Grant permissions to a RAM user (detailed version) - Data Lake Analytics - Deprecated

This topic describes how to grant permissions to a Resource Access Management (RAM) user. After the permissions are granted, the RAM user can submit jobs to the serverless Spark engine of Data Lake Analytics (DLA).

Prerequisites

A RAM user is created. For more information, see Create a RAM user.
A DLA sub-account is created.
The RAM user is bound with the DLA child account. For more information, see Bind a RAM user with a DLA sub-account.

Procedure

Log on to the RAM console and grant DLA access permissions to the RAM user.

For more information, see Grant permissions to a RAM user.

Note RAM provides three system policies for you to grant DLA access permissions. In the Add Permissions panel, you can select Alibaba Cloud account all resources for Authorization, click System Policy in the Select Policy section, and then enter DLA in the policy search box to select DLA-related policies.

The following table describes the DLA-related policies.


Policy	Description
AliyunDLAFullAccess	Provides the administrator-level permissions on DLA. After you add this policy for a RAM user, the RAM user has all permissions on DLA. For example, the RAM user can create and delete clusters and submit jobs.
AliyunDLAReadOnlyAccess	Provides the visitor-level permissions on DLA. After you add this policy for a RAM user, the RAM user has read-only permissions on DLA. For example, the RAM user can view the status of clusters and jobs. However, the RAM user cannot modify the status of clusters or submit jobs.
AliyunDLADeveloperAccess	Provides the developer-level permissions on DLA. After you add this policy for a RAM user, the RAM user can view the status of clusters and jobs, and submit and run jobs. However, the RAM user cannot create or delete clusters.

Note You can also create custom policies for fine-grained access control. For example, you can create a policy to specify the clusters that a RAM user can use. For more information, see Grant RAM users fine-grained permissions to access DLA. After the policy is created, you can add this policy for the RAM user.

To enable Spark jobs to access your data, create a role with the data access permission for DLA, and authorize the RAM user to use this role.
A user role is a concept in RAM user control. For more information, see Overview of a RAM user.
1. Log on to the RAM console. Click RAM Roles in the left-side navigation pane. On the RAM Roles page, click Create RAM Role. In the Create RAM Role panel, select Alibaba Cloud Service for Trusted entity type, and click Next.
2. In the Configure Role step of the Create RAM Role page, enter dla-sub-user-role in the RAM Role Name field, select Data Lake Analytics from the Select Trusted Service drop-down list, and then click OK.
3. After the role is created, click Add Permissions to RAM Role to assign DLA access permissions to this role. For example, if you add the AliyunOSSFullAccess policy for this role, the RAM user that uses this role can access all your OSS data.
  
  Note You can also select a custom policy for fine-grained authorization. For more information, see Overview. After you create a fine-grained policy, you can add a custom policy for the role in the custom policy shown in the preceding figure.
4. On the RAM Roles page, search for the role you just created and click the role name.
  
  Note Take note of the following information on this page: The value of Maximum Session Duration is 43200. ARN indicates the ID of the role. Record ARN and use it for subsequent steps.
Authorize dla-sub-user to use the role policy added in Substep c of Step 2.
1. Log on to the RAM console. In the left-side navigation tree, choose Permissions > Policies. On the Policies page, click Create Policy. On the Create Custom Policy page, enter dla-sub-user-auth in the Policy Name field, and select Script for Configuration Mode.
2. Enter the following code in Policy Document.
```
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Resource": "<ARN recorded in Substep d of Step 2>",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "openanalytics.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
```
Authorize dla-sub-user to use the dla-sub-user-auth policy created in Step 3. Detailed operations:
Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. On the Users page, find your RAM user and click the RAM user name. On the page that appears, click the Permissions tab, and click Add Permissions. In the Add Permissions panel, click the Custom Policy tab, and add dla-sub-user-auth to the Selected section.

Verify the permissions of the RAM user

When you submit a job as the RAM user, you must add spark.dla.roleArn to conf. The value of spark.dla.roleArn is the ARN of the role created in Substep d of Step 2. Configuration example:

{
    "name": "SparkPi",
    "file": "oss://sparkRoleTest/original-spark-examples_2.11-2.4.5.jar",
    "className": "org.apache.spark.examples.SparkPi",
    "args": [
        "10"
    ],
    "conf": {
        "spark.dla.roleArn": "acs:ram::xxxxxx:role/dla-sub-user-role"
        "spark.driver.resourceSpec": "small",
        "spark.executor.instances": 2,
        "spark.executor.resourceSpec": "small"
    }
}

When the job is running, the RAM user is authorized to use the permission of the role queried in Substep d of Step 2.