Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com> Co-authored-by: Lu, Huayi <luhuayi@huawei.com> Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
<a name="EN-US_TOPIC_0000001707293909"></a><a name="EN-US_TOPIC_0000001707293909"></a>
<h1 class="topictitle1">Managing Enterprise Projects</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p926823291318">An enterprise project is a cloud resource management mode. Enterprise Management provides comprehensive management of cloud-based resources, personnel, and permissions. Unlike common management consoles, which control and configure each cloud product independently, the Enterprise Management console is oriented to resource management. It helps enterprises manage cloud-based resources, personnel, and permissions in a hierarchy of companies, departments, and projects.</p>
<div class="section" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_section1323291617427"><h4 class="sectiontitle">Binding an Enterprise Project</h4><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p3876191732818">You can select an enterprise project during cluster creation to associate it with the cluster. For details, see <a href="dws_01_0019.html">Creating a Cluster</a>. The <span class="parmname" id="EN-US_TOPIC_0000001707293909__parmname14876191762813"><b>Enterprise Project</b></span> drop-down list displays the projects you created. In addition, the system has a built-in enterprise project (<span class="parmvalue" id="EN-US_TOPIC_0000001707293909__parmvalue84427473810"><b>default</b></span>). If you do not select an enterprise project for the cluster, the default project is used.</p>
<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p425792432815">During cluster creation, if the cluster is successfully bound to an enterprise project, the cluster is created. If the binding fails, the system sends an alarm and cluster creation fails.</p>
<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p646714145508">Snapshots of a cluster retain the association between the cluster and its enterprise project. When the cluster is restored, the association is also restored.</p>
<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p6284226125619">When you delete a cluster, the association between the cluster and its enterprise project is automatically deleted.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_section9386284318"><h4 class="sectiontitle">Viewing Enterprise Projects</h4><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p195088643017">After a cluster is created, you can view the associated enterprise project in the cluster list and on the <strong id="EN-US_TOPIC_0000001707293909__b162316414471">Cluster Information</strong> page. You can query cluster resources only in projects for which you have access permission.</p>
<ul id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ul752811358563"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li2528153511562">In the cluster list on the <strong id="EN-US_TOPIC_0000001707293909__b157806173491">Clusters</strong> page, view the enterprise project to which the cluster belongs.</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li165281835105613">In the cluster list, find the target cluster and click the cluster name. The <span class="wintitle" id="EN-US_TOPIC_0000001707293909__wintitle1677517144414"><b>Cluster Information</b></span> page is displayed, on which you can view the enterprise project associated with the cluster. Click the enterprise project name to view and edit it on the Enterprise Management console.<div class="fignone" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_fig1822447112816"><span class="figcap"><b>Figure 1 </b>Viewing the enterprise project</span><br><span><img id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_image1225857134915" src="figure/en-us_image_0000001759359325.png" title="Click to enlarge" class="imgResize"></span></div>
</li></ul>
<ul id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ul1141072895716"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li14410128105712">When querying the resource list of a specified project on the Enterprise Management console, you can also query the GaussDB(DWS) resources.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_section395894514538"><h4 class="sectiontitle">Searching for Clusters by Enterprise Project</h4><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p18955317530">Log in to the GaussDB(DWS) management console, choose <strong id="EN-US_TOPIC_0000001707293909__b2033143424115">Clusters</strong> > <strong id="EN-US_TOPIC_0000001707293909__b113311834164112">Dedicated Clusters</strong>, click <span class="parmname" id="EN-US_TOPIC_0000001707293909__parmname123324342411"><b>All projects</b></span> above the cluster list, and select the required project name from the drop-down list to view all clusters associated with the project.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_section161961120114516"><h4 class="sectiontitle">Migrating a Cluster to or Out of an Enterprise Project</h4><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p35621629184414">A GaussDB(DWS) cluster can be associated with only one enterprise project. After a cluster is created, you can migrate it from its current enterprise project to another one on the Enterprise Management console, or migrate the cluster from another enterprise project to a specified enterprise project. After the migration, the cluster is associated with the new enterprise project. The association between the cluster and the original enterprise project is automatically released. For details, see "Resource Management > Managing Enterprise Project Resources" in the <em id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_i17414165131013">Enterprise Management User Guide</em>.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_section2165464536"><h4 class="sectiontitle">Enterprise Project-Level Authorization</h4><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p888314372">If permissions preset in the system cannot meet requirements, you can customize policies and grant the policies to user groups for refined access control. As an independent managed object, the enterprise project can be bound to a user group, and the customized policy can be granted to the user group. This implements refined authorization at the enterprise project level.</p>
<ol id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ol102949213211"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li142781757165616"><span>Log in to the IAM console and create a custom policy.</span><p><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p913202033113">For details, see the <em id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_i5344138121017">Identity and Access Management User Guide</em><em id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_i934548161019"></em>.</p>
<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p181382015317">Refer to the following to create the policy:</p>
<ul id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ul161502083115"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li171318201315">Use the IAM administrator account, that is, a user in the admin user group, because only the IAM administrator has permission to create users and user groups and to modify user group permissions.</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li51432093120">GaussDB(DWS) is a project-level service, so its <span class="parmname" id="EN-US_TOPIC_0000001707293909__parmname79068221232"><b>Scope</b></span> must be set to <span class="parmvalue" id="EN-US_TOPIC_0000001707293909__parmvalue3908422134"><b>Project-level services</b></span>. If the policy must take effect in multiple projects, grant the authorization in each project.</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1810964311382">Some GaussDB(DWS) policy templates are preconfigured on IAM. When creating a custom policy, you can select one of the following templates and modify the policy authorization statement based on the template:<ul id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ul1310984393818"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li201097433388"><strong id="EN-US_TOPIC_0000001707293909__b11780202194210">DWS FullAccess</strong>: all execution permissions for GaussDB(DWS)</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li15110114316383"><strong id="EN-US_TOPIC_0000001707293909__b15621023154210">DWS ReadOnlyAccess</strong>: read-only permission for GaussDB(DWS)</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1053226112612"><strong id="EN-US_TOPIC_0000001707293909__b1858162444216">DWS Administrator</strong>: all execution permissions for GaussDB(DWS)</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li557583722619"><strong id="EN-US_TOPIC_0000001707293909__b1057562618421">DWS Database Access</strong>: Users granted this permission can generate temporary database user credentials based on IAM users to connect to databases in the data warehouse clusters.</li></ul>
</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li9141220173112">You can add permissions corresponding to GaussDB(DWS) operations or RESTful APIs listed in <a href="dws_01_0149.html#EN-US_TOPIC_0000001659054650__en-us_topic_0000001422799425_section89181381475">List of Supported Actions</a> to the action list in the policy authorization statement, so that the policy grants those permissions.<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p51482018315">For example, if <strong id="EN-US_TOPIC_0000001707293909__b1721015151442">dws:cluster:create</strong> is added to the action list of a policy statement, the policy grants permission to create or restore clusters.</p>
</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1114112011313">If the policy also needs to use other services, grant the related operation permissions on those services. For details, see the help documents of related services.<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p1314520103110"><a name="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1114112011313"></a><a name="en-us_topic_0000001372520146_li1114112011313"></a>For example, when you create a GaussDB(DWS) cluster, you configure the VPC to which the cluster belongs. To obtain the VPC list, add the action <strong id="EN-US_TOPIC_0000001707293909__b8762143918416">vpc:*:get*</strong> to the policy statement.</p>
</li></ul>
<p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p141518203311">Policy example:</p>
<ul id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_ul11616203317"><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li111642033114">Example granting multiple operation permissions<div class="p" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p6161120193118"><a name="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li111642033114"></a><a name="en-us_topic_0000001372520146_li111642033114"></a>The following policy grants permissions to create/restore/restart/delete a cluster, set security parameters, and reset passwords.<pre class="screen" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_screen41692053118">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dws:cluster:create",
                "dws:cluster:restart",
                "dws:cluster:delete",
                "dws:cluster:setParameter",
                "dws:cluster:resetPassword",
                "ecs:*:get*",
                "ecs:*:list*",
                "vpc:*:get*",
                "vpc:*:list*"
            ]
        }
    ]
}</pre>
</div>
</li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1416102063112">Example of wildcard (*) usage<div class="p" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p71672013313"><a name="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li1416102063112"></a><a name="en-us_topic_0000001372520146_li1416102063112"></a>The following policy grants all operation permissions on GaussDB(DWS) snapshots.<pre class="screen" id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_screen016172033110">{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dws:snapshot:*",
                "ecs:*:get*",
                "ecs:*:list*",
                "vpc:*:get*",
                "vpc:*:list*"
            ]
        }
    ]
}</pre>
</div>
</li></ul>
</p></li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li62207565480"><span>Click the username in the upper right corner of the management console and select <strong id="EN-US_TOPIC_0000001707293909__b1092485914372">Enterprise Management</strong> from the drop-down list to enter the Enterprise Management console.</span></li><li id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_li4576164103510"><span>Choose <strong id="EN-US_TOPIC_0000001707293909__b18916181925014">Personnel Management > User Group Management</strong> in the left navigation tree. Then, create a user group and add users to it, add the user group to a project, and grant the newly created custom policy to the group so that users in the group can obtain the permissions defined by the policy.</span><p><p id="EN-US_TOPIC_0000001707293909__en-us_topic_0000001372520146_p57078195116">For details, see "Project Management > Personnel Management > Managing User Groups in an Enterprise Project" in the <em id="EN-US_TOPIC_0000001707293909__i1380219953411">Enterprise Management User Guide</em>.</p>
</p></li></ol>
</div>
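<p>Added example, not part of the original documentation or of GaussDB(DWS): a Python check a reviewer could run on a custom policy before granting it to a user group, reporting wildcard dws actions and high-impact actions the policy allows. The HIGH_IMPACT set, the constructed dws:cluster:* variant, and the matching rule (* matches any run of characters, case-sensitively) are assumptions; only action names shown on this page are used.</p>

```python
import json
from fnmatch import fnmatchcase

# Action names shown on this page; a real review would load the complete set
# from "List of Supported Actions".
PAGE_ACTIONS = ["dws:cluster:create", "dws:cluster:restart", "dws:cluster:delete",
                "dws:cluster:setParameter", "dws:cluster:resetPassword"]
# Assumption: the reviewer's own choice of actions that need explicit sign-off.
HIGH_IMPACT = {"dws:cluster:delete", "dws:cluster:setParameter",
               "dws:cluster:resetPassword"}

def review(policy_json, service="dws"):
    """Return (findings, granted) for one custom policy document."""
    doc = json.loads(policy_json)
    patterns = [action
                for stmt in doc.get("Statement", [])
                if stmt.get("Effect") == "Allow"
                for action in stmt.get("Action", [])]
    # A wildcard in the service's own namespace allows every action it matches.
    findings = [f"wildcard: {p}" for p in patterns
                if p.split(":", 1)[0] == service and "*" in p]
    # Assumption: "*" matches any run of characters, case-sensitively.
    granted = sorted(a for a in PAGE_ACTIONS
                     if any(fnmatchcase(a, p) for p in patterns))
    findings += [f"high-impact: {a}" for a in granted if a in HIGH_IMPACT]
    return findings, granted

def make_policy(*actions):
    """Build a Version 1.1 policy document with a single Allow statement."""
    return json.dumps({"Version": "1.1",
                       "Statement": [{"Effect": "Allow", "Action": list(actions)}]})

READ_DEPS = ["ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*"]
# The page's two example policies, plus a constructed broader variant.
MULTI_OPS = make_policy(*PAGE_ACTIONS, *READ_DEPS)
SNAPSHOT_ALL = make_policy("dws:snapshot:*", *READ_DEPS)
CLUSTER_ALL = make_policy("dws:cluster:*", *READ_DEPS)  # constructed, not from the page

if __name__ == "__main__":
    for name, doc in [("multi-ops", MULTI_OPS), ("snapshot-all", SNAPSHOT_ALL),
                      ("cluster-all", CLUSTER_ALL)]:
        findings, granted = review(doc)
        print(name, len(granted), "page actions granted;", findings)
```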
</div>