This topic describes the permissions required to schedule jobs with XXL-JOB: job scheduling permissions and read-only permissions on CloudMonitor. Grant each account appropriate permissions so that it has the access it needs while system security is maintained.
If you want to schedule jobs as a Resource Access Management (RAM) user, the RAM user must be granted both job scheduling permissions and read-only permissions on CloudMonitor.
Job scheduling permissions
Permissions
Permissions on the following API operation are granted at the account level. The return data is not filtered based on whether an account is granted permissions on the instances in the clusters. All accounts must be granted permissions on this API operation.
Action | Description | Read-only |
ListClusters | Queries a list of clusters. | Yes |
Permissions on the following API operations are granted at the instance level. You can grant fine-grained permissions to RAM users based on actions.
Category | Action | Description | Read-only |
Query | ListAppNames | Queries a list of application names. | Yes |
Query | ListApps | Queries a list of applications. | Yes |
Query | ListCalendarNames | Queries a list of custom calendar names. | Yes |
Query | ListExecutors | Queries a list of executors. | Yes |
Query | ListJobs | Queries a list of jobs. | Yes |
Query | ListJobExecutions | Queries a list of executions. | Yes |
Query | ListScheduleTimes | Queries the next five scheduling times. | Yes |
Creation | CreateCluster | Creates a cluster. | No |
Creation | CreateApp | Creates an application in an XXL-JOB instance. | No |
Creation | CreateJob | Creates an XXL-JOB job. | No |
Update | UpdateCluster | Updates a cluster. | No |
Update | UpdateApp | Updates an application in an XXL-JOB instance. | No |
Update | UpdateJob | Updates an XXL-JOB job. | No |
Deletion | DeleteCluster | Deletes a cluster. | No |
Deletion | DeleteApp | Deletes an application. | No |
Deletion | DeleteJobs | Deletes multiple jobs at a time. | No |
O&M operation | OperateDesignateExecutors | Designates executors for a job. | No |
O&M operation | OperateDisableJobs | Disables multiple jobs at a time. | No |
O&M operation | OperateEnableJobs | Enables multiple jobs at a time. | No |
O&M operation | OperateExecuteJob | Runs a job once. | No |
O&M operation | OperateRerunJob | Reruns a job within a period. | No |
O&M operation | OperateRetryJobExecution | Reruns a failed execution. | No |
O&M operation | OperateStopJobExecution | Stops a running execution. | No |
Examples of custom policies
Grant a RAM user the read and write permissions on the instance xxljob-0pp1j8om80a.
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "schedulerx3:*",
      "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Grant a RAM user the read-only permissions on the instance xxljob-0pp1j8om80a.
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "schedulerx3:List*",
        "schedulerx3:Get*"
      ],
      "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Grant a RAM user the read-only permissions on all instances.
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "schedulerx3:List*",
        "schedulerx3:Get*"
      ],
      "Resource": "acs:schedulerx3:*:*:cluster/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
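To review a custom policy before attaching it, the following added example (not part of the original documentation or of any Alibaba Cloud tool) expands the policy's wildcards against the action tables above and reports which actions marked Read-only = No it grants on a given instance. It assumes that "*" is the only wildcard, that matching is case-sensitive, and that statements carry no Condition element; the function names are hypothetical, and the region and account ID in the sample resource are constructed placeholders.

```python
import re

# Actions from the tables on this page, split by the "Read-only" column.
READ_ACTIONS = {"ListClusters", "ListAppNames", "ListApps", "ListCalendarNames",
                "ListExecutors", "ListJobs", "ListJobExecutions", "ListScheduleTimes"}
WRITE_ACTIONS = {"CreateCluster", "CreateApp", "CreateJob", "UpdateCluster", "UpdateApp",
                 "UpdateJob", "DeleteCluster", "DeleteApp", "DeleteJobs",
                 "OperateDesignateExecutors", "OperateDisableJobs", "OperateEnableJobs",
                 "OperateExecuteJob", "OperateRerunJob", "OperateRetryJobExecution",
                 "OperateStopJobExecution"}
PREFIX = "schedulerx3:"

def _match(pattern, value):
    # Simplified matching (assumption): only "*" is treated as a wildcard.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def granted_actions(policy, resource):
    """Return the page's actions the policy allows on `resource` (explicit Deny wins)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        hits = {a for a in READ_ACTIONS | WRITE_ACTIONS
                if any(_match(p, PREFIX + a) for p in _as_list(stmt["Action"]))}
        (allowed if stmt["Effect"] == "Allow" else denied).update(hits)
    return allowed - denied

def write_actions_granted(policy, resource):
    """Actions marked Read-only = No that the policy still grants on `resource`."""
    return granted_actions(policy, resource) & WRITE_ACTIONS

# The page's read-only policy for instance xxljob-0pp1j8om80a.
READ_ONLY_POLICY = {"Version": "1", "Statement": [
    {"Action": "schedulerx3:ListClusters", "Resource": "acs:schedulerx3:*:*:*", "Effect": "Allow"},
    {"Action": ["schedulerx3:List*", "schedulerx3:Get*"],
     "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a", "Effect": "Allow"}]}
# Constructed resource: region and account ID are placeholders, not from the page.
TARGET = "acs:schedulerx3:cn-hangzhou:1234567890123456:cluster/xxljob-0pp1j8om80a"

if __name__ == "__main__":
    print("granted:", sorted(granted_actions(READ_ONLY_POLICY, TARGET)))
    print("write actions:", sorted(write_actions_granted(READ_ONLY_POLICY, TARGET)))
```

An empty result from write_actions_granted confirms that a policy intended as read-only grants none of the create, update, delete, or O&M actions listed above.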
Read-only permissions on CloudMonitor
XXL-JOB is integrated with CloudMonitor. If you want to perform operations as a RAM user, the read-only system policy of CloudMonitor must be attached to the RAM user. Otherwise, the RAM user cannot view the scheduling statistics dashboards on the basic information page of XXL-JOB instances.