Alibaba Cloud Management Console and access Hologres by using an Alibaba Cloud account or as a RAM user.

    You can log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account and password or as a RAM user. Then, you can access Hologres. In this case, the account becomes a member of a Hologres instance and has permissions to use Hologres features.

  • Log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO.

    You can also log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO. For more information, see Overview. In this case, the RAM role becomes a member of a Hologres instance. The user that assumes this RAM role has the same permissions as an Alibaba Cloud account or a RAM user. For information about RAM roles, see RAM role overview.

In Hologres, RAM roles have the same status as Alibaba Cloud accounts and RAM users. Therefore, Hologres treats a RAM role as an ordinary account. For each RAM role, a superuser must grant permissions, such as the SELECT, INSERT, and UPDATE permissions, to the RAM role itself, not to the Alibaba Cloud account or RAM user that assumes the role. After that, the RAM role can use Hologres based on the granted permissions.

Introduction to role-based SSO

Access to Hologres by using role-based SSO is implemented based on Alibaba Cloud STS. STS is a cloud service that provides temporary access control for Alibaba Cloud accounts or RAM users. You can use STS to issue an access credential that has a custom validity period and access permissions to a user that is managed by your on-premises account system. A user can use an STS temporary access credential to connect to Hologres and use authorized resources.

STS tokens provide the following benefits:
  • STS tokens reduce the risk of disclosing the AccessKey ID and AccessKey secret of your Alibaba Cloud account. You need to only generate a temporary access credential for users to use.
  • STS tokens allow you to flexibly control access to resources and impose time limits. Therefore, you do not need to manually revoke permissions. A temporary access credential automatically becomes invalid upon expiration.

Step 1: Create a RAM role

Log on to the Resource Access Management (RAM) console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account or IdP.

Assign a RAM role to a RAM user and grant permissions

If you want a RAM user to assume a RAM role by switching the identity in the Alibaba Cloud Management Console, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.

  1. Create a RAM role for a trusted Alibaba Cloud account.
    1. Log on to the RAM console. In the left-side navigation pane, click Roles.
    2. On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.
    3. Click Next. Specify a name for the RAM role and set the Select Trusted Alibaba Cloud Account parameter to Current Alibaba Cloud Account.
    4. Click OK. The Finish step shows that the RAM role is created.
  2. Modify the trust policy of the RAM role.
    1. On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
    2. Click the Trust Policy Management tab and replace the policy content with the following script.
      • Parameter description

        When you configure the policy, replace the Alibaba Cloud account ID in acs:ram::Alibaba Cloud account ID:root in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID.

      • Script
        {
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "RAM": [
                            "acs:ram::Alibaba Cloud account ID:root"
                        ]
                    }
                },
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "dataworks.aliyuncs.com"
                        ]
                    }
                }
            ],
            "Version": "1"
        }
    3. Click OK.
  3. Create a RAM user and grant the RAM user the permissions to assume a role.
    To assign a RAM role to a RAM user, you must first create a RAM user and grant the RAM user the permissions to assume a role.
    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.
    2. Optional. Click Create User to create one or more RAM users at a time. If a RAM user is available, skip this step. On the Create User page, select OpenAPI Access for the Access Mode parameter and set other parameters. Click OK.
    3. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, attach the AliyunSTSAssumeRoleAccess policy to the RAM user that you created. After that, the RAM user has the permissions to call the AssumeRole operation of STS.
    5. Click OK.

Assign a RAM role to an IdP and grant permissions

If you want an on-premises IdP to log on to the Alibaba Cloud Management Console to assume a RAM role, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.

  1. Create a RAM role for a trusted IdP.
    1. Log on to the RAM console. In the left-side navigation pane, click Roles.
    2. On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.
    3. Click Next. Set the RAM Role Name and Note parameters.
    4. Select a trusted IdP, view the conditions, and then click OK. The Finish step shows that the RAM role is created.
  2. Modify the trust policy of the RAM role.
    1. On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
    2. Click the Trust Policy Management tab and replace the policy content with the following script.
      • Parameter description

        When you configure the policy, replace the Alibaba Cloud account ID in acs:ram::Alibaba Cloud account ID:saml-provider/IDP in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID.

      • Script
        {
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Condition": {
                        "StringEquals": {
                            "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
                        }
                    },
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": [
                            "acs:ram::Alibaba Cloud account ID:saml-provider/IDP"
                        ]
                    }
                },
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "dataworks.aliyuncs.com"
                        ]
                    }
                }
            ],
            "Version": "1"
        }
    3. Click OK.
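Both trust policies above are easy to get subtly wrong when the placeholder account ID is edited by hand: a leftover placeholder, a typo in the account ID, or a dropped saml:recipient condition each widens who may call sts:AssumeRole on the role. The following linter is an added example written for this topic, not Alibaba Cloud's own tooling. It checks a trust policy against the shape shown in the two scripts (account trust policy and IdP trust policy): every statement allows exactly sts:AssumeRole, RAM principals are acs:ram::<account ID>:root for the expected account, Federated principals are a saml-provider in the expected account and are pinned to the https://signin.aliyun.com/saml-role/sso recipient with a StringEquals condition, and Service principals end in .aliyuncs.com. The account ID, the ARN regular expressions and the three sample policies are constructed for the example; the dataworks.aliyuncs.com service principal is the one from the scripts above.

```python
import json
import re

# Constructed placeholder; a real Alibaba Cloud account ID is a numeric string.
ACCOUNT_ID = "1234567890123456"

# Recipient value that the IdP trust policy in this topic pins with a StringEquals condition.
EXPECTED_RECIPIENT = "https://signin.aliyun.com/saml-role/sso"

# ARN shapes assumed from the two scripts above (account root and SAML provider).
ACCOUNT_ARN_RE = re.compile(r"^acs:ram::(\d+):root$")
SAML_PROVIDER_ARN_RE = re.compile(r"^acs:ram::(\d+):saml-provider/[\w.-]+$")


def _trust_policy(statements):
    return json.dumps({"Statement": statements, "Version": "1"})


# Service principal statement shared by both scripts in this topic.
DATAWORKS_STATEMENT = {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": ["dataworks.aliyuncs.com"]},
}

# Constructed sample: trust policy for a role whose trusted entity is an Alibaba Cloud account.
ACCOUNT_TRUST_POLICY = _trust_policy([
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": [f"acs:ram::{ACCOUNT_ID}:root"]}},
    DATAWORKS_STATEMENT,
])

# Constructed sample: trust policy for a role whose trusted entity is a SAML IdP named IDP.
IDP_TRUST_POLICY = _trust_policy([
    {"Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"saml:recipient": EXPECTED_RECIPIENT}},
     "Effect": "Allow",
     "Principal": {"Federated": [f"acs:ram::{ACCOUNT_ID}:saml-provider/IDP"]}},
    DATAWORKS_STATEMENT,
])

# Constructed weak variant: the saml:recipient condition has been dropped.
WEAK_IDP_TRUST_POLICY = _trust_policy([
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Federated": [f"acs:ram::{ACCOUNT_ID}:saml-provider/IDP"]}},
    DATAWORKS_STATEMENT,
])


def lint_trust_policy(policy_json, expected_account_id):
    """Return a list of findings for a RAM role trust policy; an empty list means it passed."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect must be Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action must be exactly sts:AssumeRole, got {actions}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or not principal:
            findings.append(f"statement {i}: Principal is missing")
            continue
        condition = stmt.get("Condition") or {}
        string_equals = condition.get("StringEquals", {}) if isinstance(condition, dict) else {}
        for kind, members in principal.items():
            members = [members] if isinstance(members, str) else members
            for arn in members:
                if kind == "RAM":
                    m = ACCOUNT_ARN_RE.match(arn)
                    if not m:
                        findings.append(f"statement {i}: RAM principal {arn!r} is not acs:ram::<account ID>:root")
                    elif m.group(1) != expected_account_id:
                        findings.append(f"statement {i}: RAM principal trusts account {m.group(1)}, expected {expected_account_id}")
                elif kind == "Federated":
                    m = SAML_PROVIDER_ARN_RE.match(arn)
                    if not m:
                        findings.append(f"statement {i}: Federated principal {arn!r} is not a saml-provider ARN")
                    elif m.group(1) != expected_account_id:
                        findings.append(f"statement {i}: Federated principal is in account {m.group(1)}, expected {expected_account_id}")
                    # Without this condition, an assertion for any recipient could be replayed against the role.
                    if string_equals.get("saml:recipient") != EXPECTED_RECIPIENT:
                        findings.append(f"statement {i}: Federated principal lacks StringEquals saml:recipient == {EXPECTED_RECIPIENT}")
                elif kind == "Service":
                    if not arn.endswith(".aliyuncs.com"):
                        findings.append(f"statement {i}: Service principal {arn!r} is not an Alibaba Cloud service")
                else:
                    findings.append(f"statement {i}: unexpected principal type {kind!r}")
    return findings


if __name__ == "__main__":
    for name, policy in [("account", ACCOUNT_TRUST_POLICY), ("idp", IDP_TRUST_POLICY),
                         ("weak idp", WEAK_IDP_TRUST_POLICY)]:
        print(name, lint_trust_policy(policy, ACCOUNT_ID) or "OK")
```

Run the linter over the policy text before you paste it into the Trust Policy Management tab; the weak sample shows the kind of finding it produces when the recipient condition is missing. Extend the expected service list or ARN patterns if your roles trust other entities than the two scripts in this topic.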

Step 2: Add the RAM role to a Hologres instance and grant permissions to the role

Before the RAM role can use Hologres based on the granted permissions, the role must obtain the required development permissions on the Hologres instance. By default, the RAM role does not have the permissions to view or manage instances in the Hologres console. Therefore, you must first use your Alibaba Cloud account to grant the required permissions to the RAM role. For more information, see Grant permissions on Hologres to RAM users. After you add the RAM role to a Hologres instance, you can use one of the following methods to grant permissions to the RAM role:

  1. Grant permissions to the RAM role in the Hologres console.
    1. Click the Hologres instance that you want to manage. In the navigation tree, click Account Management. On the User Management page, click Add New User. In the Add New User dialog box, select a RAM role and add it to the Hologres instance.
    2. In the left-side navigation pane, click Database Authorization. On the Database Authorization page, grant permissions to the RAM role.
  2. Use an SQL statement to grant permissions to the RAM role.
    For more information, see Permission management overview.

Note By default, a RAM role does not have the permissions to perform operations in the Hologres console. If you want a RAM user to assume the RAM role, you must first use your Alibaba Cloud account to attach the AliyunRAMReadOnlyAccess policy to the RAM user. Otherwise, the RAM role cannot perform operations in the Hologres console. For more information, see Grant permissions on Hologres to RAM users.

Step 3: Log on to the Alibaba Cloud Management Console and use Hologres

After you complete the authorization, a user can assume the RAM role and use Hologres.

  1. Access Alibaba Cloud, assume the RAM role, and then log on to the Alibaba Cloud Management Console.
  2. Go to the Hologres console to manage and monitor instances.
  3. In the Hologres console, click Go to HoloWeb to open HoloWeb, which supports Hologres schema design and data development. For more information, see HoloWeb quick start.