Huawei Cloud prerequisites
This page describes the Huawei Cloud operations involved in creating a BYOC (Bring Your Own Cloud) warehouse: preparing a Virtual Private Cloud (VPC) and subnet, and understanding the Resource Formation Service (RFS) template and the resource stack it creates.
Prepare a VPC and subnet
Tips:
- If you already have a VPC and subnet that meet the region and availability-zone requirements, and you want the BYOC warehouse deployed in that VPC, skip the VPC and subnet creation steps below.
- The currently supported regions and subnet availability zones are:

| Cloud platform | Region name | Region ID | Availability zone ID |
|---|---|---|---|
| Huawei Cloud | Beijing | cn-north-4 | All |
| Huawei Cloud | Singapore | ap-southeast-3 | All |
| Huawei Cloud | Guangzhou | cn-south-1 | All |
| Huawei Cloud | Mexico City 2 | la-north-2 | All |
| Huawei Cloud | Shanghai | cn-east-3 | All |
Before creating a BYOC warehouse, if no existing VPC and subnet meet the requirements, create them in advance as follows.
Open the Huawei Cloud Virtual Private Cloud (VPC) console, click Create VPC, and open the VPC creation page.
Select the region in which you want the BYOC warehouse created, enter a name, choose the IPv4 CIDR block and the enterprise project, enter the subnet name and availability zone, and click Create Now to finish.
Understanding Resource Formation and resource stacks (optional)
When the Resource Formation Service (RFS) executes the stack template in your cloud account, it creates and modifies VPC, ECS, OBS and other cloud resources, so it needs a corresponding set of IAM permissions.
Create the stack with administrator permissions, or ask an administrator to create it for you; otherwise template execution may fail part-way through because of insufficient permissions.
RFS template description
The resource formation template provided by SelectDB runs inside your own cloud account. The template code is visible and auditable, and it does not touch your data or any other environment inside your VPC. You can download the SelectDB template from:
https://selectdb-cloud-online-bj.obs.cn-north-4.myhuaweicloud.com/public/hwcloud-byoc.zip
When you execute this template through Huawei Cloud RFS, it automatically creates and deploys the Agent. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization flow.
Once the template has finished executing, you can open the corresponding warehouse in the SelectDB Cloud console and, exactly as with an ordinary warehouse, start creating compute clusters for data analysis.
How to view resource stack information
In the Huawei Cloud RFS console you can view every resource created by the SelectDB stack template, and look up a specific resource by its name.
Note: all resources created by the stack template belong to your cloud account and are used only inside your VPC; they are not handed out of your account.
- Virtual machines
  - Names: SelectDBAgent (ECS), SelectDBEip (VPC EIP)
  - Purpose: the ECS instance hosts the Agent, Prometheus, FluentBit and related programs; the EIP is bound to the Agent instance to give it public network access to the BSS billing service
- VPC endpoint
  - Name: SelectDBEndpoint (VPC Endpoint)
  - Purpose: establishes the private connection to the SelectDB Cloud platform over which the Agent pulls control-plane instructions and pushes monitoring data and logs
- Storage bucket
  - Name: SelectDBBucket (OBS Bucket)
  - Purpose: stores the warehouse data
- Security group
  - Name: SelectDBSecurityGroup (VPC SecurityGroup)
  - Purpose: bound to every ECS instance that SelectDB creates; its rules restrict inbound and outbound traffic to specific ports and specific sources
- Sub-user / permission policies
  - Names: SelectDBUser (sub-user), SelectDBUserRegionPolicy (sub-user permissions for region-level services), SelectDBUserGlobalPolicy (sub-user permissions for global-level services)
  - Purpose: the sub-user carries the minimum set of permissions the Agent needs; all subsequent control-plane operations are performed under this sub-user's identity
Permissions of the sub-user created by the stack template
The first execution of the stack template creates a sub-user that is used afterwards to manage the data warehouse components inside your VPC. Example policies for this sub-user, with explanations, follow.
Note: the sub-user belongs to your cloud account and is used only inside your VPC; its credentials are not handed out of your account.
Read the region-level policy as two statements. The first is restricted by the condition `g:ResourceTag/resource-created-by = selectdb`, so it can only act on resources the stack itself tagged. The second carries no condition and names `"Resource": ["*"]`, so its actions (security-group and ELB management, EVS volume operations, and the billing actions `bss:order:view`, `bss:order:pay` and `bss:renewal:update`) apply to every resource in the project; that is the statement to review most carefully before approving the stack.
- Region-level service policy
{
"Statement": [
{
"Action": [
"ecs:cloudServers:list",
"ecs:cloudServers:createServers",
"ecs:cloudServers:deleteServers",
"ecs:cloudServers:updateServer",
"ecs:cloudServers:changeChargeMode",
"ecs:cloudServers:resize",
"ecs:cloudServers:reboot",
"ecs:cloudServers:stop",
"ecs:cloudServers:start",
"ecs:cloudServers:showServerBlockDevice",
"ecs:cloudServers:listServerBlockDevices",
"ecs:servers:get",
"ecs:servers:list",
"ecs:servers:start",
"ecs:servers:stop",
"ecs:servers:reboot",
"ecs:servers:resize",
"ecs:securityGroups:use",
"ecs:servers:getTags",
"ecs:servers:setTags",
"vpc:securityGroups:get",
"vpc:securityGroups:update",
"vpc:securityGroupRules:get",
"vpc:ports:create",
"vpc:ports:update",
"vpc:ports:delete"
],
"Condition": {
"StringEquals": {
"g:ResourceTag/resource-created-by": [
"selectdb"
]
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ecs:cloudServers:showServer",
"ecs:cloudServers:batchSetServerTags",
"evs:volumeTags:create",
"evs:volumeTags:delete",
"evs:volumes:*",
"evs:volumes:get",
"evs:volumes:extend",
"bss:renewal:update",
"bss:order:view",
"bss:order:pay",
"vpc:vpcs:get",
"vpc:vpcs:list",
"vpc:subnets:get",
"vpc:securityGroups:create",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:create",
"vpc:securityGroupRules:delete",
"vpc:ports:get",
"elb:loadbalancers:get",
"elb:loadbalancers:list",
"elb:loadbalancers:create",
"elb:loadbalancers:delete",
"elb:loadbalancerTags:get",
"elb:loadbalancerTags:create",
"elb:loadbalancerTags:delete",
"elb:listeners:get",
"elb:listeners:list",
"elb:listeners:create",
"elb:listeners:delete",
"elb:listenerTags:get",
"elb:listenerTags:create",
"elb:listenerTags:delete",
"elb:pools:get",
"elb:pools:list",
"elb:pools:create",
"elb:pools:delete",
"elb:members:get",
"elb:members:list",
"elb:members:create",
"elb:members:delete",
"elb:l7policies:get",
"elb:l7policies:list",
"elb:l7policies:create",
"elb:l7policies:delete",
"elb:l7rules:get",
"elb:l7rules:list",
"elb:l7rules:create",
"elb:l7rules:delete",
"elb:healthmonitors:get",
"elb:healthmonitors:list",
"elb:healthmonitors:put",
"elb:healthmonitors:create",
"elb:healthmonitors:delete",
"elb:ipgroups:get",
"elb:ipgroups:list",
"elb:ipgroups:create",
"elb:ipgroups:put",
"elb:ipgroups:delete"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1.1"
}
- Global-level service policy
{
"Statement": [
{
"Action": [
"obs:bucket:*",
"obs:object:*"
],
"Effect": "Allow",
"Resource": [
"OBS:*:*:bucket:selectdb-bucket-demo",
"OBS:*:*:object:selectdb-bucket-demo/*"
]
},
{
"Action": [
"iam:credentials:getCredential",
"iam:credentials:listCredentials",
"iam:credentials:createCredential"
],
"Condition": {
"StringEquals": {
"g:UserName": [
"selectdb-user-demo"
]
}
},
"Effect": "Allow"
}
],
"Version": "1.1"
}
The permissions break down as follows:
- ECS permissions:
  - Project-level services: manage ECS instances, their EVS disks, and the orders and renewals billed for them:
    "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "ecs:cloudServers:batchSetServerTags", "evs:volumeTags:create", "evs:volumeTags:delete", "evs:volumes:*", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:view", "bss:order:pay"
- VPC & ELB permissions:
  - Project-level services: read VPC resource information:
    "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get"
  - Project-level services: manage security groups and ports:
    "vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete", "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete"
  - Project-level services: manage Elastic Load Balance (ELB) resources:
    "elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete"
- OBS permissions:
  - Global-level service: manage the OBS bucket and read and write the bucket and its contents. The Resource entries pin the grant to the single bucket the stack created (shown here as selectdb-bucket-demo), not to every bucket in the account:
    { "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "OBS:*:*:bucket:selectdb-bucket-demo", "OBS:*:*:object:selectdb-bucket-demo/*" ] }
- IAM permissions:
  - Global-level service: allow the sub-user to create permanent access keys (AK/SK). The g:UserName condition restricts this to the sub-user's own credentials (shown here as selectdb-user-demo), so it cannot mint keys for any other user:
    { "Action": [ "iam:credentials:getCredential", "iam:credentials:listCredentials", "iam:credentials:createCredential" ], "Condition": { "StringEquals": { "g:UserName": [ "selectdb-user-demo" ] } }, "Effect": "Allow" }
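The two policies above are what a reviewer signs off on before letting the stack run, and the questions are always the same: which statements are scoped by a condition, which contain wildcards, which reach every resource in the project, and whether the OBS grant is pinned to one bucket. The following script is an added example, not part of the SelectDB template or any Huawei Cloud tool. It answers those questions for the region-level and global-level policies shown on this page (abridged to a few representative actions; the structure and the findings are unchanged). It assumes, as a labelled assumption, that a statement with no "Resource" key applies to all resources.

```python
"""Least-privilege review of the two IAM policies the SelectDB BYOC stack grants.

Added example, not part of the SelectDB stack template or any Huawei Cloud tool.
It parses Huawei Cloud IAM policy documents ("Version": "1.1") and reports
wildcard actions, actions made redundant by a wildcard in the same statement,
Allow statements that reach every resource without any Condition, billing
(bss:) actions, and the buckets the OBS grant is pinned to.
"""
import json

# Abridged copy of SelectDBUserRegionPolicy from this page: fewer actions, same structure.
REGION_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers",
                "vpc:ports:create", "vpc:ports:delete"],
     "Condition": {"StringEquals": {"g:ResourceTag/resource-created-by": ["selectdb"]}},
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["ecs:cloudServers:showServer", "evs:volumes:*", "evs:volumes:get",
                "evs:volumes:extend", "bss:renewal:update", "bss:order:view",
                "bss:order:pay", "vpc:securityGroups:create", "elb:loadbalancers:create"],
     "Resource": ["*"]}
  ]
}""")

# Abridged copy of SelectDBUserGlobalPolicy from this page.
GLOBAL_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["obs:bucket:*", "obs:object:*"],
     "Resource": ["OBS:*:*:bucket:selectdb-bucket-demo",
                  "OBS:*:*:object:selectdb-bucket-demo/*"]},
    {"Effect": "Allow",
     "Action": ["iam:credentials:getCredential", "iam:credentials:listCredentials",
                "iam:credentials:createCredential"],
     "Condition": {"StringEquals": {"g:UserName": ["selectdb-user-demo"]}}}
  ]
}""")


def _allow_statements(policy):
    """Yield (index, statement) for every Allow statement."""
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            yield i, stmt


def _resources(stmt):
    # Assumption: a statement with no "Resource" key applies to all resources.
    return stmt.get("Resource", ["*"])


def wildcard_actions(policy):
    """(statement index, action) for every action ending in a wildcard."""
    return [(i, a) for i, s in _allow_statements(policy)
            for a in s["Action"] if a.endswith("*")]


def shadowed_actions(policy):
    """Actions already covered by a wildcard in the same statement, i.e. redundant."""
    out = []
    for i, s in _allow_statements(policy):
        prefixes = [a[:-1] for a in s["Action"] if a.endswith("*")]
        out += [(i, a) for a in s["Action"]
                if not a.endswith("*") and any(a.startswith(p) for p in prefixes)]
    return out


def unscoped_statements(policy):
    """Indices of Allow statements with Resource "*" and no Condition: these reach
    every resource in the project, not only the ones the stack tagged."""
    return [i for i, s in _allow_statements(policy)
            if "*" in _resources(s) and not s.get("Condition")]


def billing_actions(policy):
    """(statement index, action, conditioned?) for every bss: action."""
    return [(i, a, bool(s.get("Condition"))) for i, s in _allow_statements(policy)
            for a in s["Action"] if a.startswith("bss:")]


def obs_buckets(policy):
    """Bucket names the OBS grants are pinned to; "*" means any bucket."""
    buckets = set()
    for _, s in _allow_statements(policy):
        if not any(a.startswith("obs:") for a in s["Action"]):
            continue
        for r in _resources(s):
            if r == "*":
                buckets.add("*")
                continue
            # Resource URN layout: OBS:<region>:<domain>:<bucket|object>:<bucket>[/<key>]
            buckets.add(r.split(":", 4)[4].split("/", 1)[0])
    return buckets


if __name__ == "__main__":
    for name, policy in (("SelectDBUserRegionPolicy", REGION_POLICY),
                         ("SelectDBUserGlobalPolicy", GLOBAL_POLICY)):
        print(f"== {name}")
        print("  wildcard actions :", wildcard_actions(policy))
        print("  shadowed actions :", shadowed_actions(policy))
        print("  unscoped stmts   :", unscoped_statements(policy))
        print("  billing actions  :", billing_actions(policy))
        print("  OBS buckets      :", obs_buckets(policy))
```

Run against the page's policies, the script reports exactly what the prose says: the region policy's second statement is unscoped and carries the three unconditioned bss: actions, `evs:volumes:get` and `evs:volumes:extend` are redundant next to `evs:volumes:*`, and the global policy's OBS grant is pinned to `selectdb-bucket-demo` rather than to every bucket. To turn this into a gate, replace the prints with assertions on the expected findings and run it against the policy documents exported from IAM after the stack completes.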