When you work with other engines in DataWorks, you must first grant DataWorks the permissions required to access those engines (for example, MaxCompute or EMR). After authorization succeeds, the system automatically creates a service-linked role for the corresponding engine. This topic describes the roles that are automatically created when you authorize DataWorks to use engine-type cloud products, and the details of each role's permission policy.
Background information
When you perform engine-related operations in the DataWorks console (such as adding an engine instance or editing an existing engine), the console prompts you to complete authorization first. After you complete the authorization as prompted, the system automatically creates the service-linked role for the corresponding service.
The roles that DataWorks can currently create automatically through authorization, and where to find the details of each, are listed below.
| Role | Role purpose | Details |
| --- | --- | --- |
| | Authorizes DataWorks to access MaxCompute. | |
| | Obtains metadata of EMR (new data lake version) so that Data Map can preview data record values. | |
| | Obtains and modifies VPC network settings and security group configurations, used to establish the network link between DataWorks exclusive resource groups and data sources so that they can communicate. | |
| | Obtains the list of RAM roles so that a role can be selected when configuring role-based access to data sources. | |
| | Allows DataWorks to access other cloud product resources under the current cloud account during data source configuration, task configuration and data synchronization. Includes partial system management permissions on cloud resources such as RDS, Redis, MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, DMS and DLF. | |
| | Obtains and modifies events in EventBridge, used to support the product message event capability of the DataWorks Open Platform. | |
| | Obtains Data Lake Formation (DLF) metadata and performs operations such as granting and revoking metadata permissions, used to let Security Center request and approve access to DLF metadata. | |
| | Manages resources in EventBridge and accesses related resources of cloud products such as OSS. | |
The following sections describe the roles related to the MaxCompute engine and EMR (new data lake version) in detail.
Role 1: AliyunServiceRoleForDataworksEngine
Role name: AliyunServiceRoleForDataworksEngine
Role purpose: service-linked role for DataWorks engine access (dataworks-engine). dataworks-engine uses this role to access your resources in other cloud products.
Attached role policy: AliyunServiceRolePolicyForDataworksEngine
Permission policy details:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "odps:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "stream:ActOnBehalfOfAnotherUser",
        "stream:CreateDeployment",
        "stream:StartJobWithParams",
        "stream:ListDeployments",
        "stream:GetDeployment",
        "stream:GetJob",
        "stream:StopJob",
        "stream:DeleteDeployment"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "dlf-auth:ActOnBehalfOfAnotherUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pai:*",
        "paiplugin:*",
        "eas:*",
        "featurestore:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "emr-serverless-spark:StartSessionCluster",
        "emr-serverless-spark:CreateSqlStatement",
        "emr-serverless-spark:GetSqlStatement",
        "emr-serverless-spark:TerminateSqlStatement",
        "emr-serverless-spark:ListSessionClusters",
        "emr-serverless-spark:ListWorkspaces",
        "emr-serverless-spark:ListWorkspaceQueues",
        "emr-serverless-spark:ListReleaseVersions",
        "emr-serverless-spark:CancelJobRun",
        "emr-serverless-spark:ListJobRuns",
        "emr-serverless-spark:GetJobRun",
        "emr-serverless-spark:StartJobRun",
        "emr-serverless-spark:AddMembers",
        "emr-serverless-spark:GrantRoleToUsers",
        "emr-serverless-spark:ListLogContents",
        "emr-serverless-spark:GetTemplate",
        "emr-serverless-spark:ListKyuubiServices",
        "emr-serverless-spark:GetLivyCompute",
        "emr-serverless-spark:CreateLivyCompute",
        "emr-serverless-spark:UpdateLivyCompute",
        "emr-serverless-spark:ListLivyCompute",
        "emr-serverless-spark:DeleteLivyCompute",
        "emr-serverless-spark:StartLivyCompute",
        "emr-serverless-spark:StopLivyCompute",
        "emr-serverless-spark:CreateLivyComputeToken",
        "emr-serverless-spark:GetLivyComputeToken",
        "emr-serverless-spark:ListLivyComputeToken",
        "emr-serverless-spark:DeleteLivyComputeToken",
        "emr-serverless-spark:RefreshLivyComputeToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "adb:SubmitSparkApp",
        "adb:GetSparkAppState",
        "adb:GetSparkAppLog",
        "adb:GetSparkAppWebUiAddress",
        "adb:ListSparkApps",
        "adb:GetSparkAppInfo",
        "adb:KillSparkApp",
        "adb:DescribeAdbMySqlTables",
        "adb:getDatabaseObjectsByFilter",
        "adb:getTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lindorm:GetLindormInstanceList",
        "lindorm:GetLindormInstance",
        "lindorm:GetLindormInstanceEngineList",
        "lindorm:GetLindormV2InstanceEngineList",
        "lindorm:ListLdpsComputeGroups",
        "lindorm:RestartLdpsComputeGroup"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "engine.dataworks.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "searchengine:GetInstance",
        "searchengine:ListInstances",
        "searchengine:GetTable",
        "searchengine:ListTables"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Role 2: AliyunServiceRoleForDataworksOnEmr
Do not modify or delete the role and the role permission policy that are automatically generated after authorization; otherwise the DataWorks on EMR features will not work correctly.
Role name: AliyunServiceRoleForDataworksOnEmr
Role purpose: used to preview data record values in Data Map, to obtain metadata of EMR clusters (DLF type), and to obtain the configuration information of EMR clusters.
Attached role policy: AliyunServiceRolePolicyForDataworksOnEmr
Permission policy details:
EMR access permissions
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "emr:GetCluster",
        "emr:GetOnKubeCluster",
        "emr:GetClusterClientMeta",
        "emr:GetApplicationConfigFile",
        "emr:ListClusters",
        "emr:ListNodes",
        "emr:ListNodeGroups",
        "emr:ListApplications",
        "emr:ListApplicationConfigs",
        "emr:ListApplicationConfigFiles",
        "emr:ListApplicationLinks",
        "emr:ListComponentInstances",
        "emr:DescribeClusterV2",
        "emr:DescribeCluster",
        "emr:DescribeClusterServiceConfig",
        "emr:DescribeFlowAgentToken",
        "emr:DescribeClusterBasicInfo",
        "emr:ListClusterHostComponent"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
DLF (Data Lake Formation) access permissions
If the EMR cluster uses DLF to manage metadata centrally, the permission policy of the automatically created role also includes the following DLF access permissions, which DataWorks uses to obtain EMR metadata.
{
  "Action": [
    "dlf:SubmitQuery",
    "dlf:GetQueryResult",
    "dlf:GetTable",
    "dlf:ListDatabases",
    "dlf:GetTableProfile",
    "dlf:GetCatalogSettings",
    "dlf:BatchGrantPermissions",
    "dlf:ListPartitionsByFilter",
    "dlf:ListPartitions",
    "dlf:GetHudiProperties",
    "dlf:ListCatalogs",
    "dlf:GetDatabase",
    "dlf:GetLifecycleRule",
    "dlf:GetCatalog",
    "dlf:GetIcebergNamespace",
    "dlf:GetIcebergTable"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
ACK (Container Service for Kubernetes) access permissions
If the EMR cluster is EMR on ACK, the permission policy of the automatically created role also includes the following ACK access permissions.
{
  "Action": [
    "cs:DescribeUserPermission",
    "cs:DescribeClusterDetail",
    "cs:DescribeClusterUserKubeconfig",
    "cs:GetClusters",
    "cs:GrantPermissions",
    "cs:RevokeK8sClusterKubeConfig"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Serverless Spark access permissions
If the EMR cluster is EMR Serverless Spark, the permission policy of the automatically created role also includes the following Serverless Spark access permissions.
{
  "Effect": "Allow",
  "Action": [
    "emr-serverless-spark:StartSessionCluster",
    "emr-serverless-spark:CreateSqlStatement",
    "emr-serverless-spark:GetSqlStatement",
    "emr-serverless-spark:TerminateSqlStatement",
    "emr-serverless-spark:ListSessionClusters",
    "emr-serverless-spark:ListWorkspaces",
    "emr-serverless-spark:ListWorkspaceQueues",
    "emr-serverless-spark:ListReleaseVersions",
    "emr-serverless-spark:CancelJobRun",
    "emr-serverless-spark:ListJobRuns",
    "emr-serverless-spark:GetJobRun",
    "emr-serverless-spark:StartJobRun",
    "emr-serverless-spark:AddMembers",
    "emr-serverless-spark:GrantRoleToUsers",
    "emr-serverless-spark:ListLogContents",
    "emr-serverless-spark:GetTemplate",
    "emr-serverless-spark:ListKyuubiServices",
    "emr-serverless-spark:GetLivyCompute",
    "emr-serverless-spark:CreateLivyCompute",
    "emr-serverless-spark:UpdateLivyCompute",
    "emr-serverless-spark:ListLivyCompute",
    "emr-serverless-spark:DeleteLivyCompute",
    "emr-serverless-spark:StartLivyCompute",
    "emr-serverless-spark:StopLivyCompute",
    "emr-serverless-spark:CreateLivyComputeToken",
    "emr-serverless-spark:GetLivyComputeToken",
    "emr-serverless-spark:ListLivyComputeToken",
    "emr-serverless-spark:DeleteLivyComputeToken",
    "emr-serverless-spark:RefreshLivyComputeToken",
    "emr-serverless-spark:ListLogContents"
  ],
  "Resource": "*"
}
When SQL files or JAR packages are uploaded, or temporary query results are stored, the following OSS permissions are also included.
{
  "Action": [
    "oss:PutObject",
    "oss:GetObject",
    "oss:DeleteObject",
    "oss:DeleteObjectVersion"
  ],
  "Resource": [
    "acs:oss:*:*:*/.dataworks/*",
    "acs:oss:*:*:*/.dlsdata/*"
  ],
  "Effect": "Allow"
},
{
  "Action": "oss:PostDataLakeStorageFileOperation",
  "Resource": "*",
  "Effect": "Allow"
}
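Because these service-linked roles must not be edited, and because several of their statements grant whole-service wildcards such as odps:* on Resource "*", a reviewer usually wants two things: a summary of how broad each statement is, and a way to tell whether the policy currently attached to the role still matches the documented one. The following script is an added example, not code from the Alibaba Cloud documentation or from DataWorks; it works purely offline on RAM policy JSON. The policy text it embeds is a constructed excerpt of the AliyunServiceRolePolicyForDataworksEngine document quoted above (a subset of its statements), and the helper names `audit_policy` and `diff_actions` are this example's own.

```python
import json

# Constructed excerpt of the AliyunServiceRolePolicyForDataworksEngine policy
# quoted on this page: a subset of its statements, kept verbatim in shape so the
# audit below runs on realistic input without any cloud API call.
POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "odps:*", "Effect": "Allow", "Resource": "*"},
        {"Action": ["pai:*", "paiplugin:*", "eas:*", "featurestore:*"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["emr-serverless-spark:StartJobRun",
                    "emr-serverless-spark:GrantRoleToUsers",
                    "emr-serverless-spark:CreateLivyComputeToken"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals": {
             "ram:ServiceName": "engine.dataworks.aliyuncs.com"}}},
        {"Action": ["oss:PutObject", "oss:GetObject"],
         "Resource": ["acs:oss:*:*:*/.dataworks/*"], "Effect": "Allow"},
    ],
})


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Summarise how broad each Allow statement of a RAM policy is.

    Returns a dict with:
      wildcard_actions    - actions ending in '*', i.e. whole-service grants
      unscoped_statements - indexes of Allow statements whose Resource is '*'
                            and that carry no Condition (nothing narrows them
                            to an instance, a path or a service name)
      services            - sorted service prefixes the role may call
    """
    policy = json.loads(policy_json)
    wildcard_actions, unscoped, services = [], [], set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            services.add(action.split(":", 1)[0])
            if action.endswith("*"):
                wildcard_actions.append(action)
        if "*" in resources and "Condition" not in stmt:
            unscoped.append(idx)
    return {
        "wildcard_actions": wildcard_actions,
        "unscoped_statements": unscoped,
        "services": sorted(services),
    }


def _allowed_actions(policy_json):
    """Flatten all Allow actions of a policy into a set for comparison."""
    policy = json.loads(policy_json)
    out = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            out.update(_as_list(stmt.get("Action", [])))
    return out


def diff_actions(expected_json, actual_json):
    """Compare the documented policy with the one actually attached to the role.

    Returns (missing, extra): actions the documented policy grants but the
    attached one lacks, and actions that were added beyond the documentation.
    Either list being non-empty means the service-linked role has drifted from
    what the page says it should contain.
    """
    expected, actual = _allowed_actions(expected_json), _allowed_actions(actual_json)
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    report = audit_policy(POLICY_EXCERPT)
    print("wildcard actions:", report["wildcard_actions"])
    print("unscoped statements:", report["unscoped_statements"])
    print("services:", report["services"])
    # Simulate an edited role: the OSS statement was removed (constructed case).
    edited = json.loads(POLICY_EXCERPT)
    edited["Statement"] = edited["Statement"][:-1]
    print("drift (missing, extra):", diff_actions(POLICY_EXCERPT, json.dumps(edited)))
```

In practice the `actual_json` argument would be the policy document fetched from RAM for the role, while `expected_json` is the document from this page; the audit report is what you would attach to a review of the grant before approving the authorization prompt in the console.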