This topic describes how to log on to Hologres by using role-based single sign-on (SSO).
Background information
Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the Alibaba Cloud Management Console and then manage and use cloud resources. However, enterprises that have stricter security requirements may prefer to use the role-based SSO method. For more information, see Overview.
Scenarios
Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the Alibaba Cloud Management Console and then manage and use cloud resources. However, as the regulatory requirements for enterprise security become increasingly strict, enterprises that want centralized management of logon authentication information prefer to use SSO to log on to the Alibaba Cloud Management Console. After you use SSO to log on to an application system, you can access multiple trusted application systems without the need to log on for a second time. Hologres supports role-based SSO. For more information, see Overview. Role-based SSO allows you to access a Hologres instance by using your enterprise account to assume a RAM role. Access permissions are granted to the RAM role. The following figure provides an example.
A user opens the logon page of the identity provider (IdP) on a browser and selects Alibaba Cloud as the required service.
In this example, the IdP is Microsoft Active Directory Federation Services (AD FS). Therefore, the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.
Note: Some IdPs require users to log on before the users can select the SSO application that represents Alibaba Cloud.
The IdP generates a Security Assertion Markup Language (SAML) response and returns the response to the browser.
The browser redirects the user to the SSO service page and forwards the SAML response to the SSO service.
The SSO service uses the SAML response to request a Security Token Service (STS) token from Alibaba Cloud STS. Then, the SSO service generates a URL that the user can use to log on to the Alibaba Cloud Management Console by using the STS token.
Note: If the SAML response contains attributes that map to multiple RAM roles, the user is prompted to first select a role.
The SSO service returns the URL to the browser.
The browser redirects the user to the URL. Then, the user uses an enterprise account to log on to the Alibaba Cloud Management Console and assumes the selected RAM role to log on to a Hologres instance.
Access methods supported by Hologres
Hologres supports the following access methods:
Log on to the Alibaba Cloud Management Console and access Hologres by using an Alibaba Cloud account or a RAM user.
You can log on to the Alibaba Cloud Management Console by using the username and password of an Alibaba Cloud account or a RAM user. Then, you can access Hologres. In this case, the Alibaba Cloud account or RAM user becomes a member of a Hologres instance and has permissions to use Hologres features.
Log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO.
You can also log on to the Alibaba Cloud Management Console and access Hologres by using role-based SSO. For more information, see Overview. In this case, the RAM role becomes a member of a Hologres instance. The user that assumes this RAM role has the same permissions as an Alibaba Cloud account or a RAM user. For information about RAM roles, see RAM role overview.
In Hologres, RAM roles have equal status with Alibaba Cloud accounts and RAM users. Therefore, in Hologres, a RAM role is regarded as an ordinary available account. A superuser must grant permissions, such as the SELECT, INSERT, and UPDATE permissions, to the RAM role, instead of the Alibaba Cloud account or RAM user that assumes the role. After that, the RAM role can use Hologres based on the granted permissions.
Introduction to role-based SSO
The access to Hologres by using role-based SSO is implemented based on Alibaba Cloud STS. STS is a cloud service that provides temporary access control for Alibaba Cloud accounts or RAM users. You can use STS to issue an access credential that has a custom validity period and access permissions to a user that is managed by your on-premises account system. The user can use an STS temporary access credential to connect to Hologres and use authorized resources.
STS tokens provide the following benefits:
STS tokens reduce the risk of disclosing the AccessKey ID and AccessKey secret of your Alibaba Cloud account. You need to only generate a temporary access credential for users to use.
STS tokens allow you to flexibly control access to resources and impose time limits. Therefore, you do not need to manually revoke permissions. A temporary access credential automatically becomes invalid upon expiration.
To create a RAM role and authorize the role to access Hologres, perform the following steps:
Step 1: Create a RAM role
Log on to the Resource Access Management (RAM) console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account or IdP.
If you want an Alibaba Cloud account or a RAM user to assume the RAM role by switching the identity in the Alibaba Cloud Management Console, set the Select Trusted Entity parameter to Alibaba Cloud Account. For more information, see Assign a RAM role to a RAM user and grant permissions.
If you want an on-premises IdP to assume the RAM role, set the Select Trusted Entity parameter to IdP. For more information, see Assign a RAM role to an IdP and grant permissions.
Assign a RAM role to a RAM user and grant permissions
If you want a RAM user to assume a RAM role by switching the identity in the Alibaba Cloud Management Console, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.
Create a RAM role for a trusted Alibaba Cloud account.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to Alibaba Cloud Account.
Click Next. In the Configure Role step, specify a name for the RAM role and set the Select Trusted Alibaba Cloud Account parameter to Current Alibaba Cloud Account.
Click OK. The Finish step shows that the RAM role is created.
Modify the trust policy of the RAM role.
On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
On the Trust Policy tab, click Edit Trust Policy and replace the policy content with the following script.
Parameters
When you configure the policy, replace "Alibaba Cloud account ID" in acs:ram::Alibaba Cloud account ID:root in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID.
Script
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::Alibaba Cloud account ID:root"
        ]
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dataworks.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click Save trust policy document.
Create a RAM user and grant the RAM user the permissions to assume a role.
To assign a RAM role to a RAM user, you must first create a RAM user and grant the RAM user the permissions to assume a role.
Log on to the RAM console. In the left-side navigation pane, choose .
Optional. Click Create User to create one or more RAM users at a time. If a RAM user is available, skip this step. For more information about how to create a RAM user, see Create a RAM user.
On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.
In the Add Permissions panel, attach the AliyunSTSAssumeRoleAccess policy to the RAM user that you created. After that, the RAM user has the permissions to call the AssumeRole operation of STS.
Click OK.
Assign a RAM role to an IdP and grant permissions
If you want an on-premises IdP to log on to the Alibaba Cloud Management Console to assume a RAM role, log on to the RAM console and create a RAM role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.
Create a RAM role for a trusted IdP.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Create Role panel, set the Select Trusted Entity parameter to IdP.
Click Next. In the Configure Role step, set the RAM Role Name and Note parameters.
Configure the IdP Type and Select IdP parameters, view the conditions, and then click OK. The Finish step shows that the RAM role is created.
Modify the trust policy of the RAM role.
On the Roles page, click the name of the RAM role whose trust policy you want to modify to go to the details page of the RAM role.
On the Trust Policy tab, click Edit Trust Policy and replace the policy content with the following script.
Parameters
When you configure the policy, replace "Alibaba Cloud account ID" in acs:ram::Alibaba Cloud account ID:saml-provider/IDP in the following script with the ID of the Alibaba Cloud account to which you want to grant permissions. You can go to the Security Settings page to obtain the account ID. The saml:recipient condition restricts the role to SAML assertions addressed to the Alibaba Cloud role-based SSO endpoint.
Script
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "acs:ram::Alibaba Cloud account ID:saml-provider/IDP"
        ]
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dataworks.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click Save trust policy document.
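The two trust policies above (the Alibaba Cloud Account variant and the IdP variant) are easy to paste with the placeholder still in place or with the saml:recipient condition dropped. The following Python script is an added example, not part of this topic or of the RAM service: it fills in the account ID and runs the checks a reviewer would apply before saving the policy (placeholder replaced, only sts:AssumeRole allowed, no wildcard principals, and every Federated principal bound by the saml:recipient condition). The 16-digit account ID format and the sample account ID are assumptions.

```python
import json
import re

# Constructed example: the IdP trust policy from this topic, still carrying the
# "Alibaba Cloud account ID" placeholder that the topic tells you to replace.
TRUST_POLICY_TEMPLATE = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"saml:recipient": "https://signin.aliyun.com/saml-role/sso"}
            },
            "Effect": "Allow",
            "Principal": {"Federated": ["acs:ram::Alibaba Cloud account ID:saml-provider/IDP"]},
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["dataworks.aliyuncs.com"]},
        },
    ],
    "Version": "1",
}

PLACEHOLDER = "Alibaba Cloud account ID"
EXPECTED_RECIPIENT = "https://signin.aliyun.com/saml-role/sso"
# Assumption: an Alibaba Cloud account ID is a 16-digit number.
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")


def fill_account_id(policy, account_id):
    """Return a copy of the policy with every placeholder replaced by account_id."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be a 16-digit number")
    return json.loads(json.dumps(policy).replace(PLACEHOLDER, account_id))


def check_trust_policy(policy):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: expected Effect Allow on sts:AssumeRole only")
        principal = stmt.get("Principal", {})
        if not principal:
            findings.append(f"statement {i}: no Principal")
        for ptype, entries in principal.items():
            if isinstance(entries, str):
                entries = [entries]
            for entry in entries:
                if PLACEHOLDER in entry:
                    findings.append(f"statement {i}: placeholder not replaced in {entry}")
                if "*" in entry:
                    findings.append(f"statement {i}: wildcard principal {entry} lets any {ptype} identity assume the role")
            if ptype == "Federated":
                # Role-based SSO: the assertion must be addressed to the Alibaba Cloud SSO endpoint.
                recipient = stmt.get("Condition", {}).get("StringEquals", {}).get("saml:recipient")
                if recipient != EXPECTED_RECIPIENT:
                    findings.append(f"statement {i}: Federated principal needs saml:recipient == {EXPECTED_RECIPIENT}")
    return findings


if __name__ == "__main__":
    ready = fill_account_id(TRUST_POLICY_TEMPLATE, "1234567890123456")  # constructed account ID
    print(json.dumps(ready, indent=2))
    print("findings:", check_trust_policy(ready))
```

Run the script against the policy text you are about to paste into Edit Trust Policy; the same checks apply to the Alibaba Cloud Account variant, where the principal type is RAM and no saml:recipient condition is expected.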
Step 2: Add the RAM role to a Hologres instance and grant permissions to the role
Before the RAM role can use Hologres based on the granted permissions, the role must obtain the required development permissions on the Hologres instance. By default, the RAM role does not have the permissions to view or manage instances in the Hologres console. Therefore, you must first use your Alibaba Cloud account to grant the required permissions to the RAM role. For more information, see Grant permissions on Hologres to RAM users. After you add the RAM role to a Hologres instance, you can use one of the following methods to grant permissions to the RAM role:
Grant permissions to the RAM role in the Hologres console.
On the Instances page, click the Hologres instance that you want to manage. In the navigation pane, click Account Management. On the User Management page, click Add New User. In the Add New User dialog box, select a RAM role and add it to the Hologres instance.
In the left-side navigation pane, click Database Authorization. On the Database Authorization page, grant permissions to the RAM role.
Use an SQL statement to grant permissions to the RAM role.
For more information, see Permission management overview.
By default, a RAM role does not have the permissions to perform operations in the Hologres console. If you want a RAM user to assume the RAM role, you must use your Alibaba Cloud account to attach the AliyunRAMReadOnlyAccess policy to the RAM user. Otherwise, you cannot use the RAM role to perform operations in the Hologres console. For more information, see Grant permissions on Hologres to RAM users.
Step 3: Log on to Alibaba Cloud and use Hologres
Log on to the Hologres console and go to HoloWeb
After you complete the authorization, a user can assume the RAM role to log on to the Hologres console and use Hologres.
Use the RAM role to log on to the Hologres console and manage Hologres instances.
In the left-side navigation pane, click Go to HoloWeb to go to HoloWeb and perform Hologres schema design and data development. For more information, see Connect to HoloWeb and perform queries.
Use the JDBC or PSQL client to connect to Hologres
In Hologres V2.0 and later, you can specify a security token in the connection options of the PostgreSQL protocol. Then, you can use a PostgreSQL client, such as JDBC or PSQL, to connect to Hologres by using a RAM role based on the security token.
Before you connect to Hologres, make sure that the following operations are complete:
Add the RAM role to a Hologres instance and grant permissions to the RAM role. For more information, see Step 2: Add the RAM role to a Hologres instance and grant permissions to the role.
Call the AssumeRole API operation of the RAM service to obtain the STS token triplet, including the AccessKey ID, AccessKey secret, and security token. For more information, see Call examples of STS SDK for Python. Sample STS token information:
"Credentials": {
  "SecurityToken": "CAISuwJ1q6Ft5B2yu****KiAA",
  "AccessKeyId": "STS.NTKaenSkmLhG4HpM5****76UV",
  "AccessKeySecret": "6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBt****SS62",
  "Expiration": "2025-02-21T03:47:07Z"
}
After you confirm that the preceding operations are complete, you can connect to Hologres by using the following methods:
Use the JDBC client to connect to Hologres. For more information, see Use JDBC to connect to Hologres.
Sample code 1: Load the STS Token triplet for identity verification by using the properties of the PGProperty class provided by the PostgreSQL JDBC driver.
import org.postgresql.PGProperty;
import java.io.IOException;
import java.sql.*;
import java.util.Properties;

public class JdbcLinkHologres1 {
    public static void main(String[] args) throws IOException, ClassNotFoundException, SQLException {
        // In this example, the AccessKey ID and AccessKey secret are read from environment variables.
        // You can also store your AccessKey pair in a configuration file based on your business requirements.
        // To prevent AccessKey pair leaks, we recommend that you do not hard-code the AccessKey ID and AccessKey secret.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        String securityToken = "<SecurityToken>";
        String url = "jdbc:postgresql://<host>:<port>/<database>";
        Properties props = new Properties();
        PGProperty.USER.set(props, accessKeyId);
        PGProperty.PASSWORD.set(props, accessKeySecret);
        // Pass the STS security token to the server through the PostgreSQL startup options.
        PGProperty.OPTIONS.set(props, "sts_token=" + securityToken);
        Class.forName("org.postgresql.Driver");
        try (Connection connection = DriverManager.getConnection(url, props);
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery("SELECT * FROM tabletest")) {
            // Process the resultSet
            while (resultSet.next()) {
                System.out.println("Result: " + resultSet.getInt(1));
                System.out.println("Result: " + resultSet.getString(2));
            }
        }
    }
}
Sample code 2: Perform URL encoding on the security token information and append the encoded token to the JDBC URL. Then, use the driver class to obtain the Hologres connection and load the AccessKey ID and AccessKey secret for identity verification.
import java.io.IOException;
import java.net.URLEncoder;
import java.sql.*;

public class JdbcLinkHologres2 {
    public static void main(String[] args) throws IOException, ClassNotFoundException, SQLException {
        // In this example, the AccessKey ID and AccessKey secret are read from environment variables.
        // You can also store your AccessKey pair in a configuration file based on your business requirements.
        // To prevent AccessKey pair leaks, we recommend that you do not hard-code the AccessKey ID and AccessKey secret.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        String securityToken = "<SecurityToken>";
        String url = "jdbc:postgresql://<host>:<port>/<database>";
        // The token contains characters that are not URL-safe, so encode it before appending it to the URL.
        String urlWithOptions = url + "?options=sts_token=" + URLEncoder.encode(securityToken, "UTF-8");
        Class.forName("org.postgresql.Driver");
        try (Connection connection = DriverManager.getConnection(urlWithOptions, accessKeyId, accessKeySecret);
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery("SELECT * FROM tabletest")) {
            // Process the resultSet
            while (resultSet.next()) {
                System.out.println("Result: " + resultSet.getInt(1));
                System.out.println("Result: " + resultSet.getString(2));
            }
        }
    }
}
Use the PSQL client to connect to Hologres. You can use the following code to connect to Hologres in the Linux system. For more information, see Use the PSQL client to connect to Hologres.
PGUSER=<AccessKeyId> PGPASSWORD=<AccessKeySecret> PGOPTIONS="sts_token=<SecurityToken>" psql -h <host> -p <port> -d <database>
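The samples above all consume the same AssumeRole triplet, and the two things that go wrong in practice are a token that has already expired and a token pasted into a JDBC URL without encoding. The following Python script is an added example, not part of this topic or of the Hologres or STS SDKs: it parses a response shaped like the sample above (values constructed and masked), checks the remaining lifetime against a refresh margin, and builds both the encoded JDBC URL of sample code 2 and the environment-plus-argv form of the PSQL command. The five-minute margin, the host, port and database names are assumptions.

```python
import datetime as dt
import json
from urllib.parse import quote

# Constructed sample in the shape of the AssumeRole response quoted in this topic
# (values are fake and partly masked, as in the topic's own sample).
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "SecurityToken": "CAISuwJ1q6Ft5B2yu****KiAA",
        "AccessKeyId": "STS.NTKaenSkmLhG4HpM5****76UV",
        "AccessKeySecret": "6itECZnhbG2RU6ktTSBSd6JxeLHKPWyBt****SS62",
        "Expiration": "2025-02-21T03:47:07Z",
    }
})

REQUIRED = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def utc_time(text):
    """Parse the ISO-8601 UTC timestamp format used in the Expiration field."""
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_credentials(response_json):
    """Extract the STS token triplet plus expiry; fail loudly if any field is missing."""
    creds = json.loads(response_json)["Credentials"]
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError("AssumeRole response is missing " + ", ".join(missing))
    return creds


def seconds_remaining(creds, now):
    """Seconds until the credential expires; negative once it has expired."""
    return (utc_time(creds["Expiration"]) - now).total_seconds()


def needs_refresh(creds, now, margin_seconds=300):
    """True when the credential is expired or will expire within the safety margin (assumed 5 min)."""
    return seconds_remaining(creds, now) <= margin_seconds


def jdbc_url(host, port, database, creds):
    """Sample code 2 style: token in the URL, percent-encoded so '+', '/' and '=' survive parsing."""
    token = quote(creds["SecurityToken"], safe="")
    return "jdbc:postgresql://%s:%d/%s?options=sts_token=%s" % (host, port, database, token)


def psql_invocation(host, port, database, creds):
    """PSQL style: secrets go into the process environment, never onto the command line."""
    env = {
        "PGUSER": creds["AccessKeyId"],
        "PGPASSWORD": creds["AccessKeySecret"],
        "PGOPTIONS": "sts_token=" + creds["SecurityToken"],
    }
    argv = ["psql", "-h", host, "-p", str(port), "-d", database]
    return env, argv


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_RESPONSE)
    now = dt.datetime.now(dt.timezone.utc)
    if needs_refresh(creds, now):
        print("credential expired or about to expire: call AssumeRole again before connecting")
    else:
        print("connect with:", jdbc_url("<host>", 80, "<database>", creds))
```

Feed the real AssumeRole response into parse_credentials, and call needs_refresh before every new connection rather than once at startup; a long-lived connection pool that never re-runs AssumeRole produces exactly the password authentication failed error described in the FAQ once the token expires.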
FAQ
What do I do if the error message password authentication failed for user "<AccessKeyId>" is reported when I log on to Hologres by using a RAM role?
This error message indicates that the AccessKey ID, AccessKey secret, or security token is invalid, or the current logon user has not been created in the Hologres instance. To troubleshoot this issue, perform the following steps:
Check whether the RAM role that you use for logon exists in the Hologres instance. If the RAM role does not exist, add it to the instance. For more information, see Step 2: Add the RAM role to a Hologres instance and grant permissions to the role.
Check whether the security token is passed through a URL. If the security token is passed through a URL, it must be processed using URLEncoder.encode.
Check whether the AccessKey ID, AccessKey secret, and security token are valid.