Machine Learning Studio of Machine Learning Platform for AI (PAI) shares projects with DataWorks. Before you use a RAM user to create MaxCompute or Machine Learning Studio projects, you must grant permissions to the RAM user. In addition, after a security upgrade, PAI supports more secure access to the data in Object Storage Service (OSS). You can configure custom policies to grant RAM users the permissions to access OSS data in the PAI console. This topic describes how to grant the permissions that may be needed in Machine Learning Studio.

Grant the operation permissions on DataWorks and MaxCompute to a RAM user

  1. Log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Grant the permissions on DataWorks to the RAM user.
    1. On the Users page, find the RAM user to whom you want to grant permissions, and click Add Permissions in the Actions column.
    2. Optional:In the Add Permissions panel, click Custom Policy.
    3. In the field below Select Policy, enter AliyunDataWorksFullAccess.
    4. Click AliyunDataWorksFullAccess in the Authorization Policy Name column to add the policy to the Selected section.
    5. Click OK.
  4. Create an AccessKey pair for the RAM user.
    1. On the Users page, find the RAM user and click its logon name in the User Logon Name/Display Name column.
    2. In the User AccessKeys section of the RAM user details page, click Create AccessKey Pair.
  5. Log on to the DataWorks console by using your Alibaba Cloud account and grant the permissions on the required MaxCompute project to the RAM user. For more information, see Add workspace members.

Grant access permissions on OSS to Machine Learning Studio

Machine Learning Studio supports OSS. You must use your Alibaba Cloud account to grant permissions to service-linked roles.

  1. Log on to the PAI console.
  2. In the left-side navigation pane, choose Model Training > Visualized Modeling (Machine Learning Studio).
  3. On the Visualized Modeling (Machine Learning Studio) page, find your project and click Machine Learning in the Actions column.
  4. In the left-side navigation pane, choose Settings > General.
  5. In the OSS Authorization section of the General page, select Authorize Machine Learning Platform for AI to access my OSS resources. For other parameters, use the default values.

Use custom policies to grant access permissions on OSS to a RAM user

After a security upgrade, PAI supports more secure access to OSS data. You can configure custom policies to grant RAM users the permissions to access OSS data in the PAI console.

  1. On the Create Custom Policy page, set the parameters.
    Parameter Description
    Policy Name We recommend that you name a policy based on the required permissions and business needs.
    Note The description of the policy. The description helps differentiate this policy from other policies.
    Configuration Mode Select Script.
    Policy Document OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see Overview.
    Notice We recommend that you define the policy based on the minimum permissions required by the RAM user.
    To use OSS data in the PAI console, you may need the permissions on common operations such as the permissions to access, read data from, and write data to an OSS bucket. We recommend that you grant permissions to the RAM user based on the following sample custom policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:PutObject",
            "oss:AbortMultipartUpload",
            "oss:GetBucketCors",
            "oss:GetBucketCors",
            "oss:DeleteBucketCors"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    Replace <yourBucketName> in the preceding sample custom policy with the name of the OSS bucket on which the permissions you want to grant.
  2. Click OK.

Grant the permissions on GPU resources to Machine Learning Studio

PAI-Tensorflow uses GPU resources for underlying computing. Therefore, you must grant the permissions on GPU resources to Machine Learning Studio.

  1. Log on to the PAI console.
  2. In the left-side navigation pane, choose Model Training > Visualized Modeling (Machine Learning Studio).
  3. On the Visualized Modeling (Machine Learning Studio) page, turn on the switch in the Open GPU column for your project.