Resource Access Management (RAM) users who manage XXL-JOB job scheduling need two sets of permissions:
Job scheduling permissions -- Control access to XXL-JOB clusters, applications, jobs, and operations.
CloudMonitor read-only permissions -- Display scheduling statistics dashboards on XXL-JOB instance pages.
Grant both sets of permissions to each RAM user. Without the CloudMonitor read-only policy, scheduling statistics dashboards on the basic information page of XXL-JOB instances are hidden.
Job scheduling permissions
You can grant XXL-JOB permissions by using a system policy or a custom policy:
System policy -- Attach a system policy in the RAM console for common scenarios such as full access or read-only access. See Grant permissions to a RAM user.
Custom policy -- Create a custom policy for fine-grained, instance-level control. See Custom policy examples.
Permission scopes
XXL-JOB permissions are scoped at two levels:
Account-level -- Applies to all resources. Every RAM user needs this permission to access the XXL-JOB console.
Instance-level -- Scoped to specific XXL-JOB instances. Use these to grant fine-grained access per instance.
Account-level permission
Every RAM user who accesses XXL-JOB must have the following permission. It applies globally and is not filtered by instance.
| Action | Description | Read-only |
|---|---|---|
| ListClusters | List clusters | Yes |
Instance-level permissions
Grant these permissions selectively based on what each RAM user needs to do. Each permission is scoped to specific instances.
Query
| Action | Description | Read-only |
|---|---|---|
| ListAppNames | List application names | Yes |
| ListApps | List applications | Yes |
| ListCalendarNames | List custom calendar names | Yes |
| ListExecutors | List executors | Yes |
| ListJobs | List jobs | Yes |
| ListJobExecutions | List job executions | Yes |
| ListScheduleTimes | List the next five scheduling times | Yes |
Create
| Action | Description | Read-only |
|---|---|---|
| CreateCluster | Create a cluster | No |
| CreateApp | Create an application in an XXL-JOB instance | No |
| CreateJob | Create an XXL-JOB job | No |
Update
| Action | Description | Read-only |
|---|---|---|
| UpdateCluster | Update a cluster | No |
| UpdateApp | Update an application in an XXL-JOB instance | No |
| UpdateJob | Update an XXL-JOB job | No |
Delete
| Action | Description | Read-only |
|---|---|---|
| DeleteCluster | Delete a cluster | No |
| DeleteApp | Delete an application | No |
| DeleteJobs | Delete multiple jobs at a time | No |
O&M operations
| Action | Description | Read-only |
|---|---|---|
| OperateDesignateExecutors | Designate executors for a job | No |
| OperateDisableJobs | Disable multiple jobs at a time | No |
| OperateEnableJobs | Enable multiple jobs at a time | No |
| OperateExecuteJob | Run a job once | No |
| OperateRerunJob | Rerun a job within a specified period | No |
| OperateRetryJobExecution | Retry a failed job execution | No |
| OperateStopJobExecution | Stop a running job execution | No |
Custom policy examples
XXL-JOB uses the schedulerx3 service namespace. Resource ARNs follow this format:
```
acs:schedulerx3:<region>:<account-id>:cluster/<instance-id>
```
| ARN segment | Description | Wildcard |
|---|---|---|
| `<region>` | Region ID, such as cn-hangzhou | * matches all regions |
| `<account-id>` | Alibaba Cloud account ID | * matches all accounts |
| `<instance-id>` | XXL-JOB instance ID, such as xxljob-0pp1j8om80a | * matches all instances |
For example, acs:schedulerx3:*:*:cluster/* matches all XXL-JOB instances across all regions and accounts.
Every custom policy requires two statements:
Account-level statement -- Grants ListClusters on all resources (acs:schedulerx3:*:*:*). Required for console access.
Instance-level statement -- Grants specific actions on target instances.
To create a custom policy, go to the RAM console. Choose Permissions > Policies > Create Policy, select Script editing mode, and paste the JSON.
Full access to a specific instance
Grants read and write access to all operations on instance xxljob-0pp1j8om80a. The RAM user can create, update, delete, and run jobs on this instance. Other instances are not accessible.
```json
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "schedulerx3:*",
      "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
```
Replace xxljob-0pp1j8om80a with the ID of your XXL-JOB instance. Find the instance ID on the Clusters page in the MSE console.
Read-only access to a specific instance
Grants read-only access to instance xxljob-0pp1j8om80a. The RAM user can view clusters, applications, jobs, and executions. Creating, modifying, or running jobs is not allowed.
```json
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "schedulerx3:List*",
        "schedulerx3:Get*"
      ],
      "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
```
The List* and Get* wildcards match all query actions. New read-only actions added in the future are automatically included.
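A pre-attachment check for policies like the ones above, as an added example that is not Alibaba Cloud code: it reports whether a policy carries the account-level ListClusters statement and which of the non-read-only actions from the tables on this page each resource pattern receives. The matcher is a simplification that treats only `*` as a wildcard and ignores Deny statements and conditions; `audit_policy` and the report keys are names chosen for this example.

```python
import json
import re

# Actions marked "Read-only: No" in the tables on this page.
WRITE_ACTIONS = (
    "CreateCluster CreateApp CreateJob UpdateCluster UpdateApp UpdateJob "
    "DeleteCluster DeleteApp DeleteJobs OperateDesignateExecutors "
    "OperateDisableJobs OperateEnableJobs OperateExecuteJob OperateRerunJob "
    "OperateRetryJobExecution OperateStopJobExecution"
).split()
ACCOUNT_RESOURCE = "acs:schedulerx3:*:*:*"

# The page's "full access to a specific instance" policy, compacted.
FULL_ACCESS_ONE_INSTANCE = """{"Version": "1", "Statement": [
 {"Effect": "Allow", "Action": "schedulerx3:ListClusters",
  "Resource": "acs:schedulerx3:*:*:*"},
 {"Effect": "Allow", "Action": "schedulerx3:*",
  "Resource": "acs:schedulerx3:*:*:cluster/xxljob-0pp1j8om80a"}]}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, text):
    # Simplified matcher (assumption): only "*" is a wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def audit_policy(policy_json):
    """Report console access and the write actions each resource pattern gets."""
    report = {"console_access": False, "write_grants": {}, "unscoped_write": False}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny and Condition are not modelled here
        actions = _as_list(stmt["Action"])
        granted = [w for w in WRITE_ACTIONS
                   if any(_glob(a, "schedulerx3:" + w) for a in actions)]
        for resource in _as_list(stmt["Resource"]):
            if _glob(resource, ACCOUNT_RESOURCE) and any(
                    _glob(a, "schedulerx3:ListClusters") for a in actions):
                report["console_access"] = True
            if granted:
                report["write_grants"].setdefault(resource, []).extend(granted)
                # A "*" instance segment (or a bare trailing "*") is every instance.
                if resource.rsplit("/", 1)[-1] == "*" or resource.endswith(":*"):
                    report["unscoped_write"] = True
    return report
```

Run over the read-only policy above, the report's `write_grants` is empty, because none of the actions this page marks as not read-only begins with List or Get.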
Read-only access to all instances
Grants read-only access to every XXL-JOB instance under the account. The cluster/* wildcard matches all instances.
```json
{
  "Statement": [
    {
      "Action": "schedulerx3:ListClusters",
      "Resource": "acs:schedulerx3:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "schedulerx3:List*",
        "schedulerx3:Get*"
      ],
      "Resource": "acs:schedulerx3:*:*:cluster/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
```
CloudMonitor read-only permissions
XXL-JOB integrates with CloudMonitor for scheduling statistics. Attach the CloudMonitor read-only system policy to the RAM user. This displays dashboards on the basic information page of XXL-JOB instances.
Without this policy, the scheduling statistics dashboards are hidden.
To attach the policy, go to the RAM console, find the target RAM user, choose Permissions > Grant Permission, search for the CloudMonitor read-only policy, and attach it.