Platform For AI:Grant permissions on AI computing resource groups

Background information

RAM permissions control the management of cloud-native resources and resource quotas. Cloud-native resources include general computing resources and Lingjun resources.

Resource pool

A resource pool contains purchased computing resources for AI development in dedicated resource groups (ResourceGroup).

For more information, see Overview.

Resource quota

A resource quota is a subset of AI computing resources from a resource pool. After a resource quota is associated with a workspace, workspace members can use the resources for AI development and online service deployment. For more information, see Overview.

Resource quotas follow a tree structure, as shown in the following figure. A resource quota created from the resource pool is called a root resource quota. Each root resource quota can be divided into multiple child resource quotas, and each child quota can be further divided.

Procedure

1. Create a RAM user. For more information, see Create a RAM user.

2. Create a custom policy. For more information, see the "Create a custom policy on the JSON tab" section in Create custom policies.

   For the permissions granted by different custom policies, see Examples.

3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

Examples

Resource pool management permissions

RAM users with resource pool management permissions can view, create, update, and delete dedicated resource groups in the resource pool.

Sample policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:*ResourceGroup*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}

Root resource quota creation, scaling, and deletion permissions

A root resource quota (first-level) obtains computing resources from associated resource groups in a resource pool. One or more resource groups can be selected. Therefore, creating or scaling a root resource quota requires permissions for both the resource pool and the resource quota.

The following sample policy defines Get, List, and Update permissions for three resource pools: resourcegroup1, resourcegroup2, and resourcegroup3. An authorized RAM user can create a root resource quota only by allocating resources from these three resource pools.

"acs:pai:*:*:quota/*" indicates that a user with this policy can operate on all resource quota trees, but resource sources are limited to the resourcegroup1, resourcegroup2, and resourcegroup3 dedicated resource groups.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:GetResourceGroup",
        "pai:ListResourceGroups",
        "pai:UpdateResourceGroup"
      ],
      "Resource": [
        "acs:pai:*:*:resourcegroup/resourcegroup1",
        "acs:pai:*:*:resourcegroup/resourcegroup2",
        "acs:pai:*:*:resourcegroup/resourcegroup3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*"
      ]
    }
  ]
}

Root resource quota management permissions

Managing a root resource quota does not require resource pool permissions. For example, a RAM user with quota1 management permissions can perform the following operations:

• View quota1.

• Update the metadata of quota1, such as the tag and description.

• Manage child resource quotas of quota1: create, update, scale, and delete.

The policy for quota1 contains two Statements. The first Statement defines permissions for the resource quota tree rooted at quota1. The second Statement defines permissions for quota1 itself.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1"
      ]
    }
  ]
}

Child resource quota management permissions

For example, a RAM user with quota1.2 management permissions can perform the following operations:

• View quota1.2.

• Update the metadata of quota1.2, such as the tag and description.

• Manage child resource quotas of quota1.2: create, update, scale, and delete.

The policy for managing quota1.2 contains two Statements: the first defines permissions for the resource quota tree rooted at quota1.2, and the second defines permissions for quota1.2 itself.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2"
      ]
    }
  ]
}

VPC permissions

If you purchase Lingjun resources in the China (Ulanqab) region, VPC configuration is available when creating root and child resource quotas in the PAI console. Add VPC permissions to the quota-related policy. Sample policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}