This topic describes the actions and resources that you can specify in the custom policies attached to Resource Access Management (RAM) users of Data Lake Analytics (DLA), and provides guidelines for creating custom policies that grant RAM users fine-grained permissions.

Custom policies

You can create a custom policy in the RAM console or by calling the CreatePolicy API operation. If you select Script for Configuration Mode when you create the policy, you specify the actions and resources in the code editor of the Policy Document section by following the JSON template. For more information, see Create a custom policy.

Examples

Example 1:
The Alibaba Cloud account with the ID 1234567890 deploys a virtual cluster named dla-vc1 in the China (Hangzhou) region and creates the policy dla-vc1-policy. The policy allows a RAM user to submit jobs to this cluster, terminate those jobs, and view their detailed logs. Every action in the policy is scoped to the single resource acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1, so this policy grants no permissions on other virtual clusters in the account.
Note The RAM user that is granted these permissions is not authorized to perform the following operations:
  • View the detailed log information of jobs that are submitted by other RAM users.
  • Terminate jobs that are submitted by other RAM users.
  • Execute code blocks in the interactive sessions (jobs) of other RAM users.
If the RAM user must also inspect or terminate jobs that other users submitted, grant GetSparkJob and KillSparkJob on acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1/sparkjobs/* (see Spark management permissions).

The created policy contains the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListSparkJobs",
                "openanalytics:SubmitSparkJob",
                "openanalytics:ListVirtualCluster",
                "openanalytics:GetVirtualCluster"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1",
            "Effect": "Allow"
        }
    ]
}
Example 2:
The Alibaba Cloud account with the ID 1234567890 wants to grant a RAM user permissions to manage all DLA resources, such as virtual clusters and lakehouses, in the China (Hangzhou) region. The account creates a policy named dla-cn-hangzhou-admin. Because the policy allows every action in the openanalytics namespace on every DLA resource in the region, it is an administrative grant and should be attached only to RAM users who need that level of access; it grants nothing in other regions. The created policy contains the following content:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:*"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:1234567890:*",
            "Effect": "Allow"
        }
    ]
}
Note For more information about the parameters in the policy, see Actions and resources of custom policies.

Actions and resources of custom policies

Console permissions
Action Resource Action description
ConsolePermission * Allows a RAM user to log on to the DLA console. If this permission is not granted, the RAM user cannot use the DLA console and can access DLA only by calling API operations.
Note The resource syntax for a virtual cluster is acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusterName}. An asterisk (*) represents all resources. For more information, see Policy elements.
Spark management permissions
Action Resource Action description
ListSparkJobs acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/* Allows a RAM user to query all Spark jobs in the virtual cluster.
SubmitSparkJob acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/* Allows a RAM user to submit a Spark job or a Spark SQL statement.
GetSparkJob acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid> Allows a RAM user to obtain the status, logs, detailed configurations, and Spark web UI of a Spark job, and the status of the current session.
KillSparkJob acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid> Allows a RAM user to kill a Spark job.
ExecuteSparkStatement acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/* Allows a RAM user to execute a code block in a session and obtain the ID of the code block.
ListSparkStatements acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/* Allows a RAM user to obtain the execution information of all code blocks in the session cache.
CancelSparkStatement acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/<statementid> Allows a RAM user to attempt to terminate the execution of a code block.
GetSparkStatement acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/<statementid> Allows a RAM user to obtain the execution information of a specified code block.
Note The resources for GetSparkJob, KillSparkJob, CancelSparkStatement, and GetSparkStatement identify a single job or statement. To grant an action on every job or statement in a virtual cluster, replace <jobid> or <statementid> with an asterisk (*).
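The following Python script is an added example and is not code from the DLA documentation or the DLA service. It builds resource strings from the Spark management table above, assembles a least-privilege policy for a Spark job operator on one virtual cluster, and evaluates requests against that policy and against the two example policies in the Examples section. The evaluation rules it implements are assumptions about RAM, not something this page states: a request is denied unless a statement allows it, an asterisk (*) in an Action or Resource matches any run of characters, an explicit Deny overrides any Allow, and Condition elements are not modelled. The job ID j-123, the statement ID s-1, and the helper names are constructed for the example.

```python
"""Build and evaluate DLA RAM custom policies (added example, not DLA's own code).

Resource syntax follows the Spark management table on this page. Evaluation rules
are assumed: default deny, '*' matches any run of characters, Deny beats Allow,
no Condition support.
"""
import json
import re


def vc_arn(region, account, cluster):
    """Virtual cluster resource, as used in Example 1."""
    return f"acs:openanalytics:{region}:{account}:virtualcluster/{cluster}"


def spark_job_arn(region, account, cluster, job_id="*"):
    """Spark job resource; job_id='*' covers every job in the cluster."""
    return f"{vc_arn(region, account, cluster)}/sparkjobs/{job_id}"


def spark_statement_arn(region, account, cluster, job_id="*", statement_id="*"):
    """Code-block (statement) resource inside an interactive session."""
    return f"{spark_job_arn(region, account, cluster, job_id)}/statements/{statement_id}"


def _wildcard_match(pattern, value):
    # Only '*' is a wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    decision = "Deny"  # nothing matched yet: implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny wins immediately
            decision = "Allow"
    return decision


# Example 1 from this page: cluster-scoped permissions on dla-vc1.
EXAMPLE_1_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["openanalytics:ConsolePermission", "openanalytics:ListSparkJobs",
                   "openanalytics:SubmitSparkJob", "openanalytics:ListVirtualCluster",
                   "openanalytics:GetVirtualCluster"],
        "Resource": vc_arn("cn-hangzhou", "1234567890", "dla-vc1"),
        "Effect": "Allow",
    }],
}


def regional_admin_policy(region, account):
    """Example 2 from this page: every DLA action on every DLA resource in one region."""
    return {"Version": "1",
            "Statement": [{"Action": ["openanalytics:*"],
                           "Resource": f"acs:openanalytics:{region}:{account}:*",
                           "Effect": "Allow"}]}


def spark_operator_policy(region, account, cluster):
    """Least-privilege policy for a Spark job operator on one virtual cluster.

    Job actions are granted on sparkjobs/* so the operator can inspect and kill
    any job in the cluster. Executing code in interactive sessions is explicitly
    denied so that a broader policy attached to the same user cannot re-enable it.
    """
    return {"Version": "1", "Statement": [
        {"Effect": "Allow",
         "Action": ["openanalytics:ListVirtualCluster", "openanalytics:GetVirtualCluster"],
         "Resource": vc_arn(region, account, cluster)},
        {"Effect": "Allow",
         "Action": ["openanalytics:ListSparkJobs", "openanalytics:SubmitSparkJob",
                    "openanalytics:GetSparkJob", "openanalytics:KillSparkJob"],
         "Resource": spark_job_arn(region, account, cluster)},
        {"Effect": "Deny",
         "Action": ["openanalytics:ExecuteSparkStatement"],
         "Resource": spark_statement_arn(region, account, cluster)},
    ]}


if __name__ == "__main__":
    scope = ("cn-hangzhou", "1234567890", "dla-vc1")
    operator = spark_operator_policy(*scope)
    print(json.dumps(operator, indent=4))  # paste into the Policy Document editor
    job = spark_job_arn(*scope, "j-123")                 # constructed job ID
    stmt = spark_statement_arn(*scope, "j-123", "s-1")   # constructed statement ID
    print("KillSparkJob:", evaluate([operator], "openanalytics:KillSparkJob", job))
    both = [regional_admin_policy("cn-hangzhou", "1234567890"), operator]
    print("ExecuteSparkStatement with admin policy also attached:",
          evaluate(both, "openanalytics:ExecuteSparkStatement", stmt))
```

Running the script prints the operator policy as a JSON document in the format used by the examples above, then shows that the Deny statement still blocks ExecuteSparkStatement even when the regional admin policy from Example 2 is attached to the same RAM user. The same evaluator shows that Example 1's policy, which lists neither GetSparkJob nor KillSparkJob, cannot by itself allow those actions on any job resource.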
Lakehouse management permissions
Action Resource Action description
ListLakehouses acs:openanalytics:${regionId}:${parentId}:lakehouse/* Allows a RAM user to view lakehouses.
CreateLakehouse acs:openanalytics:${regionId}:${parentId}:lakehouse/* Allows a RAM user to create a lakehouse.
ListLakehouseWorkloads acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* Allows a RAM user to view workloads of a lakehouse.
CreateLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* Allows a RAM user to create a workload for a lakehouse.
DeleteLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to delete a workload from a lakehouse.
StartLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to start a workload.
StopLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to stop a workload that is running.
RedoLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to rerun a workload, for example, to export data again.
DescribeLakehouseWorkload acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to view the details of a workload.
GetLakehouseWorkloadMonitorInfo acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} Allows a RAM user to view the failure logs of a workload and the Spark web UI.