SWJTU-ZhangLei commented on code in PR #2236:
URL: https://github.com/apache/doris-website/pull/2236#discussion_r2052149051


##########
docs/admin-manual/auth/integrations/aws-authentication-and-authorization.md:
##########
@@ -0,0 +1,424 @@
+---
+{
+    "title": "AWS authentication and authorization",
+    "language": "en"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+Doris 支持两种 AWS 认证和鉴权方式访问 AWS 服务,IAM User和Assumed Role, 本文介绍如何配置这两种认证和鉴权方式的 AWS 
安全凭证。
+
+# 认证方式介绍
+
+## IAM User 认证鉴权
+
+Doris 支持通过 AWS IAM User 来实现对外部数据源的访问认证和鉴权, 
即access_key和secret_key密钥的方式,具体配置步骤如下(详细的介绍请参见 AWS 官网文档 [IAM 
USER](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)):
+
+### Step1 登录AWS控制台创建IAM User并配置IAM策略
+
+1. 登录AWS控制台选择Create user按钮
+
+![](/images/integrations/create_iam_user.png)
+
+2. 选择直接附加策略
+
+![](/images/integrations/iam_user_attach_policy1.png)
+
+3. 在策略编辑器中填入对应的AWS资源策略,下文S3 Bucket为例列出了读/写策略的常见模板
+
+![](/images/integrations/iam_user_attach_policy2.png)
+
+S3 Bucket读策略模版(注意替换对应的bucket name和prefix路径)
+```JSON
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "s3:GetObject",
+              "s3:GetObjectVersion"
+            ],
+            "Resource": "arn:aws:s3:::<bucket>/<prefix>/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "arn:aws:s3:::<bucket>",
+            "Condition": {
+                "StringLike": {
+                    "s3:prefix": [
+                        "<prefix>/*"
+                    ]
+                }
+            }
+        }
+    ]
+}
+```
+
+S3 Bucket写策略模板
+```JSON
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "s3:PutObject",
+              "s3:GetObject",
+              "s3:GetObjectVersion",
+              "s3:DeleteObject",
+              "s3:DeleteObjectVersion",
+              "s3:AbortMultipartUpload",      
+              "s3:ListMultipartUploadParts"
+            ],
+            "Resource": "arn:aws:s3:::<bucket>/<prefix>/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "arn:aws:s3:::<bucket>",
+            "Condition": {
+                "StringLike": {
+                    "s3:prefix": [
+                        "<prefix>/*"
+                    ]
+                }
+            }
+        }
+    ]
+}
+```
+
+4. 创建IAM User成功后,创建访问密钥
+
+![](/images/integrations/iam_user_create_ak_sk.png)
+
+### Step2 通过访问密钥和SQL语句使用Doris对应功能
+
+S3 Load
+```SQL
+  LOAD LABEL s3_load_2022_04_01
+  (
+      DATA INFILE("s3://your_bucket_name/s3load_example.csv")
+      INTO TABLE test_s3load
+      COLUMNS TERMINATED BY ","
+      FORMAT AS "CSV"
+      (user_id, name, age)
+  )
+  WITH S3
+  (
+      "provider" = "S3",
+      "s3.endpoint" = "s3.us-east-1.amazonaws.com",
+      "s3.region" = "us-east-1",
+      "s3.access_key" = "<your-ak>",
+      "s3.secret_key" = "<your-sk>"
+  )
+  PROPERTIES
+  (
+      "timeout" = "3600"
+  );
+```
+
+TVF
+```SQL
+  SELECT * FROM S3 (
+      'uri' = 's3://your_bucket/path/to/tvf_test/test.parquet',
+      'format' = 'parquet',
+      's3.endpoint' = 's3.us-east-1.amazonaws.com',
+      's3.region' = 'us-east-1',
+      's3.access_key' = '<your-ak>',
+      's3.secret_key'='<your-sk>'
+  )
+```
+
+External Catalog
+```SQL
+  CREATE CATALOG iceberg_catalog PROPERTIES (
+      'type' = 'iceberg',
+      'iceberg.catalog.type' = 'hadoop',
+      'warehouse' = 's3://your_bucket/dir/key',
+      's3.endpoint' = 's3.us-east-1.amazonaws.com',
+      's3.region' = 'us-east-1',
+      's3.access_key' = '<your-ak>',
+      's3.secret_key' = '<your-sk>'
+  );
+```
+......
+
+您可以在不同 业务逻辑 里指定不同的 IAM User 的 Access Key 和 Secret Key,从而实现外部数据的访问控制。
+
+## Assumed Role 认证鉴权
+
+Assumed Role 支持通过担任 AWS IAM Role 来实现对外部数据源的访问认证和鉴权,配置图示如下图,详细步骤如下文(参见 AWS 
官网文档[代入角色](https://docs.aws.amazon.com/zh_cn/awscloudtrail/latest/userguide/cloudtrail-sharing-logs-assume-role.html)):
+
+![](/images/integrations/assumed_role_flow.png)
+
+### Step1 准备工作
+
+源账户(Source Account)​:发起 Assume Role 的 AWS 账户(本例中是Doris FE/BE EC2机器所属账户)。
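Review bot: the S3 Load, TVF and CREATE CATALOG examples in Step2 (`"s3.access_key" = "<your-ak>"`, `"s3.secret_key" = "<your-sk>"`) embed long-lived IAM user secrets directly in the SQL text, and the page does not say what happens to those statements afterwards. Add a sentence after the examples stating whether Doris masks these properties in the FE audit log, `SHOW LOAD` and `SHOW CREATE CATALOG` output, and pointing readers to the Assumed Role section as the option that avoids a static secret altogether. Two smaller points: the write template grants `s3:DeleteObject` and `s3:DeleteObjectVersion`, so say which Doris operations actually need delete rights, since the statements shown in Step2 only read from S3 and a reader may otherwise attach the broader template to a user that only runs them; and the Assumed Role reference link (`cloudtrail-sharing-logs-assume-role.html`) goes to the CloudTrail log-sharing guide rather than the IAM roles user guide that the section is about.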

Review Comment:
   > This is too abrupt here: two concepts are suddenly introduced without saying what they will be used for later. Make that clear and keep the text flowing coherently.
   
   Reorganized it in a general-then-specific structure.


