
Microservices Engine:Grant permissions to RAM users

Last Updated:Apr 15, 2024

SchedulerX allows you to use Resource Access Management (RAM) to grant permissions to multiple users and user groups at a time. RAM provides fine-grained permission management, which allows you to grant permissions based on the principle of least privilege. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with other users and effectively reduces security risks. This topic describes how to grant RAM users the permissions to perform specific operations.

Background information

You can attach two types of RAM policies that define SchedulerX permissions to RAM users for quick permission authorization. The two types of RAM policies have different effective scopes, so attach the RAM policies based on your business requirements. If you want to grant permissions to RAM users in a more fine-grained manner, see Sample custom policies.

Grant RAM users the permissions to create resources

By default, a RAM user does not have the permissions to create, view, or manage any resources in SchedulerX. You can grant a RAM user the permissions to create resources. By default, all resources created by the RAM user can be read and written by the RAM user.

Procedure:

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create a custom policy on the JSON tab. The following code provides an example of a custom RAM policy that grants a RAM user or user group the permissions to create namespaces and instance groups in the namespaces. A RAM user has the access permissions only to instance groups created by the RAM user. If a RAM user needs the access permissions to instance groups and resources created by another RAM user, you must create and attach a custom policy to the RAM user. For more information, see Sample custom policies.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["edas:CreateSchedulerxNamespace*",
                           "edas:CreateSchedulerxAppGroup*"],
                "Effect": "Allow",
                "Resource": "acs:edas:*:*:*"
            }
        ]
    }
  3. (Optional) Create a RAM user or user group. For more information, see Create a RAM user or Create a RAM user group. If a RAM user or user group exists, you can skip this step.

  4. Attach the custom policy created in Step 2 to a single RAM user. For more information, see Grant permissions to a RAM user.

  5. Attach the custom policy created in Step 2 to a user group and add RAM users to the user group.

    1. Attach the policy to the user group. For more information, see Grant permissions to a RAM user group.

    2. Add RAM users to the user group. For more information, see Method 2: Add a RAM user to a RAM user group on the Groups page.

Create resources as an administrator and grant permissions to RAM users

In most cases, only the O&M personnel of software projects have the permissions to create resources. The development personnel have only the read and management permissions. You can create an administrator role for the O&M personnel to grant them the permissions to manage all resources in SchedulerX. Then, the administrator can create namespaces and instance groups. If RAM users want to access the namespaces and instance groups, the administrator creates policies that define the access permissions to the namespaces and instance groups and attaches the policies to the RAM users.

Procedure:

  1. Log on to the RAM console.

  2. Create a custom policy. For more information, see Create a custom policy on the JSON tab. The following code provides an example of a custom RAM policy that grants a RAM user or user group the administrator permissions of SchedulerX. Then, the RAM user or user group can manage all resources in SchedulerX.

    {
      "Statement": [
        {
          "Action": "edas:*Schedulerx*",
          "Effect": "Allow",
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ],
      "Version": "1"
    }
  3. (Optional) Create a RAM user or user group. For more information, see Create a RAM user or Create a RAM user group. If a RAM user or user group exists, you can skip this step.

  4. Attach the custom policy created in Step 2 to a single RAM user. For more information, see Grant permissions to a RAM user.

  5. Attach the custom policy created in Step 2 to a user group and add RAM users to the user group.

    1. Attach the policy to the user group. For more information, see Grant permissions to a RAM user group.

    2. Add RAM users to the user group. For more information, see Method 2: Add a RAM user to a RAM user group on the Groups page.

SchedulerX permissions

By default, an Alibaba Cloud account has the permissions to manage all resources within the account. We recommend that you use RAM to grant specific permissions to different users. SchedulerX allows you to attach a policy to multiple RAM users or user groups at a time. This way, you do not need to grant permissions to users one by one. The following table describes the shared system policies supported by SchedulerX.

System policy: AdministratorAccess

Description: Provides the permissions to manage all Alibaba Cloud resources, including the permissions to perform all operations on all resources in SchedulerX.

The following code provides an example of a custom RAM policy that contains the Action and Resource elements. You can create a custom policy based on the rules that are defined by SchedulerX. The Action element lists the actions that are allowed; for information about how to configure it, see the "Action" section. The Resource element lists the resources that can be accessed; for information about how to configure it, see the "Resource" section.

Policy structure

{
  "Statement": [
    {
      "Action": "edas:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Action

SchedulerX defines the Action element in the following structure:

edas:${type}Schedulerx*

${type}: The valid values of the ${type} parameter are Read, Manage, Delete, and Create. The following table lists the valid values and describes the operations related to each value.

Create: Create namespaces, applications, jobs, and workflows.

Manage:

  • Modify namespaces.

  • Import jobs, export jobs, modify jobs, enable jobs, disable jobs, manually run jobs, re-run jobs, and specify machines.

  • Stop job instances, re-run job instances, set the state of job instances to successful, set the state of workflow instances to successful, and re-run tasks.

  • Modify workflows, import job configurations to workflows, manually run workflows, re-run workflows, enable workflows, and disable workflows.

  • Modify instance groups.

Delete: Delete namespaces, instance groups, jobs, and workflows.

Read: Query instance groups, jobs, job instances, workflows, and online instances.

Resource

SchedulerX defines the Resource element in the following structure:

acs:edas:${regionid}:${accountid}:namespace/${namespace_id}/${resourceType}/${resourceId}

${regionid}: The region in which the resource that you want to access is deployed. If you want to use the default setting, enter an asterisk (*).

${accountid}: The Alibaba Cloud account to which the resource you want to access belongs. If you want to use the default setting, enter an asterisk (*).

${namespace_id}: The ID of the namespace to which the resource you want to access belongs. To obtain the ID, perform the following steps:

  • SchedulerX users

    1. Log on to the SchedulerX console.

    2. In the left-side navigation pane, click Namespace. On the Namespace page, move the pointer over the Namespace ID column of the desired namespace, click the copy icon to copy the ID, and then paste the ID as the value of the ${namespace_id} parameter.


  • Enterprise Distributed Application Service (EDAS) users

    1. Log on to the EDAS console.

    2. In the left-side navigation pane, choose Resource Management > Microservice Namespaces. On the Microservice Namespaces page, move the pointer over the Microservices Namespace Name /ID/TID column of the desired namespace, click the copy icon to copy the ID, and then paste the ID as the value of the ${namespace_id} parameter.


${resourceType}: The type of the resource that you want to access. A value of JobGroup specifies a job group in SchedulerX. Jobs are grouped by application.

${resourceId}: The ID of the resource that you want to access. If you set the ${resourceType} parameter to JobGroup, the ${resourceId} parameter specifies an application ID in the Application Management module of SchedulerX.

To obtain the value of the ${resourceId} parameter, perform the following steps:

  1. Log on to the SchedulerX console.

  2. In the left-side navigation pane, click Application Management. On the Application Management page, move the pointer over the Application ID/Application key column of the desired application, click the copy icon to copy the ID, and then paste the ID as the value of the ${resourceId} parameter.


Sample custom policies

Grant RAM users the management permissions on all resources

RAM users that have the management permissions of SchedulerX can perform all operations on all resources in SchedulerX. Sample policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "edas:*Schedulerx*"
            ],
            "Resource": [
                "acs:edas:*:*:*"
            ]
        }
    ]
}

Grant RAM users the read-only permissions on all resources

RAM users that have the read-only permissions of SchedulerX can query all resources in SchedulerX. Sample policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "edas:ReadSchedulerx*"
            ],
            "Resource": [
                "acs:edas:*:*:*"
            ]
        }
    ]
}

Grant RAM users the management permissions on specified namespaces

The following code provides an example of a custom RAM policy that defines the management permissions on application and job resources in specified namespaces. The IDs of the specified namespaces must be obtained from the Microservice Namespaces page of the EDAS console. In this example, the specified namespaces are ID-01 and ID-02. RAM users who have this custom policy can manage and schedule all resources in the specified namespaces. You can also modify the Action element to narrow the access permissions on these resources. For example, if you set the Action element to edas:ReadSchedulerx*, RAM users who have this custom policy can only query resources in the specified namespaces.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "edas:*Schedulerx*"
            ],
            "Resource": [
                "acs:edas:*:*:namespace/Namespace ID-01/*",
                "acs:edas:*:*:namespace/Namespace ID-02/*"
            ]
        }
    ]
}

Grant RAM users the management permissions on specified applications

The following code provides an example of a custom RAM policy that defines the management permissions on specific applications. The Resource element specifies the IDs of the applications whose management permissions you want to grant to RAM users. You can also include an asterisk (*) in the Resource element to grant the management permissions on multiple applications to RAM users at a time. For example, if you include TestGroup* in the Resource element of a custom policy, the custom policy defines the management permissions on all applications that are prefixed with TestGroup in the specified namespace.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "edas:*Schedulerx*"
            ],
            "Resource": [
                "acs:edas:*:*:namespace/Namespace ID-01/JobGroup/TestGroup*",
                "acs:edas:*:*:namespace/Namespace ID-02/JobGroup/AppGroup"
            ]
        }
    ]
}
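As an added illustration (not Alibaba Cloud's RAM policy engine and not code from this page), the following Python script applies the Action and Resource matching rules from the "Action" and "Resource" sections to policies modelled on the read-only and application-scoped samples above: it shows that the read-only policy rejects a delete action and that the application-scoped policy covers TestGroup-prefixed applications in namespace ID-01 but not AppGroup in the same namespace. The action name edas:DeleteSchedulerxJob, the namespace IDs, the application names and the account ID are constructed placeholders, and Condition elements are not modelled.

```python
import json
import re

# Added illustration of how the Action and Resource patterns on this page are
# matched. It is NOT Alibaba Cloud's RAM policy engine: it assumes statements
# carry only Effect, Action and Resource (no Condition), that "*" is the only
# wildcard, that an explicit Deny beats any Allow, and that everything else is
# denied by default.

def matches(pattern, value):
    """True if a policy pattern such as "edas:*Schedulerx*" or
    "acs:edas:*:*:namespace/ID-01/JobGroup/TestGroup*" covers `value`."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def is_allowed(policy_json, action, resource):
    """Evaluate one request (action, resource) against a policy document."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(matches(p, action) for p in as_list(stmt["Action"])):
            continue
        if not any(matches(p, resource) for p in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed

# Constructed policies modelled on this page's samples; namespace IDs,
# application names and action names are placeholders.
READ_ONLY = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["edas:ReadSchedulerx*"], "Resource": ["acs:edas:*:*:*"]}]})

APP_SCOPED = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["edas:*Schedulerx*"],
    "Resource": ["acs:edas:*:*:namespace/ID-01/JobGroup/TestGroup*",
                 "acs:edas:*:*:namespace/ID-02/JobGroup/AppGroup"]}]})

# Constructed resource prefix: region cn-hangzhou, placeholder account ID.
NS1 = "acs:edas:cn-hangzhou:1234567890:namespace/ID-01/JobGroup/"

if __name__ == "__main__":
    print(is_allowed(READ_ONLY, "edas:DeleteSchedulerxJob", NS1 + "AppGroup"))    # False
    print(is_allowed(APP_SCOPED, "edas:DeleteSchedulerxJob", NS1 + "TestGroupA"))  # True
    print(is_allowed(APP_SCOPED, "edas:DeleteSchedulerxJob", NS1 + "AppGroup"))    # False
```

Running the script prints False, True, False; a wrong wildcard placement (for example omitting the trailing asterisk on TestGroup) would surface immediately as a denied request.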