許可權控制
DataHub採用阿里雲RAM進行存取控制。使用者對DataHub資源的訪問,通過RAM進行鑒權。阿里雲主帳號擁有所屬資源的所有許可權,子使用者在建立時並沒有任何許可權,不能訪問任何資源,使用者需要在RAM中對該子使用者進行授權操作。關於如何建立RAM子使用者與建立授權策略並進行授權可參見RAM使用文檔。以下將介紹DataHub在RAM下的存取控制體系。
DataHub RAM許可權控制
DataHub資源
DataHub在RAM的存取控制中的資源體系包含Project、Topic和Subscription。目前支援Project、Topic和Subscription層級的鑒權,並不支援Shard的存取控制。其中Subscription是指對某個特定Project下的Topic的一次訂閱。
資源 | RAM中的資源描述 |
|---|---|
Project | acs:dhs:$region:$accountid:projects/$projectName |
Topic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Subscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
DataHub API及對應在RAM中的授權策略
Project
API | Action | Resource |
|---|---|---|
CreateProject | dhs:CreateProject | acs:dhs:$region:$accountid:projects/* |
ListProject | dhs:ListProject | acs:dhs:$region:$accountid:projects/* |
DeleteProject | dhs:DeleteProject | acs:dhs:$region:$accountid:projects/$projectName |
GetProject | dhs:GetProject | acs:dhs:$region:$accountid:projects/$projectName |
Topic
API | Action | Resource |
|---|---|---|
CreateTopic | dhs:CreateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
ListTopic | dhs:ListTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/* |
DeleteTopic | dhs:DeleteTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
GetTopic | dhs:GetTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
UpdateTopic | dhs:UpdateTopic | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
Subscription
API | Action | Resource |
|---|---|---|
CreateSubscription | dhs:CreateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
DeleteSubscription | dhs:DeleteSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
GetSubscription | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
UpdateSubscription | dhs:UpdateSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
ListSubscription | dhs:ListSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/* |
CommitOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
GetOffset | dhs:GetSubscription | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/subscriptions/$subId |
Connector
API | Action | Resource |
|---|---|---|
CreateConnector | dhs:CreateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
DeleteConnector | dhs:DeleteConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
GetConnector | dhs:GetConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
UpdateConnector | dhs:UpdateConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
ListConnector | dhs:ListConnector | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName/connectors/* |
Shard
API | Action | Resource |
|---|---|---|
ListShard | dhs:ListShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
MergeShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
SplitShard | dhs:UpdateShard | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
PubSub
API | Action | Resource |
|---|---|---|
PutRecords | dhs:PutRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
GetRecords | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
GetCursor | dhs:GetRecords | acs:dhs:$region:$accountid:projects/$projectName/topics/$topicName |
DataHub支援的Condition
Condition | 功能 | 合法取值 |
|---|---|---|
acs:SourceIp | 指定ip網段 | 普通ip, 支援*通配 |
acs:SecureTransport | 是否是https協議 | true/false |
acs:MFAPresent | 是否多裝置認證 | true/false |
acs:CurrentTime | 指定訪問時間 | ISO8601格式 |
DataHub系統授權策略
DataHub授權策略在RAM系統中已有系統策略,使用者可以根據需求直接添加系統策略。
AliyunDataHubFullAccess
包含DataHub相關的所有許可權,一般用於管理DataHub資源。
AliyunDataHubReadOnlyAccess
唯讀訪問DataHub服務的許可權,可以查看DataHub所有的資源情況,例如查看project詳細資料,列出project列表,讀資料等等,但是不能更新、建立以及寫資料。
AliyunDataHubSubscribeAccess
向DataHub訂閱資料的許可權,只包含和讀資料相關的必要操作,包括GetTopic,ListShard,GetRecords以及訂閱和點位相關的所有介面。
AliyunDataHubPublishAccess
向DataHub發布資料的許可權,只包含和寫資料相關的必要操作,包括GetTopic,ListShard以及PutRecords。
DataHub自訂授權策略
DataHub目前只有上述四種系統權限原則,如果無法滿足需求,使用者可以添加自訂權限原則。具體操作路徑在RAM系統中:策略管理->自訂授權策略->建立授權策略。下面給出幾個自訂策略樣本:
WebConsole中顯示
// 為了在WebConsole中能夠顯示擁有許可權的project,需要在Statement中增加如下配置
// 因為WebConsole需要ListProject和GetProject,才能在頁面展示project
{
"Action": ["dhs:ListProject","dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
}WebConsole中建立topic
// 在WebConsole的project頁面中顯示topic需要ListTopic和GetTopic許可權
// 如希望能夠在WebConsole中的project:test下能夠建立topic,可以使用如下配置
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListProject", "dhs:GetProject"],
"Resource": "acs:dhs:*:*:projects/*",
"Effect": "Allow"
},
{
"Action": ["dhs:ListTopic", "dhs:GetTopic", "dhs:CreateTopic"],
"Resource": "acs:dhs:*:*:projects/test/topics/*",
"Effect": "Allow"
}
]
}其他自訂授權策略
//只允許使用者擷取指定Project下topic的資訊
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListTopic", "dhs:GetTopic"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權Policy範例1: 給使用者授權具有project foo下topic的所有訂閱許可權
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Subscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權Policy範例2: 給使用者授權僅具有project foo下查詢訂閱的許可權
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:ListSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/*/subscriptions/*",
"Effect": "Allow"
}
]
}
// 新訂閱功能授權Policy範例3: 給使用者授權僅具有project foo下的topic t1特定訂閱'14985645198374IoCK'的提交點位許可權
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:GetSubscription"],
"Resource": "acs:dhs:cn-hangzhou:*:projects/foo/topics/t1/subscriptions/14985645198374IoCK",
"Effect": "Allow"
}
]
}
// 對指定Topic進行 Split/Merge shard, 包括ListShard, SplitShard, MergeShard
{
"Version": "1",
"Statement": [
{
"Action": ["dhs:*Shard"],
"Resource": "acs:dhs:cn-hangzhou:12121312:projects/foo/topics/bar",
"Effect": "Allow"
}
]
}