Platform For AI: Grant the permissions that are required to use Machine Learning Designer

Last Updated: Jan 31, 2024

Machine Learning Platform for AI (PAI) provides a variety of modules and is integrated with other Alibaba Cloud services such as MaxCompute, DataWorks, Realtime Compute for Apache Flink, Deep Learning Containers (DLC), and Object Storage Service (OSS) to offer a one-stop machine learning platform. Before you use Machine Learning Designer for modeling, you must grant your Resource Access Management (RAM) user the permissions that are required to use the features of Machine Learning Designer. You must also grant PAI the permissions to access related Alibaba Cloud services. This ensures that the features of Machine Learning Designer work as expected. This topic describes how to grant the permissions that are required to use Machine Learning Designer.

Background information

Machine Learning Designer depends on OSS and, optionally, on a few other Alibaba Cloud services, including MaxCompute, Realtime Compute for Apache Flink, and general training resources. You can grant permissions on these services to your RAM user or RAM role based on your requirements. The following list provides a short description of each service to help you determine which permissions to grant:

  • MaxCompute: Machine Learning Designer provides hundreds of algorithms that are developed by Alibaba Cloud based on the MaxCompute framework.

  • Realtime Compute for Apache Flink: Machine Learning Designer provides algorithm components that can be used in Realtime Compute for Apache Flink, such as the PyAlink Script component.

  • OSS: The data and models that are used for training are stored in OSS buckets. Permissions on this service are required for Machine Learning Designer to operate as expected. We recommend that you purchase an OSS instance and grant your RAM user or RAM role the permissions to use OSS before you use Machine Learning Designer.

  • General training resources: Machine Learning Designer provides deep learning algorithms that use general training resources for model training. In addition, the Python Script component also relies on general training resources to run training jobs. We recommend that you activate the general training resources and grant your RAM user or RAM role the corresponding permissions before you use Machine Learning Designer.

Note

You can log on to the PAI console to view the cloud services on which each module depends and the authorization details. Choose Activation & Authorization > Dependent Services.

Before you use Machine Learning Designer, you must grant your RAM user or RAM role the required permissions to manage Machine Learning Designer, MaxCompute, Realtime Compute for Apache Flink, general training resources, and OSS resources, and grant PAI the permissions to access OSS. To use all the functions of Machine Learning Designer, you must grant your RAM user or RAM role the permissions to use the corresponding cloud services. You can perform the instructions in the following sections to complete authorization.

Authorize the operation account

Machine Learning Designer provides a visual environment for end-to-end machine learning development with a rich set of built-in machine learning algorithms. You may need to activate and authorize the following cloud services when you use Machine Learning Designer.

  • PAI module: Machine Learning Designer

    | Operation account | Service | Reference |
    | --- | --- | --- |
    | Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on Machine Learning Designer. No additional authorization is required. | N/A |
    | RAM user (Recommended) | PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, go to the Roles and Permissions page. | Manage members of the workspace |

  • Grant your RAM user or RAM role the permissions to access general training resources

    You can use the general computing resources of PAI for AI development.

    We recommend that you use an Alibaba Cloud account to purchase general computing resources. If you want to use a RAM user to purchase resources, the RAM user must be granted AliyunPAIFullAccess permissions.

    To use your RAM user to submit training tasks to DLC resource groups that are associated with a workspace, you must add the RAM user as an Algorithm developer, Algorithm operator, or Admin to the workspace.

  • Grant your RAM user or RAM role the permissions to access MaxCompute

    Machine Learning Designer provides hundreds of self-developed algorithms based on the MaxCompute framework. Make sure that you activate MaxCompute before you use these algorithms.

    | Scenario | Description | Reference |
    | --- | --- | --- |
    | Activate MaxCompute | We recommend that you use an Alibaba Cloud account to activate MaxCompute. No additional authorization is required. If you want to activate MaxCompute by using a RAM user, you need to grant the AliyunBSSOrderAccess and AliyunDataWorksFullAccess permissions to the RAM user. | |
    | Use MaxCompute | If the features you use in Machine Learning Designer depend on MaxCompute, you do not need to perform authorization. You can directly add a RAM user as a member of the development role in a PAI workspace. | |

  • Grant your RAM user or RAM role the permissions to access OSS

    You need to activate and authorize OSS to use OSS as a data source when you use deep learning algorithm components.

    | Scenario | Description | Reference |
    | --- | --- | --- |
    | Activate OSS | We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user. | |
    | Use OSS | Use OSS after activation. Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users as needed. Common operations: You need to create a bucket to upload objects to OSS. | |

    You can create a custom policy to flexibly define the permissions that allow a RAM user to access OSS in the PAI console. To create a policy, perform the following steps.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab.

    5. Enter the following policy content in the code editor and click Next to edit policy information.

      OSS provides a complete system for data permission management. For more information about how to configure policies in OSS, see Overview.

      Important

      We recommend that you follow the principle of least privilege when you specify the policy content.

      To access OSS in the PAI console, you must have the permissions to perform regular operations, such as the permissions to list the OSS buckets that you are authorized to access and read data from or write data to the OSS buckets. We recommend that you grant permissions on OSS to a RAM user based on the following sample policy content:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "oss:GetObject",
              "oss:ListObjects",
              "oss:DeleteObject",
              "oss:ListParts",
              "oss:PutObject",
              "oss:AbortMultipartUpload",
              "oss:GetBucketCors",
              "oss:DeleteBucketCors"
            ],
            "Resource": [
              "acs:oss:*:*:<yourBucketName>",
              "acs:oss:*:*:<yourBucketName>/*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:ListBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

      Replace <yourBucketName> in the preceding sample policy content with the name of the OSS bucket that your RAM user is authorized to access.

    6. Specify Name and Note for the policy and click OK.

  • Dependent cloud service: Flink

    Machine Learning Designer provides dozens of self-developed algorithms based on the Flink framework. Make sure that you activate Flink before you use these algorithms.

    | Scenario | Description | Reference |
    | --- | --- | --- |
    | Activate Flink | We recommend that you use an Alibaba Cloud account to activate Flink. No additional authorization is required. If you want to activate Flink by using a RAM user, you must grant the AliyunStreamFullAccess permissions to the RAM user. | |
    | Use Flink | Use Flink after activation. Authorization: Flink provides detailed RAM control policies. You can grant permissions to RAM users as needed. | |
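
The custom OSS policy from step 5 of the procedure above can be checked against the least-privilege recommendation before it is pasted into the RAM console. The following Python check is an added example, not part of the original page or of any Alibaba Cloud tool: the function name `lint_policy`, the finding labels, the bucket names and the sample policy are assumptions made for illustration, and it accepts `"Resource": "*"` only for `oss:ListBuckets`, as in the page's sample policy.

```python
import json

# Constructed sample policy (not from the page): statement 0 keeps the
# <yourBucketName> placeholder and repeats an action, statement 1 uses a
# wildcard action, statement 3 reaches past the intended bucket.
SAMPLE_POLICY = """
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["oss:GetObject", "oss:PutObject", "oss:GetBucketCors", "oss:GetBucketCors"],
   "Resource": ["acs:oss:*:*:<yourBucketName>", "acs:oss:*:*:<yourBucketName>/*"]},
  {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:pai-training-data/*"},
  {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["oss:DeleteObject"],
   "Resource": ["acs:oss:*:*:finance-archive/*", "*"]}
]}
"""

def _as_list(value):
    # RAM policies accept a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_policy(policy_text, allowed_buckets):
    """Return sorted (statement_index, finding) pairs for Allow statements."""
    findings = set()
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if len(actions) != len(set(actions)):
            findings.add((i, "duplicate-action"))
        if any("*" in action for action in actions):
            findings.add((i, "wildcard-action"))
        for res in _as_list(stmt.get("Resource", [])):
            # Resource format: acs:oss:<region>:<account>:<bucket>[/<object>]
            bucket = res.split(":", 4)[-1].split("/")[0]
            if bucket == "*":
                # Assumption: only oss:ListBuckets may use Resource "*".
                if set(actions) != {"oss:ListBuckets"}:
                    findings.add((i, "wildcard-resource"))
            elif "<" in bucket:
                findings.add((i, "placeholder-resource"))
            elif bucket not in allowed_buckets:
                findings.add((i, "unexpected-bucket"))
    return sorted(findings)

if __name__ == "__main__":
    for index, finding in lint_policy(SAMPLE_POLICY, {"pai-training-data"}):
        print(f"statement {index}: {finding}")
```

Pass the set of bucket names the RAM user is meant to reach as `allowed_buckets`; an empty result means none of these checks fired, not that the policy is minimal.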

Authorize the service-linked role

In most cases, the authorization is completed when you activate PAI. If the authorization is not performed, perform the following steps.

  1. Log on to the PAI console.

  2. In the left-side navigation pane, choose Activation & Authorization > Dependent Services. In the Designer section, find OSS.

  3. View the authorization details of OSS in the Actions column.

    • If PAI is not granted the permissions to access OSS, click Authorize Now in the Operation column and grant the permissions to PAI by following the on-screen instructions.

    • If PAI is granted the permissions on OSS, click View authorization information in the Operation column to view the authorization details.