To access OSS-HDFS, a Resource Access Management (RAM) user needs specific permissions. The required permissions depend on how the RAM user connects to OSS-HDFS: through an E-MapReduce (EMR) cluster or a non-EMR cluster.
Prerequisites
Before you begin, ensure that you have:
A RAM user with a recorded AccessKey pair. See Create a RAM user.
Grant access for EMR clusters
If the RAM user connects through an EMR cluster, attach the AliyunEMRFullAccess system policy to the RAM user. EMR clusters that meet the version requirements integrate with OSS-HDFS by default, and this policy grants all permissions the cluster needs, including object read/write and metadata management.
For instructions, see Grant permissions to a RAM user.
Grant access for non-EMR clusters
If the RAM user connects through a non-EMR cluster, create and attach the following custom policy. The policy grants JindoSDK the permissions to integrate with OSS-HDFS, from basic object read/write to metadata management.
Permissions required
| Action | Resource | Purpose |
|---|---|---|
| oss:ListObjects | acs:oss:*:*:* | List objects in a bucket, including objects and subdirectories when accessed through the HDFS API |
| oss:GetBucketInfo | * | Query basic bucket information and verify bucket status when establishing a connection |
| oss:PostDataLakeStorageFileOperation | * | Read and write objects through the HDFS-compatible interface |
| oss:PostDataLakeStorageAdminOperation | * | Manage HDFS-compatible metadata |
| oss:* | acs:oss:*:*:*/.dlsdata, acs:oss:*:*:*/.dlsdata* | Perform all operations on objects under the .dlsdata prefix, where OSS-HDFS stores internal metadata. This covers creating, modifying, and deleting objects and directories in that path. |
Custom policy JSON
Create a custom policy using the following JSON:
```json
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:ListObjects",
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetBucketInfo",
                "oss:PostDataLakeStorageFileOperation",
                "oss:PostDataLakeStorageAdminOperation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:*/.dlsdata",
                "acs:oss:*:*:*/.dlsdata*"
            ]
        }
    ],
    "Version": "1"
}
```

After creating the policy, attach it to the RAM user. See Grant permissions to a RAM user.
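To audit an existing custom policy against the "Permissions required" table before attaching it, the following added example (not part of the original documentation or of any Alibaba Cloud tooling) reports which rows no Allow statement covers. It assumes `*` is the only wildcard and does not evaluate Deny statements or Condition blocks; the function names and the sample policy are constructed for illustration.

```python
import json
import re

# Required grants, copied from the "Permissions required" table on this page.
REQUIRED = [
    ("oss:ListObjects", "acs:oss:*:*:*"),
    ("oss:GetBucketInfo", "*"),
    ("oss:PostDataLakeStorageFileOperation", "*"),
    ("oss:PostDataLakeStorageAdminOperation", "*"),
    ("oss:*", "acs:oss:*:*:*/.dlsdata"),
    ("oss:*", "acs:oss:*:*:*/.dlsdata*"),
]


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def covers(granted, required):
    """True if pattern `granted` matches everything `required` matches.
    Assumption: '*' is the only wildcard and matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in granted.split("*"))
    # Each '*' in `required` becomes NUL, which only a '*' in `granted` can absorb.
    return re.fullmatch(regex, required.replace("*", "\x00"), re.DOTALL) is not None


def missing_grants(policy_text):
    """Rows of REQUIRED that no Allow statement covers.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    statements = _as_list(json.loads(policy_text)["Statement"])
    missing = []
    for action, resource in REQUIRED:
        if not any(
            s.get("Effect") == "Allow"
            and any(covers(a, action) for a in _as_list(s.get("Action", [])))
            and any(covers(r, resource) for r in _as_list(s.get("Resource", [])))
            for s in statements
        ):
            missing.append((action, resource))
    return missing


# Constructed sample: omits metadata management and the .dlsdata grant.
SAMPLE = ('{"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",'
          ' "Action": ["oss:ListObjects", "oss:GetBucketInfo",'
          ' "oss:PostDataLakeStorageFileOperation"]}]}')

if __name__ == "__main__":
    for row in missing_grants(SAMPLE):
        print("not covered:", row)
```

An empty result means the policy is at least as broad as the documented one. A non-empty result lists the table rows that JindoSDK would be missing.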
Limitations
RAM policies and bucket policies cannot restrict access to specific paths or files within HDFS.