系统已支持的ResourceSchema
安全中心系统内置了多个 ResourceSchema 以支持常见的资源类型,包括:MaxCompute、EMR_ON_ECS_HIVE、SEVERLESS_STARROCKS、HOLOGRES、DATAWORKS_ENTITY、DLF_V1、DLF_NEXT 和 LINDORM。资源类型标识以各 schema 的 name 字段为准,调用时需原样传入(注意 SEVERLESS_STARROCKS 的拼写即为实际标识)。
授权方式配置
每个 ResourceSchema 都包含 authMethods 字段,定义该资源类型支持的授权方式:
{
"authMethods": [
{
"name": "default",
"displayName": "原生授权",
"isDefault": true
}
]
}
约定:
- 所有系统内置 ResourceSchema 默认至少包含 default 授权方式。
- default 代表该资源类型的原生授权方式,由系统根据 defSchema 映射到具体的 PermissionGrantService。
- 用户不指定 authMethod 或传 default 时,系统自动使用原生授权方式。
- 注意:下文多数内置 schema 的 authMethods 字段为空数组([]),此时按本约定视为仅含 default。对于传入了 authMethods 中未声明的 authMethod 的请求,应当显式拒绝而不是静默回退到 default(本文未说明该校验的行为,实现时需确认)。
授权方式与资源类型映射:
资源类型 | default 映射 | 支持的其他授权方式 | 说明 |
SEVERLESS_STARROCKS | ranger | starrocksManager | 当前唯一支持多种授权方式的资源类型,默认使用 Ranger 授权,可选 StarRocks Manager |
HOLOGRES | hologres | - | 仅支持原生授权 |
DLF_V1 | dlfV1 | - | 仅支持 DLF 1.0 授权 |
EMR_ON_ECS_HIVE | ranger | - | 仅支持 Ranger 授权 |
LINDORM | ranger | - | 仅支持 Ranger 授权 |
DATAWORKS_ENTITY | default | - | 仅支持默认授权 |
MaxCompute | default | -(不支持通过安全中心授权) | MaxCompute 权限体系独立;其 schema 仍声明了 accessTypeRestrictions,但以本表为准,授权请求是否被拒绝需以实现为准确认 |
DLF_NEXT | default | -(不支持通过安全中心授权) | DLF 3.0 权限体系独立;其 schema 仍声明了 accessTypeRestrictions(含 grant、all),但以本表为准,授权请求是否被拒绝需以实现为准确认 |
以下是这些ResourceSchema的定义:
MaxCompute
{
"name": "MaxCompute",
"displayName": "MaxCompute Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER",
"RAM_ROLE"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "workspace",
"type": "string",
"label": "DATAWORKS_WORKSPACE_ID",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [
"workspaceId",
"workspaceName",
"ownerBaseId"
],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "project",
"type": "string",
"label": "PROJECT",
"parent": "workspace",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 3,
"name": "schema",
"type": "string",
"label": "SCHEMA",
"parent": "project",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 4,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "schema",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"update",
"download",
"describe",
"alter",
"drop"
]
},
{
"level": 4,
"name": "resource",
"type": "string",
"label": "RESOURCE",
"parent": "schema",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"read",
"write",
"delete",
"all"
]
},
{
"level": 4,
"name": "udf",
"type": "string",
"label": "UDF",
"parent": "schema",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"read",
"write",
"delete",
"execute",
"all"
]
},
{
"level": 5,
"name": "column",
"type": "string",
"label": "COLUMN",
"parent": "table",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"update",
"download"
]
}
]
}
EMR_ON_ECS_HIVE
{
"name": "EMR_ON_ECS_HIVE",
"displayName": "Emr On Ecs Hive Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "instance",
"type": "string",
"label": "INSTANCE_ID",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [
"workspaceId",
"workspaceName",
"ownerBaseId"
],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "instance",
"mandatory": true,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"create",
"update",
"alter",
"select"
]
},
{
"level": 3,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "database",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"drop",
"update",
"alter",
"all"
]
}
]
}
SEVERLESS_STARROCKS
{
"name": "SEVERLESS_STARROCKS",
"displayName": "Serverless Starrocks Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER",
"RAM_ROLE"
],
"authMethods": [
{
"name": "ranger",
"displayName": "Ranger",
"isDefault": true
},
{
"name": "starrocksManager",
"displayName": "StarRocks Manager",
"isDefault": false
}
],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "instance",
"type": "string",
"label": "INSTANCE_ID",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "internalCatalog",
"type": "string",
"label": "INTERNAL_CATALOG",
"parent": "instance",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "usage", "create database", "drop", "alter"]
}
]
},
{
"level": 2,
"name": "hiveCatalog",
"type": "string",
"label": "EXTERNAL_HIVE_CATALOG",
"parent": "instance",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "usage", "create database", "drop", "alter"]
}
]
},
{
"level": 3,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "internalCatalog",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"create table",
"drop",
"alter",
"create view",
"create function",
"create materialized view"
],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "alter", "drop", "create table", "create view", "create function", "create materialized view", "create pipe"]
},
{
"authMethod": "ranger",
"accessTypes": ["create table", "drop", "alter", "create view", "create function", "create materialized view"]
}
]
},
{
"level": 3,
"name": "hiveDatabase",
"type": "string",
"label": "EXTERNAL_HIVE_DATABASE",
"parent": "hiveCatalog",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"create",
"update",
"alter",
"select"
],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "alter", "drop", "create table", "create view", "create function", "create materialized view", "create pipe"]
},
{
"authMethod": "ranger",
"accessTypes": ["create", "update", "alter", "select"]
}
]
},
{
"level": 4,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "database",
"mandatory": false,
"extendedInfo": {
"constraints": {
"enabled": true,
"supportedTypes": ["rowFilter"],
"maxConstraints": 1,
"definitions": {
"rowFilter": {
"description": "行级过滤条件,SQL WHERE 子句",
"type": "string",
"required": false,
"example": "ID > 3 AND Name = 'test'",
"authMethods": ["ranger"],
"restrictedAccessTypes": ["select"]
}
}
}
},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"delete",
"drop",
"insert",
"select",
"alter",
"export",
"update"
],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "alter", "drop", "select", "insert", "update", "export", "delete"]
},
{
"authMethod": "ranger",
"accessTypes": ["delete", "drop", "insert", "select", "alter", "export", "update"]
}
]
},
{
"level": 4,
"name": "view",
"type": "string",
"label": "VIEW",
"parent": "database",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "select", "alter", "drop"]
}
]
},
{
"level": 4,
"name": "materializedView",
"type": "string",
"label": "MATERIALIZED_VIEW",
"parent": "database",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "select", "alter", "refresh", "drop"]
}
]
},
{
"level": 4,
"name": "hiveTable",
"type": "string",
"label": "EXTERNAL_HIVE_TABLE",
"parent": "hiveDatabase",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select"
],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "alter", "drop", "select", "insert", "update", "export", "delete"]
},
{
"authMethod": "ranger",
"accessTypes": ["select"]
}
]
},
{
"level": 4,
"name": "hiveView",
"type": "string",
"label": "EXTERNAL_HIVE_VIEW",
"parent": "hiveDatabase",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "select", "alter", "drop"]
}
]
},
{
"level": 4,
"name": "hiveMaterializedView",
"type": "string",
"label": "EXTERNAL_HIVE_MATERIALIZED_VIEW",
"parent": "hiveDatabase",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [],
"authMethodAccessTypes": [
{
"authMethod": "starrocksManager",
"accessTypes": ["all", "select", "alter", "refresh", "drop"]
}
]
}
]
}
StarRocks 授权方式差异说明:
资源层级 | ranger (默认) | starrocksManager | 说明 |
internalCatalog | ❌ 不支持 | ✅ 支持 | authMethodAccessTypes 仅声明了 starrocksManager,accessTypeRestrictions 为空,Ranger 下无可授权的 accessType |
database | ✅ 支持 | ✅ 支持 | accessType 有差异 |
table | ✅ 支持 | ✅ 支持 | Ranger 支持 rowFilter 约束 |
view | ❌ 不支持 | ✅ 支持 | 仅 StarRocks Manager 支持 |
materializedView | ❌ 不支持 | ✅ 支持 | 仅 StarRocks Manager 支持 |
hiveCatalog | ❌ 不支持 | ✅ 支持 | authMethodAccessTypes 仅声明了 starrocksManager,accessTypeRestrictions 为空,Ranger 下无可授权的 accessType |
hiveDatabase | ✅ 支持 | ✅ 支持 | accessType 有差异 |
hiveTable | ✅ 支持(仅 select) | ✅ 支持 | Ranger 仅支持 select |
hiveView | ❌ 不支持 | ✅ 支持 | 仅 StarRocks Manager 支持 |
hiveMaterializedView | ❌ 不支持 | ✅ 支持 | 仅 StarRocks Manager 支持 |
约束条件支持:
资源层级 | 约束类型 | 支持的授权方式 | accessType 限制 | 说明 |
table | rowFilter | ranger | select | 行级过滤条件,SQL WHERE 子句(示例:ID > 3 AND Name = 'test');声明 rowFilter 时 accessType 仅允许 select,maxConstraints 为 1。rowFilter 的值是原样的 SQL 片段,应仅作为 Ranger 行级策略表达式传递,不可拼接进其他 SQL 语句执行;本文未说明对该表达式的校验规则,需以实现为准确认 |
HOLOGRES
{
"name": "HOLOGRES",
"displayName": "Hologres Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER"
],
"authMethods": [
{
"name": "hologres",
"displayName": "Hologres",
"isDefault": true
}
],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"recursiveSupported": false,
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "instance",
"type": "string",
"label": "INSTANCE_ID",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "instance",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 3,
"name": "schema",
"type": "string",
"label": "SCHEMA",
"parent": "database",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 4,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "schema",
"mandatory": true,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"insert",
"update",
"delete",
"truncate",
"all"
]
},
{
"level": 5,
"name": "column",
"type": "string",
"label": "COLUMN",
"parent": "table",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"insert",
"update"
]
}
]
}
Hologres 列权限说明:
配置项 | 说明 |
列级授权 | 支持 |
column 资源 | table 下的 level 5 子资源,通过 parent: table 挂载,isValidLeaf 为 true,不支持 recursiveSupported |
列权限访问类型 | 仅支持 select、insert、update(不含 table 级的 delete、truncate、all) |
DLF_V1(DLF 1.0)
{
"name": "DLF_V1",
"displayName": "Dlf 1.0 Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER",
"RAM_ROLE"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"recursiveSupported": false,
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "catalog",
"type": "string",
"label": "CATALOG",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "catalog",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"describe",
"alter",
"drop",
"createTable",
"createFunction",
"list"
]
},
{
"level": 3,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "database",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"update",
"describe",
"alter",
"drop"
]
},
{
"level": 4,
"name": "column",
"type": "string",
"label": "COLUMN",
"parent": "table",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select"
]
}
]
}
DLF_NEXT(DLF 3.0)。注意:database 与 table 的 accessTypeRestrictions 包含 grant 与 all,按名称推断 grant 为再授权权限、all 覆盖全部操作(需确认),属高权限访问类型,授权时应单独审核。
{
"name": "DLF_NEXT",
"displayName": "Dlf Next Resource",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER",
"RAM_ROLE",
"DLF_ROLE"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"recursiveSupported": false,
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "catalog",
"type": "string",
"label": "CATALOG",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "catalog",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"describe",
"list",
"alter",
"drop",
"createTable",
"createFunction",
"createView",
"grant",
"all"
]
},
{
"level": 3,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "database",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": true,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select",
"update",
"alter",
"drop",
"grant",
"all"
]
},
{
"level": 4,
"name": "column",
"type": "string",
"label": "COLUMN",
"parent": "table",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"select"
]
}
]
}
DATAWORKS_ENTITY。注意:schema 级 authPrincipal 包含 DATAWORKS_WORKSPACE_ROLE 与 DATAWORKS_WORKSPACE_MEMBER,但 tenantRole 与 workspaceRole 两个叶子资源均通过 authPrincipalRestrictions 将主体收窄为 RAM_USER、RAM_ROLE,即 joinIn 仅可授予 RAM 主体;authPrincipalRestrictions 应被理解为对 authPrincipal 的进一步限制而非替代。
{
"name": "DATAWORKS_ENTITY",
"displayName": "Dataworks Entity",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER",
"RAM_ROLE",
"DATAWORKS_WORKSPACE_ROLE",
"DATAWORKS_WORKSPACE_MEMBER"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"enricherFields": [],
"recursiveSupported": false,
"isValidLeaf": false,
"accessTypeRestrictions": []
},{
"level": 1,
"name": "tenantRole",
"type": "string",
"label": "DATAWORKS_TENANT_ROLE_CODE",
"parent": "tenant",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [
"roleName"
],
"isValidLeaf": true,
"accessTypeRestrictions": [
"joinIn"
],
"authPrincipalRestrictions": [
"RAM_USER",
"RAM_ROLE"
]
},
{
"level": 1,
"name": "workspace",
"type": "string",
"label": "DATAWORKS_WORKSPACE_ID",
"parent": "tenant",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [
"workspaceId",
"workspaceName",
"ownerBaseId"
],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 2,
"name": "workspaceRole",
"type": "string",
"label": "DATAWORKS_WORKSPACE_ROLE_CODE",
"parent": "workspace",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"joinIn"
],
"authPrincipalRestrictions": [
"RAM_USER",
"RAM_ROLE"
]
}
]
}
LINDORM。注意:instance 与 database 两级声明了 accessTypeRestrictions(含 admin、system、all),但 isValidLeaf 均为 false,只有 table 是叶子节点;本文未说明非叶子节点上的 accessType 是否可被授权,若可授权则 instance 级 admin/system/all 的作用范围为整个实例,需在实现中确认并严格审批。
{
"name": "LINDORM",
"displayName": "Lindorm",
"version": "v1.0.0",
"authPrincipal": [
"RAM_USER"
],
"authMethods": [],
"resources": [
{
"level": 0,
"name": "tenant",
"type": "string",
"label": "DATAWORKS_TENANT_ID",
"parent": "",
"mandatory": false,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": []
},
{
"level": 1,
"name": "instance",
"type": "string",
"label": "INSTANCE_ID",
"parent": "tenant",
"mandatory": true,
"extendedInfo": {},
"enricherFields": [
"instanceName"
],
"isValidLeaf": false,
"accessTypeRestrictions": [
"write",
"read",
"admin",
"trash",
"system",
"all"
]
},
{
"level": 2,
"name": "database",
"type": "string",
"label": "DATABASE",
"parent": "instance",
"mandatory": true,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": false,
"accessTypeRestrictions": [
"write",
"read",
"admin",
"trash",
"system",
"all"
]
},
{
"level": 3,
"name": "table",
"type": "string",
"label": "TABLE",
"parent": "database",
"mandatory": true,
"extendedInfo": {},
"recursiveSupported": false,
"enricherFields": [],
"isValidLeaf": true,
"accessTypeRestrictions": [
"write",
"read",
"admin",
"trash",
"all"
]
}
]
}