
Huawei Cloud Resource Orchestration and IAM Permissions

When a user creates a BYOC warehouse, the cloud provider's resource orchestration service is first used to deploy the Agent automatically and establish the private connection between the Agent and the SelectDB Cloud platform; the Agent is then responsible for deploying and managing the BYOC warehouse.

This document describes how SelectDB Cloud creates the BYOC cloud resources through a Huawei Cloud RFS stack, and explains the minimum IAM permission policies the stack depends on.

RFS Resource Orchestration Template

The orchestration template provided by SelectDB runs under your own cloud account; its code is visible and auditable, and it does not touch your data or any other environment inside your VPC. You can download the template from the following link:

https://selectdb-cloud-online-bj.obs.cn-north-4.myhuaweicloud.com/selectdb/public/hwcloud-cn-south-1-byoc-cf.zip

When you execute this template through Huawei Cloud RFS, it creates and deploys the Agent automatically. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization.

Once the orchestration script has finished, you can open the corresponding warehouse from the SelectDB Cloud platform and create compute clusters for data analysis just as you would with an ordinary warehouse.

How to view stack information

You can view all resources created by the SelectDB stack template in the Huawei Cloud RFS console, and look up a particular resource by name.

Note: All resources created by the stack template belong to your cloud account and are used only inside your VPC; they are not exposed externally.

  • ECS
    • Name: SelectDBAgent (ECS instance)
    • Purpose: hosts the Agent programs
  • VPC Endpoint
    • Name: SelectDBEndpoint
    • Purpose: establishes the private-network connection to the SelectDB Cloud platform, over which the Agent pulls control-plane instructions and pushes monitoring data and logs
  • Bucket
    • Name: SelectDBBucket
    • Purpose: stores warehouse data
  • Security group
    • Name: SelectDBSecurityGroup
    • Purpose: bound to the VPC endpoint and the ECS instance; its rules restrict traffic so that only specific ports from a specific subnet are admitted (inbound traffic from the same subnet is allowed on ports 443, 22, 5000, 9090, 8888, 8666 and 8777; outbound traffic is allowed on all ports)
  • IAM User
    • Name: SelectDBUser (sub-user), SelectDBUserRegionPolicy (sub-user permissions for region-level services), SelectDBUserGlobalPolicy (sub-user permissions for global-level services)
    • Purpose: the sub-user holds the minimum permissions the Agent requires; every subsequent business operation is performed under this sub-user's identity
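The security group rules above are exactly what drifts after deployment (an operator opens SSH to the world to debug, or adds a port for a new component). The following Python script is an added example, not part of SelectDB's template or of Huawei Cloud's tooling: it audits a set of ingress rules against the documented baseline (only the listed ports, and only from the same subnet). The rule records are constructed inline and mirror the field names of Huawei Cloud's VPC security-group-rule API; the subnet CIDR and rule IDs are assumed values, and in practice the rules would be fetched from the API rather than written by hand.

```python
import ipaddress

# Inbound ports the stack template is documented to open from the same subnet.
EXPECTED_INBOUND_PORTS = {22, 443, 5000, 8666, 8777, 8888, 9090}

# Assumed CIDR of the subnet hosting the Agent ECS and the VPC endpoint (illustrative).
SUBNET_CIDR = "192.168.10.0/24"

# Constructed rule records mirroring the field names of Huawei Cloud's VPC
# security-group-rule API; in practice they are fetched from the API.
BASELINE_RULES = [
    {"id": "sg-egress-all", "direction": "egress", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},
] + [
    {"id": f"sg-in-{p}", "direction": "ingress", "protocol": "tcp",
     "port_range_min": p, "port_range_max": p, "remote_ip_prefix": SUBNET_CIDR}
    for p in sorted(EXPECTED_INBOUND_PORTS)
]

# The same group after two undocumented changes: SSH opened to the world,
# and an extra port opened inside the subnet.
DRIFTED_RULES = BASELINE_RULES + [
    {"id": "sg-drift-1", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "sg-drift-2", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 3306, "port_range_max": 3306, "remote_ip_prefix": SUBNET_CIDR},
]


def _port_range(rule):
    """Inclusive (min, max) port tuple of a rule, or None when it covers all ports."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return None
    lo = lo if lo is not None else hi
    hi = hi if hi is not None else lo
    return lo, hi


def audit_ingress(rules, subnet_cidr, expected_ports=EXPECTED_INBOUND_PORTS):
    """Compare ingress rules with the documented baseline.

    Returns a list of (rule_id, message) findings; an empty list means the
    group admits only the expected ports, and only from inside the subnet.
    Egress rules are skipped because the baseline allows all outbound traffic.
    """
    subnet = ipaddress.ip_network(subnet_cidr)
    findings = []
    opened = set()
    for rule in rules:
        if rule.get("direction") != "ingress":
            continue
        rid = rule.get("id", "<no-id>")
        prefix = rule.get("remote_ip_prefix")
        if prefix is None and rule.get("remote_group_id") is None:
            # Neither a CIDR nor a peer security group: any source can reach the port.
            findings.append((rid, "no source restriction (any address)"))
        elif prefix is not None:
            source = ipaddress.ip_network(prefix, strict=False)
            if source.version != subnet.version or not source.subnet_of(subnet):
                findings.append((rid, f"source {prefix} is wider than subnet {subnet_cidr}"))
        # A remote_group_id alone is accepted: it limits the source to members of that group.
        rng = _port_range(rule)
        if rng is None:
            findings.append((rid, "all ports allowed"))
            continue
        lo, hi = rng
        unexpected = [p for p in range(lo, hi + 1) if p not in expected_ports]
        if unexpected:
            findings.append((rid, f"range {lo}-{hi} includes undocumented port(s) {unexpected[:5]}"))
        opened.update(p for p in range(lo, hi + 1) if p in expected_ports)
    for p in sorted(expected_ports - opened):
        findings.append(("<missing>", f"documented port {p} has no ingress rule"))
    return findings


if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE_RULES), ("drifted", DRIFTED_RULES)):
        print(name, audit_ingress(rules, SUBNET_CIDR) or "OK")
```

Run against the real group, the script reports both directions of drift: rules that widen the source or add ports beyond the documented seven, and documented ports that no longer have a rule (which would show up as the Agent losing its control-plane connection rather than as a security finding).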

Permissions required by the stack template

When the stack template is executed under your cloud account through the Resource Formation Service (RFS), it creates ECS, VPC, OBS and other cloud resources or operates on them, and therefore needs a series of IAM permissions. Before running it, make sure the user executing the template holds the corresponding permissions; otherwise the template may fail.

Note: The stack template runs entirely within your cloud account, and the resources it creates belong to your cloud account. SelectDB does not obtain your cloud account credentials and cannot exercise that account's IAM permissions.

The following permissions are required by the resources and operations defined in the template:

  • Permission summary:

    • Region-Policy
    {
      "Version": "1.1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:cloudServers:list",
            "ecs:cloudServers:showServer",
            "ecs:cloudServers:createServers",
            "ecs:cloudServers:deleteServers",
            "ecs:cloudServers:updateServer",
            "ecs:cloudServers:changeChargeMode",
            "ecs:cloudServers:resize",
            "ecs:cloudServers:reboot",
            "ecs:cloudServers:stop",
            "ecs:cloudServers:start",
            "ecs:cloudServers:showServerBlockDevice",
            "ecs:cloudServers:listServerBlockDevices",
            "ecs:servers:get",
            "ecs:servers:list",
            "ecs:servers:start",
            "ecs:servers:stop",
            "ecs:servers:reboot",
            "ecs:servers:resize",
            "ecs:securityGroups:use",
            "ecs:servers:getTags",
            "ecs:servers:setTags",
            "evs:volumes:get",
            "evs:volumes:extend",
            "bss:renewal:update",
            "bss:order:pay",
            "vpc:vpcs:get",
            "vpc:vpcs:list",
            "vpc:subnets:get",
            "vpc:subnetTags:get",
            "vpc:securityGroups:get",
            "vpc:securityGroups:create",
            "vpc:securityGroups:update",
            "vpc:securityGroups:delete",
            "vpc:securityGroupRules:get",
            "vpc:securityGroupRules:create",
            "vpc:securityGroupRules:delete",
            "vpc:ports:get",
            "vpc:ports:create",
            "vpc:ports:update",
            "vpc:ports:delete",
            "vpc:publicIps:get",
            "vpc:publicIps:list",
            "vpc:publicIps:create",
            "vpc:publicIps:delete",
            "vpc:publicipTags:create",
            "vpc:publicipTags:delete",
            "elb:loadbalancers:get",
            "elb:loadbalancers:list",
            "elb:loadbalancers:create",
            "elb:loadbalancers:delete",
            "elb:loadbalancerTags:get",
            "elb:loadbalancerTags:create",
            "elb:loadbalancerTags:delete",
            "elb:listeners:get",
            "elb:listeners:list",
            "elb:listeners:create",
            "elb:listeners:delete",
            "elb:listenerTags:get",
            "elb:listenerTags:create",
            "elb:listenerTags:delete",
            "elb:pools:get",
            "elb:pools:list",
            "elb:pools:create",
            "elb:pools:delete",
            "elb:members:get",
            "elb:members:list",
            "elb:members:create",
            "elb:members:delete",
            "elb:l7policies:get",
            "elb:l7policies:list",
            "elb:l7policies:create",
            "elb:l7policies:delete",
            "elb:l7rules:get",
            "elb:l7rules:list",
            "elb:l7rules:create",
            "elb:l7rules:delete",
            "elb:healthmonitors:get",
            "elb:healthmonitors:list",
            "elb:healthmonitors:put",
            "elb:healthmonitors:create",
            "elb:healthmonitors:delete",
            "elb:ipgroups:get",
            "elb:ipgroups:list",
            "elb:ipgroups:create",
            "elb:ipgroups:put",
            "elb:ipgroups:delete"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "rf:*:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    • Global-Policy
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:bucket:*",
                    "obs:object:*"
                ],
                "Resource": [
                    "obs:*:*:bucket:selectdb-*",
                    "obs:*:*:object:selectdb-*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:permissions:addUserToGroup",
                    "iam:users:listUsersForGroup",
                    "iam:permissions:removeUserFromGroup",
                    "iam:groups:listGroupsForUser",
                    "iam:permissions:checkUserInGroup",
                    "iam:users:updateUser",
                    "iam:users:createUser",
                    "iam:users:listUsers",
                    "iam:users:getUser",
                    "iam:users:deleteUser",
                    "iam:projects:listProjectsForUser",
                    "iam:roles:getRole",
                    "iam:roles:listRoles",
                    "iam:roles:createRole",
                    "iam:roles:updateRole",
                    "iam:roles:deleteRole",
                    "iam:permissions:revokeRoleFromGroup",
                    "iam:permissions:listRolesForGroupOnDomain",
                    "iam:permissions:checkRoleForGroupOnDomain",
                    "iam:permissions:grantRoleToGroup",
                    "iam:groups:listGroups",
                    "iam:groups:createGroup",
                    "iam:permissions:revokeRoleFromGroupOnDomain",
                    "iam:permissions:listRolesForGroup",
                    "iam:permissions:grantRoleToGroupOnProject",
                    "iam:permissions:checkRoleForGroup",
                    "iam:groups:deleteGroup",
                    "iam:groups:updateGroup",
                    "iam:permissions:grantRoleToGroupOnDomain",
                    "iam:permissions:revokeRoleFromGroupOnProject",
                    "iam:groups:getGroup",
                    "iam:permissions:listRolesForAgencyOnDomain",
                    "iam:permissions:revokeRoleFromAgencyOnDomain",
                    "iam:permissions:listRolesForAgency",
                    "iam:permissions:checkRoleForAgencyOnProject",
                    "iam:permissions:listRolesForGroupOnProject",
                    "iam:permissions:checkRoleForGroupOnProject",
                    "iam:permissions:checkRoleForAgency",
                    "iam:permissions:listRolesForAgencyOnProject",
                    "iam:permissions:grantRoleToAgencyOnDomain",
                    "iam:permissions:revokeRoleFromAgencyOnProject",
                    "iam:permissions:grantRoleToAgency",
                    "iam:permissions:grantRoleToAgencyOnProject",
                    "iam:permissions:revokeRoleFromAgency",
                    "iam:tokens:assume",
                    "iam:agencies:list*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
    • VPCEndpoint Administrator
    {
        "Version": "1.0",
        "Statement": [
            {
                "Action": [
                    "vpcep:*:*"
                ],
                "Effect": "Allow"
            }
        ],
        "Depends": [
            {
                "catalog": "BASE",
                "display_name": "Server Administrator"
            },
            {
                "catalog": "VPC",
                "display_name": "VPC Administrator"
            },
            {
                "catalog": "DNS",
                "display_name": "DNS Administrator"
            }
        ]
    }
  • Elastic Cloud Server (ECS) permissions:

    • Manage ECS instances
    "ecs:cloudServers:list",
    "ecs:cloudServers:showServer",
    "ecs:cloudServers:createServers",
    "ecs:cloudServers:deleteServers",
    "ecs:cloudServers:updateServer",
    "ecs:cloudServers:changeChargeMode",
    "ecs:cloudServers:resize",
    "ecs:cloudServers:reboot",
    "ecs:cloudServers:stop",
    "ecs:cloudServers:start",
    "ecs:cloudServers:showServerBlockDevice",
    "ecs:cloudServers:listServerBlockDevices",
    "ecs:servers:get",
    "ecs:servers:list",
    "ecs:servers:start",
    "ecs:servers:stop",
    "ecs:servers:reboot",
    "ecs:servers:resize",
    "ecs:securityGroups:use",
    "ecs:servers:getTags",
    "ecs:servers:setTags",
    "evs:volumes:get",
    "evs:volumes:extend",
    "bss:renewal:update",
    "bss:order:pay",
  • Virtual Private Cloud (VPC) and VPC Endpoint (VPCEP) permissions

    • Read VPC resource information
    "vpc:vpcs:get",
    "vpc:vpcs:list",
    "vpc:subnets:get",
    "vpc:subnetTags:get",
    • Manage security groups
    "vpc:securityGroups:get",
    "vpc:securityGroups:create",
    "vpc:securityGroups:update",
    "vpc:securityGroups:delete",
    "vpc:securityGroupRules:get",
    "vpc:securityGroupRules:create",
    "vpc:securityGroupRules:delete",
    • Manage ports
    "vpc:ports:get",
    "vpc:ports:create",
    "vpc:ports:update",
    "vpc:ports:delete",
    • Manage EIPs
    "vpc:publicIps:get",
    "vpc:publicIps:list",
    "vpc:publicIps:create",
    "vpc:publicIps:delete",
    "vpc:publicipTags:create",
    "vpc:publicipTags:delete",
    • Manage Elastic Load Balance (ELB) resources
    "elb:loadbalancers:get",
    "elb:loadbalancers:list",
    "elb:loadbalancers:create",
    "elb:loadbalancers:delete",
    "elb:loadbalancerTags:get",
    "elb:loadbalancerTags:create",
    "elb:loadbalancerTags:delete",
    "elb:listeners:get",
    "elb:listeners:list",
    "elb:listeners:create",
    "elb:listeners:delete",
    "elb:listenerTags:get",
    "elb:listenerTags:create",
    "elb:listenerTags:delete",
    "elb:pools:get",
    "elb:pools:list",
    "elb:pools:create",
    "elb:pools:delete",
    "elb:members:get",
    "elb:members:list",
    "elb:members:create",
    "elb:members:delete",
    "elb:l7policies:get",
    "elb:l7policies:list",
    "elb:l7policies:create",
    "elb:l7policies:delete",
    "elb:l7rules:get",
    "elb:l7rules:list",
    "elb:l7rules:create",
    "elb:l7rules:delete",
    "elb:healthmonitors:get",
    "elb:healthmonitors:list",
    "elb:healthmonitors:put",
    "elb:healthmonitors:create",
    "elb:healthmonitors:delete",
    "elb:ipgroups:get",
    "elb:ipgroups:list",
    "elb:ipgroups:create",
    "elb:ipgroups:put",
    "elb:ipgroups:delete",
    • VPC Endpoint administrator permission: because of a cloud provider constraint, the VPCEndpoint Administrator role currently depends on the VPC Administrator, Server Administrator (ECS) and DNS Administrator roles, as the Depends block in the summary above shows

  • Object Storage Service (OBS) permissions:

    • Manage OBS buckets and read/write buckets and their contents
    {
        "Effect": "Allow",
        "Action": [
            "obs:bucket:*",
            "obs:object:*"
        ],
        "Resource": [
            "obs:*:*:bucket:selectdb-bucket-*",
            "obs:*:*:object:selectdb-bucket-*/*",
            "obs:*:*:bucket:selectdb-import-data-cn-north-4",
            "obs:*:*:object:selectdb-import-data-cn-north-4/*"
        ]
    },
  • Identity and Access Management (IAM) permissions:

    • Manage IAM users, user groups and permissions. These are needed because the template creates the SelectDBUser sub-user together with its group and policies; the sub-user itself keeps only iam:tokens:assume from this set (see its policy below)
    "iam:permissions:addUserToGroup",
    "iam:users:listUsersForGroup",
    "iam:permissions:removeUserFromGroup",
    "iam:groups:listGroupsForUser",
    "iam:permissions:checkUserInGroup",
    "iam:users:updateUser",
    "iam:users:createUser",
    "iam:users:listUsers",
    "iam:users:getUser",
    "iam:users:deleteUser",
    "iam:projects:listProjectsForUser",
    "iam:roles:getRole",
    "iam:roles:listRoles",
    "iam:roles:createRole",
    "iam:roles:updateRole",
    "iam:roles:deleteRole",
    "iam:permissions:revokeRoleFromGroup",
    "iam:permissions:listRolesForGroupOnDomain",
    "iam:permissions:checkRoleForGroupOnDomain",
    "iam:permissions:grantRoleToGroup",
    "iam:groups:listGroups",
    "iam:groups:createGroup",
    "iam:permissions:revokeRoleFromGroupOnDomain",
    "iam:permissions:listRolesForGroup",
    "iam:permissions:grantRoleToGroupOnProject",
    "iam:permissions:checkRoleForGroup",
    "iam:groups:deleteGroup",
    "iam:groups:updateGroup",
    "iam:permissions:grantRoleToGroupOnDomain",
    "iam:permissions:revokeRoleFromGroupOnProject",
    "iam:groups:getGroup",
    "iam:permissions:listRolesForAgencyOnDomain",
    "iam:permissions:revokeRoleFromAgencyOnDomain",
    "iam:permissions:listRolesForAgency",
    "iam:permissions:checkRoleForAgencyOnProject",
    "iam:permissions:listRolesForGroupOnProject",
    "iam:permissions:checkRoleForGroupOnProject",
    "iam:permissions:checkRoleForAgency",
    "iam:permissions:listRolesForAgencyOnProject",
    "iam:permissions:grantRoleToAgencyOnDomain",
    "iam:permissions:revokeRoleFromAgencyOnProject",
    "iam:permissions:grantRoleToAgency",
    "iam:permissions:grantRoleToAgencyOnProject",
    "iam:permissions:revokeRoleFromAgency",
    "iam:tokens:assume",
    "iam:agencies:list*"
  • Resource Formation Service (RFS) permissions:

    • Manage stacks
    rf:*:*

Permissions of the sub-user created by the stack template

The first execution of the stack template creates a sub-user that is subsequently used to manage the data warehouse components inside your VPC. Its permissions are described below.

Note: The sub-user belongs to your cloud account and is used only inside your VPC; its credentials are not exposed externally.

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ecs:cloudServers:list",
      "ecs:cloudServers:showServer",
      "ecs:cloudServers:createServers",
      "ecs:cloudServers:deleteServers",
      "ecs:cloudServers:updateServer",
      "ecs:cloudServers:changeChargeMode",
      "ecs:cloudServers:resize",
      "ecs:cloudServers:reboot",
      "ecs:cloudServers:stop",
      "ecs:cloudServers:start",
      "ecs:cloudServers:showServerBlockDevice",
      "ecs:cloudServers:listServerBlockDevices",
      "ecs:servers:get",
      "ecs:servers:list",
      "ecs:servers:start",
      "ecs:servers:stop",
      "ecs:servers:reboot",
      "ecs:servers:resize",
      "ecs:securityGroups:use",
      "ecs:servers:getTags",
      "ecs:servers:setTags",
      "evs:volumes:get",
      "evs:volumes:extend",
      "bss:renewal:update",
      "bss:order:pay",

      "vpc:vpcs:get",
      "vpc:vpcs:list",
      "vpc:subnets:get",
      "vpc:securityGroups:get",
      "vpc:securityGroups:create",
      "vpc:securityGroups:update",
      "vpc:securityGroups:delete",
      "vpc:securityGroupRules:get",
      "vpc:securityGroupRules:create",
      "vpc:securityGroupRules:delete",
      "vpc:ports:get",
      "vpc:ports:create",
      "vpc:ports:update",
      "vpc:ports:delete",

      "elb:loadbalancers:get",
      "elb:loadbalancers:list",
      "elb:loadbalancers:create",
      "elb:loadbalancers:delete",
      "elb:loadbalancerTags:get",
      "elb:loadbalancerTags:create",
      "elb:loadbalancerTags:delete",
      "elb:listeners:get",
      "elb:listeners:list",
      "elb:listeners:create",
      "elb:listeners:delete",
      "elb:listenerTags:get",
      "elb:listenerTags:create",
      "elb:listenerTags:delete",
      "elb:pools:get",
      "elb:pools:list",
      "elb:pools:create",
      "elb:pools:delete",
      "elb:members:get",
      "elb:members:list",
      "elb:members:create",
      "elb:members:delete",
      "elb:l7policies:get",
      "elb:l7policies:list",
      "elb:l7policies:create",
      "elb:l7policies:delete",
      "elb:l7rules:get",
      "elb:l7rules:list",
      "elb:l7rules:create",
      "elb:l7rules:delete",
      "elb:healthmonitors:get",
      "elb:healthmonitors:list",
      "elb:healthmonitors:put",
      "elb:healthmonitors:create",
      "elb:healthmonitors:delete",
      "elb:ipgroups:get",
      "elb:ipgroups:list",
      "elb:ipgroups:create",
      "elb:ipgroups:put",
      "elb:ipgroups:delete"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "obs:bucket:*",
      "obs:object:*"
    ],
    "Resource": [
      "obs:*:*:bucket:${huaweicloud_obs_bucket.SelectDBBucket.id}",
      "obs:*:*:object:${huaweicloud_obs_bucket.SelectDBBucket.id}/*",
      "obs:*:*:bucket:selectdb-import-data-cn-south-1",
      "obs:*:*:object:selectdb-import-data-cn-south-1/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "iam:tokens:assume"
    ],
    "Resource": [
      "*"
    ]
  }
]

The permissions break down as follows:

  • Elastic Cloud Server (ECS) permissions:

    • Project-level service; manage ECS instances
    "ecs:cloudServers:list",
    "ecs:cloudServers:showServer",
    "ecs:cloudServers:createServers",
    "ecs:cloudServers:deleteServers",
    "ecs:cloudServers:updateServer",
    "ecs:cloudServers:changeChargeMode",
    "ecs:cloudServers:resize",
    "ecs:cloudServers:reboot",
    "ecs:cloudServers:stop",
    "ecs:cloudServers:start",
    "ecs:cloudServers:showServerBlockDevice",
    "ecs:cloudServers:listServerBlockDevices",
    "ecs:servers:get",
    "ecs:servers:list",
    "ecs:servers:start",
    "ecs:servers:stop",
    "ecs:servers:reboot",
    "ecs:servers:resize",
    "ecs:securityGroups:use",
    "ecs:servers:getTags",
    "ecs:servers:setTags",
    "evs:volumes:get",
    "evs:volumes:extend",
    "bss:renewal:update",
    "bss:order:pay"
  • Virtual Private Cloud (VPC) and ELB permissions

    • Project-level service; read VPC resource information
    "vpc:vpcs:get",
    "vpc:vpcs:list",
    "vpc:subnets:get",
    • Project-level service; manage security groups
    "vpc:securityGroups:get",
    "vpc:securityGroups:create",
    "vpc:securityGroups:update",
    "vpc:securityGroups:delete",
    "vpc:securityGroupRules:get",
    "vpc:securityGroupRules:create",
    "vpc:securityGroupRules:delete",
    • Project-level service; manage ports
    "vpc:ports:get",
    "vpc:ports:create",
    "vpc:ports:update",
    "vpc:ports:delete",
    • Project-level service; manage Elastic Load Balance (ELB) resources
    "elb:loadbalancers:get",
    "elb:loadbalancers:list",
    "elb:loadbalancers:create",
    "elb:loadbalancers:delete",
    "elb:loadbalancerTags:get",
    "elb:loadbalancerTags:create",
    "elb:loadbalancerTags:delete",
    "elb:listeners:get",
    "elb:listeners:list",
    "elb:listeners:create",
    "elb:listeners:delete",
    "elb:listenerTags:get",
    "elb:listenerTags:create",
    "elb:listenerTags:delete",
    "elb:pools:get",
    "elb:pools:list",
    "elb:pools:create",
    "elb:pools:delete",
    "elb:members:get",
    "elb:members:list",
    "elb:members:create",
    "elb:members:delete",
    "elb:l7policies:get",
    "elb:l7policies:list",
    "elb:l7policies:create",
    "elb:l7policies:delete",
    "elb:l7rules:get",
    "elb:l7rules:list",
    "elb:l7rules:create",
    "elb:l7rules:delete",
    "elb:healthmonitors:get",
    "elb:healthmonitors:list",
    "elb:healthmonitors:put",
    "elb:healthmonitors:create",
    "elb:healthmonitors:delete",
    "elb:ipgroups:get",
    "elb:ipgroups:list",
    "elb:ipgroups:create",
    "elb:ipgroups:put",
    "elb:ipgroups:delete",
  • Object Storage Service (OBS) permissions:

    • Global-level service; manage OBS buckets and read/write buckets and their contents. In the statement above, ${huaweicloud_obs_bucket.SelectDBBucket.id} is a Terraform-style reference that RFS resolves at deployment time to the SelectDBBucket created by the same template, and the selectdb-import-data bucket carries the suffix of the deployment region (cn-south-1 in the statement above; the pattern below is shown for cn-north-4)
    {
        "Effect": "Allow",
        "Action": [
            "obs:bucket:*",
            "obs:object:*"
        ],
        "Resource": [
            "obs:*:*:bucket:selectdb-bucket-*",
            "obs:*:*:object:selectdb-bucket-*/*",
            "obs:*:*:bucket:selectdb-import-data-cn-north-4",
            "obs:*:*:object:selectdb-import-data-cn-north-4/*"
        ]
    },
  • Identity and Access Management (IAM) permissions:

    • Global-level service; allows assuming a specific agency (role) to obtain temporary credentials for it. This is the only IAM action the sub-user retains
    {
        "Effect": "Allow",
        "Action": [
            "iam:tokens:assume"
        ],
        "Resource": [
           "*"
        ]
    }
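To make the least-privilege claim checkable rather than just stated, the following Python script is an added example (not SelectDB or Huawei Cloud code) that evaluates the two policy documents on this page the way a reviewer would: it decides whether a given action/resource pair is allowed under Huawei IAM's Version 1.1 policy shape, lists the actions the template executor holds that the sub-user does not, and flags wildcard and unscoped grants. The policies are abridged transcriptions of the Region-Policy, Global-Policy and sub-user statement above (representative actions only); the bucket name selectdb-bucket-0a1b2c is an assumed stand-in for the value substituted for ${huaweicloud_obs_bucket.SelectDBBucket.id}, and rf:stacks:deployStack is a hypothetical action name used only to exercise the rf:*:* wildcard.

```python
import fnmatch

# Abridged transcription of the template executor's Region-Policy and Global-Policy
# (representative actions only; the page lists the full set).
EXECUTOR_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:cloudServers:list", "ecs:cloudServers:createServers",
                    "ecs:cloudServers:deleteServers", "vpc:securityGroupRules:create",
                    "vpc:publicIps:create", "elb:loadbalancers:create"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["rf:*:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["obs:bucket:*", "obs:object:*"],
         "Resource": ["obs:*:*:bucket:selectdb-*", "obs:*:*:object:selectdb-*/*"]},
        {"Effect": "Allow",
         "Action": ["iam:users:createUser", "iam:users:deleteUser", "iam:roles:createRole",
                    "iam:permissions:grantRoleToGroup", "iam:tokens:assume"],
         "Resource": ["*"]},
    ],
}

# Abridged transcription of the SelectDBUser statement. "selectdb-bucket-0a1b2c" is an
# assumed stand-in for the value RFS substitutes for ${huaweicloud_obs_bucket.SelectDBBucket.id}.
SUBUSER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:cloudServers:list", "ecs:cloudServers:createServers",
                    "ecs:cloudServers:deleteServers", "vpc:securityGroupRules:create",
                    "elb:loadbalancers:create"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["obs:bucket:*", "obs:object:*"],
         "Resource": ["obs:*:*:bucket:selectdb-bucket-0a1b2c",
                      "obs:*:*:object:selectdb-bucket-0a1b2c/*",
                      "obs:*:*:bucket:selectdb-import-data-cn-south-1",
                      "obs:*:*:object:selectdb-import-data-cn-south-1/*"]},
        {"Effect": "Allow", "Action": ["iam:tokens:assume"], "Resource": ["*"]},
    ],
}

# Actions to probe; "rf:stacks:deployStack" is a hypothetical name that only
# exercises the rf:*:* wildcard, not a documented RFS action.
PROBES = ["ecs:cloudServers:createServers", "vpc:publicIps:create", "rf:stacks:deployStack",
          "iam:users:createUser", "iam:permissions:grantRoleToGroup", "iam:tokens:assume"]

READ_VERB_PREFIXES = ("get", "list", "show", "check", "describe")


def _match(pattern, value):
    """IAM-style wildcard match: '*' spans any characters, comparison is case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource=None):
    """Evaluate one request: an explicit Deny wins, any matching Allow grants,
    otherwise the request is implicitly denied. resource=None means 'any resource'."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(_match(a, action) for a in st["Action"])
        resource_hit = resource is None or any(_match(r, resource) for r in st.get("Resource", ["*"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def dropped_actions(executor, subuser, probes):
    """Actions the template executor may perform that the sub-user may not."""
    return sorted(a for a in probes if is_allowed(executor, a) and not is_allowed(subuser, a))


def risk_report(policy):
    """Flag what a reviewer reads first: wildcard actions, and non-read actions
    whose Resource is '*' rather than a named bucket or object pattern."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        wild = [a for a in st["Action"] if "*" in a]
        if wild:
            findings.append((i, f"wildcard actions {wild}"))
        non_read = [a for a in st["Action"]
                    if not a.split(":")[-1].startswith(READ_VERB_PREFIXES)]
        if st.get("Resource", ["*"]) == ["*"] and non_read:
            findings.append((i, f"non-read actions on Resource '*': {non_read}"))
    return findings


if __name__ == "__main__":
    print("dropped for sub-user:", dropped_actions(EXECUTOR_POLICY, SUBUSER_POLICY, PROBES))
    for finding in risk_report(SUBUSER_POLICY):
        print("sub-user statement", *finding)
```

The evaluation order the script assumes (explicit Deny over Allow, implicit deny by default) is the usual one for this policy shape; for a real audit, paste the complete action lists from the page into the two dictionaries in place of the representative subsets. The report on the sub-user policy is what you would expect from the page: no IAM principal management, no EIP creation, no RFS access, and OBS access limited to the two named buckets, while ECS and ELB mutation still applies to every resource in the project.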
© 2023 北京飞轮数据科技有限公司 京ICP备2022004029号 | Apache, Apache Doris and related open-source project names are trademarks of the Apache Software Foundation