Before members in a workspace can use various compute engine instances in the workspace, the members must be granted the permissions that are required to access the data in the compute engine instances. The methods that are used to obtain the permissions vary based on the compute engine type. This topic describes how to manage permissions on data in compute engine instances in DataWorks.
Prerequisites
- You are familiar with the physical attributes of workspaces. For more information, see Differences between workspaces in basic mode and workspaces in standard mode.
- You are familiar with the environment types of compute engine instances that are used in different DataWorks services. For more information, see the Appendix: Compute engines that correspond to different DataWorks service modules in workspaces in basic and standard modes section in Differences between workspaces in basic mode and workspaces in standard mode.
Permissions required to access data in different types of compute engine instances
The following table describes the permissions that are required to access data in different types of compute engine instances and the methods that can be used to grant the permissions to the members in a workspace.
| Compute engine type | Permission description | References |
|---|---|---|
| MaxCompute |
Built-in role The built-in workspace-level roles of DataWorks are mapped to the roles of a MaxCompute compute engine instance. If you assign a built-in workspace-level role to a RAM user, the RAM user is automatically granted the permissions of the mapped role of the MaxCompute compute engine instance in the development environment.
Custom workspace-level role If you create a custom workspace-level role and map the role to a role of a MaxCompute compute engine instance, the custom workspace-level role has the permissions of the mapped role of the MaxCompute compute engine instance. |
|
| E-MapReduce (EMR) | You can configure mappings between the members in a workspace and the accounts of the EMR compute engine instance that is associated with the workspace. This way, the members in the workspace are granted the permissions of the accounts of the EMR compute engine instance. | |
| Cloudera's Distribution including Apache Hadoop (CDH) | When you associate a CDH compute engine with a workspace as a compute engine instance, you can configure mappings between the members in the workspace and Linux or Kerberos accounts of the CDH compute engine instance. This way, the members in the workspace are granted the permissions on the CDH compute engine instance. | Associate a CDH compute engine with a workspace |
| Hologres | You can grant the permissions on a Hologres compute engine instance to the members in a workspace by using policies supported by Hologres. If you want to grant the permissions on a Hologres compute engine instance associated with a workspace to the members in the workspace, you must perform the authorization based on the authorization-related topic in Hologres. | Permission management overview |
| Other types of compute engines | The permissions on the compute engine instances are determined by the scheduling access
identities that are specified for different environments when you associate the compute
engines with a workspace.
Note
|
- |