Alibaba Cloud Resource Orchestration and RAM Authorization
When a user creates a BYOC-type warehouse, the Agent is first deployed automatically through the cloud vendor's resource orchestration service, which establishes a private connection between the Agent and the SelectDB Cloud platform. The Agent is then responsible for deploying and managing the BYOC warehouse.
This page describes how SelectDB Cloud creates the BYOC cloud resources through an Alibaba Cloud ROS stack, and explains the least-privilege RAM policies that the stack depends on.
ROS resource orchestration template
The resource orchestration template provided by SelectDB runs under your own cloud account. The template code is visible and auditable, and it does not operate on your data or on other environments inside your VPC. Review the template (and the permission list below) before executing it. The template is available at:
https://selectdb-cloud-online-bj.oss-cn-beijing.aliyuncs.com/public/aliyun-cn-shanghai-byoc-cf.yaml
When you execute this template through Alibaba Cloud ROS, it creates and deploys the Agent. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization flow.
Once the stack has finished executing, you can open the corresponding warehouse from the SelectDB Cloud platform and start creating compute clusters for data analysis, just as with an ordinary warehouse.
Viewing stack information
You can view every resource created by the SelectDB stack template in the Alibaba Cloud ROS console, and look up a specific resource by its name. The same inventory is available from the Alibaba Cloud CLI with aliyun ros ListStackResources --RegionId <region> --StackId <stack-id>.
Note: all resources created by the stack template belong to your cloud account and are used only inside your VPC; nothing leaves it.
- ECS
  - Names: SelectDBAgent (ECS instance), SelectDBKeyPair (key pair)
  - Purpose: hosts the Agent program and provides key-based SSH login
- Endpoint
  - Name: SelectDBEndpoint
  - Purpose: establishes the private connection to the SelectDB Cloud platform, over which the Agent pulls control-plane instructions and pushes monitoring data and logs
- Bucket
  - Name: SelectDBBucket
  - Purpose: stores warehouse data
- Security group
  - Name: SelectDBSecurityGroup
  - Purpose: attached to the endpoint and the ECS instance; its rules admit only traffic on specific ports from specific subnets (inbound: ports 443, 22, 5000, 9090, 8888, 8666 and 8777 from the same subnet; outbound: all ports). Port 22 is the SSH port that the key pair above logs in through, so after deployment verify that the ingress source for it is the Agent's subnet and not 0.0.0.0/0.
- RAM user / RAM role
  - Names: SelectDBUser (RAM user), SelectDBUserAccessKey (AccessKey pair), SelectDBUserPolicy (user policy), SelectDBRole (role), SelectDBRolePolicy (role policy)
  - Purpose: the RAM user carries the minimum permissions the Agent needs, and all subsequent operational actions are performed under this user's identity. Its AccessKey pair is the long-lived credential held by the Agent instance, so the SelectDBAgent instance is the boundary that protects it.
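The security-group allow-list above is the kind of thing worth re-checking after the stack has run, since a later manual edit or a second stack can widen it. The following audit script is an added example and is not part of SelectDB's template or tooling. It takes the JSON shape of the ECS DescribeSecurityGroupAttribute response (Permissions.Permission entries with Direction, IpProtocol, PortRange, SourceCidrIp and Policy); the sample response and the subnet CIDR 10.0.1.0/24 are constructed for illustration. Fetch the real response for SelectDBSecurityGroup with the Alibaba Cloud CLI or SDK and pass it to audit_ingress().

```python
"""Ingress-rule audit for the SelectDBSecurityGroup (added example, not SelectDB's code).

The input mirrors the ECS DescribeSecurityGroupAttribute response. SAMPLE_RESPONSE is
constructed by hand and SUBNET_CIDR is an assumed vSwitch range for this example.
"""
import ipaddress
import json

# Allow-list from the stack description: these ports, inbound only from the Agent's subnet.
EXPECTED_PORTS = frozenset({443, 22, 5000, 9090, 8888, 8666, 8777})

SUBNET_CIDR = "10.0.1.0/24"  # assumed subnet of the Agent instance (illustration only)

SAMPLE_RESPONSE = json.dumps({
    "SecurityGroupId": "sg-example",
    "Permissions": {"Permission": [
        # compliant: an allow-listed port from the subnet
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
         "SourceCidrIp": "10.0.1.0/24", "Policy": "Accept"},
        # non-compliant: SSH open to the world
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
         "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
        # non-compliant: a port range that leaks ports outside the allow-list
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "8000/9000",
         "SourceCidrIp": "10.0.1.0/24", "Policy": "Accept"},
        # egress is all-ports by design on this page and is not checked here
        {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
         "DestCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    ]},
})


def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' means all ports."""
    low, high = port_range.split("/")
    return int(low), int(high)


def audit_ingress(response_json, subnet_cidr, expected_ports=EXPECTED_PORTS):
    """Return findings for Accept ingress rules that exceed the allow-list."""
    subnet = ipaddress.ip_network(subnet_cidr)
    findings = []
    for rule in json.loads(response_json)["Permissions"]["Permission"]:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        low, high = parse_port_range(rule["PortRange"])
        if low == -1:
            findings.append(f"rule opens all ports from {rule.get('SourceCidrIp')}")
            continue
        extra = set(range(low, high + 1)) - expected_ports
        if extra:
            findings.append(f"rule {rule['PortRange']} opens {len(extra)} port(s) outside the allow-list")
        source = rule.get("SourceCidrIp")
        if source is None:
            # source is another security group (SourceGroupId); needs manual review
            findings.append(f"rule {rule['PortRange']} uses a security-group source; review manually")
        else:
            source_net = ipaddress.ip_network(source)
            if source_net.version != subnet.version or not source_net.subnet_of(subnet):
                findings.append(f"rule {rule['PortRange']} accepts source {source}, outside {subnet}")
    return findings


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_RESPONSE, SUBNET_CIDR):
        print(line)
```

On the constructed sample the audit reports two findings: the SSH rule whose source is 0.0.0.0/0, and the 8000-9000 range that opens far more than the three allow-listed ports inside it. A rule sourced from another security group is flagged for manual review rather than silently accepted.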
Permissions required by the stack template
When the stack template is executed through Resource Orchestration Service (ROS) under your cloud account, it creates ECS, VPC, OSS and other cloud resources or performs related operations, and therefore needs a set of RAM permissions. Before executing it, make sure the identity that runs the template holds these permissions; otherwise template execution may fail.
Note: the stack template executes entirely within your cloud account, and the resources it creates belong to that account. SelectDB does not obtain your cloud account information and cannot use that account's RAM permissions.
Two points deserve a check before you grant this policy. The VPC and SLB statement pins its resources to cn-beijing (acs:vpc:cn-beijing:*:* and acs:slb:cn-beijing:*:*) while the other statements use Resource "*"; if the stack is deployed in a different region, the region in those two ARNs has to match it or the VPC and SLB calls are denied. The RAM statement grants CreateUser, CreateAccessKey, CreatePolicy, AttachPolicyToUser, PassRole and sts:AssumeRole on Resource "*", which is administrator-equivalent in practice, so attach it to a dedicated identity that exists only to run the stack, detach it once the stack has completed, and re-attach it only for later stack updates or deletion.
The permissions required by the resources and operations defined in the template are listed below.
Consolidated policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:CreateInstance",
        "ecs:RunInstances",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:RebootInstance",
        "ecs:RenewInstance",
        "ecs:DeleteInstance",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifyInstanceChargeType",
        "ecs:ModifyInstanceAutoRenewAttribute",
        "ecs:ModifyInstanceSpec",
        "ecs:ModifyPrepayInstanceSpec",
        "ecs:DescribeDisks",
        "ecs:ResizeDisk",
        "ecs:DescribeTags",
        "ecs:AddTags",
        "ecs:RemoveTags",
        "ecs:DescribeImages",
        "ecs:DescribeKeyPairs",
        "ecs:CreateKeyPair",
        "ecs:AttachKeyPair",
        "ecs:DeleteKeyPairs",
        "ecs:DetachKeyPair",
        "ecs:DescribeInvocations",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute",
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:TagResources",
        "privatelink:UntagResources",
        "privatelink:UpdateVpcEndpointAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:CreateLoadBalancer",
        "slb:DeleteLoadBalancer",
        "slb:DescribeLoadBalancerListeners",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:StartLoadBalancerListener",
        "slb:DeleteLoadBalancerListener",
        "slb:DescribeVServerGroups",
        "slb:DescribeVServerGroupAttribute",
        "slb:CreateVServerGroup",
        "slb:AddVServerGroupBackendServers",
        "slb:ModifyVServerGroupBackendServers",
        "slb:RemoveVServerGroupBackendServers",
        "slb:RemoveBackendServers",
        "slb:DeleteVServerGroup",
        "slb:DescribeAccessControlLists",
        "slb:CreateAccessControlList",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry",
        "slb:DeleteAccessControlList",
        "slb:DescribeRules",
        "slb:CreateRules",
        "slb:DeleteRules",
        "slb:DescribeTags",
        "slb:AddTags",
        "slb:RemoveTags"
      ],
      "Resource": [
        "acs:vpc:cn-beijing:*:*",
        "acs:slb:cn-beijing:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:selectdb-bucket-*",
        "acs:oss:*:*:selectdb-bucket-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetUser",
        "ram:ListPoliciesForUser",
        "ram:ListUsers",
        "ram:ListGroupsForUser",
        "ram:AttachPolicyToUser",
        "ram:CreateUser",
        "ram:DeleteUser",
        "ram:DetachPolicyFromUser",
        "ram:UpdateUser",
        "ram:CreateAccessKey",
        "ram:DeleteAccessKey",
        "ram:UpdateAccessKey",
        "ram:GetAccessKeyLastUsed",
        "ram:ListAccessKeys",
        "ram:ListEntitiesForPolicy",
        "ram:AttachPolicyToRole",
        "ram:CreatePolicy",
        "ram:DeletePolicy",
        "ram:DetachPolicyFromRole",
        "ram:UpdatePolicyDescription",
        "ram:GetPolicy",
        "ram:CreateRole",
        "ram:DeleteRole",
        "ram:PassRole",
        "ram:UpdateRole",
        "ram:GetRole",
        "ram:ListPoliciesForRole",
        "ram:ListRoles",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ros:*",
      "Resource": "*"
    }
  ]
}
Elastic Compute Service (ECS) permissions:
- Manage ECS instances:
  "ecs:DescribeInstances", "ecs:CreateInstance", "ecs:RunInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:ModifyInstanceSpec", "ecs:ModifyPrepayInstanceSpec", "ecs:DescribeDisks", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags", "ecs:DescribeImages"
- Manage ECS security groups:
  "ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:JoinSecurityGroup", "ecs:ModifySecurityGroupAttribute", "ecs:LeaveSecurityGroup", "ecs:ModifySecurityGroupEgressRule", "ecs:ModifySecurityGroupPolicy", "ecs:ModifySecurityGroupRule", "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute"
- Manage ECS SSH key pairs:
  "ecs:DescribeKeyPairs", "ecs:CreateKeyPair", "ecs:AttachKeyPair", "ecs:DeleteKeyPairs", "ecs:DetachKeyPair"
- Run ECS Cloud Assistant operations (remote command execution on the Agent instance):
  "ecs:DescribeInvocations", "ecs:InvokeCommand", "ecs:RunCommand"
Virtual Private Cloud (VPC) and PrivateLink permissions:
- Read VPC resource information:
  "vpc:DescribeVpcs", "vpc:DescribeVSwitches"
- Manage PrivateLink endpoints:
  "privatelink:CreateVpcEndpoint", "privatelink:DeleteVpcEndpoint", "privatelink:GetVpcEndpointAttribute", "privatelink:ListVpcEndpoints", "privatelink:ListVpcEndpointServicesByEndUser", "privatelink:ListVpcEndpointSecurityGroups", "privatelink:ListVpcEndpointConnections", "privatelink:AddZoneToVpcEndpoint", "privatelink:AttachSecurityGroupToVpcEndpoint", "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:RemoveZoneFromVpcEndpoint", "privatelink:UpdateVpcEndpointConnectionAttribute", "privatelink:TagResources", "privatelink:UntagResources", "privatelink:UpdateVpcEndpointAttribute"
- Manage Server Load Balancer (SLB) resources:
  "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:CreateLoadBalancerHTTPListener", "slb:CreateLoadBalancerTCPListener", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags"
Object Storage Service (OSS) permissions:
- Manage OSS buckets and read and write the bucket and its contents, restricted to buckets whose names start with selectdb-bucket-:
  { "Effect": "Allow", "Action": "oss:*", "Resource": [ "acs:oss:*:*:selectdb-bucket-*", "acs:oss:*:*:selectdb-bucket-*/*" ] }
  Both ARNs must carry the same bucket prefix: the bucket-level ARN authorizes bucket operations, and the object-level ARN (the one ending in /*) authorizes object reads and writes. A prefix that differs between the two, for example through a typo in the object-level ARN, silently denies every object operation while bucket operations keep working.
Resource Access Management (RAM) permissions:
- Manage RAM users:
  "ram:GetUser", "ram:ListPoliciesForUser", "ram:ListUsers", "ram:ListGroupsForUser", "ram:AttachPolicyToUser", "ram:CreateUser", "ram:DeleteUser", "ram:DetachPolicyFromUser", "ram:UpdateUser"
- Manage RAM AccessKeys:
  "ram:CreateAccessKey", "ram:DeleteAccessKey", "ram:UpdateAccessKey", "ram:GetAccessKeyLastUsed", "ram:ListAccessKeys"
- Manage RAM policies:
  "ram:AttachPolicyToRole", "ram:AttachPolicyToUser", "ram:CreatePolicy", "ram:DeletePolicy", "ram:DetachPolicyFromRole", "ram:DetachPolicyFromUser", "ram:UpdatePolicyDescription", "ram:GetPolicy", "ram:ListEntitiesForPolicy"
- Manage RAM roles:
  "ram:CreateRole", "ram:DeleteRole", "ram:PassRole", "ram:UpdateRole", "ram:GetRole", "ram:ListPoliciesForRole", "ram:ListRoles", "sts:AssumeRole"
Resource Orchestration Service (ROS) permissions:
- Manage stacks:
  "ros:*"
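Because the template is auditable, the policy it needs can be audited too. The linter below is an added example rather than SelectDB tooling; it applies the reviewer checks discussed in this section to a RAM policy document: duplicated actions, wildcard actions and wildcard resources, region pinning of ARNs against the region the stack is deployed in, consistency between bucket-level and object-level OSS ARNs, and role-related actions (sts:AssumeRole, ram:PassRole) granted on Resource "*". SAMPLE_POLICY is a constructed excerpt that reproduces the shapes found on this page, including a misspelled object-level OSS ARN, and CLEAN_POLICY is a constructed statement shaped like policy 3 of the stack-created RAM user described in the next section; the account id and role name in it are placeholders. The same checks apply to that user's policy once its Fn::Join and Fn::GetAtt references are resolved to ARNs.

```python
"""RAM policy linter (added example, not SelectDB's tooling).

Runs the review checks a practitioner would apply to the consolidated policy on this
page before granting it to the identity that executes the ROS stack. The sample
policies are constructed for this example.
"""
import json
import re

# acs:<service>:<region>:<account>:<resource>
ARN_RE = re.compile(r"^acs:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.*)$")

# Actions that should never be granted on Resource "*": each lets the holder take on any role.
ROLE_ACTIONS = {"sts:AssumeRole", "ram:PassRole"}

SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:DeleteSecurityGroup", "ecs:DeleteSecurityGroup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["vpc:DescribeVpcs", "slb:CreateLoadBalancer"],
         "Resource": ["acs:vpc:cn-beijing:*:*", "acs:slb:cn-beijing:*:*"]},
        {"Effect": "Allow",
         "Action": "oss:*",
         "Resource": ["acs:oss:*:*:selectdb-bucket-*", "acs:oss:*:*:selectdb-bucekt-*/*"]},
        {"Effect": "Allow",
         "Action": ["ram:PassRole", "sts:AssumeRole"],
         "Resource": "*"},
    ],
})

# Shaped like policy 3 of the stack-created RAM user: AssumeRole scoped to one role ARN.
# Account id and role name are placeholders (assumption for the example).
CLEAN_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "acs:ram::123456789012:role/selectdbrole"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, expected_region):
    """Return human-readable findings; an empty list means no issues were found."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        star = "*" in resources

        # 1. duplicated actions: harmless at runtime, but a sign the list was not reviewed
        for action in sorted({a for a in actions if actions.count(a) > 1}):
            findings.append(f"stmt {i}: duplicate action {action}")

        # 2. wildcard actions and wildcard resources
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action}")
        if star:
            findings.append(f"stmt {i}: Resource '*' for {len(actions)} action(s)")

        # 3. region pinning and 4. OSS bucket/object ARN consistency
        bucket_arns, object_arns = set(), set()
        for res in resources:
            m = ARN_RE.match(res)
            if not m:
                continue
            if m["region"] not in ("", "*", expected_region):
                findings.append(f"stmt {i}: {res} is pinned to {m['region']}, stack runs in {expected_region}")
            if m["service"] == "oss":
                bucket, sep, _ = m["resource"].partition("/")
                (object_arns if sep else bucket_arns).add(bucket)
        for bucket in sorted(object_arns - bucket_arns):
            findings.append(f"stmt {i}: object ARN bucket '{bucket}' has no matching bucket-level ARN (typo?)")

        # 5. role-related actions must be scoped to named roles
        for action in actions:
            if action in ROLE_ACTIONS and star:
                findings.append(f"stmt {i}: {action} on Resource '*' allows assuming/passing any role")
    return findings


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY, "cn-beijing"):
        print(line)
```

Run against the constructed sample with cn-beijing as the deployment region, the linter reports seven findings: the duplicate ECS action, two statements on Resource "*", the oss:* wildcard, the selectdb-bucekt-* object ARN that matches no bucket-level ARN, and PassRole plus AssumeRole on "*". Running it with cn-shanghai adds two region-mismatch findings for the VPC and SLB ARNs, which is the check to run if you deploy the stack outside cn-beijing. The role-scoped CLEAN_POLICY produces no findings.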
Permissions of the RAM user created by the stack template
The first execution of the stack template creates a RAM user that is used from then on to manage the warehouse components inside your VPC. Its permissions are described below. Compared with the permissions needed to execute the template, this user cannot create RAM users, AccessKeys or policies, cannot create key pairs or PrivateLink endpoints, and can assume only the SelectDBRole created by the same stack.
Note: the created RAM user belongs to your cloud account and is used only inside your VPC; its credentials do not leave it.
# Policy 1: allow operations on ECS, VPC and LB
- Action:
    # ECS https://help.aliyun.com/zh/ecs/user-guide/control-access-to-resources-by-using-ram-users?spm=a2c4g.11186623.0.nextDoc.38e61906zVPKhn
    # CloudAssistant https://help.aliyun.com/zh/ecs/user-guide/use-ram-to-implement-permission-control#section-4ym-u5j-3gc
    - "ecs:DescribeInstances"
    - "ecs:RunInstances"
    - "ecs:StopInstance"
    - "ecs:StartInstance"
    - "ecs:RebootInstance"
    - "ecs:RenewInstance"
    - "ecs:DeleteInstance"
    - "ecs:ModifyInstanceAttribute"
    - "ecs:ModifyInstanceChargeType"
    - "ecs:ModifyInstanceAutoRenewAttribute"
    - "ecs:ModifyInstanceSpec"
    - "ecs:ModifyPrepayInstanceSpec"
    - "ecs:DescribeDisks"
    - "ecs:ResizeDisk"
    - "ecs:DescribeTags"
    - "ecs:AddTags"
    - "ecs:RemoveTags"
    - "ecs:DescribeSecurityGroups"
    - "ecs:CreateSecurityGroup"
    - "ecs:AuthorizeSecurityGroup"
    - "ecs:AuthorizeSecurityGroupEgress"
    - "ecs:DescribeSecurityGroupAttribute"
    - "ecs:DeleteSecurityGroup"
    - "ecs:DescribeKeyPairs"
    - "ecs:AttachKeyPair"
    - "ecs:DetachKeyPair"
    - "ecs:InvokeCommand"
    - "ecs:RunCommand"
    - "ecs:DescribeInvocations"
    # VPC https://help.aliyun.com/zh/ram/developer-reference/aliyunvpcfullaccess?spm=a2c4g.11186623.0.i24
    - "vpc:DescribeVpcs"
    - "vpc:DescribeVSwitches"
    # LB https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/ram-authorization?spm=a2c4g.11186623.0.i6#concept-slb-rjf-cz
    - "slb:DescribeLoadBalancers"
    - "slb:DescribeLoadBalancerAttribute"
    - "slb:CreateLoadBalancer"
    - "slb:DeleteLoadBalancer"
    - "slb:DescribeLoadBalancerListeners"
    - "slb:CreateLoadBalancerHTTPListener"
    - "slb:CreateLoadBalancerTCPListener"
    - "slb:StartLoadBalancerListener"
    - "slb:DeleteLoadBalancerListener"
    - "slb:DescribeVServerGroups"
    - "slb:DescribeVServerGroupAttribute"
    - "slb:CreateVServerGroup"
    - "slb:AddVServerGroupBackendServers"
    - "slb:ModifyVServerGroupBackendServers"
    - "slb:RemoveVServerGroupBackendServers"
    - "slb:RemoveBackendServers"
    - "slb:DeleteVServerGroup"
    - "slb:DescribeAccessControlLists"
    - "slb:CreateAccessControlList"
    - "slb:AddAccessControlListEntry"
    - "slb:RemoveAccessControlListEntry"
    - "slb:DeleteAccessControlList"
    - "slb:DescribeRules"
    - "slb:CreateRules"
    - "slb:DeleteRules"
    - "slb:DescribeTags"
    - "slb:AddTags"
    - "slb:RemoveTags"
  Resource:
    - "acs:ecs:cn-beijing:*:*"
    - "acs:vpc:cn-beijing:*:*"
    - "acs:slb:cn-beijing:*:*"
  Effect: Allow
# Policy 2: allow create, read, update and delete on the newly created bucket and the objects in it
- Action:
    # Bucket https://help.aliyun.com/zh/oss/user-guide/overview-22?spm=a2c4g.11186623.0.i63#section-3wi-z7m-fmq
    - "oss:*"
  Resource:
    - Fn::Join:
        - ''
        - - 'acs:oss:*:*:'
          - Ref: SelectDBBucket
          - ""
    - Fn::Join:
        - ''
        - - 'acs:oss:*:*:'
          - Ref: SelectDBBucket
          - "/*"
  Effect: Allow
# Policy 3: allow access-control operations; this RAM user may assume the specified RAM role only
- Action:
    # RAM https://help.aliyun.com/zh/ram/developer-reference/api-ram-2015-05-01-ram?spm=a2c4g.11186623.0.i74
    - "sts:AssumeRole"
  Resource:
    - Fn::GetAtt:
        - SelectDBRole
        - Arn
  Effect: Allow
The permissions break down as follows:
Elastic Compute Service (ECS) permissions:
- Manage ECS instances:
  "ecs:DescribeInstances", "ecs:RunInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:ModifyInstanceSpec", "ecs:ModifyPrepayInstanceSpec", "ecs:DescribeDisks", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags"
- Manage ECS security groups:
  "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup"
- Manage ECS SSH key pairs (attach and detach existing key pairs only; no permission to create new ones):
  "ecs:DescribeKeyPairs", "ecs:AttachKeyPair", "ecs:DetachKeyPair"
- Run ECS Cloud Assistant operations:
  "ecs:InvokeCommand", "ecs:RunCommand", "ecs:DescribeInvocations"
Virtual Private Cloud (VPC) and SLB permissions:
- Read VPC resource information:
  "vpc:DescribeVpcs", "vpc:DescribeVSwitches"
- Manage Server Load Balancer (SLB) resources:
  "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:CreateLoadBalancerHTTPListener", "slb:CreateLoadBalancerTCPListener", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags"
Object Storage Service (OSS) permissions:
- Manage the bucket and read and write its contents, restricted to the one bucket the stack created:
  "oss:*" on acs:oss:*:*:<SelectDBBucket> and acs:oss:*:*:<SelectDBBucket>/*, where the bucket name is resolved from the SelectDBBucket resource of the same stack (Ref: SelectDBBucket). Unlike the policy used to execute the template, this is not a name-prefix wildcard: the user reaches only the bucket created alongside it.
Resource Access Management (RAM) permissions:
- Assume one specific role:
  "sts:AssumeRole" on the ARN of SelectDBRole (Fn::GetAtt SelectDBRole.Arn). No other RAM or STS action is granted, so this user cannot create or modify users, keys, policies or roles.