diff --git a/docs/das/umn/das_01_0002.html b/docs/das/umn/das_01_0002.html index c936b8c10..afc6c43d6 100644 --- a/docs/das/umn/das_01_0002.html +++ b/docs/das/umn/das_01_0002.html @@ -2,7 +2,7 @@

What Is Data Admin Service?

Data Admin Service (DAS) is a web service that allows you to log in to and perform operations on databases.

- +
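Review bot: the only changed lines in this hunk (the `-`/`+` pair after the DAS definition sentence) render as empty, so the edit cannot be reviewed from the text; if it is a markup-only change (a class attribute or link target, for example), state that in the commit message, and if it was meant to alter the sentence "Data Admin Service (DAS) is a web service that allows you to log in to and perform operations on databases." the new wording is missing from the hunk.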
diff --git a/docs/das/umn/das_01_0012.html b/docs/das/umn/das_01_0012.html index 50162a5fc..53f945590 100644 --- a/docs/das/umn/das_01_0012.html +++ b/docs/das/umn/das_01_0012.html @@ -1,7 +1,7 @@

Permissions Management

-

If you need to assign different permissions to different employees in your enterprise to access your DAS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control for your cloud resources.

+

If you need to assign different permissions to different employees in your enterprise to access your DAS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control for your resources.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, if you need software developers in your enterprise to be able to use DAS but not able to delete DAS resources or perform any high-risk operations, you can create IAM users for the developers and grant them only the permissions required for using DAS resources.

If your account does not require individual IAM users for permissions management, you can skip this section.

DAS Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups and attach permissions policies or roles to these groups. Users then inherit permissions from the groups they belong to and can perform specified operations on cloud services.
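Review bot: dropping "cloud" from "access control for your cloud resources" in the added paragraph leaves the file inconsistent, since the unchanged lines right below still say "perform specified operations on cloud services" and the Policies bullet says "specific cloud resources"; pick one term and apply it throughout the page, or leave the sentence as it was.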

@@ -9,7 +9,7 @@

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization system that defines permissions related to users responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you may need to also assign other roles that the permissions depend on. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization system that defines permissions required to perform operations on specific cloud resources under certain conditions. Policies are more flexible than roles, and they can ensure more secure access control. For example, you can grant IAM users only permissions for managing a certain type of database resource.
-

Table 1 lists all the system-defined roles and policies supported by DAS.

+

Table 1 lists all system permissions of DAS.
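Review bot: the new sentence "Table 1 lists all system permissions of DAS." introduces "system permissions" as the umbrella term while the two bullets just above it still describe "Roles" and "Policies" and the table rows classify each entry as a role or a policy; a short bridging clause ("system permissions, that is, the system-defined roles and policies") keeps the terms connected for a reader choosing between the two. Drive-by on the unchanged Roles bullet: "users responsibilities" needs the possessive apostrophe ("users' responsibilities").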

@@ -23,9 +23,9 @@ - - - - + + + + +
Table 1 DAS system permissions

Policy Name

DAS Administrator

DAS administrator, who has full permissions for DAS.

+

DAS administrator with all permissions for DAS

System-defined role

+

System role

This role depends on the Tenant Guest role.

The DAS Administrator and Tenant Guest roles must be assigned in the same project.
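Review bot: the unchanged column header "Policy Name" now sits above a row whose type cell was changed to "System role", under a caption that reads "DAS system permissions"; rename the header to match ("Permission Name" or "Role/Policy Name"). The rewritten description "DAS administrator with all permissions for DAS" also drops the terminal period that the other description cells in this table keep ("This role depends on the Tenant Guest role."); make the punctuation consistent. The dependency sentence about DAS Administrator and Tenant Guest having to be assigned in the same project is the part a reader setting up least privilege needs, so keep it adjacent to the row.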

@@ -33,13 +33,22 @@

DAS FullAccess

Full permissions for DAS

+

All permissions for DAS

System-defined policy

+

System policy

None

DAS ReadOnlyAccess

+

Read-only permission for DAS

+

System policy

+

None

+
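Review bot: the new "DAS ReadOnlyAccess" row says only "Read-only permission for DAS" and "None", which tells the reader nothing about which operations the policy actually allows; add a pointer to the operations table ("see Table 2") or list the permitted actions, because this is the policy a team would hand to auditors or analysts and they need to know whether it even covers logging in to a database. Minor: the other descriptions in the table were changed to the plural ("All permissions for DAS"), so "Read-only permissions for DAS" would match.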
@@ -48,47 +57,59 @@

By default, users with fine-grained authorization have permissions to view and delete database connections on the Development Tool page on DAS. The instances are the same as those configured for related services.

Table 2 describes the common operations supported by each system-defined policy or role of DAS. Select the policy or role you need based on the following tables.

-
Table 2 Common operations supported by each system-defined policy or role of DAS

Operation

+
- - + - - - + - - - + - - - + - - - + - - - + @@ -161,9 +182,9 @@ - @@ -171,9 +192,9 @@ - diff --git a/docs/das/umn/das_04_0042.html b/docs/das/umn/das_04_0042.html index 6fc6974a0..c14258bc1 100644 --- a/docs/das/umn/das_04_0042.html +++ b/docs/das/umn/das_04_0042.html @@ -11,7 +11,12 @@ - + + + @@ -21,6 +26,8 @@ - - - - - -
Table 2 Common operations and system permissions

Operation

DAS Administrator

+

DAS Administrator

DAS FullAccess

+

DAS FullAccess

+

DAS ReadOnlyAccess

Logging in to a database

+

Logging in to a database

Supported

+

Supported

+

+

x

Adding a database connection

+

Adding a database connection

Supported

+

Supported

+

+

x

Modifying a database connection

+

Modifying a database connection

Supported

+

Supported

+

+

x

Deleting a DB instance connection

+

Deleting a DB instance connection

Supported

+

Supported

+

+

x

Viewing the login list in Development Tool

+

Viewing the login list in Development Tool

Supported

+

Supported

+

+
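Review bot: the ReadOnlyAccess column of the rewritten Table 2 is inconsistent with the paragraph above it: the unchanged context line says "By default, users with fine-grained authorization have permissions to view and delete database connections on the Development Tool page on DAS", yet the added cells mark "Deleting a DB instance connection" with "x" for DAS ReadOnlyAccess, and the last row, "Viewing the login list in Development Tool", ends in two "+" lines with no value at all for that column. Fill in the missing cell and reconcile the sentence with the table (or qualify it, for example "users with DAS FullAccess"). Also define the "x" marker, since every other cell uses the word "Supported" ("Not supported", or a legend under the table), and fix "Select the policy or role you need based on the following tables.", which refers to several tables where there is one.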

Operation permissions:

  • All permissions on the account center, billing center, and resource center
  • All permissions on cloud resources owned by the account
-

OBS policies are configured in the Global project.

+

OBS policies are configured in global projects.

System-defined role

+

System role

None

OBS OperateAccess

Operation permissions: Users with this permission can view buckets, obtain basic bucket information, obtain bucket metadata, view objects, upload objects, download objects, delete objects, and obtain object ACLs.

-

Configure the OBS policies globally.

+

OBS policies are configured in global projects.

System-defined policy

+

System policy

None
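Review bot: the two rewritten cells now read "OBS policies are configured in global projects.", plural, whereas the removed text said "the Global project" (singular, capitalised) and the DAS table earlier in the same file talks about roles being "assigned in the same project"; confirm whether OBS policies are attached to one global project or to several, since a reader scoping OBS OperateAccess for DAS file imports needs to know which project to select. Unifying the two rows on one sentence is an improvement; the "None" cells are unchanged and should stay so.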

Import Type

+

Database

+

Select the target database to which the file is to be imported.

+

Import Type

Set Import Type to sql or CSV.

Import a file from your local PC or an OBS bucket.

  • Upload file

    If you select Upload file for File Source, you need to set Attachment Storage and upload the required file.

    To keep your data secure, provide your own OBS bucket to store the file you uploaded. In this way, DAS automatically connects to your OBS bucket for in-memory reading. No data is stored on DAS.

    +

    Select an OBS bucket to store the file. Click Bucket ACL Info to check whether a public OBS bucket is selected.

    +
    • SAFE: The bucket ACL permission set does not contain ALL USERS.
    • WARN: The bucket ACL permission set contains ALL USERS.
    • UNKNOWN: The bucket ACL permission set is unknown, maybe due to the lack of IAM permissions. You are advised to go to the OBS page to view the bucket ACL configuration.

    Creating OBS buckets is free of charge, but saving files will incur certain costs.

    If you select Delete the uploaded file upon an import success, the file you uploaded will be automatically deleted from the OBS bucket after being imported to the destination database.

  • Choose from OBS

    If you select Choose from OBS for File Source, you need to select a file from the bucket.
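Review bot: the SAFE/WARN/UNKNOWN list moved under the "Upload file" bullet states what each result means but not what the reader should do with it; since "WARN: The bucket ACL permission set contains ALL USERS." means the bucket grants permissions to that catch-all grantee and the uploaded import file would be exposed accordingly, add the action ("choose a bucket whose ACL does not grant ALL USERS before uploading") rather than leaving the interpretation to the user. The UNKNOWN bullet already sends the user to the OBS console, so the WARN bullet should be at least as directive. The new "Database" row ("Select the target database to which the file is to be imported.") reads fine; the unchanged line "Set Import Type to sql or CSV." mixes cases and should read "SQL or CSV".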

    @@ -28,17 +35,6 @@

Attachment Storage

-

Select an OBS bucket to store the file. Click Bucket ACL Info to check whether a public OBS bucket is selected.

-
  • SAFE: The bucket ACL permission set does not contain ALL USERS.
  • WARN: The bucket ACL permission set contains ALL USERS.
  • UNKNOWN: The bucket ACL permission set is unknown, maybe due to the lack of IAM permissions. You are advised to go to the OBS page to view the bucket ACL configuration.
-

Database

-

Select the database that you want to import the file to.

-

Charset

Select a charset as needed.
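Review bot: the removed lines delete the descriptions for "Attachment Storage" and "Database" (moved into the file-source bullets in the earlier hunk), but "Attachment Storage" itself is an unchanged context line, so either an empty table row survives or a field now appears with no description; check the rendered table and drop the orphaned header or reinstate a one-line description. If the row stays, keep the "Bucket ACL Info" check with it, because that check is the only place that tells the user whether the bucket they selected is public.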

diff --git a/docs/das/umn/das_10_0014.html b/docs/das/umn/das_10_0014.html index 0206021d5..13ea25e02 100644 --- a/docs/das/umn/das_10_0014.html +++ b/docs/das/umn/das_10_0014.html @@ -4,7 +4,12 @@
  1. Error message: Access denied for user 'user_name'@'100.xxx.xx.xx' (using password: YES)
    1. Error cause: The username or password of the RDS instance is incorrect.
      Solution: Check whether the username and password are correct. If you are not sure, log in to the RDS console to reset the password.

      Changing the password may affect services.

      -

      If the username and password are correct, log in to the database using a client or CLI and run select * from mysql.user where user = 'user_name' to view the account. If 100.xxx.xxx.xxx is assigned to a user, only the user can connect to the database through DAS. user_name @% and user_name @100.% are different users with independent passwords and permissions. Enter the password of user_name @100.%.

      +

      MySQL account names consist of a user name and a host name, which enables creation of distinct accounts for users with the same user name who connect from different hosts.

      +

      100.% indicates an IP address starting with 100 assigned to a server where DAS is installed.

      +

      To log in to the database on DAS as a non-root user, make sure 100.% is assigned to the user's host.

      +

      If the username and password are correct, log in to the database using a client or CLI as the root user. Then run select * from mysql.user where user = 'user_name' to view the account.

      +

      user_name @% and user_name @100.% are different users with independent passwords and permissions even they have the same user_name. If you have both the accounts, enter the password of user_name @100.% to log in to your database on DAS.

      +
      Figure 1 User management
    2. Error cause: The IP address of the DAS server is not in the whitelist of the login user.
      Solution: Log in to the database using the client or CLI, and create a user that can be used to access the database through DAS.
      create user 'user_name'@'100.%' identified by 'password'; 
       grant select on *.* to 'user_name'@'100.%';
      • Ensure that the IP address of the DAS server is in a CIDR block starting with 100. Add the IP address to the whitelist of the login user.
      • Grant permissions to user user_name@100.% based on service requirements.
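Review bot: the added explanation "100.% indicates an IP address starting with 100 assigned to a server where DAS is installed." describes a single address, but "100.%" is a host pattern that matches any connecting host whose address starts with "100.", which is exactly what the unchanged bullet "Ensure that the IP address of the DAS server is in a CIDR block starting with 100." relies on; say "matches the DAS server addresses, which fall in a CIDR block starting with 100" so the two statements agree. Grammar in the new sentences: "even they have the same user_name" should be "even if they have the same user name", and "If you have both the accounts" should be "If you have both accounts". Drive-by on the unchanged example "grant select on *.* to 'user_name'@'100.%';": it grants read access to every database on the instance, while the bullet right after says to grant permissions "based on service requirements"; scoping the example to the target database (for instance "grant select on db_name.* to 'user_name'@'100.%';", with db_name as a placeholder) would match that bullet and avoid over-provisioning a DAS login. Also, the new "Figure 1 User management" caption presumably refers to the png added at the end of this patch; give the figure a one-line description of what the mysql.user output shows so the step is usable without the screenshot.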
      @@ -14,7 +19,7 @@ grant select on *.* to 'user_name'@'100.%';
      select user, host, ssl_type from mysql.user where user = 'user_name';
  2. Error message: Trying to connect with ssl, but ssl not enabled in the server

    Error cause: The SSL function is not enabled on the server.

    -
    Solution: Run the following statement to check whether the user is an SSL user. If yes, enable SSL on the RDS instance details page. The user is an SSL user if the ssl_type field has a value.
    select user, host, ssl_type from mysql.user where user = 'user_name';
    +
    Solution: Run the following statement to check whether the user is an SSL user. If yes, enable SSL on the RDS instance details page. The user is an SSL user if the ssl_type field has a value.
    select user, host, ssl_type from mysql.user where user = 'user_name';
  3. Error message: Client does not support authentication protocol requested by server. plugin type was = 'sha256_password'.
    1. Error cause: DAS does not allow you to connect to the database whose password is encrypted with SHA-256.
      Solution: Execute the following SQL statements to change the password encryption method to mysql_native_password.
      alter user 'user_name'@'%' identified with mysql_native_password by 'password';
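Review bot: the removed and added pairs in this hunk ("Solution: Run the following statement to check whether the user is an SSL user..." and the select statement beneath it) render identically, so the change is invisible in the text; if it only touches markup, say so in the commit message. While here, the unchanged context for item 3 tells the user to run "alter user 'user_name'@'%' identified with mysql_native_password by 'password';" to work around the sha256_password error, which switches that account to a weaker password-storage plugin; the page should state that trade-off, and that it applies only to the account being changed, rather than presenting the statement as a neutral fix.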
      diff --git a/docs/das/umn/en-us_image_0000002369231434.png b/docs/das/umn/en-us_image_0000002369231434.png new file mode 100644 index 000000000..b99e66beb Binary files /dev/null and b/docs/das/umn/en-us_image_0000002369231434.png differ