级联跨账户权限 - Amazon Lake Formation
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

级联跨账户权限

请按照以下步骤设置和测试跨账户权限级联:

  1. 使用 Lake Formation 控制台创建 LF-Tag:

    • 标签密钥c175912681300719

    • 标签值[all, public]

  2. 将表与标签和值相关联:

    • c175912681300719

    • all

  3. 授予跨账户标签策略权限。从一个账户向另一个账户111122223333授予标签策略SELECT权限444455556666

    
aws lakeformation grant-permissions \
  --cli-input-json '{
    "Principal": {
        "DataLakePrincipalIdentifier": "444455556666"
    },
    "Resource": {
        "LFTagPolicy": {
            "CatalogId": "111122223333",
            "ResourceType": "TABLE",
            "Expression": [{
                "TagKey": "c175912681300719",
                "TagValues": [
                    "all"
                ]
            }]
        }
    },
    "Permissions": [
        "SELECT"
    ]
}'

    消费者账户 (444455556666) 管理员可以访问带有标签的表c175912681300719:all。使用任一标签值,消费者账户无法级联向其他用户授予权限。

  4. 授予DESCRIBE权限。生产者账户管理员DESCRIBE向消费者账户授予标签密钥和两个值:

    
aws lakeformation grant-permissions \
  --cli-input-json '{
    "Principal": {
        "DataLakePrincipalIdentifier": "444455556666"
    },
    "Resource": {
       "LFTag": {
            "CatalogId": "111122223333",
            "TagKey": "c175912681300719",
             "TagValues": ["all","public"]
        }
    },
    "Permissions": [
        "DESCRIBE"
    ]
}'

    消费者账户管理员尝试使用标签c175912681300719和值 “all”(相同的策略)将权限级联给其他用户:

    
aws lakeformation grant-permissions --region us-east-1 --cli-input-json '{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::444455556666:role/AccessAnalyzerTrustedService"
    },
    "Resource": {
       "LFTagPolicy": {
            "CatalogId": "111122223333",
            "ResourceType": "TABLE",
            "Expression": [
                {
                    "TagKey": "c175912681300719",
                    "TagValues": [
                        "all"
                    ]
                }
            ]
        }
    },
    "Permissions": [
        "SELECT"
    ]
}'

    结果: AccessDeniedException

    授予失败是因为 Lake Formation 检测到 LF-Tag 策略与制作者账户用于与消费者账户共享资源的 LF-Tag 策略完全相同,并且仅检查用户是否具有可授予的权限,而不是规则 #2(描述权限)。

    使用多个标签值进行授权:

    
aws lakeformation grant-permissions --region us-east-1 --cli-input-json '{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::444455556666:role/AccessAnalyzerTrustedService"
    },
    "Resource": {
       "LFTagPolicy": {
            "CatalogId": "111122223333",
            "ResourceType": "TABLE",
            "Expression": [
                {
                    "TagKey": "c175912681300719",
                    "TagValues": [
                        "all","public"
                    ]
                }
            ]
        }
    },
    "Permissions": [
        "SELECT"
    ]
}'

    结果 — 成功 — 策略不相同,因此规则 #2 适用,DESCRIBE 权限就足够了。

    消费者尝试单一public值 — 成功:

    
aws lakeformation grant-permissions 
--cli-input-json '{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::444455556666:role/AccessAnalyzerTrustedService"
    },
    "Resource": {
       "LFTagPolicy": {
            "CatalogId": "111122223333",
            "ResourceType": "TABLE",
            "Expression": [
                {
                    "TagKey": "c175912681300719",
                    "TagValues": [
                        "public"
                    ]
                }
            ]
        }
    },
    "Permissions": [
        "SELECT"
    ]
}'

    政策不相同,因此适用规则 #2。