This topic describes how to configure Data Lake Analytics (DLA) access permissions for RAM users by using Alibaba Cloud accounts in RAM.

API operations of DLA

Virtual clusters (VCs) are a basic concept in DLA. An Alibaba Cloud account can combine the following API operations in a custom policy to limit the permissions of RAM users on VCs. The following table describes the API operations.
API Description
openanalytics:ConsolePermission Allows a RAM user to access the DLA console. If the RAM user is not assigned this permission, the user can access DLA only by calling API operations through Alibaba Cloud OpenAPI Explorer, not through the DLA console.
openanalytics:CreateVirtualCluster Allows a RAM user to create a VC in DLA.
openanalytics:GetVirtualCluster Allows a RAM user to obtain the status and configurations of a VC in DLA.
openanalytics:ListVirtualClusters Allows a RAM user to query VCs.
openanalytics:UpdateVirtualCluster Allows a RAM user to change the status and configurations of a VC. For example, you can call this API operation to modify the CPU and memory configurations of the VC and enable or disable the VC.
openanalytics:DeleteVirtualCluster Allows a RAM user to delete a VC.
openanalytics:ExecuteOnVirtualCluster Allows a RAM user to submit jobs in a VC.
If you want a RAM user to obtain the status of a VC and submit jobs in the VC, you can create a custom policy for the RAM user in the RAM console and use the following policy document. For more information, see Create a custom policy.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListVirtualClusters",
                "openanalytics:GetVirtualCluster",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

After the preceding operations are complete, the RAM user that is granted the custom policy is allowed to access the DLA console, search for VCs in the DLA console, and submit jobs in VCs.

Configure a RAM user to access specific VCs

If you want a RAM user to access only specific VCs, change the value of Resource in the custom policy from "*" to the identifier of the VC, which imposes fine-grained permission control over the RAM user. The following example shows the format of a Resource value, and the table that follows describes its parameters.
 acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusterName}
Parameter Description
RegionId The ID of the region. Mapping between regions and region IDs:
  • China (Hangzhou): cn-hangzhou
  • China (Beijing): cn-beijing
  • China (Shanghai): cn-shanghai
  • China (Shenzhen): cn-shenzhen
  • China (Zhangjiakou): cn-zhangjiakou
  • China (Hong Kong): cn-hongkong
  • Singapore (Singapore): ap-southeast-1
  • Indonesia (Jakarta): ap-southeast-5
  • All the above regions: *
OwnerId The ID of the Alibaba Cloud account to which the resource belongs. You can view your own account ID in Security Settings of your Alibaba Cloud account.
VirtualClusterName The name of the VC.
Based on the preceding parameter description, you can build a unique ResourceId that corresponds to one VC. Then, you can set Resource to this ResourceId in a custom policy in the RAM console, which limits the RAM user to that VC. The following example shows the policy configuration.
// This example allows the RAM user to manage only the daily-test VC in the China (Hangzhou) region.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListVirtualClusters",
                "openanalytics:GetVirtualCluster",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:123456:virtualcluster/daily-test",
            "Effect": "Allow"
        }
    ]
}
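The following Python model, added here as an example and not part of the Alibaba Cloud documentation, shows why the fine-grained Resource value matters: it evaluates the policy above against concrete action/resource pairs and confirms that the RAM user can read and use daily-test in cn-hangzhou but nothing else. The helper names (vc_resource, is_allowed), the glob-style wildcard matching, and the "explicit Deny wins, otherwise any matching Allow grants" rule are simplifying assumptions about RAM evaluation, not the RAM service's own logic.

```python
import fnmatch
import json

# Constructed policy: the fine-grained example from this page. "123456" is the
# page's placeholder owner ID, not a real account.
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListVirtualClusters",
                "openanalytics:GetVirtualCluster",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:123456:virtualcluster/daily-test",
            "Effect": "Allow"
        }
    ]
}
""")


def vc_resource(region_id, owner_id, vc_name):
    """Build the Resource string for a VC in the format this page describes."""
    return f"acs:openanalytics:{region_id}:{owner_id}:virtualcluster/{vc_name}"


def _matches(pattern, value):
    # Assumption: "*" in Action/Resource strings behaves like a glob wildcard.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified RAM-style evaluation (assumption): an explicit Deny that matches
    both the action and the resource wins; otherwise any matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Running the checks with a VC named "prod", a different region, or DeleteVirtualCluster shows the request being refused, which is the least-privilege effect the fine-grained Resource value is meant to produce.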