This topic describes how to create Resource Access Management (RAM) users and manage service accounts for RAM users. Currently, Knox and Kerberos accounts are supported.

Prerequisites

To allow an E-MapReduce cluster to support Kerberos accounts, you must enable the Kerberos cluster mode when you create the cluster. Alternatively, you can click Enable Kerberos Mode on the Cluster Management page to enable the high-security mode after the cluster is created.

After the high-security mode is enabled, all components in the cluster use Kerberos for authentication. For more information, see Introduction to Kerberos.

Create a RAM user

You can use RAM to create and manage user accounts, which include employee accounts, system accounts, and application accounts. You can also manage the operation permissions that these user accounts have on the resources of your account. To create a RAM user, follow these steps:

  1. Log on to the Alibaba Cloud E-MapReduce console.
  2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page that appears, click Users.
  6. On the Users page that appears, click Create RAM User in the upper-right corner to access the Overview page of the RAM console.
    You can use RAM to create users and groups, and add permissions. For more information, see the RAM documentation.

Activate a Knox account

After you create a RAM user, you can follow these steps to activate a Knox account for the RAM user:

  1. On the Users page, find the target RAM user and click Set Knox Password in the Action column.
  2. In the Set Password dialog box that appears, set Password and Confirm password.
  3. Click OK.
  4. Click Refresh in the upper-right corner to refresh the Users page and view the status of the Knox account.
    If Synchronized appears in the Knox Account column, the Knox account is activated. Then you can use the username and password to log on to Knox.

    For more information, see Knox.

Delete a Knox account

  1. On the Users page, find the target RAM user and click Delete Knox Account in the Action column.
  2. Click OK.
  3. Click Refresh in the upper-right corner to refresh the Users page and check whether the Knox account is deleted.
    If Not Synchronized appears in the Knox Account column, the Knox account is deleted.

Activate a Kerberos account

After you create a RAM user, you can follow these steps to activate a Kerberos account for the RAM user:

  1. On the Users page, find the target RAM user and click Set Kerberos Password in the Action column.
  2. In the Set Password dialog box that appears, set Password and Confirm password.
  3. Click OK.
  4. Click Refresh in the upper-right corner to refresh the Users page and view the status of the Kerberos account.
    If Synchronized appears in the Kerberos Account column, the Kerberos account is activated.

Delete a Kerberos account

  1. On the Users page, find the target RAM user and click Delete Kerberos Account in the Action column.
  2. Click OK.
  3. Click Refresh in the upper-right corner to refresh the Users page and check whether the Kerberos account is deleted.
    If Not Synchronized appears in the Kerberos Account column, the Kerberos account is deleted.

Note

Different clusters cannot share a Knox account because Knox accounts are created separately in each cluster. For example, Knox account A created in cluster-1 cannot be shared with cluster-2. To use Knox account A in cluster-2, you must create this account in cluster-2.