Remove Excess Permissions for athena (#13857)

Ayush Shah 2023-11-06 23:54:11 +05:30 committed by GitHub
parent 2fdb1af0f4
commit 73c126887c
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 103 additions and 520 deletions


@ -61,7 +61,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -73,74 +72,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -151,6 +91,13 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
### Python Requirements


@ -61,7 +61,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -73,74 +72,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -151,6 +91,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
### Python Requirements


@ -82,7 +82,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -94,74 +93,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -172,6 +112,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
## Metadata Ingestion


@ -58,7 +58,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -70,74 +69,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -148,6 +88,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
## Metadata Ingestion


@ -62,7 +62,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -74,74 +73,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -152,6 +92,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
### Python Requirements


@ -58,7 +58,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -70,74 +69,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -148,6 +88,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
## Metadata Ingestion


@ -62,7 +62,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -74,74 +73,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -152,6 +92,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
### Python Requirements


@ -17,7 +17,6 @@ This policy groups the following permissions:
- `athena` Allows the principal to run queries on Athena resources.
- `glue` Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.
- `s3` Allows the principal to write and read query results from Amazon S3.
- `lakeformation` Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation.
And is defined as:
@ -29,74 +28,15 @@ And is defined as:
{
"Effect": "Allow",
"Action": [
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:ListEngineVersions",
"athena:GetWorkGroup",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetTableMetadata",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetTable",
"lakeformation:GetDataAccess"
],
"Resource": [
@ -107,6 +47,14 @@ And is defined as:
}
```
{% note %}
If you have external services other than glue and facing permission issues, add the permissions to the list above.
{% /note %}
You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena).
## Connection Details