Before you ship data to OSS-HDFS, you must obtain management permissions on OSS-HDFS data shipping jobs and grant data access permissions to OSS-HDFS data shipping jobs.
Management permissions on OSS-HDFS data shipping jobs
To ensure the security of your cloud resources, we recommend that you use a Resource Access Management (RAM) user, rather than your Alibaba Cloud account, to manage OSS-HDFS data shipping jobs.
The management permissions are the permissions to create, delete, modify, and view OSS-HDFS data shipping jobs.
An Alibaba Cloud account has management permissions on Simple Log Service. The permissions are specified by the AliyunLogFullAccess system policy. If you use an Alibaba Cloud account to manage OSS-HDFS data shipping jobs, you do not need to grant permissions to the account.
If you use a RAM user to manage OSS-HDFS data shipping jobs, you must grant the RAM user the management permissions on OSS-HDFS data shipping jobs. For more information, see Grant management permissions on OSS-HDFS data shipping jobs.
Data access permissions for OSS-HDFS data shipping jobs
OSS-HDFS data shipping jobs can read data from source Logstores and write data to Object Storage Service (OSS) buckets only after the jobs are granted the required data access permissions. You can use a default or custom RAM role to grant the data access permissions.
Default role: The AliyunLogDefaultRole default role has permissions to read data from source Logstores and write data to OSS buckets. You can authorize OSS-HDFS data shipping jobs to assume the default role to access the required data. For more information, see Access data by using a default role.
Custom role: You must grant a custom role the permissions to read data from source Logstores and write data to OSS buckets. Then, you can authorize OSS-HDFS data shipping jobs to assume the custom role to access the required data. For more information, see Access data within the same Alibaba Cloud account by using a custom RAM role and Access data across Alibaba Cloud accounts by using a custom RAM role.