This topic describes how to use Alibaba Cloud Resource Access Management (RAM) to create permission policies for the AnalyticDB for PostgreSQL vector APIs and so implement fine-grained access control. By granting each RAM user only the specific API operations it needs, you get secure, isolated access to the vector interfaces.
RAM overview
RAM users
A RAM user is one type of RAM identity. You create RAM users under your Alibaba Cloud account (the primary account) and grant them permissions, so that different RAM users hold different resource access permissions.
Permission policies
A permission allows or denies certain operations on certain resources under certain conditions; a permission policy is a set of such permissions.
RAM supports two kinds of permission policies:
System policies managed by Alibaba Cloud: created and versioned by Alibaba Cloud. You can attach them to RAM users but cannot modify them.
Custom policies: created and maintained by you. The policies in the rest of this topic are custom policies.
The system policies for AnalyticDB for PostgreSQL are:
AliyunGPDBFullAccess: management permissions on AnalyticDB for PostgreSQL.
AliyunGPDBReadOnlyAccess: read-only access to AnalyticDB for PostgreSQL.
Procedure
The steps for granting a RAM user permissions on the vector APIs are as follows:
Sample permission policies
When you create a permission policy, the Resource field specifies the scope of resources being authorized and the Action field names the specific API operations. Resource has the format acs:gpdb:{region}:{owner_ali_uid}:{resource_name}/{resource_id}. The parameters are as follows; "*" can be used in any of them as a wildcard that matches any value.
region: the region the instance is in
owner_ali_uid: the ID of the Alibaba Cloud account (primary account)
resource_name: the resource type name (for the vector APIs this is dbinstance, namespace, collection or document; for Data API it is dataapi or secret)
resource_id: the resource ID
The samples in this topic use instance ID gp-test1 and primary account ID 123456. Replace these with your own values.
Granting all vector APIs
Grants all vector-related API operations on all instances in the account:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:InitVectorDatabase",
"gpdb:CreateNamespace",
"gpdb:DeleteNamespace",
"gpdb:DescribeNamespace",
"gpdb:ListNamespaces",
"gpdb:CreateDocumentCollection",
"gpdb:ListDocumentCollections",
"gpdb:DeleteDocumentCollection",
"gpdb:UpsertChunks",
"gpdb:UploadDocumentAsync",
"gpdb:GetUploadDocumentJob",
"gpdb:CancelUploadDocumentJob",
"gpdb:QueryContent",
"gpdb:ListDocuments",
"gpdb:DescribeDocument",
"gpdb:DeleteDocument",
"gpdb:CreateCollection",
"gpdb:DescribeCollection",
"gpdb:ListCollections",
"gpdb:DeleteCollection",
"gpdb:GrantCollection",
"gpdb:CancelUpsertCollectionDataJob",
"gpdb:GetUpsertCollectionDataJob",
"gpdb:UpsertCollectionData",
"gpdb:UpsertCollectionDataAsync",
"gpdb:QueryCollectionData",
"gpdb:UpdateCollectionDataMetadata",
"gpdb:DeleteCollectionData",
"gpdb:CreateVectorIndex",
"gpdb:DeleteVectorIndex",
"gpdb:ChatWithKnowledgeBase",
"gpdb:ChatWithKnowledgeBaseStream",
"gpdb:QueryKnowledgeBasesContent",
"gpdb:TextEmbedding",
"gpdb:Rerank"
],
"Resource": [
"*"
],
"Condition": {}
}
]
}
Restricting to specific instances: the APIs above operate on the dbinstance, namespace, collection and document resource types respectively. "Resource": ["*"] grants them across every instance in the account; to allow operations only on certain instances, list the instance under each resource type in the Resource field instead. For example:
"Resource": [
"acs:gpdb:*:123456:dbinstance/gp-test1",
"acs:gpdb:*:123456:document/gp-test1",
"acs:gpdb:*:123456:collection/gp-test1",
"acs:gpdb:*:123456:namespace/gp-test1"
]
LlamaIndex integration
When LlamaIndex uses AnalyticDB for PostgreSQL as its vector store, a sample policy is:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:InitVectorDatabase",
"gpdb:CreateNamespace",
"gpdb:DescribeNamespace",
"gpdb:CreateCollection",
"gpdb:DescribeCollection",
"gpdb:DeleteCollection",
"gpdb:UpsertCollectionData",
"gpdb:QueryCollectionData",
"gpdb:DeleteCollectionData"
],
"Resource": [
"acs:gpdb:*:123456:dbinstance/gp-test1",
"acs:gpdb:*:123456:collection/gp-test1",
"acs:gpdb:*:123456:namespace/gp-test1"
],
"Condition": {}
}
]
}
Dify plugin
When you use the Dify plugin for the AnalyticDB for PostgreSQL RAG service, a sample policy is:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:InitVectorDatabase",
"gpdb:CreateNamespace",
"gpdb:DeleteNamespace",
"gpdb:DescribeNamespace",
"gpdb:ListNamespaces",
"gpdb:CreateDocumentCollection",
"gpdb:ListDocumentCollections",
"gpdb:DeleteDocumentCollection",
"gpdb:UpsertChunks",
"gpdb:UploadDocumentAsync",
"gpdb:GetUploadDocumentJob",
"gpdb:CancelUploadDocumentJob",
"gpdb:QueryContent",
"gpdb:ListDocuments",
"gpdb:DescribeDocument",
"gpdb:DeleteDocument",
"gpdb:CancelUpsertCollectionDataJob",
"gpdb:GetUpsertCollectionDataJob",
"gpdb:UpdateCollectionDataMetadata",
"gpdb:ChatWithKnowledgeBase",
"gpdb:ChatWithKnowledgeBaseStream",
"gpdb:QueryKnowledgeBasesContent",
"gpdb:TextEmbedding",
"gpdb:Rerank"
],
"Resource": [
"acs:gpdb:*:123456:dbinstance/gp-test1",
"acs:gpdb:*:123456:namespace/gp-test1",
"acs:gpdb:*:123456:collection/gp-test1",
"acs:gpdb:*:123456:document/gp-test1"
],
"Condition": {}
}
]
}
Dify integration
When Dify uses AnalyticDB for PostgreSQL as its vector database, a sample policy is:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:InitVectorDatabase",
"gpdb:DescribeNamespace",
"gpdb:CreateNamespace",
"gpdb:DescribeCollection",
"gpdb:CreateCollection",
"gpdb:UpsertCollectionData",
"gpdb:QueryCollectionData",
"gpdb:DeleteCollectionData",
"gpdb:DeleteCollection"
],
"Resource": [
"acs:gpdb:*:123456:dbinstance/gp-test1",
"acs:gpdb:*:123456:namespace/gp-test1",
"acs:gpdb:*:123456:collection/gp-test1"
],
"Condition": {}
}
]
}
Data API
When an instance is accessed through Data API, the operations fall into two groups, secret and dataapi. A sample policy is:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:ListDatabases",
"gpdb:ListSchemas",
"gpdb:ListTables",
"gpdb:DescribeTable",
"gpdb:ExecuteStatement"
],
"Resource": [
"acs:gpdb:*:123456:dataapi/*"
],
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"gpdb:GetSecretValue",
"gpdb:CreateSecret",
"gpdb:DeleteSecret",
"gpdb:ListSecrets"
],
"Resource": [
"acs:gpdb:*:123456:secret/*"
],
"Condition": {}
}
]
}
CreateSecret and GetSecretValue handle the instance's database username and password. For stricter separation of duties, for example letting an administrator (sub-account A) create the instance account and password while an application developer (sub-account B) can call Data API but cannot retrieve the instance password, configure the accounts as follows. Note that sub-account B still runs SQL through gpdb:ExecuteStatement as whatever database account the secret holds, so that database account should itself be granted only the schema and table privileges the application needs.
1. Grant the administrator (sub-account A) secret management permissions:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:GetSecretValue",
"gpdb:CreateSecret",
"gpdb:DeleteSecret",
"gpdb:ListSecrets"
],
"Resource": [
"acs:gpdb:*:123456:secret/*"
],
"Condition": {}
}
]
}
2. The administrator (sub-account A) calls CreateSecret and obtains the SecretARN (for example acs:gpdb:cn-hangzhou:123456:secret/Foo-C9D56DF3-269D-4C92-9D38-8F647292****).
3. Grant the application developer (sub-account B) permission to run Data API operations with that specific secret. The second statement grants gpdb:UseSecret on the SecretARN only, not gpdb:GetSecretValue, so the developer can authenticate with the secret but never read the password:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"gpdb:ListDatabases",
"gpdb:ListSchemas",
"gpdb:ListTables",
"gpdb:DescribeTable",
"gpdb:ExecuteStatement"
],
"Resource": [
"acs:gpdb:*:123456:dataapi/*"
],
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"gpdb:UseSecret"
],
"Resource": [
"acs:gpdb:*:123456:secret/Foo-C9D56DF3-269D-4C92-9D38-8F647292****"
],
"Condition": {}
}
]
}
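The following script is an added example, not Alibaba Cloud code or the RAM engine itself. It lets you check a policy offline before attaching it, covering both the Resource format described in the sample-policies section above and the secret separation in the Data API section: it parses the policy strictly (a trailing comma is rejected, as the RAM console rejects it), matches the "*" wildcard in Action and Resource the way the page describes it, applies Deny-over-Allow, and answers whether a given action on a given resource ARN is granted. The LlamaIndex policy is the one on this page; the developer policy uses a constructed secret ID because the page's SecretARN is masked. Condition blocks are not modelled and are rejected.

```python
"""Offline evaluator for RAM policies granting AnalyticDB for PostgreSQL (gpdb)
vector and Data API permissions. Added example, not Alibaba Cloud code: it models
only Allow/Deny statements, Action/Resource lists and the "*" wildcard in
acs:gpdb:{region}:{owner_ali_uid}:{resource_name}/{resource_id}; statements
with a non-empty Condition are rejected rather than evaluated."""
import json
import re

ARN_RE = re.compile(r"^acs:gpdb:[^:]*:[^:]*:[^/]*/.*$")  # ARN shape from the page

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def load_policy(text: str) -> dict:
    """Parse strictly (a trailing comma fails here as it does in the RAM
    console) and sanity-check the fields the evaluator relies on."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy is not valid JSON: {exc}") from exc
    if policy.get("Version") != "1":
        raise ValueError('RAM policies use "Version": "1"')
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect: {stmt.get('Effect')!r}")
        if not stmt.get("Action") or not stmt.get("Resource"):
            raise ValueError("statement needs both Action and Resource")
        if stmt.get("Condition"):
            raise ValueError("Condition blocks are not modelled here")
        for arn in _as_list(stmt["Resource"]):
            if arn != "*" and not ARN_RE.match(arn):
                raise ValueError(f"malformed gpdb resource ARN: {arn}")
    return policy

def policy_is_valid(text: str) -> bool:
    try:
        load_policy(text)
        return True
    except ValueError:
        return False

def _glob(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (':' and '/' included); all else is
    literal, so gp-test1 does not match gp-test10."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(policy: dict, action: str, resource: str) -> bool:
    """True if the policy grants `action` on `resource`. A matching Deny wins
    over any Allow; no matching statement at all is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_glob(a, action) for a in _as_list(stmt["Action"])) and \
           any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def granted(policy: dict, actions, resource: str) -> set:
    """Subset of `actions` granted on `resource`: diff an integration's required
    action list against the policy before attaching it."""
    return {a for a in actions if evaluate(policy, a, resource)}

# LlamaIndex policy as given on this page.
LLAMAINDEX_POLICY = load_policy("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["gpdb:InitVectorDatabase", "gpdb:CreateNamespace", "gpdb:DescribeNamespace",
               "gpdb:CreateCollection", "gpdb:DescribeCollection", "gpdb:DeleteCollection",
               "gpdb:UpsertCollectionData", "gpdb:QueryCollectionData", "gpdb:DeleteCollectionData"],
    "Resource": ["acs:gpdb:*:123456:dbinstance/gp-test1",
                 "acs:gpdb:*:123456:collection/gp-test1",
                 "acs:gpdb:*:123456:namespace/gp-test1"],
    "Condition": {}
  }]
}""")

# Developer (sub-account B) policy from the Data API section; the secret ID is
# constructed because the page's SecretARN is masked.
DEV_SECRET = "acs:gpdb:cn-hangzhou:123456:secret/Demo-00000000-0000-0000-0000-000000000000"
DEVELOPER_B_POLICY = load_policy(json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": ["acs:gpdb:*:123456:dataapi/*"], "Condition": {},
         "Action": ["gpdb:ListDatabases", "gpdb:ListSchemas", "gpdb:ListTables",
                    "gpdb:DescribeTable", "gpdb:ExecuteStatement"]},
        {"Effect": "Allow", "Action": ["gpdb:UseSecret"], "Resource": [DEV_SECRET], "Condition": {}},
    ],
}))

if __name__ == "__main__":
    coll = "acs:gpdb:cn-hangzhou:123456:collection/gp-test1"
    print(evaluate(LLAMAINDEX_POLICY, "gpdb:QueryCollectionData", coll))    # True
    print(evaluate(DEVELOPER_B_POLICY, "gpdb:GetSecretValue", DEV_SECRET))  # False: B can use, not read
```

Use granted() with the action list an integration documents to see exactly which calls a candidate policy leaves out, and evaluate() with a second instance ID to confirm the instance scoping in Resource really holds before the policy goes anywhere near the console.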