This topic describes how to use an Alibaba Cloud account to grant access permissions to a RAM user.

Instructions

Virtual cluster (VC) is a basic concept in Data Lake Analytics (DLA). Using the Alibaba Cloud account, you can define one or more of the following actions in a custom permission policy and attach that policy to a RAM user. The following table describes the actions and the permissions they grant.
Action Permission
openanalytics:ConsolePermission Allows a RAM user to access the DLA console. Without this permission, the user cannot use the console but can still call the operations granted by the other actions through the DLA API, for example in Alibaba Cloud OpenAPI Explorer.
openanalytics:CreateVirtualCluster Allows a RAM user to create a VC in DLA.
openanalytics:GetVirtualCluster Allows a RAM user to obtain the status and configurations of a VC in DLA.
openanalytics:ListVirtualClusters Allows a RAM user to query the list of VCs in DLA.
openanalytics:UpdateVirtualCluster Allows a RAM user to modify the status and configurations of a VC, for example, to change the CPU and memory configurations of the VC or to enable or disable the VC.
openanalytics:DeleteVirtualCluster Allows a RAM user to delete VCs.
openanalytics:ExecuteOnVirtualCluster Allows a RAM user to submit jobs to a VC.
If you want a RAM user to be able to obtain the status of a VC and submit jobs to it, create a custom permission policy for this RAM user with the following policy document. For more information, see Create a custom policy. Note that the sample uses openanalytics:ListVirtualCluster while the table above lists openanalytics:ListVirtualClusters; RAM matches action names exactly, so verify the spelling against the DLA RAM action reference before attaching the policy.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListVirtualCluster",
                "openanalytics:GetVirtualCluster",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

After this policy is attached, the RAM user can access the DLA console, list and view VCs, and submit jobs to any VC in the account, because Resource is set to the wildcard *.

Allow a RAM user to access specified VCs

If you want a RAM user to access only specified VCs, replace the wildcard in the Resource element of the policy with a resource identifier of the following form to apply fine-grained control:
 acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusterName}
  1. The following table provides the mappings between regions and RegionIds.
    Region RegionId
    China (Hangzhou) cn-hangzhou
    China (Beijing) cn-beijing
    China (Shanghai) cn-shanghai
    China (Shenzhen) cn-shenzhen
    China (Zhangjiakou-Beijing Winter Olympics) cn-zhangjiakou
    China (Hong Kong) cn-hongkong
    Singapore (Singapore) ap-southeast-1
    Indonesia (Jakarta) ap-southeast-5
    All of the above regions * (wildcard)
  2. OwnerId specifies the ID of the Alibaba Cloud account that owns the resource.
    You can view the account ID in the security settings of the Alibaba Cloud account.
  3. VirtualClusterName specifies the name of the VC as shown in the DLA console.
Based on the preceding instructions, you can form a unique resource identifier and use it in the policy document to control what the user can do in a fine-grained manner. Sample policy:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListVirtualCluster",
                "openanalytics:GetVirtualCluster",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:123456:virtualcluster/daily-test",
            "Effect": "Allow"
        }
    ]
}

After this policy is attached, the RAM user can perform the listed operations only on the VC named daily-test in the China (Hangzhou) region of account 123456. Operations on other VCs, including a VC with the same name in another region, are not allowed. The value 123456 is a placeholder; substitute the account ID from the security settings of your own Alibaba Cloud account.
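The procedure above (build the resource identifier, put it in the Resource element, attach the policy) and the wildcard policy in the first sample can both be checked offline before anything is attached to a real RAM user. The following Python is an added example written for this page, not code from Alibaba Cloud or the DLA documentation: it builds the resource identifier from the page's pattern, generates a policy document in the same format as the two samples above, lints it (a missing comma, such as the one in the second sample as originally printed, is caught at this step), and evaluates requests against it with a simplified version of RAM's rules (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is denied; Condition elements and other attached policies are ignored). The action names are copied from the table on this page and are not verified against the DLA RAM action reference; the account ID 123456 and the VC names are placeholders.

```python
import json
import re

# Action names as listed in the table on this page. They are copied, not
# verified; check them against the DLA RAM action reference before relying on them.
DLA_ACTIONS = {
    "openanalytics:ConsolePermission",
    "openanalytics:CreateVirtualCluster",
    "openanalytics:GetVirtualCluster",
    "openanalytics:ListVirtualClusters",
    "openanalytics:UpdateVirtualCluster",
    "openanalytics:DeleteVirtualCluster",
    "openanalytics:ExecuteOnVirtualCluster",
}


def vc_resource(region_id: str, owner_id: str, vc_name: str) -> str:
    """Form the resource identifier from the pattern given on this page."""
    return f"acs:openanalytics:{region_id}:{owner_id}:virtualcluster/{vc_name}"


def build_policy(actions, resources, effect: str = "Allow") -> dict:
    """Return a one-statement policy document in the same shape as the page's samples."""
    return {
        "Version": "1",
        "Statement": [
            {"Action": sorted(actions), "Resource": sorted(resources), "Effect": effect}
        ],
    }


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Wildcard match in the RAM style: '*' matches any run of characters,
    and the pattern must cover the whole value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def policy_problems(policy) -> list:
    """Lint a policy given as JSON text or as a dict: JSON validity, Version,
    Effect, presence of Resource, and action names not in the table above."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [f"invalid JSON: {exc}"]
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(stmt.get("Action", [])):
            known = action in DLA_ACTIONS or any(_matches(action, a) for a in DLA_ACTIONS)
            if not known:
                problems.append(f"statement {i}: action {action!r} is not in the table on this page")
        if not _as_list(stmt.get("Resource", [])):
            problems.append(f"statement {i}: Resource is missing")
    return problems


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against one policy: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise the request is implicitly denied.
    Simplified: Condition elements and other attached policies are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Placeholder account ID and VC names, as on the page.
    daily_test = vc_resource("cn-hangzhou", "123456", "daily-test")
    policy = build_policy(
        ["openanalytics:ConsolePermission", "openanalytics:ListVirtualClusters",
         "openanalytics:GetVirtualCluster", "openanalytics:ExecuteOnVirtualCluster"],
        [daily_test],
    )
    print(json.dumps(policy, indent=4))
    run = "openanalytics:ExecuteOnVirtualCluster"
    print(is_allowed(policy, run, daily_test))                                        # True
    print(is_allowed(policy, run, vc_resource("cn-hangzhou", "123456", "prod")))      # False
    print(is_allowed(policy, run, vc_resource("cn-beijing", "123456", "daily-test"))) # False
    # Constructed broken document: the comma between two members is missing.
    print(policy_problems('{"Version": "1", "Statement": [{"Action": "x" "Effect": "Allow"}]}'))
```

The evaluator deliberately treats a VC with the same name in another region as a different resource, which is what the resource identifier's RegionId field is for; a pattern such as acs:openanalytics:*:123456:virtualcluster/daily-test would widen the grant to that name in every region of the account.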