
OSS ACL

Last Updated: Dec 06, 2017

Operating Steps

E-MapReduce supports using RAM to isolate the data of different sub-accounts. The operating steps are as follows:

  1. Log on to the Alibaba Cloud RAM Management console.

  2. Create the sub-account in RAM by following the process in How to create the sub-account in RAM.

  3. Click Authorization Policy Management on the left of the Alibaba Cloud RAM Management console to open the authorization policy management page.

  4. Click Customized Authorization Policy.

  5. Click New Authorization Policy at the upper right of the page to open the authorization policy creation page, and create the policy by following the prompts. Create one policy for each set of authorization controls you need.

    Assume that you need the following two sets of data control policies:

    • Testing environment, bucket name: test-bucket. The corresponding complete policy is as follows:

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "oss:ListBuckets"
            ],
            "Resource": [
              "acs:oss:*:*:*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "oss:ListObjects",
              "oss:GetObject",
              "oss:PutObject",
              "oss:DeleteObject"
            ],
            "Resource": [
              "acs:oss:*:*:test-bucket",
              "acs:oss:*:*:test-bucket/*"
            ]
          }
        ]
      }

    • Production environment, bucket name: prod-bucket. The corresponding complete policy is as follows:

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "oss:ListBuckets"
            ],
            "Resource": [
              "acs:oss:*:*:*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "oss:ListObjects",
              "oss:GetObject",
              "oss:PutObject"
            ],
            "Resource": [
              "acs:oss:*:*:prod-bucket",
              "acs:oss:*:*:prod-bucket/*"
            ]
          }
        ]
      }

  6. Click User Management on the left of the Alibaba Cloud RAM Management console.

  7. Find the sub-account to which the policy is to be granted and click the Management button on the right to open the user management page.

  8. Click User Authorization Policy on the left of the page.

  9. Click Edit Authorization Policy at the upper right to open the authorization policy page.

  10. Select and add the authorization policy.

  11. Click Confirm to complete the policy authorization of the sub-account.

  12. Click User Details on the left of the user management page to open the user details page of the sub-account.

  13. Click Start Console Logon in the Web console logon management bar to enable console logon for the sub-account.

Complete and use

After completing all the preceding steps, use the corresponding sub-account to log on to E-MapReduce. The following limits apply:

  • All buckets are visible in the OSS selection interface for cluster, operation, and plan execution creation, but only the authorized bucket can be entered.

  • Only the content under the authorized bucket can be seen; content under other buckets cannot.

  • Only the authorized bucket can be read and written. Otherwise, an error is reported.
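
The limits above can be checked offline before the policies are attached to a sub-account. The following Python sketch is an added example, not Alibaba Cloud code and not the RAM policy engine: it models evaluation as implicit deny with field-by-field `*` matching, and the region, account ID, object keys and the `test-bucket-old` bucket are constructed placeholders.

```python
import re

def glob(pattern, value):
    # '*' is the only wildcard; every other character is literal.
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value, re.DOTALL) is not None

def match(pattern, value):
    # Compare colon-separated fields one by one, so a '*' in the region or
    # account field can never swallow part of the bucket name.
    p, v = pattern.split(":", 4), value.split(":", 4)
    return len(p) == len(v) and all(glob(a, b) for a, b in zip(p, v))

def is_allowed(policy, action, resource):
    # Simplified model (assumption): implicit deny, explicit Deny beats Allow.
    allowed = False
    for st in policy["Statement"]:
        if any(match(a, action) for a in st["Action"]) and \
           any(match(r, resource) for r in st["Resource"]):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def bucket_policy(bucket, object_actions):
    # Same two-statement shape as the policies on this page.
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["oss:ListBuckets"],
         "Resource": ["acs:oss:*:*:*"]},
        {"Effect": "Allow", "Action": object_actions,
         "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]}]}

RW = ["oss:ListObjects", "oss:GetObject", "oss:PutObject"]
TEST = bucket_policy("test-bucket", RW + ["oss:DeleteObject"])
PROD = bucket_policy("prod-bucket", RW)

# Constructed resource names; region and account ID are placeholders.
ARN = "acs:oss:cn-hangzhou:1234567890:"
CHECKS = [
    ("oss:ListBuckets", ARN + "*"),
    ("oss:GetObject", ARN + "test-bucket/in/a.csv"),
    ("oss:GetObject", ARN + "prod-bucket/in/a.csv"),
    ("oss:DeleteObject", ARN + "prod-bucket/in/a.csv"),
    ("oss:GetObject", ARN + "test-bucket-old/in/a.csv"),
]

def matrix():
    # One row per request: (action, bucket/key, test policy, prod policy).
    return [(a, r.split(":", 4)[4], is_allowed(TEST, a, r), is_allowed(PROD, a, r))
            for a, r in CHECKS]

if __name__ == "__main__":
    for row in matrix():
        print("%-17s %-26s test=%-5s prod=%s" % row)
```

The last two rows are the ones to watch: the production policy grants no delete, and the `bucket` plus `bucket/*` resource pair does not extend to a bucket that merely shares the `test-bucket` prefix.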
