This topic describes how to configure Data Lake Analytics (DLA) access permissions for RAM users by using Alibaba Cloud accounts in RAM.
API operations of DLA
Virtual clusters (VCs) are a basic concept in DLA. Alibaba Cloud accounts can call
API operations to define a series of operations and combinations of operations in
custom policies to limit the permissions of RAM users on VCs. The following table
describes the API operations.
| API | Description |
|---|---|
| openanalytics:ConsolePermission | Allows a RAM user to access the DLA console. If the RAM user is not assigned this permission, the user can use only Alibaba Cloud OpenAPI Explorer to access the DLA console. |
| openanalytics:CreateVirtualCluster | Allows a RAM user to create a VC in DLA. |
| openanalytics:GetVirtualCluster | Allows a RAM user to obtain the status and configurations of a VC in DLA. |
| openanalytics:ListVirtualClusters | Allows a RAM user to query VCs. |
| openanalytics:UpdateVirtualCluster | Allows a RAM user to change the status and configurations of a VC. For example, you can call this API operation to modify the CPU and memory configurations of the VC and enable or disable the VC. |
| openanalytics:DeleteVirtualCluster | Allows a RAM user to delete a VC. |
| openanalytics:ExecuteOnVirtualCluster | Allows a RAM user to submit jobs in a VC. |
If you want a RAM user to obtain the status of a VC and submit jobs in the VC, you
can create a custom policy for the RAM user in the RAM console and configure the following script. For more information, see Create a custom policy.
{
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:ConsolePermission",
"openanalytics:ListVirtualCluster",
"openanalytics:GetVirtualCluster",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "*",
"Effect": "Allow"
}
]
}After the preceding operations are complete, the RAM user that is granted the custom policy is allowed to access the DLA console, search for VCs in the DLA console, and submit jobs in VCs.
Configure a RAM user to access specific VCs
If you want a RAM user to access specific VCs, you must change the setting of
Resource in the custom policy to impose fine-grained permission control over the RAM user.
The following example shows the values of Resource. The following table describes the values of Resource. acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusteName}| Parameter | Description |
|---|---|
| RegionId | The ID of the region. Mapping between regions and region IDs:
|
| OwnerId | The ID of the Alibaba Cloud account to which the resource belongs. You can view your own account ID in Security Settings of your Alibaba Cloud account. |
| VirtualClusterName | The name of the VC. |
You can create a unique
ResourceId that corresponds to a VC based on the preceding parameter description. Then, you
can add ResourceId to custom policies in the RAM console. This way, you can control the behavior of the RAM user in a fine-grained manner.
The following example shows the policy configuration.// This example allows the RAM user to manage only thedaily-test VC in the China (Hangzhou) region.
{
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:ConsolePermission",
"openanalytics:ListVirtualCluster",
"openanalytics:GetVirtualCluster",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "acs:openanalytics:cn-hangzhou:123456:virtualcluster/daily-test"
"Effect": "Allow"
}
]
}