This topic describes how to configure access permissions for OSS and OSS-HDFS using RAM. You can create custom policies to meet your security and business requirements.
OSS authorization
Follow these steps to create a policy:
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, select the JSON Editor tab.
Enter the policy document and click OK.
OSS provides a comprehensive permission system. For more information about OSS authorization policies, see Overview of RAM Policies.
Important
- For users of Hive or Spark services in a cluster, include the oss:ListObjectVersions and oss:DeleteObjectVersion permissions in the policy, regardless of whether versioning is enabled. EMR triggers versioning-related operations on common temporary directories, such as "_temporary", ".staging", ".hive-staging", and "__magic".
- When you configure a bucket policy (rather than a RAM policy), grant the oss:* (full control) permission; otherwise EMR operations fail with AccessDenied (HTTP 403) errors. Keep the Resource of that statement limited to the bucket and its objects so that the grant does not extend to other buckets in the account.
The following examples show custom policies for common scenarios.
Full access
This policy grants read and write access to the objects in a bucket. It covers the actions that EMR jobs need to read, write, and delete data, but it does not grant bucket management actions.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts",
        "oss:RestoreObject",
        "oss:ListObjectVersions",
        "oss:DeleteObjectVersion"
      ],
      "Resource": [
        "acs:oss:*:*:<yourBucketName>",
        "acs:oss:*:*:<yourBucketName>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets"],
      "Resource": "*"
    }
  ]
}
Read-only access
This policy grants read-only access for data analysis or queries.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketInfo",
        "oss:GetObject",
        "oss:RestoreObject",
        "oss:ListObjectVersions"
      ],
      "Resource": [
        "acs:oss:*:*:<yourBucketName>",
        "acs:oss:*:*:<yourBucketName>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets"],
      "Resource": "*"
    }
  ]
}
Versioning
Use this policy when versioning is enabled for an OSS bucket.
Important: Use this policy with caution. oss:DeleteObjectVersion permanently deletes a specific object version; versioning cannot restore a version that was deleted this way.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts",
        "oss:RestoreObject",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:DeleteObjectVersion",
        "oss:RestoreObjectVersion"
      ],
      "Resource": [
        "acs:oss:*:*:<yourBucketName>",
        "acs:oss:*:*:<yourBucketName>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets"],
      "Resource": "*"
    }
  ]
}
Enter a Policy Name and Remarks, and then click OK.
OSS-HDFS authorization
OSS-HDFS is an Alibaba Cloud object storage service compatible with HDFS interfaces. Use this service when you need HDFS semantics on top of OSS storage.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, select the JSON Editor tab.
Enter the policy document and click OK. The following is an example policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetBucketInfo",
        "oss:PostDataLakeStorageFileOperation",
        "oss:PostDataLakeStorageAdminOperation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*/.dlsdata",
        "acs:oss:*:*:*/.dlsdata*"
      ]
    }
  ]
}
Note
- The .dlsdata path in the policy is the dedicated path in which OSS-HDFS stores its data. Make sure that the resource path is configured correctly.
- To avoid granting excessive permissions, narrow the Action and Resource scope to your business requirements. For example, the oss:* statement above applies to the .dlsdata path of every bucket in the account; replace the wildcard bucket in acs:oss:*:*:*/.dlsdata with the name of the bucket for which OSS-HDFS is enabled.
Enter a Policy Name and Remarks, and then click OK.
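As an added example (this is not code from the Alibaba Cloud documentation), the following Python script generates the bucket-scoped policy documents from both the OSS and the OSS-HDFS sections above and lints a policy for the two pitfalls the notes describe: oss:* granted across all buckets, and a policy for a Hive or Spark cluster that lacks oss:ListObjectVersions or oss:DeleteObjectVersion. The function names, the READ/WRITE action groupings, and the bucket name my-bucket are this example's own assumptions; the action names and resource formats are the ones used in the policies above.

```python
"""Build and lint Alibaba Cloud RAM policies for OSS / OSS-HDFS access from EMR.

Added example; not part of the Alibaba Cloud documentation. The function names
and the action groupings below are this example's own.
"""
import json

# Object-level actions used by the policies in the documentation. The two
# *Version actions must be present for Hive/Spark clusters even when
# versioning is disabled, because EMR issues versioning calls on temp dirs.
READ_ACTIONS = ["oss:ListObjects", "oss:GetBucketInfo", "oss:GetObject",
                "oss:RestoreObject", "oss:ListObjectVersions"]
WRITE_ACTIONS = ["oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload",
                 "oss:ListMultipartUploads", "oss:ListParts",
                 "oss:DeleteObjectVersion"]
VERSIONING_ACTIONS = ["oss:GetObjectVersion", "oss:RestoreObjectVersion"]
REQUIRED_FOR_HIVE_SPARK = {"oss:ListObjectVersions", "oss:DeleteObjectVersion"}


def build_oss_policy(bucket, writable=True, versioning=False):
    """Return a RAM policy (dict) scoped to one bucket and its objects."""
    actions = list(READ_ACTIONS)
    if writable:
        actions += WRITE_ACTIONS
    if versioning:
        actions += VERSIONING_ACTIONS
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": actions,
             "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]},
            # ListBuckets is account-wide and has no bucket-level resource.
            {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"},
        ],
    }


def build_oss_hdfs_policy(bucket):
    """Return the OSS-HDFS policy with .dlsdata scoped to a named bucket.

    Pass "*" to reproduce the generic, account-wide example from the docs.
    """
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": "oss:ListObjects",
             "Resource": f"acs:oss:*:*:{bucket}"},
            {"Effect": "Allow",
             "Action": ["oss:GetBucketInfo", "oss:PostDataLakeStorageFileOperation",
                        "oss:PostDataLakeStorageAdminOperation"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "oss:*",
             "Resource": [f"acs:oss:*:*:{bucket}/.dlsdata",
                          f"acs:oss:*:*:{bucket}/.dlsdata*"]},
        ],
    }


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, hive_or_spark=True):
    """Return a list of findings (strings); an empty list means no issue found."""
    findings = []
    all_actions = set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions.update(actions)
        # oss:* on every bucket is full control of all OSS data in the account.
        if "oss:*" in actions and any(r in ("*", "acs:oss:*:*:*") for r in resources):
            findings.append(f"statement {i}: oss:* granted on all buckets")
        # A path suffix under a wildcard bucket still spans every bucket.
        if "oss:*" in actions and any(r.startswith("acs:oss:*:*:*/") for r in resources):
            findings.append(f"statement {i}: oss:* path grant not scoped to a named bucket")
    if hive_or_spark and "oss:*" not in all_actions:
        missing = REQUIRED_FOR_HIVE_SPARK - all_actions
        if missing:
            findings.append("missing for Hive/Spark: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # "my-bucket" is a placeholder bucket name for this example.
    policy = build_oss_policy("my-bucket", writable=True, versioning=True)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
    print("generic OSS-HDFS findings:", lint_policy(build_oss_hdfs_policy("*")))
```

Running the script prints a versioning-enabled policy for my-bucket with no findings, and flags the generic OSS-HDFS example because its oss:* statement covers the .dlsdata path of every bucket. Linting the read-only policy with hive_or_spark=True reports the missing oss:DeleteObjectVersion, which is exactly the gap the Important note warns about for Hive and Spark users.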