This topic describes how to grant access to Object Storage Service (OSS) and OSS-HDFS.

Grant access to OSS

You can use custom policies to flexibly define the access permissions of RAM users on OSS data. Perform the following steps:
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.

    OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see Overview.

    Important We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must grant the oss:ListObjectVersions and oss:DeleteObjectVersion actions regardless of whether the versioning feature is enabled for OSS, because EMR invokes the versioning feature on common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.
    Sample custom policy:
        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:AbortMultipartUpload",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:ListObjectVersions",
                "oss:DeleteObjectVersion"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
    Note In the policy document, replace <yourBucketName> with the name of the bucket on which you want to grant permissions.
  6. Configure the Name and Description parameters and click OK.

Other scenarios

  • Grant read-only access to OSS
    Important We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must grant the oss:ListObjectVersions action regardless of whether the versioning feature is enabled for OSS, because EMR invokes the versioning feature on common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.
        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:GetObject",
                "oss:RestoreObject",
                "oss:ListObjectVersions"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
  • Grant access to OSS buckets in which the versioning feature is enabled
    Important We recommend that you do not enable the versioning feature for OSS. This may cause performance issues.
        {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:AbortMultipartUpload",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:DeleteObjectVersion",
                "oss:RestoreObjectVersion"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
    Note We recommend that you grant all required permissions on the OSS buckets to the related user to avoid AccessDenied issues.
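Before attaching either the read/write or the read-only policy above, it is worth checking the document against the rules this page states. The following is an added example, not Alibaba Cloud code: a small linter that flags an unreplaced <yourBucketName> placeholder, a statement that names the bucket ARN without its /* object ARN (or vice versa), oss:* granted on every resource, and a Hive/Spark policy that lacks the version actions the notes above require. The bucket name example-bucket and the sample policy are constructed for the demonstration.

```python
"""Static checks on an OSS RAM policy document (added example, not Alibaba Cloud code).
Encodes this page's guidance: placeholder replaced, bucket and bucket/* ARNs both
present, no oss:* on every resource, version actions Hive/Spark need regardless of versioning."""
import json
import re

PLACEHOLDER = "<yourBucketName>"
WRITE_ACTIONS = {"oss:PutObject", "oss:DeleteObject"}
RW_REQUIRED = {"oss:ListObjectVersions", "oss:DeleteObjectVersion"}
RO_REQUIRED = {"oss:ListObjectVersions"}
ARN = re.compile(r"acs:oss:\*:\*:([^/*]+)(/\*)?")  # bucket ARN with optional /* suffix

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_oss_policy(policy_json: str, hive_or_spark: bool = True) -> list:
    """Return findings as strings; an empty list means the policy passes."""
    findings = []
    if PLACEHOLDER in policy_json:
        findings.append(f"{PLACEHOLDER} was not replaced with a bucket name")
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        granted |= actions
        if "oss:*" in actions and any(r in ("*", "acs:oss:*:*:*") for r in resources):
            findings.append("oss:* granted on every resource (not least privilege)")
        buckets, objects = set(), set()
        for r in resources:
            m = ARN.fullmatch(r)
            if m:
                (objects if m.group(2) else buckets).add(m.group(1))
        for b in sorted(buckets ^ objects):  # one ARN form present without the other
            findings.append(f"{b}: need both acs:oss:*:*:{b} and acs:oss:*:*:{b}/*")
    if hive_or_spark and "oss:*" not in granted:
        required = RW_REQUIRED if granted & WRITE_ACTIONS else RO_REQUIRED
        for action in sorted(required - granted):
            findings.append(f"Hive/Spark needs {action} even with versioning disabled")
    return findings

# Constructed sample: this page's read-only policy with the bucket filled in but
# oss:ListObjectVersions left out, so lint_oss_policy reports the Hive/Spark gap.
SAMPLE_RO_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetBucketInfo", "oss:GetObject", "oss:RestoreObject"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]},
    {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"}]})
```

Calling `lint_oss_policy(SAMPLE_RO_POLICY)` returns one finding for the missing oss:ListObjectVersions action; both policies shown above pass with no findings once <yourBucketName> is replaced.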

Grant access to OSS-HDFS

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information. Sample custom policy:
        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "oss:ListObjects",
              "Resource": [
                "acs:oss:*:*:*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "oss:GetBucketInfo",
                "oss:PostDataLakeStorageFileOperation",
                "oss:PostDataLakeStorageAdminOperation"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "oss:*",
              "Resource": [
                "acs:oss:*:*:*/.dlsdata",
                "acs:oss:*:*:*/.dlsdata*"
              ]
            }
          ],
          "Version": "1"
        }
  6. Configure the Name and Description parameters and click OK.