This topic describes how to grant permissions to a RAM user. After the permissions are granted, the RAM user can submit jobs to the serverless Spark engine of Data Lake Analytics (DLA).

Prerequisites

  • A RAM user is created. For more information, see Create a RAM user.
  • A DLA sub-account is created.

Procedure

  1. Log on to the RAM console and grant the DLA access permissions to the RAM user. For more information, see Grant permissions to a RAM user.
    RAM provides three system policies that grant DLA access permissions. In the Add Permissions panel, set Authorization to Alibaba Cloud account all resources, click System Policy in the Select Policy section, and then enter DLA in the search box to find the DLA-related policies, as shown in the following figure.
    The following table describes the DLA-related system policies.
    | Policy | Description |
    | --- | --- |
    | AliyunDLAFullAccess | Provides the administrator-level permissions on DLA. After you add this policy for a RAM user, the RAM user has all permissions on DLA. For example, the RAM user can create and delete clusters and submit jobs. |
    | AliyunDLAReadOnlyAccess | Provides the visitor-level permissions on DLA. After you add this policy for a RAM user, the RAM user has read-only permissions on DLA. For example, the RAM user can view the status of clusters and jobs. However, the RAM user cannot change the status of clusters or submit jobs. |
    | AliyunDLADeveloperAccess | Provides the developer-level permissions on DLA. After you add this policy for a RAM user, the RAM user can view the status of clusters and jobs, and submit and run jobs. However, the RAM user cannot create or delete clusters. |
  2. Bind the RAM user to the DLA sub-account. For more information, see Bind a DLA child account with a RAM user.
  3. Click here to grant the RAM user the permissions to access resources.
    This operation automatically creates the AliyunDLASparkProcessingDataRole role. If the system policies AliyunDLAFullAccess and AliyunDLADeveloperAccess are added for a RAM user, this RAM user has the permissions that this role has.

Verify the permissions of the RAM user

After you complete the preceding operations, you can log on to the DLA console as the RAM user. In the left-side navigation tree, choose Serverless Spark > Submit job. Then, submit a Spark job to check whether the permissions of the RAM user are properly configured. For more information, see Create and run Spark jobs and Configure a Serverless Spark job.

Configuration example:
{
    "name": "SparkPi",
    "file": "local:///tmp/spark-examples.jar",
    "className": "org.apache.spark.examples.SparkPi",
    "args": [
        "100"
    ],
    "conf": {
        "spark.driver.resourceSpec": "medium",
        "spark.executor.instances": 1,
        "spark.executor.resourceSpec": "medium"
    }
}

Note: If you do not specify spark.dla.roleArn in conf, the system automatically uses the ARN of AliyunDLASparkProcessingDataRole. You can also manually specify spark.dla.roleArn. For more information, see Grant permissions to a RAM user.
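
The following pre-submission check is an added example, not code from the DLA documentation or console. It reports which role a job configuration will run as (the default role, or an explicit spark.dla.roleArn) and whether the RAM user's attached system policies allow submission. The preflight function, the approved-role list, the sample account IDs, the etl-wide-role name, and the acs:ram::<account-id>:role/<role-name> ARN layout are assumptions made for this example.

```python
import json
import re

# Which system policies allow job submission, per the table on this page.
CAN_SUBMIT = {"AliyunDLAFullAccess": True, "AliyunDLADeveloperAccess": True,
              "AliyunDLAReadOnlyAccess": False}
DEFAULT_ROLE = "AliyunDLASparkProcessingDataRole"
# Assumed RAM role ARN layout: acs:ram::<account-id>:role/<role-name>
ARN_RE = re.compile(r"^acs:ram::(\d+):role/([\w.\-]+)$")

def preflight(job_json, attached_policies, account_id, approved_roles=()):
    """Return (effective_role, findings) for one Spark job configuration."""
    findings = []
    conf = json.loads(job_json).get("conf") or {}
    if not any(CAN_SUBMIT.get(p, False) for p in attached_policies):
        findings.append("no attached DLA system policy allows job submission")
    if "AliyunDLAFullAccess" in attached_policies:
        findings.append("AliyunDLAFullAccess also allows creating and deleting "
                        "clusters; AliyunDLADeveloperAccess is enough to submit")
    arn = conf.get("spark.dla.roleArn")
    if arn is None:  # not specified: the system uses the default role
        return DEFAULT_ROLE, findings
    match = ARN_RE.match(str(arn))
    if match is None:
        findings.append(f"spark.dla.roleArn is not a RAM role ARN: {arn!r}")
        return None, findings
    owner, role = match.groups()
    if owner != str(account_id):
        findings.append(f"role is owned by account {owner}, not {account_id}")
    approved = {DEFAULT_ROLE.lower(), *(r.lower() for r in approved_roles)}
    if role.lower() not in approved:
        findings.append(f"role {role} is not on the approved list")
    return role, findings

# Constructed sample inputs: the account IDs and the etl-wide-role name are made up.
DEFAULT_JOB = '{"name": "SparkPi", "conf": {"spark.executor.instances": 1}}'
OVERRIDE_JOB = json.dumps({"name": "SparkPi", "conf": {
    "spark.dla.roleArn": "acs:ram::2222222222222222:role/etl-wide-role"}})

if __name__ == "__main__":
    for job, policies in [(DEFAULT_JOB, ["AliyunDLADeveloperAccess"]),
                          (OVERRIDE_JOB, ["AliyunDLAFullAccess"]),
                          (DEFAULT_JOB, ["AliyunDLAReadOnlyAccess"])]:
        print(preflight(job, policies, "1111111111111111"))
```

An empty findings list means the job runs as the default or an approved role and the RAM user holds a policy that permits submission.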