雅典娜报告 "Insufficient permissions to execute the query. Caller does not have full access to table"

Athena reports "Insufficient permissions to execute the query. Caller does not have full access to table"

我拥有 Lake Formation 权限,我的 Athena 查询运行良好。

我现在想将 IAM 用户限制为只能访问某些记录,因此我添加了 Lake Formation 数据过滤器。我这样做后,Athena 报告 Insufficient permissions to execute the query. Caller does not have full access to table.

这是为什么?

原因埋在 Athena 文档中(Lake Formation 行级/单元格级过滤一节):

To run query operations against tables that use row- and cell-level filtering, you must use a special workgroup called AmazonAthenaLakeFormation.

您只需创建一个名称恰好为 AmazonAthenaLakeFormation 的工作组 (!),并在运行查询时切换到该工作组——名称不匹配时,Athena 不会走 Lake Formation 的查询规划路径,数据过滤器也就无法生效。

但是你还没有完成!

一旦您切换到使用该工作组,您将收到一个不同的错误(以下为节选):Insufficient permissions to execute the query. Encountered an exception executed in context[planning query] with message[User: XXXXXXXXX is not authorized to perform: lakeformation:StartQueryPlanning on resource ...]。注意这里缺的是调用者的 IAM 权限,与您已经在 Lake Formation 中授予的数据权限是两套独立的授权:两者都必须满足。

要解决此问题,请在该 IAM 用户(或其所属角色)的策略中添加 lakeformation:StartQueryPlanning 操作。

但是你还没有完成!

添加该 IAM 权限后,您会发现 StartQueryPlanning 依赖于其他 IAM 权限,然后它会要求更多权限,如此反复。我最终创建了一个名为 GlueReadOnly 的策略来解决问题,如下所示。需要提醒的是:这种"报错一个就加一个"的方式很容易得到一个远超所需的策略——下面的策略在 "Resource": "*" 上授予了大量与查询无关的 Glue 只读操作(作业、开发终端节点、连接、安全配置、Data Catalog 加密设置、资源策略、Data Lake 设置等),其中 glue:GetConnection/GetConnections 可能返回连接属性(视连接配置而定,需自行确认是否包含敏感信息)。在生产环境中,建议只保留查询实际需要的最小集合——策略中的 lakeformation:StartQueryPlanning、GetQueryState、GetWorkUnits、GetWorkUnitResults、GetQueryStatistics,以及 Data Catalog 的 glue:GetDatabase(s)/GetTable(s)/GetPartition(s) 等读取操作——并尽可能把 Resource 收窄到相关的 catalog、数据库和表 ARN,其余操作按报错逐项补充而不是整体放开。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "glue:SearchTables",
            "lakeformation:SearchDatabasesByLFTags",
            "glue:GetCrawler",
            "glue:GetDataCatalogEncryptionSettings",
            "glue:BatchGetDevEndpoints",
            "glue:CheckSchemaVersionValidity",
            "glue:GetTableVersions",
            "glue:GetPartitions",
            "glue:GetMLTransform",
            "lakeformation:GetWorkUnits",
            "glue:GetWorkflowRunProperties",
            "glue:GetSchema",
            "glue:GetDevEndpoint",
            "glue:GetSecurityConfiguration",
            "glue:GetResourcePolicy",
            "glue:GetTrigger",
            "glue:GetUserDefinedFunction",
            "glue:GetJobRun",
            "glue:GetResourcePolicies",
            "glue:GetUserDefinedFunctions",
            "glue:GetClassifier",
            "glue:GetSchemaByDefinition",
            "glue:ListWorkflows",
            "glue:GetJobs",
            "glue:GetTables",
            "glue:GetSchemaVersionsDiff",
            "lakeformation:SearchTablesByLFTags",
            "glue:GetTriggers",
            "glue:GetWorkflowRun",
            "lakeformation:GetLFTag",
            "lakeformation:GetResourceLFTags",
            "glue:GetMapping",
            "glue:GetPartition",
            "glue:GetDevEndpoints",
            "lakeformation:GetQueryStatistics",
            "glue:BatchGetWorkflows",
            "lakeformation:GetDataLakeSettings",
            "glue:ListDevEndpoints",
            "glue:BatchGetJobs",
            "glue:ListRegistries",
            "glue:GetJob",
            "glue:GetWorkflow",
            "glue:ListSchemaVersions",
            "lakeformation:StartQueryPlanning",
            "glue:GetConnections",
            "glue:GetCrawlers",
            "glue:GetClassifiers",
            "glue:GetCatalogImportStatus",
            "glue:GetTableVersion",
            "glue:GetConnection",
            "glue:ListMLTransforms",
            "glue:ListSchemas",
            "glue:GetJobBookmark",
            "glue:GetMLTransforms",
            "glue:GetRegistry",
            "lakeformation:GetEffectivePermissionsForPath",
            "lakeformation:ListLFTags",
            "lakeformation:GetWorkUnitResults",
            "glue:BatchGetPartition",
            "glue:GetMLTaskRuns",
            "glue:GetSecurityConfigurations",
            "glue:ListTriggers",
            "glue:GetDatabases",
            "lakeformation:GetQueryState",
            "glue:ListJobs",
            "glue:GetTags",
            "glue:GetTable",
            "glue:GetDatabase",
            "glue:GetMLTaskRun",
            "lakeformation:DescribeResource",
            "glue:GetDataflowGraph",
            "glue:BatchGetCrawlers",
            "glue:GetSchemaVersion",
            "glue:QuerySchemaVersionMetadata",
            "glue:BatchGetTriggers",
            "lakeformation:GetTableObjects",
            "glue:GetWorkflowRuns",
            "lakeformation:DescribeTransaction",
            "glue:GetPlan",
            "glue:ListCrawlers",
            "glue:GetCrawlerMetrics",
            "glue:GetJobRuns"
        ],
        "Resource": "*"
    }
]
}