
E-MapReduce: OSS and OSS-HDFS authorization

Last Updated: Apr 17, 2026

This topic describes how to configure access permissions for OSS and OSS-HDFS using RAM. You can create custom policies to meet your security and business requirements.

OSS authorization

Follow these steps to create a policy:

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, select the JSON Editor tab.

  5. Enter the policy document and click OK.

    OSS provides a comprehensive permission system. For more information about OSS authorization policies, see Overview of RAM Policies.

    Important
    • For users of Hive or Spark services in a cluster, include the oss:ListObjectVersions and oss:DeleteObjectVersion permissions in the policy, regardless of whether versioning is enabled. EMR triggers versioning-related operations on common temporary directories, such as "_temporary", ".staging", ".hive-staging", and "__magic".

    • When you configure a bucket policy, grant the oss:* (full control) permission to prevent AccessDenied (HTTP 403) errors.

    The following examples show custom policies for common scenarios.

    Full access

    This policy grants full control over data in the specified OSS bucket.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
             "oss:ListObjects",
             "oss:GetBucketInfo",
             "oss:PutObject",
             "oss:GetObject",
             "oss:DeleteObject",
             "oss:AbortMultipartUpload",
             "oss:ListMultipartUploads",
             "oss:ListParts",
             "oss:RestoreObject",
             "oss:ListObjectVersions",
             "oss:DeleteObjectVersion"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["oss:ListBuckets"],
          "Resource": "*"
        }
      ]
    }
    

    Read-only access

    This policy grants read-only access for data analysis or queries.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketInfo",
            "oss:GetObject",
            "oss:RestoreObject",
            "oss:ListObjectVersions"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["oss:ListBuckets"],
          "Resource": "*"
        }
      ]
    }
    

    Versioning

    Use this policy when versioning is enabled for an OSS bucket.

    Important

    Use this feature with caution.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:DeleteObjectVersion",
            "oss:RestoreObjectVersion"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["oss:ListBuckets"],
          "Resource": "*"
        }
      ]
    }
    
  6. Enter a Policy Name and Remarks, and then click OK.

OSS-HDFS authorization

OSS-HDFS is an Alibaba Cloud object storage service compatible with HDFS interfaces. Use this service when you need HDFS semantics on top of OSS storage.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, select the JSON Editor tab.

  5. Enter the policy document and click OK. The following is an example policy.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "oss:ListObjects",
          "Resource": "acs:oss:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetBucketInfo",
            "oss:PostDataLakeStorageFileOperation",
            "oss:PostDataLakeStorageAdminOperation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "oss:*",
          "Resource": [
            "acs:oss:*:*:*/.dlsdata",
            "acs:oss:*:*:*/.dlsdata*"
          ]
        }
      ]
    }
    
    Note
    • The .dlsdata path in the policy is a dedicated path for OSS-HDFS. Ensure the resource path is configured correctly.

    • To avoid granting excessive permissions, adjust the Action and Resource scope based on your business requirements.

  6. Enter a Policy Name and Remarks, and then click OK.
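
The following is an added example, not part of the original documentation. It is a small Python audit that applies two notes from this topic to a policy document before it is pasted into the JSON Editor: the Hive/Spark versioning actions, and narrowing the Action and Resource scope. The function names, the `example-bucket` name, and the choice to exempt `oss:ListBuckets` from the all-buckets check are assumptions of this example.

```python
# Per the page: Hive/Spark users need these whether or not versioning is enabled.
HIVE_SPARK_REQUIRED = {"oss:ListObjectVersions", "oss:DeleteObjectVersion"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bucket_of(resource):
    # Resource form used on the page: acs:oss:<region>:<account>:<bucket>[/<key>]
    parts = resource.split(":", 4)
    return (parts[4] if len(parts) == 5 else resource).split("/", 1)[0]

def audit_policy(policy, hive_or_spark=False):
    """Return (statement_index, message) findings; index -1 is policy-wide."""
    findings, allowed = [], set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        allowed.update(actions)
        for res in _as_list(stmt.get("Resource", [])):
            every_bucket = _bucket_of(res) == "*"
            for act in actions:
                if act == "oss:*":
                    findings.append((i, f"oss:* granted on {res}"))
                # Assumption of this example: ListBuckets is account-wide by nature.
                elif every_bucket and act != "oss:ListBuckets":
                    findings.append((i, f"{act} applies to every bucket ({res})"))
    if hive_or_spark:  # literal action names only; wildcards are reported above
        for act in sorted(HIVE_SPARK_REQUIRED - allowed):
            findings.append((-1, f"missing {act} (page lists it for Hive/Spark)"))
    return findings

# The page's OSS-HDFS example policy, reproduced as input.
OSS_HDFS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:*"},
    {"Effect": "Allow", "Action": ["oss:GetBucketInfo",
        "oss:PostDataLakeStorageFileOperation", "oss:PostDataLakeStorageAdminOperation"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "oss:*",
     "Resource": ["acs:oss:*:*:*/.dlsdata", "acs:oss:*:*:*/.dlsdata*"]}]}
# The page's read-only policy with a constructed bucket name filled in.
READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetBucketInfo",
        "oss:GetObject", "oss:RestoreObject", "oss:ListObjectVersions"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]},
    {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"}]}

if __name__ == "__main__":
    for idx, msg in audit_policy(OSS_HDFS) + audit_policy(READ_ONLY, True):
        print(idx, msg)
```

Each finding is a prompt to review the grant against your business requirements, not proof that the grant is wrong. The read-only policy is flagged under `hive_or_spark=True` because it omits `oss:DeleteObjectVersion`.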