User management allows you to manage the accounts required to create related services on specific clusters. E-MapReduce (EMR) supports two types of accounts: Knox accounts and Kerberos accounts.
Create a RAM user
You can use Resource Access Management (RAM) to create and manage user accounts, which include employee accounts, system accounts, and application accounts. You can also manage the operation permissions that these user accounts have on the resources of your account. To create a RAM user, follow these steps:
- Log on to the Alibaba Cloud E-MapReduce console.
- Click the Cluster Management tab.
- Click the ID of the target cluster, or find the target cluster and click Details in the Actions column.
- In the left-side navigation pane of the Cluster Overview page that appears, click Users.
- On the Users page that appears, click Create RAM User in the upper-right corner to access the Overview page of the RAM console.
- On this page, you can perform operations, such as create a user, create a user group, and grant permissions. For more information, see Resource Access Management.
Add a Knox account
After you create a RAM user, you can follow these steps to add a Knox account to the RAM user:
- Go to the Users page. Select the account you want to add to the cluster, and click Set Knox Password in the Action column.
- In the Set Password dialog box that appears, specify Password and Confirm password, and click OK.
- Click Refresh in the upper-right corner to refresh the Users page and view the status of the Knox account.
If Synchronized is displayed in the Knox Account column, the Knox account is added. Then you can use the username and password set in the preceding step to log on to Knox.
For information about how to use Knox, see Knox.
Delete a Knox account
- Go to the Users page. Select the account you want to delete from the cluster, and click Delete Knox Account in the Action column.
- Click Refresh in the upper-right corner to refresh the Users page and check whether the Knox account is deleted.
If Not Synchronized is displayed in the Knox Account column, the Knox account is deleted.
After the high security mode is enabled, each component in a high-security cluster is authenticated by using Kerberos. For more information about Kerberos, see Introduction to Kerberos.
Different clusters cannot share a Knox account. This is because Knox accounts are created in clusters separately. For example, Knox account A added to cluster-1 cannot be shared with cluster-2. To use Knox account A in cluster-2, you must add this account to cluster-2.