什么是 BYOC
私有仓库(BYOC 仓库,Bring Your Own Cloud)在您的自有云资源池中,为您提供 SelectDB Cloud 数据仓库安装、运维服务。
当您启动计算集群时,对应的虚拟机资源将在您的 VPC 中启动,费用云厂商向您收取。此外,您还需为 SelectDB 服务的使用时长支付费用。
当前,SelectDB Cloud 已经在阿里云、华为云的部分地域支持了 BYOC 仓库,其他云正在陆续支持中。
在什么情况下我应该使用 BYOC 仓库
一般来说,使用 BYOC 仓库出于两个目的:
- 合规 :部分合规框架要求用户的数据只能保存在自有的云 VPC 内,BYOC 模式在您自己的云资源池中提供数据仓库服务,符合合规要求。在安全性上,BYOC 与 SAAS 仓库均有受业界合规框架认可的安全性。
- 成本 :BYOC 仓库使用的虚拟机资源在您的云资源池内启动,费用与云厂商直接结算,对于与云厂商有较大优惠幅度的客户来说,BYOC 仓库有更好的成本优势。
虽然 SelectDB Cloud 提供了一站式的数据仓库安装与运维,但 BYOC 仓库位于您自己的云资源环境中,需要您对云环境有基础的了解,例如网段规划、负载均衡等。
BYOC 仓库的实现方式
BYOC 仓库会在您的 VPC 内安装一个管控 Agent,以及必要的监控组件。管控 Agent 会通过私网连接(PrivateLink)从 SelectDB Cloud 中拉去管控命令,来完成您在 SelectDB Cloud Manager 下发的集群启动、停止、升级操作。
管控 Agent 代码可见,可审计,可以保证您的数据将保存在您的 VPC 中,不会向外传输。
如何创建一个 BYOC 仓库
阿里云
点击“新建仓库”,在仓库模式处选择“BYOC”,选择阿里云以及所在的地域,并选择需要仓库的版本。
此表列出了可以部署 SelectDB Cloud BYOC Warehouse 的阿里云地域和可用区,以及相关的可用区。在创建资源栈时,您将需要这些信息来选择一个可用的子网。
| 云厂商 | 地域 | 可用区 |
|---|---|---|
| 阿里云 | 华东 2 (上海) | 可用区 E |
| 阿里云 | 华南 1 (深圳) | 可用区 D |
接下来,进行 VPC 的配置,如果您之前在一个 VPC 新建过 BYOC 仓库,那么我们可以复用这个 VPC 内的管控组件直接创建仓库,如果是在没有新建过 BYOC 仓库的 VPC 新建,需要初始化 VPC。
选择“ new_vpc(新建 VPC)”,并点击创建按钮。 接下来在新窗口会打开创建资源栈的页面。
SelectDB Cloud 会使用阿里云的资源编排服务创建对应的资源,白屏化完成用户 VPC 内的环境准备工作。在阿里云资源编排服务中,选择要部署 BYOC 仓库的 VPC 以及子网,点击创建进入下一步。
阿里云部署 BYOC 仓库时创建的资源
您可通过 ROS 界面资源选项卡查看创建出的所有资源情况,并可通过资源名称查看特定资源:
- ECS
- 名称:
- SelectDBAgent(ECS 机器)
- SelectDBKeyPair(密钥对)
- 用途:
- 用于部署 Agent,Prometheus 等程序
- 提供密钥登录能力
- 名称:
- 终端节点
- 名称:SelectDBEndpoint
- 用途:与 SelectDB Manage 服务建立私网连接,从而可以拉取管控指令并且能够单向推送监控、日志
- Bucket
- 名称:SelectDBBucket
- 用途:用于存储数仓数据
- 安全组
- 名称:SelectDBSecurityGroup
- 用途:绑定在终端节点和 ECS 实例,并通过安全组规则限定特定端口特定子网的流量才能通行(允许来自同一子网的443,22,5000,9090,8888,8666,8777端口流量入网,允许所有端口流量出网)
- RAM User / RAM Role
- 名称:
- SelectDBUser(子用户),SelectDBUserAccessKey(aksk),SelectDBUserPolicy(子用户权限)
- SelectDBRole(角色),SelectDBRolePolicy(角色权限)
- 用途:
- 创建出的子用户具备 Agent 所需的最小权限,之后进行的所有的业务操作均使用该子用户的身份 (所有子用户信息只会在用户 VPC 内使用,不会外泄)
- 名称:
阿里云部署 BYOC 仓库时所需要的权限
要正确执行这个阿里云资源编排服务(ROS)模板,需要一系列的权限。这些权限覆盖了 ECS, VPC, OSS 等多个阿里云服务,通常通过 RAM 策略授予,确保执行此模板的用户或角色具备相应权限,否则可能会遇到执行模板失败的情况。 以下是根据模板中定义的资源和操作所需的权限:
-
Elastic Compute Service (ECS) 权限:
- 管理 ECS 实例
"ecs:DescribeInstances", "ecs:CreateInstance", "ecs:RunInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:DescribeDisks", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags", "ecs:DescribeImages",- 管理 ECS 安全组
"ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup",- 管理 ECS SSH 密钥对
"ecs:DescribeKeyPairs", "ecs:CreateKeyPair", "ecs:AttachKeyPair", "ecs:DeleteKeyPairs", "ecs:DetachKeyPair",- 执行 ECS 云助手相关操作
"ecs:DescribeInvocations", "ecs:InvokeCommand", "ecs:RunCommand" -
Virtual Private Cloud (VPC) 和 PrivateLink 权限:
- 获取 VPC 相关资源信息
"vpc:DescribeVpcs", "vpc:DescribeVSwitches",- 管理 PrivateLink 终端节点
"privatelink:CreateVpcEndpoint", "privatelink:DeleteVpcEndpoint", "privatelink:GetVpcEndpointAttribute", "privatelink:ListVpcEndpoints", "privatelink:ListVpcEndpointServicesByEndUser", "privatelink:ListVpcEndpointSecurityGroups", "privatelink:ListVpcEndpointConnections", "privatelink:AddZoneToVpcEndpoint", "privatelink:AttachSecurityGroupToVpcEndpoint", "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:TagResources", "privatelink:UntagResources", "privatelink:UpdateVpcEndpointAttribute",- 管理负载均衡器(SLB)资源
"slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:CreateLoadBalancerHTTPListener", "slb:CreateLoadBalancerTCPListener", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags" -
Object Storage Service (OSS) 权限:
- 管理 OSS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶)
{ "Effect": "Allow", "Action": "oss:*", "Resource": [ "acs:oss:*:*:selectdb-bucket-*", "acs:oss:*:*:selectdb-bucekt-*/*" ] }, -
Resource Access Management (RAM) 权限:
- 管理 RAM 用户
"ram:GetUser", "ram:ListPoliciesForUser", "ram:ListUsers", "ram:ListGroupsForUser", "ram:AttachPolicyToUser", "ram:CreateUser", "ram:DeleteUser", "ram:DetachPolicyFromUser", "ram:UpdateUser",- 管理 RAM 访问密钥
"ram:CreateAccessKey", "ram:DeleteAccessKey", "ram:UpdateAccessKey", "ram:GetAccessKeyLastUsed", "ram:ListAccessKeys",- 管理 RAM 策略
ram:AttachPolicyToRole ram:AttachPolicyToUser ram:CreatePolicy ram:DeletePolicy ram:DetachPolicyFromRole ram:DetachPolicyFromUser ram:UpdatePolicyDescription ram:GetPolicy- 管理 RAM 角色
"ram:CreateRole", "ram:DeleteRole", "ram:PassRole", "ram:UpdateRole", "ram:GetRole", "ram:ListPoliciesForRole", "ram:ListRoles", "sts:AssumeRole" -
Resource Orchestration Service(ROS)权限:
- 管理资源栈
"ros:*"
这些权限覆盖了 ECS, VPC, OSS, ROS 等多个阿里云服务,通常通过 RAM 策略授予,确保执行此模板的用户或角色具备相应权限,否则可能会遇到执行模板失败的情况。
阿里云部署 BYOC 仓库创建子用户的权限
初次执行完模板创建出资源栈之后,所有的管控操作均基于该子用户的权限进行,以下为模板节选
# 策略1: 允许对 ECS,VPC,LB 进行相关操作
- Action:
# ECS https://help.aliyun.com/zh/ecs/user-guide/control-access-to-resources-by-using-ram-users?spm=a2c4g.11186623.0.nextDoc.38e61906zVPKhn
# CloudAssistant https://help.aliyun.com/zh/ecs/user-guide/use-ram-to-implement-permission-control#section-4ym-u5j-3gc
- "ecs:DescribeInstances"
- "ecs:RunInstances"
- "ecs:StopInstance"
- "ecs:StartInstance"
- "ecs:RebootInstance"
- "ecs:RenewInstance"
- "ecs:DeleteInstance"
- "ecs:ModifyInstanceAttribute"
- "ecs:ModifyInstanceChargeType"
- "ecs:ModifyInstanceAutoRenewAttribute"
- "ecs:DescribeDisks"
- "ecs:ResizeDisk"
- "ecs:DescribeTags"
- "ecs:AddTags"
- "ecs:RemoveTags"
- "ecs:DescribeSecurityGroups"
- "ecs:CreateSecurityGroup"
- "ecs:AuthorizeSecurityGroup"
- "ecs:AuthorizeSecurityGroupEgress"
- "ecs:DescribeSecurityGroupAttribute"
- "ecs:DeleteSecurityGroup"
- "ecs:DescribeKeyPairs"
- "ecs:AttachKeyPair"
- "ecs:DetachKeyPair"
- "ecs:InvokeCommand"
- "ecs:RunCommand"
- "ecs:DescribeInvocations"
# VPC https://help.aliyun.com/zh/ram/developer-reference/aliyunvpcfullaccess?spm=a2c4g.11186623.0.i24
- "vpc:DescribeVpcs"
- "vpc:DescribeVSwitches"
# LB https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/ram-authorization?spm=a2c4g.11186623.0.i6#concept-slb-rjf-cz
- "slb:DescribeLoadBalancers"
- "slb:DescribeLoadBalancerAttribute"
- "slb:CreateLoadBalancer"
- "slb:DeleteLoadBalancer"
- "slb:DescribeLoadBalancerListeners"
- "slb:CreateLoadBalancerHTTPListener"
- "slb:CreateLoadBalancerTCPListener"
- "slb:StartLoadBalancerListener"
- "slb:DeleteLoadBalancerListener"
- "slb:DescribeVServerGroups"
- "slb:DescribeVServerGroupAttribute"
- "slb:CreateVServerGroup"
- "slb:AddVServerGroupBackendServers"
- "slb:ModifyVServerGroupBackendServers"
- "slb:RemoveVServerGroupBackendServers"
- "slb:RemoveBackendServers"
- "slb:DeleteVServerGroup"
- "slb:DescribeAccessControlLists"
- "slb:CreateAccessControlList"
- "slb:AddAccessControlListEntry"
- "slb:RemoveAccessControlListEntry"
- "slb:DeleteAccessControlList"
- "slb:DescribeRules"
- "slb:CreateRules"
- "slb:DeleteRules"
- "slb:DescribeTags"
- "slb:AddTags"
- "slb:RemoveTags"
Resource:
- "acs:ecs:cn-beijing:*:*"
- "acs:vpc:cn-beijing:*:*"
- "acs:slb:cn-beijing:*:*"
Effect: Allow
# 策略2: 允许对刚创建出的 Bucket 及其中的对象进行增删改查操作
- Action:
# Bucket https://help.aliyun.com/zh/oss/user-guide/overview-22?spm=a2c4g.11186623.0.i63#section-3wi-z7m-fmq
- "oss:*"
Resource:
- Fn::Join:
- ''
- - 'acs:oss:*:*:'
- Ref: SelectDBBucket
- ""
- Fn::Join:
- ''
- - 'acs:oss:*:*:'
- Ref: SelectDBBucket
- "/*"
Effect: Allow
# 策略3: 允许进行访问控制相关操作, 该 RAM User 能够扮演指定的 RAM Role
- Action:
# RAM https://help.aliyun.com/zh/ram/developer-reference/api-ram-2015-05-01-ram?spm=a2c4g.11186623.0.i74
- "sts:AssumeRole"
Resource:
- Fn::GetAtt:
- SelectDBRole
- Arn
Effect: Allow具体权限划分如下:
-
Elastic Compute Service (ECS) 权限:
- 管理 ECS 实例
"ecs:DescribeInstances", "ecs:RunInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:DescribeDisks", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags",- 管理 ECS 安全组
"ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup",- 管理 ECS SSH 密钥对
"ecs:DescribeKeyPairs", "ecs:AttachKeyPair", "ecs:DetachKeyPair",- 执行 ECS 云助手相关操作
"ecs:InvokeCommand", "ecs:RunCommand", "ecs:DescribeInvocations", -
Virtual Private Cloud (VPC) 和 SLB 权限:
- 获取 VPC 相关资源信息
"vpc:DescribeVpcs", "vpc:DescribeVSwitches",- 管理负载均衡器(SLB)资源
"slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:CreateLoadBalancerHTTPListener", "slb:CreateLoadBalancerTCPListener", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags", -
Object Storage Service (OSS) 权限:
- 管理 OSS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶)
- Action: # Bucket https://help.aliyun.com/zh/oss/user-guide/overview-22?spm=a2c4g.11186623.0.i63#section-3wi-z7m-fmq - "oss:*" Resource: - Fn::Join: - '' - - 'acs:oss:*:*:' - Ref: SelectDBBucket - "" - Fn::Join: - '' - - 'acs:oss:*:*:' - Ref: SelectDBBucket - "/*" Effect: Allow -
Resource Access Management (RAM) 权限:
- 允许扮演特定角色
- Action:
# RAM https://help.aliyun.com/zh/ram/developer-reference/api-ram-2015-05-01-ram?spm=a2c4g.11186623.0.i74
- "sts:AssumeRole"
Resource:
- Fn::GetAtt:
- SelectDBRole
- Arn
Effect: Allow阿里云资源编排脚本审计
SelectDB 提供的资源编排模板代码可见,可审计,不会对您的数据与 VPC 内的其他环境进行操作。您可以通过以下链接对 SelectDB 提供的资源编排模板进行审计:
在完成资源编排脚本执行后,SelectDB Cloud 会与 BYOC 仓库建立连接,随后,您可以进入仓库,创建集群。
华为云
点击“新建仓库”,在仓库模式处选择“BYOC”,选择云厂商以及所在的地域,并选择需要仓库的版本。
此表列出了可以部署 SelectDB Cloud BYOC Warehouse 的阿里云地域和可用区,以及相关的可用区。在执行部署脚本时,您将需要这些信息来选择一个可用的子网。
| 云厂商 | 地域 | 可用区 |
|---|---|---|
| 华为云 | 华南-广州 | 可用区 6 |
接下来,进行 VPC 的配置,如果您之前在一个 VPC 新建过 BYOC 仓库,那么我们可以复用这个 VPC 内的管控组件直接创建仓库,如果是在没有新建过 BYOC 仓库的 VPC 新建,需要初始化 VPC。
选择“ new_vpc(新建 VPC)”,并点击创建按钮。 接下来,在创建页面,复制 SelectDB 提供的 Token,并点击“打开资源编排页面”。
SelectDB Cloud 会使用华为云的资源编排服务创建对应的资源,白屏化完成用户 VPC 内的环境准备工作。
填写从 SelectDB Cloud 控制台复制的 Token,选择要部署 BYOC 仓库的 VPC 以及子网,点击下一步。
在“配置参数”、“资源栈设置”页面点击下一步,进入到最后的配置确认,点击“直接部署资源栈”,并点击确定,完成部署。
华为云部署 BYOC 仓库时创建的资源
可通过 RFS 界面资源选项卡查看创建出的所有资源情况,并可通过资源名称查看特定资源:
- ECS
- 名称:
- SelectDBAgent(ECS 机器)
- 用途:
- 用于部署 Agent,Prometheus 等程序
- 名称:
- 终端节点
- 名称:SelectDBEndpoint
- 用途:与 SelectDB Manage 服务建立私网连接,从而可以拉取管控指令并且能够单向推送监控、日志
- Bucket
- 名称:SelectDBBucket
- 用途:用于存储数仓数据
- 安全组
- 名称:SelectDBSecurityGroup
- 用途:绑定在终端节点和 ECS 实例,并通过安全组规则限定特定端口特定子网的流量才能通行(允许来自同一子网的443,22,5000,9090,8888,8666,8777端口流量入网,允许所有端口流量出网)
- IAM User
- 名称:SelectDBUser(子用户),SelectDBUserRegionPolicy(子用户权限---针对 Region 级别服务),SelectDBUserGlobalPolicy(子用户权限---针对全局级别服务)
- 用途:创建出的子用户具备 Agent 所需的最小权限,之后进行的所有的业务操作均使用该子用户的身份 (所有子用户信息只会在用户 VPC 内使用,不会外泄)
华为云部署 BYOC 仓库时所需要的权限
要正确执行这个华为云资源编排服务(RFS)模板,需要一系列的权限。这些权限覆盖了 ECS, VPC, OBS, IAM 等多个华为云服务,通常通过 IAM 策略授予,确保执行此模板的用户或角色具备相应权限,否则可能会遇到执行模板失败的情况。
以下是根据模板中定义的资源和操作所需的权限:
-
Elastic Compute Service (ECS) 权限:
- 管理 ECS 实例
"ecs:servers:get", "ecs:servers:list", "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:getTags", "ecs:servers:setTags", "bss:renewal:update", "bss:order:pay", -
Virtual Private Cloud (VPC) 和 PrivateLink 权限
- 获取 VPC 相关资源信息
"vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get", "vpc:subnetTags:get",- 管理安全组
"vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete",- 管理端口
"vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete",- 管理 EIP
"vpc:publicIps:get", "vpc:publicIps:list", "vpc:publicIps:create", "vpc:publicIps:delete", "vpc:publicipTags:create", "vpc:publicipTags:delete",- 管理负载均衡器(ELB)资源
"elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete"- VPCEndpoint 管理员权限 由于云厂商限制,目前 VPCEndpoint Administrator 权限需要依赖 VPC, ECS, DNS 管理员权限
-
Object Storage Service (OSS) 权限:
- 管理 OSS 存储桶以及对存储桶及其内容进行读写操作
{ "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "obs:*:*:bucket:selectdb-bucket-*", "obs:*:*:object:selectdb-bucket-*/*", "obs:*:*:bucket:selectdb-import-data-cn-north-4", "obs:*:*:object:selectdb-import-data-cn-north-4/*" ] }, -
Identity and Access Management (IAM) 权限:
- 管理 IAM 用户、用户组、权限
"iam:permissions:addUserToGroup", "iam:users:listUsersForGroup", "iam:permissions:removeUserFromGroup", "iam:groups:listGroupsForUser", "iam:permissions:checkUserInGroup", "iam:users:updateUser", "iam:users:createUser", "iam:users:listUsers", "iam:users:getUser", "iam:users:deleteUser", "iam:projects:listProjectsForUser", "iam:roles:getRole", "iam:roles:listRoles", "iam:roles:createRole", "iam:roles:updateRole", "iam:roles:deleteRole", "iam:permissions:revokeRoleFromGroup", "iam:permissions:listRolesForGroupOnDomain", "iam:permissions:checkRoleForGroupOnDomain", "iam:permissions:grantRoleToGroup", "iam:groups:listGroups", "iam:groups:createGroup", "iam:permissions:revokeRoleFromGroupOnDomain", "iam:permissions:listRolesForGroup", "iam:permissions:grantRoleToGroupOnProject", "iam:permissions:checkRoleForGroup", "iam:groups:deleteGroup", "iam:groups:updateGroup", "iam:permissions:grantRoleToGroupOnDomain", "iam:permissions:revokeRoleFromGroupOnProject", "iam:groups:getGroup", "iam:permissions:listRolesForAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnDomain", "iam:permissions:listRolesForAgency", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:listRolesForGroupOnProject", "iam:permissions:checkRoleForGroupOnProject", "iam:permissions:checkRoleForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnProject", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnProject", "iam:permissions:revokeRoleFromAgency", "iam:tokens:assume", "iam:agencies:list*" -
Resource Orchestration Service(RFS)权限:
- 管理资源栈
rf:*:*
这些权限覆盖了 ECS, VPC, OBS, IAM 等多个华为云服务,通常通过 IAM 策略授予,确保执行此模板的用户或角色具备相应权限,否则可能会遇到执行模板失败的情况。
华为云部署 BYOC 仓库创建子用户的权限
初次执行完模板创建出资源栈之后,所有的管控操作均基于该子用户的权限进行,以下为模版节选
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:servers:get",
"ecs:servers:list",
"ecs:cloudServers:list",
"ecs:cloudServers:showServer",
"ecs:cloudServers:createServers",
"ecs:cloudServers:deleteServers",
"ecs:cloudServers:updateServer",
"ecs:cloudServers:changeChargeMode",
"ecs:cloudServers:resize",
"ecs:cloudServers:reboot",
"ecs:servers:start",
"ecs:servers:stop",
"ecs:servers:reboot",
"ecs:servers:resize",
"ecs:securityGroups:use",
"ecs:cloudServers:showServerBlockDevice",
"ecs:cloudServers:listServerBlockDevices",
"ecs:servers:getTags",
"ecs:servers:setTags",
"vpc:vpcs:get",
"vpc:vpcs:list",
"vpc:subnets:get",
"vpc:securityGroups:get",
"vpc:securityGroups:create",
"vpc:securityGroups:update",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:get",
"vpc:securityGroupRules:create",
"vpc:securityGroupRules:delete",
"vpc:ports:get",
"vpc:ports:create",
"vpc:ports:update",
"vpc:ports:delete",
"elb:loadbalancers:get",
"elb:loadbalancers:list",
"elb:loadbalancers:create",
"elb:loadbalancers:delete",
"elb:loadbalancerTags:get",
"elb:loadbalancerTags:create",
"elb:loadbalancerTags:delete",
"elb:listeners:get",
"elb:listeners:list",
"elb:listeners:create",
"elb:listeners:delete",
"elb:listenerTags:get",
"elb:listenerTags:create",
"elb:listenerTags:delete",
"elb:pools:get",
"elb:pools:list",
"elb:pools:create",
"elb:pools:delete",
"elb:members:get",
"elb:members:list",
"elb:members:create",
"elb:members:delete",
"elb:l7policies:get",
"elb:l7policies:list",
"elb:l7policies:create",
"elb:l7policies:delete",
"elb:l7rules:get",
"elb:l7rules:list",
"elb:l7rules:create",
"elb:l7rules:delete",
"elb:healthmonitors:get",
"elb:healthmonitors:list",
"elb:healthmonitors:put",
"elb:healthmonitors:create",
"elb:healthmonitors:delete",
"elb:ipgroups:get",
"elb:ipgroups:list",
"elb:ipgroups:create",
"elb:ipgroups:put",
"elb:ipgroups:delete",
"bss:renewal:update",
"bss:order:pay"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:*",
"obs:object:*"
],
"Resource": [
"obs:*:*:bucket:${huaweicloud_obs_bucket.SelectDBBucket.id}",
"obs:*:*:object:${huaweicloud_obs_bucket.SelectDBBucket.id}/*",
"obs:*:*:bucket:selectdb-import-data-cn-north-4",
"obs:*:*:object:selectdb-import-data-cn-north-4/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:tokens:assume"
],
"Resource": [
"*"
]
}
]具体权限划分如下:
-
Elastic Compute Service (ECS) 权限:
- 项目级服务,管理 ECS 实例
"ecs:servers:get", "ecs:servers:list", "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:getTags", "ecs:servers:setTags", "bss:renewal:update", "bss:order:pay", -
Virtual Private Cloud (VPC) 和 ELB 权限
- 项目级服务,获取 VPC 相关资源信息
"vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get",- 项目级服务,管理安全组
"vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete",- 项目级服务,管理端口
"vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete",- 项目级服务,管理负载均衡器(ELB)资源
"elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete" -
Object Storage Service (OSS) 权限:
- 全局级服务,管理 OSS 存储桶以及对存储桶及其内容进行读写操作
{ "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "obs:*:*:bucket:selectdb-bucket-*", "obs:*:*:object:selectdb-bucket-*/*", "obs:*:*:bucket:selectdb-import-data-cn-north-4", "obs:*:*:object:selectdb-import-data-cn-north-4/*" ] }, -
Identity and Access Management (IAM) 权限:
- 全局级服务,允许扮演特定角色,获取该角色的临时凭证
{ "Effect": "Allow", "Action": [ "iam:tokens:assume" ], "Resource": [ "*" ] }
华为云资源编排脚本审计
SelectDB 提供的资源编排模板代码可见,可审计,不会对您的数据与 VPC 内的其他环境进行操作。您可以通过以下链接对 SelectDB 提供的资源编排模板进行审计:
在完成资源编排模板执行后,SelectDB Cloud 会与 BYOC 仓库建立连接,随后,您可以进入仓库,创建集群。
腾讯云
点击“新建仓库”,在仓库模式处选择“BYOC”,选择云厂商以及所在的地域,并选择需要仓库的版本。
此表列出了可以部署 SelectDB Cloud BYOC Warehouse 的阿里云地域和可用区,以及相关的可用区。在执行部署脚本时,您将需要这些信息来选择一个可用的子网。
| 云厂商 | 地域 | 可用区 |
|---|---|---|
| 腾讯云 | 北京 | 全部可用区 |
接下来,进行 VPC 的配置,如果您之前在一个 VPC 新建过 BYOC 仓库,那么我们可以复用这个 VPC 内的管控组件直接创建仓库,如果是在没有新建过 BYOC 仓库的 VPC 新建,需要初始化 VPC。选择“ new_vpc(新建 VPC)”,并点击创建按钮。
接下来,在创建页面,复制 SelectDB 提供的命令,点击“打开 CloudShell”,在 CloudShell 中执行复制的命令。
您需要在腾讯云保持登录状态才能正常打开 CloudShell,如果仍然在进入 CloudShell 时报错,请尝试重新登录。
按照 CloudShell 中的模板引导,输入 VPC、子网信息,并等待部署。
腾讯云部署 BYOC 仓库时创建的资源
可通过查看 terraform.tfstate 状态文件查看创建出的所有资源情况(请勿修改该文件,否则在进行更新或销毁时由于状态信息缺失导致失败,从而出现资源泄露的情况)
- CVM
- 名称:
- SelectDBAgent
- SelectDBKeypair
- 用途:
- 用于部署 Agent,Prometheus 等程序
- 提供密钥登录能力
- 名称:
- 终端节点
- 名称:SelectDBEndpoint
- 用途:与 SelectDB Manage 服务建立私网连接,从而可以拉取管控指令并且能够单向推送监控、日志
- Bucket
- 名称:SelectDBBucket
- 用途:用于存储数仓数据
- 安全组
- 名称:SelectDBSecurityGroup
- 用途:绑定在终端节点和 CVM 实例,并通过安全组规则限定特定端口特定子网的流量才能通行(允许来自同一子网的443,22,5000,9090,8888,8666,8777端口流量入网,允许所有端口流量出网)
- CAM User / CAM Role
- 名称:
- SelectDBUser(子用户),SelectDBUserAccessKey(aksk),SelectDBUserPolicy(子用户权限)
- SelectDBRole(角色),SelectDBRolePolicy(角色权限)
- 用途:
- 创建出的子用户具备 Agent 所需的最小权限,之后进行的所有的业务操作均使用该子用户的身份 (所有子用户信息只会在用户 VPC 内使用,不会外泄)
- 用于绑定在 CVM 实例上,用于后续内网调用腾讯云 openAPI 切换为访问元数据服务来获取临时 aksk,相较于目前使用永久 aksk 的方式更加安全
- 名称:
腾讯云部署 BYOC 仓库时所需要的权限
要正确在腾讯云 CloudShell 中执行部署脚本,需要一系列的权限。以下是根据模板中定义的资源和操作所需的权限,请保证执行模版的用户或角色权限大于等于以下权限:
{
"statement": [
{
"action": [
"cvm:DescribeInstances",
"cvm:DescribeInstanceAttributes",
"cvm:InquiryPriceRunInstances",
"cvm:RunInstances",
"cvm:StartInstances",
"cvm:StopInstances",
"cvm:PurgeInstances",
"cvm:RebootInstances",
"cvm:TerminateInstances",
"cvm:RenewInstances",
"cvm:ViewModifyInstancesAttribute",
"cvm:ModifyInstancesAttribute",
"cvm:ModifyInstancesChargeType",
"cvm:DescribeInstancesCbsNum",
"cvm:CreateCbsStorages",
"cvm:AttachCbsStorages",
"cvm:DetachCbsStorages",
"cvm:ResizeCbsStorage",
"cvm:ModifyCbsStorageAttributes",
"cvm:DescribeDisks",
"cvm:CreateDisks",
"cvm:AttachDisks",
"cvm:DetachDisks",
"cvm:RenewDisk",
"cvm:ResizeDisk",
"cvm:ModifyDiskAttributes",
"cvm:DescribeImages",
"cvm:DescribeSecurityGroups",
"cvm:DescribeSecurityGroupPolicys",
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySingleSecurityGroupPolicy",
"cvm:ModifySecurityGroupPolicys",
"cvm:AssociateSecurityGroups",
"cvm:DisassociateSecurityGroups",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:DescribeSecurityGroupAssociateInstances",
"cvm:DescribeKeyPairs",
"cvm:CreateKeyPair",
"cvm:AssociateInstancesKeyPairs",
"cvm:DisassociateInstancesKeyPairs",
"cvm:DeleteKeyPairs",
"vpc:DescribeVpcEx",
"vpc:DescribeSubnet",
"vpc:DescribeSubnetEx",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DescribeVpcEndPoint",
"vpc:DescribeVpcEndPointService",
"vpc:DescribeVpcEndPointServiceWhiteList",
"vpc:CheckVpcEndPointServiceExist",
"vpc:CreateVpcEndPoint",
"vpc:DeleteVpcEndPoint",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DisassociateVpcEndPointSecurityGroups",
"vpc:DescribeNetworkInterfaces",
"vpc:DescribeRouteTable",
"vpc:DescribeVpcLimits",
"clb:DescribeLoadBalancers",
"clb:DescribeLoadBalancersDetail",
"clb:InquiryPriceCreateLoadBalancer",
"clb:InquiryPriceRefundLoadBalancer",
"clb:InquiryPriceRenewLoadBalancer",
"clb:CreateLoadBalancer",
"clb:DeleteLoadBalancer",
"clb:DeleteLoadBalancers",
"clb:DescribeListeners",
"clb:DescribeLBListeners",
"clb:DescribeLoadBalancerListeners",
"clb:CreateListener",
"clb:CreateLoadBalancerListeners",
"clb:SetLoadBalancerStartStatus",
"clb:DeleteListener",
"clb:DeleteLoadBalancerListeners",
"clb:DescribeTargets",
"clb:DescribeTargetGroups",
"clb:DescribeTargetGroupList",
"clb:DescribeTargetGroupInstances",
"clb:CreateTargetGroup",
"clb:ModifyTargetGroupAttribute",
"clb:DeleteTargetGroups",
"clb:RegisterTargets",
"clb:DeregisterTargets",
"clb:BatchRegisterTargets",
"clb:BatchDeregisterTargets",
"clb:RegisterTargetGroupInstances",
"clb:AssociateTargetGroups",
"clb:DisassociateTargetGroups",
"clb:RegisterInstancesWithLoadBalancer",
"clb:DeregisterTargetGroupInstances",
"clb:DeregisterInstancesFromLoadBalancer",
"clb:CreateRule",
"clb:CreateListenerRules",
"clb:ModifyRule",
"clb:DeleteRule",
"clb:SetSecurityGroups",
"clb:SetSecurityGroupForLoadbalancers",
"clb:SetLoadBalancerSecurityGroups"
],
"effect": "allow",
"resource": [
"qcs::cvm:ap-beijing::*",
"qcs::vpc:ap-beijing::*",
"qcs::clb:ap-beijing::*"
]
},
{
"action": [
"tat:RunCommand",
"tat:DescribeInvocations",
"tat:DescribeInvocationTasks",
"tag:DescribeResourceTagsByResourceIds",
"tag:TagResources",
"tag:UnTagResources"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"finance:*"
],
"effect": "allow",
"resource": [
"qcs::cvm:::*",
"qcs::clb:::*"
]
},
{
"action": [
"cos:*"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing::*"
]
},
{
"action": [
"cam:GetPolicy",
"cam:GetPolicyVersion",
"cam:ListPolicyVersions",
"cam:ListAccessKeys",
"cam:GetUserPermissionBoundary",
"cam:ListUserTags",
"cam:QueryApiKey",
"cam:CheckUserPolicyAttachment",
"cam:CreatePolicy",
"cam:DeletePolicy",
"cam:UpdatePolicy",
"cam:GetAccountSummary",
"cam:DescribeSubAccounts",
"cam:ListSubAccounts",
"cam:GetUser",
"cam:GetUserAppId",
"cam:ListUsers",
"cam:GetAllMaskedSubUser",
"cam:GetUserPermissionBoundary",
"cam:AddUser",
"cam:AttachUserPolicy",
"cam:ListAttachedUserPolicies",
"cam:ListAttachedUserAllPolicies",
"cam:CheckUserPolicyAttachment",
"cam:DetachUserPolicy",
"cam:DeleteUser",
"cam:UpdateUser",
"cam:ListUserTags",
"cam:DescribeRoleList",
"cam:GetRole",
"cam:CreateRole",
"cam:GetRolePermissionBoundary",
"cam:GetServiceLinkedRoleDeletionStatus",
"cam:CreateServiceLinkedRole",
"cam:PutRolePermissionsBoundary",
"cam:AttachRolePolicy",
"cam:ListAttachedRolePolicies",
"cam:DeleteRole",
"cam:DeleteRolePermissionsBoundary",
"cam:DeleteServiceLinkedRole",
"cam:DetachRolePolicy",
"cam:LogoutRoleSessions",
"cam:PassRole",
"cam:ListRoleTags",
"cam:TagRole",
"cam:UntagRole",
"cam:UpdateRoleConsoleLogin",
"cam:UpdateRoleDescription",
"cam:UpdateAssumeRolePolicy",
"cam:ListAccessKeys",
"cam:QueryApiKey",
"cam:DeleteApiKey",
"cam:CreateApiKey",
"cam:CreateAccessKey",
"cam:DeleteAccessKey",
"cam:UpdateAccessKey"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}-
Cloud Virtual Machine (CVM) 权限:
- 管理 CVM 实例
"cvm:DescribeInstances", "cvm:DescribeInstanceAttributes", "cvm:InquiryPriceRunInstances", "cvm:RunInstances", "cvm:StartInstances", "cvm:StopInstances", "cvm:PurgeInstances", "cvm:RebootInstances", "cvm:TerminateInstances", "cvm:RenewInstances", "cvm:ViewModifyInstancesAttribute", "cvm:ModifyInstancesAttribute", "cvm:ModifyInstancesChargeType", "cvm:DescribeInstancesCbsNum", "cvm:CreateCbsStorages", "cvm:AttachCbsStorages", "cvm:DetachCbsStorages", "cvm:ResizeCbsStorage", "cvm:ModifyCbsStorageAttributes", "cvm:DescribeDisks", "cvm:CreateDisks", "cvm:AttachDisks", "cvm:DetachDisks", "cvm:RenewDisk", "cvm:ResizeDisk", "cvm:ModifyDiskAttributes", "cvm:DescribeImages",- 管理 CVM 安全组
"cvm:DescribeSecurityGroups", "cvm:DescribeSecurityGroupPolicys", "cvm:CreateSecurityGroup", "cvm:CreateSecurityGroupPolicy", "cvm:ModifySecurityGroupAttributes", "cvm:ModifySingleSecurityGroupPolicy", "cvm:ModifySecurityGroupPolicys", "cvm:AssociateSecurityGroups", "cvm:DisassociateSecurityGroups", "cvm:DeleteSecurityGroup", "cvm:DeleteSecurityGroupPolicy", "cvm:DescribeSecurityGroupAssociateInstances",- 管理 CVM SSH 密钥对
"cvm:DescribeKeyPairs", "cvm:CreateKeyPair", "cvm:AssociateInstancesKeyPairs", "cvm:DisassociateInstancesKeyPairs", "cvm:DeleteKeyPairs",- 执行 CVM 云助手相关操作,标签管理
"tat:RunCommand", "tat:DescribeInvocations", "tat:DescribeInvocationTasks", "tag:DescribeResourceTagsByResourceIds", "tag:TagResources", "tag:UnTagResources" -
Virtual Private Cloud (VPC) 、PrivateLink 和LB 权限:
- 获取 VPC 相关资源信息
"vpc:DescribeVpcEx", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx", "vpc:DescribeNetworkInterfaces", "vpc:DescribeRouteTable", "vpc:DescribeVpcLimits",- 管理终端节点资源
"vpc:ModifyVpcEndPointAttribute", "vpc:DescribeVpcEndPoint", "vpc:DescribeVpcEndPointService", "vpc:DescribeVpcEndPointServiceWhiteList", "vpc:CheckVpcEndPointServiceExist", "vpc:CreateVpcEndPoint", "vpc:DeleteVpcEndPoint", "vpc:ModifyVpcEndPointAttribute", "vpc:DisassociateVpcEndPointSecurityGroups",- 管理负载均衡器(CLB)资源
"clb:DescribeLoadBalancers", "clb:DescribeLoadBalancersDetail", "clb:InquiryPriceCreateLoadBalancer", "clb:InquiryPriceRefundLoadBalancer", "clb:InquiryPriceRenewLoadBalancer", "clb:CreateLoadBalancer", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancers", "clb:DescribeListeners", "clb:DescribeLBListeners", "clb:DescribeLoadBalancerListeners", "clb:CreateListener", "clb:CreateLoadBalancerListeners", "clb:SetLoadBalancerStartStatus", "clb:DeleteListener", "clb:DeleteLoadBalancerListeners", "clb:DescribeTargets", "clb:DescribeTargetGroups", "clb:DescribeTargetGroupList", "clb:DescribeTargetGroupInstances", "clb:CreateTargetGroup", "clb:ModifyTargetGroupAttribute", "clb:DeleteTargetGroups", "clb:RegisterTargets", "clb:DeregisterTargets", "clb:BatchRegisterTargets", "clb:BatchDeregisterTargets", "clb:RegisterTargetGroupInstances", "clb:AssociateTargetGroups", "clb:DisassociateTargetGroups", "clb:RegisterInstancesWithLoadBalancer", "clb:DeregisterTargetGroupInstances", "clb:DeregisterInstancesFromLoadBalancer", "clb:CreateRule", "clb:CreateListenerRules", "clb:ModifyRule", "clb:DeleteRule", "clb:SetSecurityGroups", "clb:SetSecurityGroupForLoadbalancers", "clb:SetLoadBalancerSecurityGroups" -
Finance 权限:
- 允许购买 CVM 和CLB 资源
{ "action": [ "finance:*" ], "effect": "allow", "resource": [ "qcs::cvm:::*", "qcs::clb:::*" ] }, -
Cloud Object Storage (COS) 权限:
- 管理 COS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶)
{ "action": [ "cos:*" ], "effect": "allow", "resource": [ "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}", "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*" ] }, -
Cloud Access Management(CAM) 权限:
- 管理策略
"cam:GetPolicy", "cam:GetPolicyVersion", "cam:ListPolicyVersions", "cam:GetUserPermissionBoundary", "cam:ListUserTags", "cam:QueryApiKey", "cam:CheckUserPolicyAttachment", "cam:CreatePolicy", "cam:DeletePolicy", "cam:UpdatePolicy",- 管理子用户,获取账号信息
"cam:GetAccountSummary", "cam:DescribeSubAccounts", "cam:ListSubAccounts", "cam:GetUser", "cam:GetUserAppId", "cam:ListUsers", "cam:GetAllMaskedSubUser", "cam:GetUserPermissionBoundary", "cam:AddUser", "cam:AttachUserPolicy", "cam:ListAttachedUserPolicies", "cam:ListAttachedUserAllPolicies", "cam:CheckUserPolicyAttachment", "cam:DetachUserPolicy", "cam:DeleteUser", "cam:UpdateUser", "cam:ListUserTags",- 管理 CAM 访问密钥
"cam:ListAccessKeys", "cam:QueryApiKey", "cam:DeleteApiKey", "cam:CreateApiKey", "cam:CreateAccessKey", "cam:DeleteAccessKey", "cam:UpdateAccessKey"- 管理角色
"cam:DescribeRoleList", "cam:GetRole", "cam:CreateRole", "cam:GetRolePermissionBoundary", "cam:GetServiceLinkedRoleDeletionStatus", "cam:CreateServiceLinkedRole", "cam:PutRolePermissionsBoundary", "cam:AttachRolePolicy", "cam:ListAttachedRolePolicies", "cam:DeleteRole", "cam:DeleteRolePermissionsBoundary", "cam:DeleteServiceLinkedRole", "cam:DetachRolePolicy", "cam:LogoutRoleSessions", "cam:PassRole", "cam:ListRoleTags", "cam:TagRole", "cam:UntagRole", "cam:UpdateRoleConsoleLogin", "cam:UpdateRoleDescription", "cam:UpdateAssumeRolePolicy",
这些权限覆盖了 CVM, VPC, COS 等多个腾讯云云服务,通常通过 CAM 策略授予,确保执行此模板的用户或角色具备相应权限,否则可能会遇到执行模板失败的情况。
腾讯云部署 BYOC 仓库创建子用户的权限
初次执行完模板创建出资源栈之后,所有的管控操作均基于该子用户的权限进行,以下为模板节选
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:DescribeInstances",
"cvm:DescribeInstanceAttributes",
"cvm:InquiryPriceRunInstances",
"cvm:RunInstances",
"cvm:StartInstances",
"cvm:StopInstances",
"cvm:PurgeInstances",
"cvm:RebootInstances",
"cvm:TerminateInstances",
"cvm:RenewInstances",
"cvm:ViewModifyInstancesAttribute",
"cvm:ModifyInstancesAttribute",
"cvm:ModifyInstancesChargeType",
"cvm:AssociateInstancesKeyPairs",
"cvm:DisassociateInstancesKeyPairs",
"cvm:DeleteKeyPairs",
"cvm:DescribeSecurityGroups",
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySingleSecurityGroupPolicy",
"cvm:ModifySecurityGroupPolicys",
"cvm:AssociateSecurityGroups",
"cvm:DisassociateSecurityGroups",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:CreateCbsStorages",
"cvm:AttachCbsStorages",
"cvm:DetachCbsStorages",
"cvm:ResizeCbsStorage",
"cvm:ModifyCbsStorageAttributes",
"cvm:DescribeDisks",
"cvm:CreateDisks",
"cvm:AttachDisks",
"cvm:DetachDisks",
"cvm:RenewDisk",
"cvm:ResizeDisk",
"cvm:ModifyDiskAttributes",
"vpc:DescribeVpcEx",
"vpc:DescribeSubnet",
"vpc:DescribeSubnetEx",
"vpc:ModifyVpcEndPointAttribute",
"clb:DescribeLoadBalancers",
"clb:DescribeLoadBalancersDetail",
"clb:InquiryPriceCreateLoadBalancer",
"clb:InquiryPriceRefundLoadBalancer",
"clb:InquiryPriceRenewLoadBalancer",
"clb:CreateLoadBalancer",
"clb:DeleteLoadBalancer",
"clb:DeleteLoadBalancers",
"clb:DescribeListeners",
"clb:DescribeLBListeners",
"clb:DescribeLoadBalancerListeners",
"clb:CreateListener",
"clb:CreateLoadBalancerListeners",
"clb:SetLoadBalancerStartStatus",
"clb:DeleteListener",
"clb:DeleteLoadBalancerListeners",
"clb:DescribeTargets",
"clb:DescribeTargetGroups",
"clb:DescribeTargetGroupList",
"clb:DescribeTargetGroupInstances",
"clb:CreateTargetGroup",
"clb:ModifyTargetGroupAttribute",
"clb:DeleteTargetGroups",
"clb:RegisterTargets",
"clb:DeregisterTargets",
"clb:BatchRegisterTargets",
"clb:BatchDeregisterTargets",
"clb:RegisterTargetGroupInstances",
"clb:AssociateTargetGroups",
"clb:DisassociateTargetGroups",
"clb:RegisterInstancesWithLoadBalancer",
"clb:DeregisterTargetGroupInstances",
"clb:DeregisterInstancesFromLoadBalancer",
"clb:CreateRule",
"clb:CreateListenerRules",
"clb:ModifyRule",
"clb:DeleteRule",
"clb:SetSecurityGroups",
"clb:SetSecurityGroupForLoadbalancers",
"clb:SetLoadBalancerSecurityGroups"
],
"effect": "allow",
"resource": [
"qcs::cvm:ap-beijing:uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:*",
"qcs::vpc:ap-beijing:uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:*",
"qcs::clb:ap-beijing:uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:*"
]
},
{
"action": [
"tat:RunCommand",
"tat:DescribeInvocations",
"tat:DescribeInvocationTasks"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"finance:*"
],
"effect": "allow",
"resource": [
"qcs::cvm:::*",
"qcs::clb:::*"
]
},
{
"action": [
"cos:*"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}",
"qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*"
]
},
{
"action": [
"name/sts:AssumeRole"
],
"effect": "allow",
"resource": [
"qcs::cam::uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:roleName/${tencentcloud_cam_role.SelectDBRole.name}"
]
}
]
}具体权限划分如下:
-
Cloud Virtual Machine (CVM) 权限:
- 管理 CVM 实例
"cvm:DescribeInstances", "cvm:DescribeInstanceAttributes", "cvm:InquiryPriceRunInstances", "cvm:RunInstances", "cvm:StartInstances", "cvm:StopInstances", "cvm:PurgeInstances", "cvm:RebootInstances", "cvm:TerminateInstances", "cvm:RenewInstances", "cvm:ViewModifyInstancesAttribute", "cvm:ModifyInstancesAttribute", "cvm:ModifyInstancesChargeType", "cvm:CreateCbsStorages", "cvm:AttachCbsStorages", "cvm:DetachCbsStorages", "cvm:ResizeCbsStorage", "cvm:ModifyCbsStorageAttributes", "cvm:DescribeDisks", "cvm:CreateDisks", "cvm:AttachDisks", "cvm:DetachDisks", "cvm:RenewDisk", "cvm:ResizeDisk", "cvm:ModifyDiskAttributes",- 管理 CVM 安全组
"cvm:DescribeSecurityGroups", "cvm:CreateSecurityGroup", "cvm:CreateSecurityGroupPolicy", "cvm:ModifySecurityGroupAttributes", "cvm:ModifySingleSecurityGroupPolicy", "cvm:ModifySecurityGroupPolicys", "cvm:AssociateSecurityGroups", "cvm:DisassociateSecurityGroups", "cvm:DeleteSecurityGroup", "cvm:DeleteSecurityGroupPolicy",- 管理 CVM SSH 密钥对
"cvm:AssociateInstancesKeyPairs", "cvm:DisassociateInstancesKeyPairs", "cvm:DeleteKeyPairs",- 执行 CVM 云助手相关操作
"tat:RunCommand", "tat:DescribeInvocations", "tat:DescribeInvocationTasks" -
Virtual Private Cloud (VPC) 和 CLB 权限:
- 获取 VPC 相关资源信息
"vpc:DescribeVpcEx", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx", "vpc:ModifyVpcEndPointAttribute",- 管理负载均衡器(CLB)资源
"clb:DescribeLoadBalancers", "clb:DescribeLoadBalancersDetail", "clb:InquiryPriceCreateLoadBalancer", "clb:InquiryPriceRefundLoadBalancer", "clb:InquiryPriceRenewLoadBalancer", "clb:CreateLoadBalancer", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancers", "clb:DescribeListeners", "clb:DescribeLBListeners", "clb:DescribeLoadBalancerListeners", "clb:CreateListener", "clb:CreateLoadBalancerListeners", "clb:SetLoadBalancerStartStatus", "clb:DeleteListener", "clb:DeleteLoadBalancerListeners", "clb:DescribeTargets", "clb:DescribeTargetGroups", "clb:DescribeTargetGroupList", "clb:DescribeTargetGroupInstances", "clb:CreateTargetGroup", "clb:ModifyTargetGroupAttribute", "clb:DeleteTargetGroups", "clb:RegisterTargets", "clb:DeregisterTargets", "clb:BatchRegisterTargets", "clb:BatchDeregisterTargets", "clb:RegisterTargetGroupInstances", "clb:AssociateTargetGroups", "clb:DisassociateTargetGroups", "clb:RegisterInstancesWithLoadBalancer", "clb:DeregisterTargetGroupInstances", "clb:DeregisterInstancesFromLoadBalancer", "clb:CreateRule", "clb:CreateListenerRules", "clb:ModifyRule", "clb:DeleteRule", "clb:SetSecurityGroups", "clb:SetSecurityGroupForLoadbalancers", "clb:SetLoadBalancerSecurityGroups" -
Finance 权限:
- 允许购买 CVM 和LB 资源
{ "action": [ "finance:*" ], "effect": "allow", "resource": [ "qcs::cvm:::*", "qcs::clb:::*" ] }, -
Cloud Object Storage (COS) 权限:
- 管理 COS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶)
{ "action": [ "cos:*" ], "effect": "allow", "resource": [ "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}", "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*" ] }, -
Cloud Access Management(CAM) 权限:
- 允许扮演特定角色
{
"action": [
"name/sts:AssumeRole"
],
"effect": "allow",
"resource": [
"qcs::cam::uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:roleName/${tencentcloud_cam_role.SelectDBRole.name}"
]
}腾讯云 Terraform 脚本审计
SelectDB 提供的 Terraform 模板代码可见,可审计,不会对您的数据与 VPC 内的其他环境进行操作。您可以通过以下链接对 SelectDB 提供的 Terraform 模板进行审计:
在完成资源编排模板执行后,SelectDB Cloud 会与 BYOC 仓库建立连接,随后,您可以进入仓库,创建集群。
Manager 功能指南
BYOC 仓库的管理与 SAAS 仓库大致相同,根据自身架构有细微的不同。
集群
您可以像往常一样创建集群,并设置自动启停。
需要注意的是,BYOC 仓库的计费分为两部分:
- 云资源费用:启动集群时创建的虚拟机产生的费用,由云厂商收取。
- 计算服务费:运维集群所收取的服务费,由 SelectDB 收取,按照集群的核数与使用时长收费。
连接
在连接模块,由于仓库的核心组件已经进入您的 VPC,在这里也不再需要私网连接。为了不破坏您的 VPC 的网络规划,我们并没有设置开启公网的入口,您可以在云控制台自行设置负载均衡并开启公网。
监控告警
监控告警与 SAAS 仓库保持一致,您依然可以使用我们预制的监控指标,并通过多种渠道进行告警。
用量
在用量模块依然会展示您当前仓库当前的用量,包括计算(vCPU-Hour)与存储(GB-Hour),方便您在 SelectDB Cloud Manager 把握仓库的用量情况。
设置
在设置模块,您修改仓库名,修改仓库 admin 用户的密码,升级仓库版本以及删除仓库。
需要注意的是,当您删除仓库后, SelectDB Cloud 没有权限删除在您 VPC 内的管控组件,您可以通过删除 CloudFormation 产生的资源渣栈的方式,彻底删除在您 VPC 内的管控产生的机器资源与私网连接。
运维指引
BYOC 是 SelectDB 提供的在您的 VPC 部署的全托管服务,我们设计 BYOC 这种产品形态的目的就是尽可能简化您的运维操作。如果您在使用过程中遇到了任何问题,您都可以与 SelectDB 联系。在使用过程中,请注意下列的高危操作,可能导致集群不可用。
高危操作
大部分的仓库资源都在您的云环境中运行,请避免直接在云控制台直接操作 SelectDB 创建的云资源。
由 SelectDB Cloud 创建的云资源都有以下三个标签(Tag):
- selectdb-cloud-resource: sdb-server
- Name: 具体的仓库 ID
- selectdb-cluster-id: 具体的集群 ID
您可以通过云控制台的过滤功能过滤由 SelectDB 创建的资源。
可能导致仓库异常不可用的操作有:
- 修改 SelectDB 创建的角色/用户的权限
- 修改/删除 SelectDB 创建的虚拟机、存储桶
- 修改/删除 SelectDB 创建的终端节点服务
请注意, 您在云控制台操作导致的仓库不可用可能无法被恢复 。
登录 SelectDB 创建的主机
从我们 BYOC 的产品形态出发,在使用仓库时,您不需要登录物理机进行操作,且登录物理机对于系统来说是危险且不可控的。但出于审计、合规等要求,我们也为您提供登录主机的方式,请谨慎操作。
BYOC 集群节点的登录认证方式默认采用的是 SSH 密钥对。SSH 密钥对由 agent 代为生成和管理,并将其自动备份至用户远端对象存储桶中。
首先,我们需要提取密钥对,下面介绍一种简单获取密钥对的方法:
登录 agent 机器,agent 机器的密码是 selectdb-执行资源栈账号 ID 的后六位,比如 执行资源栈账号的 ID 是1086771816499303,那么登录 agent 机器的密码为:
selectdb-499303登录 agent 机器后,执行以下命令,即可获取 SSH 密钥对。
sdbctl get sdb:ecs:keypair
# 其中 privateKey 为私钥串信息
# {"KeyPairName":"op_keypair","PublicKey":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGZSYUTP0ylwElEjIc...mdLMUUN8tvdiYk0+m\nffvEUvRY=\n-----END RSA PRIVATE KEY-----\n"}
# 将 privateKey 内容保存到 login.perm,注意替换换行符
touch login.perm
sed -i 's/\\n/\r\n/g' login.pem
# 修改 login.perm 文件权限
chmod 400 login.perm获取密钥对之后,就可以像登录普通机器一样登录 BYOC 集群的节点了。
# sdbctl get sdb:ecs:keypair
ssh -i "login.perm" root@sdb-node-private-ip