If multiple users in your organization need to use Data Lake Analytics (DLA) after you activate DLA by using your Alibaba Cloud account, these users must share the AccessKey pair of your Alibaba Cloud account. This may cause your AccessKey pair to be disclosed and makes it difficult to control which operations a specific user can perform in the DLA console. To prevent these issues, you can create Resource Access Management (RAM) users and grant specific permissions to each RAM user. Users can then use the credentials of RAM users to access or manage DLA.

Policies

Policies are categorized into system policies and custom policies.

  • System policies: the default policies that Alibaba Cloud provides for various management purposes. DLA provides the following system policies:
    • AliyunDLAFullAccess: grants RAM users the permissions to manage DLA, including all the permissions on all the resources in DLA.
    • AliyunDLADeveloperAccess: grants RAM users the developer permissions. Compared with the AliyunDLAFullAccess policy, the AliyunDLADeveloperAccess policy does not grant RAM users the permissions to create, modify, or release virtual clusters.
    • AliyunDLAReadOnlyAccess: grants RAM users read-only permissions on DLA resources. These permissions allow users to perform operations such as viewing information about virtual clusters and jobs.

    For more information about system policies, see System policies of DLA.

  • Custom policies: the policies that you customize based on your business requirements. These policies are suitable for users who require fine-grained control and are familiar with the API of each Alibaba Cloud service. For more information, see Create a custom policy.

Procedure

This procedure demonstrates how to use your Alibaba Cloud account to create a RAM user in the RAM console and attach a custom policy or system policy to the RAM user.

  1. Create a RAM user.
    1. Log on to the RAM console by using your Alibaba Cloud account.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, click Create User.
    4. Set the Logon Name and Display Name parameters.
    5. In the Access Mode section, select Console Access or Programmatic Access.
      • Console Access: If you select this access mode, you must configure the basic settings related to logon security. These settings specify whether to use a system-generated or custom logon password, reset the password on the next logon, and enable multi-factor authentication (MFA).
      • Programmatic Access: If you select this access mode, the system automatically creates an AccessKey pair for the RAM user that you want to create. You can access DLA by calling API operations or by using other development tools.
      Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access DLA after the RAM user leaves the organization.
    6. Click OK.
  2. (Optional) Create a custom policy.

    In addition to the system policies provided by DLA, you can create custom policies in the RAM console by performing the following steps:

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. Specify Policy Name.
    4. Select Script for Configuration Mode. In the Policy Document section, enter the policy content in the code editor.
      Note For the values of the Action and Resource parameters in the policy content, see Grant RAM users fine-grained permissions to access DLA.
    5. Click OK.
  3. Grant permissions to the RAM user.
    1. In the left-side navigation pane of the RAM console, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    3. In the Select Policy section, click the Custom Policy tab and add the required policy to the Selected section.
    4. Click OK.
    5. Click Complete.
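As an added example (not part of this page or of DLA's own tooling), the following Python check can be run over a custom policy document before it is pasted into the Policy Document editor in step 2: it validates the RAM policy structure and flags grants that are as broad as a system policy. The openanalytics service prefix and any action names are assumptions, not values this page provides; take the real ones from Grant RAM users fine-grained permissions to access DLA.

```python
import json

# Assumed RAM service prefix for DLA actions (not confirmed by this page; take the
# exact Action and Resource values from the fine-grained permissions topic).
DLA_SERVICE = "openanalytics"


def lint_policy(document: str, service: str = DLA_SERVICE) -> list:
    """Return findings for a RAM policy JSON string; [] means it passes."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement {i}: must be an object")
            continue
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # RAM accepts a single string or a list for both fields; normalize.
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = [resources] if isinstance(resources, str) else list(resources)
        if not actions or not resources:
            findings.append(f"statement {i}: Action and Resource are required")
        if effect != "Allow":
            continue  # only Allow statements widen what the RAM user can do
        for action in actions:
            if action in ("*", f"{service}:*"):
                findings.append(f"statement {i}: wildcard action {action!r} is "
                                "as broad as the FullAccess system policy")
            elif not action.startswith(f"{service}:"):
                findings.append(f"statement {i}: action {action!r} is outside "
                                f"the {service} service")
        if "*" in resources:
            findings.append(f"statement {i}: Resource \"*\" covers every "
                            "resource; scope it where the action allows")
    return findings


# Constructed sample: the kind of over-broad document a developer might paste.
BROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "openanalytics:*", "Resource": "*"}]})
```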

System policies of DLA

The following table lists the features that each system policy grants. A check mark means the policy grants the permission; an empty cell means it does not.

Feature                                                  AliyunDLAFullAccess   AliyunDLADeveloperAccess   AliyunDLAReadOnlyAccess
View virtual clusters                                    ✔️                    ✔️                         ✔️
Add a virtual cluster                                    ✔️
Modify a virtual cluster                                 ✔️
Release a virtual cluster                                ✔️
View cluster tags                                        ✔️                    ✔️                         ✔️
Add a cluster tag                                        ✔️
Delete a cluster tag                                     ✔️
View Spark jobs                                          ✔️                    ✔️                         ✔️
Submit a Spark job                                       ✔️                    ✔️
Stop a Spark job                                         ✔️
Execute a Spark code block                               ✔️                    ✔️
View Spark code blocks                                   ✔️                    ✔️                         ✔️
Terminate a Spark code block                             ✔️
View Spark code                                          ✔️                    ✔️                         ✔️
View lakehouses                                          ✔️                    ✔️                         ✔️
Create a lakehouse                                       ✔️
Dump DSL descriptions of a lakehouse                     ✔️                    ✔️
View the progress of all tables related to a lakehouse   ✔️                    ✔️                         ✔️
View workloads                                           ✔️                    ✔️                         ✔️
Create a workload                                        ✔️
Delete a workload                                        ✔️
Start a workload                                         ✔️
Stop a workload                                          ✔️
Redo a workload                                          ✔️
Dump DSL descriptions of a workload                      ✔️                    ✔️
Check the output prefix of a workload                    ✔️                    ✔️                         ✔️
View logs or Spark web UI of a workload                  ✔️                    ✔️                         ✔️
View the progress of all tables related to a workload    ✔️                    ✔️                         ✔️