This topic describes how to use an Alibaba Cloud account to grant access permissions to a RAM user.
Instructions
Virtual cluster (VC) is a basic concept in Data Lake Analytics (DLA). You can use
an Alibaba Cloud account to define one or more actions in a custom permission policy
to grant permissions to a RAM user. The following table describes the actions and
their permissions
| Action | Permission |
| openanalytics:ConsolePermission | Allows a RAM user to access the DLA console. If the RAM user is not assigned this permission, the user can use Alibaba Cloud OpenAPI Explorer to access the DLA console. |
| openanalytics:CreateVirtualCluster | Allows a RAM user to create a VC in DLA. |
| openanalytics:GetVirtualCluster | Allows a RAM user to obtain the status and configurations of a VC in DLA. |
| openanalytics:ListVirtualClusters | Allows a RAM user to query the list of RAM users. |
| openanalytics:UpdateVirtualCluster | Allows a RAM user to modify the status and configurations of a VC, for example, modify the CPU and memory configurations of the VC and enable or disable the VC. |
| openanalytics:DeleteVirtualCluster | Allows a RAM user to delete VCs. |
| openanalytics:ExecuteOnVirtualCluster | Allows a RAM user to submit jobs in a VC. |
If you want a RAM user to obtain the status of a VC and submit jobs in the VC, you
can create a custom permission policy for this RAM user by configuring the following
script. For more information, see Create a custom policy.
{
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:ConsolePermission",
"openanalytics:ListVirtualCluster",
"openanalytics:GetVirtualCluster",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "*",
"Effect": "Allow"
}
]
}After the RAM user is granted this permission, the user can access the DLA console, find a VC, and then submit jobs to the VC.
Allow a RAM user to access specified VCs
If you want a RAM user to access specified VCs, you need to modify the following
Resource part in the permission policy to perform fine-grained control on permissions: acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusteName}- The following table provides the mappings between regions and
RegionIds.Region RegionId China (Hangzhou) cn-hangzhou China (Beijing) cn-beijing China (Shanghai) cn-shanghai China (Shenzhen) cn-shenzhen China (Zhangjiakou-Beijing Winter Olympics) cn-zhangjiakou China (Hong Kong) cn-hongkong Singapore (Singapore) ap-southeast-1 Indonesia (Jakarta) ap-southeast-5 All the above regions * OwnerIdspecifies the ID of the Alibaba Cloud account that is the resource owner.You can use the Alibaba Cloud account to view the account ID in security settings.
VirtualClusterNamespecifies the name of the VC in the DLA console.
Based on the preceding instructions, you can form a unique
ResourceId and configure it in the permission policy script to control user behavior in a more
fine-grained manner. Sample script:{
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:ConsolePermission",
"openanalytics:ListVirtualCluster",
"openanalytics:GetVirtualCluster",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "acs:openanalytics:cn-hangzhou:123456:virtualcluster/daily-test"
"Effect": "Allow"
}
]
}After this sample policy script is executed, the RAM user can perform operations for
the daily-test VC only in the China (Hangzhou) region. Operations for other VCs are not allowed.