All Products
Search

This Product

    E-MapReduce:Grant access to OSS or OSS-HDFS

    Document Center

    E-MapReduce:Grant access to OSS or OSS-HDFS

    Last Updated:Sep 25, 2024

    This topic describes how to grant access to Object Storage Service (OSS) and OSS-HDFS.

    Grant access to OSS

    You can use custom policies to flexibly define the access permissions of RAM users on OSS data. Perform the following steps:

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab.

    5. Enter the policy document and click Next to edit policy information.

      OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see RAM policies.

      Important

      We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the oss:ListObjectVersions and oss:DeleteObjectVersion policies regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.

      Sample custom policies: 

             {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:DeleteObjectVersion"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
      Note

      In the policy document, replace <yourBucketName> with the name of the bucket on which you want to grant permissions.

    6. Configure the Name and Description parameters and click OK.

    Other scenarios

    • Grant read-only access to OSS

      Important

      We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the oss:ListObjectVersions policy regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic. 

             {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketInfo",
            "oss:GetObject",
            "oss:RestoreObject",
            "oss:ListObjectVersions"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    • Grant access to OSS buckets in which the versioning feature is enabled

      Important

      We recommend that you do not enable the versioning feature for OSS. This may cause performance issues. 

             {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:DeleteObjectVersion",
            "oss:RestoreObjectVersion"
          ],
          "Resource": [
            "acs:oss:*:*:<yourBucketName>",
            "acs:oss:*:*:<yourBucketName>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
      Note

      We recommend that you grant all required permissions on the OSS buckets to the related user to avoid AccessDenied issues.

    Grant access to OSS-HDFS

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab.

    5. Enter the policy document and click Next to edit policy information. Sample custom policy: 

      {
    "Statement": [
        {
          "Effect": "Allow",
          "Action": "oss:ListObjects",
          "Resource": [
            "acs:oss:*:*:*"
          ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetBucketInfo",
                "oss:PostDataLakeStorageFileOperation",
                "oss:PostDataLakeStorageAdminOperation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:*/.dlsdata",
                "acs:oss:*:*:*/.dlsdata*"
            ]
        }
    ],
    "Version": "1"
}

    6. Configure the Name and Description parameters and click OK.