This topic describes the actions and resources specified in the custom policies that are attached to a Resource Access Management (RAM) user of Data Lake Analytics (DLA). This topic provides guidelines for creating custom policies to grant RAM users fine-grained permissions.
Custom policies
You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you select Script for Configuration Mode when you create a custom policy, you need to specify actions and resources in the code editor of the Policy Document section based on the JSON template. For more information, see Create a custom policy.
Examples
Example 1: The Alibaba Cloud account 1234567890 deploys a virtual cluster named dla-vc1 in the China (Hangzhou) region and configures the policy dla-vc1-policy. The permissions provided by the policy allow a RAM user to submit jobs in this cluster, terminate these jobs, and view the detailed log information of these jobs. The RAM user is not allowed to perform the following operations:
- View the detailed log information of the jobs that are submitted by other RAM users.
- Terminate jobs that are submitted by other RAM users.
- Commit code for interactive jobs of other RAM users.
The created policy contains the following content:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:ConsolePermission",
                "openanalytics:ListSparkJobs",
                "openanalytics:SubmitSparkJob",
                "openanalytics:ListVirtualCluster",
                "openanalytics:GetVirtualCluster"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1",
            "Effect": "Allow"
        }
    ]
}
Example 2: The Alibaba Cloud account 1234567890 wants to grant a RAM user permissions to manage the assets of all data lakes in the China (Hangzhou) region. The Alibaba Cloud account creates a policy named dla-cn-hangzhou-admin. The created policy contains the following content:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "openanalytics:*"
            ],
            "Resource": "acs:openanalytics:cn-hangzhou:1234567890:*",
            "Effect": "Allow"
        }
    ]
}
Actions and resources of custom policies
Console permissions
Action | Resource | Action description |
---|---|---|
ConsolePermission | * | Allows a RAM user to access the DLA console. If the RAM user is not granted this permission, the RAM user can access DLA only by calling API operations. |

(*) represents all resources. For more information, see Policy elements.
Spark job permissions
Action | Resource | Action description |
---|---|---|
ListSparkJobs | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/* | Allows a RAM user to query all Spark jobs. |
SubmitSparkJob | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/* | Allows a RAM user to submit a Spark job or a Spark SQL statement. |
GetSparkJob | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid> | Allows a RAM user to obtain the status of a Spark job, the logs of a Spark job, the detailed configurations and Spark web UI of a Spark job, and the status of the current session. |
KillSparkJob | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid> | Allows a RAM user to kill a Spark job. |
ExecuteSparkStatement | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/* | Allows a RAM user to execute a code block in a session and obtain the ID of the code block. |
ListSparkStatements | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/* | Allows a RAM user to obtain the execution information of all code blocks in the session cache. |
CancelSparkStatement | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/<statementid> | Allows a RAM user to attempt to terminate the execution of a code block. |
GetSparkStatement | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusterName>/sparkjobs/<jobid>/statements/<statementid> | Allows a RAM user to obtain the execution information of a specified code block. |
Lakehouse permissions
Action | Resource | Action description |
---|---|---|
ListLakehouses | acs:openanalytics:${regionId}:${parentId}:lakehouse/* | Allows a RAM user to view lakehouses. |
CreateLakehouse | acs:openanalytics:${regionId}:${parentId}:lakehouse/* | Allows a RAM user to create a lakehouse. |
ListLakehouseWorkloads | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* | Allows a RAM user to view workloads of a lakehouse. |
CreateLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* | Allows a RAM user to create a workload for a lakehouse. |
DeleteLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to delete a workload from a lakehouse. |
StartLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to start a workload. |
StopLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to stop a workload that is running. |
RedoLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to redo a workload, for example, export some data again. |
DescribeLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to view the details of a workload. |
GetLakehouseWorkloadMonitorInfo | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to view the failure logs of a workload and the Spark web UI. |
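The examples above show how a policy is written, and the tables list the actions and resource formats it can reference. The following Python script is an added example, not code from the DLA documentation or from Alibaba Cloud: it models how such a policy document is evaluated (an explicit Deny wins, a matching Allow grants, anything unmatched is implicitly denied), lints a policy for the structural mistakes that commonly slip into hand-written JSON, and audits which of the actions from the tables a policy grants on a given resource. The two policies in the script are constructed for illustration (one mirrors example 1, the other is a region-wide admin policy with an explicit Deny on KillSparkJob); the matching rule (only `*` is a wildcard, action names compared case-insensitively, resources case-sensitively) is a simplified assumption about RAM's behaviour, not the product's documented algorithm.

```python
import re

# Action names taken from the tables on this page (the DLA "openanalytics" service).
DLA_ACTIONS = [
    "openanalytics:ConsolePermission",
    "openanalytics:ListSparkJobs", "openanalytics:SubmitSparkJob",
    "openanalytics:GetSparkJob", "openanalytics:KillSparkJob",
    "openanalytics:ExecuteSparkStatement", "openanalytics:ListSparkStatements",
    "openanalytics:CancelSparkStatement", "openanalytics:GetSparkStatement",
    "openanalytics:ListLakehouses", "openanalytics:CreateLakehouse",
    "openanalytics:ListLakehouseWorkloads", "openanalytics:CreateLakehouseWorkload",
    "openanalytics:DeleteLakehouseWorkload", "openanalytics:StartLakehouseWorkload",
    "openanalytics:StopLakehouseWorkload", "openanalytics:RedoLakehouseWorkload",
    "openanalytics:DescribeLakehouseWorkload", "openanalytics:GetLakehouseWorkloadMonitorInfo",
]

# Constructed policy modelled on example 1: one cluster, an explicit list of actions.
CLUSTER_SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["openanalytics:ConsolePermission", "openanalytics:ListSparkJobs",
                   "openanalytics:SubmitSparkJob", "openanalytics:ListVirtualCluster",
                   "openanalytics:GetVirtualCluster"],
        "Resource": "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1",
        "Effect": "Allow",
    }],
}

# Constructed policy: region-wide admin (like example 2) plus an explicit Deny on job kills.
ADMIN_WITH_DENY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["openanalytics:*"],
         "Resource": "acs:openanalytics:cn-hangzhou:1234567890:*",
         "Effect": "Allow"},
        {"Action": ["openanalytics:KillSparkJob"],
         "Resource": "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/*",
         "Effect": "Deny"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """Simplified RAM matching (assumption): '*' matches any run of characters,
    every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Decide one (action, resource) request against one policy document."""
    decision = "Deny"  # implicit deny until a statement matches
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def allowed_actions(policy, resource, catalog=DLA_ACTIONS):
    """Least-privilege audit: which catalogued actions does the policy grant on a resource?"""
    return [a for a in catalog if evaluate(policy, a, resource) == "Allow"]


def validate_policy(policy):
    """Return a list of structural problems; an empty list means the document is well-formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append("Version must be the string '1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for key in ("Action", "Resource", "Effect"):
            if key not in stmt:
                problems.append(f"Statement[{i}] is missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}] Effect must be Allow or Deny")
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith("openanalytics:"):
                problems.append(f"Statement[{i}] action {action!r} is not a DLA action")
    return problems


if __name__ == "__main__":
    job = "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1/sparkjobs/j-1"
    for name, policy in (("cluster-scoped", CLUSTER_SCOPED_POLICY),
                         ("admin-with-deny", ADMIN_WITH_DENY_POLICY)):
        print(name, "problems:", validate_policy(policy))
        print(name, "allowed on", job, "->", allowed_actions(policy, job))
```

Run the script to print, for each constructed policy, its lint result and the actions it grants on a Spark job resource. The cluster-scoped policy names the cluster resource literally, so a request against a different cluster name is denied even though the action is listed, which is the fine-grained scoping the examples are meant to achieve; the admin policy shows that a single Deny statement carves one action out of an `openanalytics:*` grant without touching the rest.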