This topic describes the actions and resources specified in the custom policies that are attached to a Resource Access Management (RAM) user of Data Lake Analytics (DLA). This topic provides guidelines for creating custom policies to grant RAM users fine-grained permissions.
Custom policies
You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you select Script for Configuration Mode when you create a custom policy, you need to specify actions and resources in the code editor of the Policy Document section based on the JSON template. For more information, see Create a custom policy.
Examples
Example 1:The Alibaba Cloud account with the ID of
1234567890 deploys a virtual cluster named dla-vc1 in the China (Hangzhou) region and configures the policy dla-vc1-policy. The permissions provided by the policy allow a RAM user to submit jobs in this cluster,
terminate these jobs, and view the detailed log information of these jobs.
Note The RAM user that is granted these permissions is not authorized to perform the following
operations:
- View the detailed log information of the jobs that are submitted by other RAM users.
- Terminate jobs that are submitted by other RAM users.
- Commit code for interactive jobs of other RAM users.
The created policy contains the following content:
{
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:ConsolePermission",
"openanalytics:ListSparkJobs",
"openanalytics:SubmitSparkJob",
"openanalytics:ListVirtualCluster",
"openanalytics:GetVirtualCluster"
],
"Resource": "acs:openanalytics:cn-hangzhou:1234567890:virtualcluster/dla-vc1",
"Effect": "Allow"
}
]
}The Alibaba Cloud account with the ID of
1234567890 is expected to grant a RAM user permissions to manage the assets of all data lakes
in the China (Hangzhou) region. The Alibaba Cloud account creates a policy named dla-cn-hangzhou-admin. The created policy contains the following content: {
"Version": "1",
"Statement": [
{
"Action": [
"openanalytics:*"
],
"Resource": "acs:openanalytics:cn-hangzhou:1234567890:*",
"Effect": "Allow"
}
]
}Note For more information about the parameters in the policy, see Actions and resources of custom policies.
Actions and resources of custom policies
Console permissions| Action | Resource | Action description |
|---|---|---|
| ConsolePermission | * | Allows a RAM user to access the DLA console. If the RAM user is not granted this permission, the RAM user can use only API operations to access the DLA console. |
Note The resource syntax is acs:openanalytics:${RegionId}:${OwnerId}:virtualcluster/${VirtualClusteName}.
An asterisk
(*) represents all resources. For more information, see Policy elements.
| Action | Resource | Action description |
|---|---|---|
| ListSparkJobs | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusteName>/sparkjobs/* | Allows a RAM user to query all Spark jobs. |
| SubmitSparkJob | Allows a RAM user to submit a Spark job. | |
| Allows a RAM user to submit a Spark SQL statement. | ||
| GetSparkJob | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusteName>/sparkjobs/jobid | Allows a RAM user to obtain the status of a Spark job. |
| Allows a RAM user to obtain the logs of a Spark job. | ||
| Allows a RAM user to obtain the detailed configurations and Spark web UI of a Spark job. | ||
| Allows a RAM user to obtain the status of the current session. | ||
| KillSparkJob | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusteName>/sparkjobs/jobid | Allows a RAM user to kill a Spark job. |
| ExecuteSparkStatement | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusteName>/sparkjobs/<jobid>/statements/* | Allows a RAM user to execute a code block in a session and obtain the ID of the code block. |
| ListSparkStatements | Allows a RAM user to obtain the execution information of all code blocks in the session cache. | |
| CancelSparkStatement | acs:openanalytics:<region>:<account-id>:virtualcluster/<virtualClusteName>/sparkjobs/<jobid>/statements/<statementid> | Allows a RAM user to attempt to terminate the execution of a code block. |
| GetSparkStatement | Allows a RAM user to obtain the execution information of a specified code block. |
| Action | Resource | Action description |
|---|---|---|
| ListLakehouses | acs:openanalytics:${regionId}:${parentId}:lakehouse/* | Allows a RAM user to view lakehouses. |
| CreateLakehouse | acs:openanalytics:${regionId}:${parentId}:lakehouse/* | Allows a RAM user to create a lakehouse. |
| ListLakehouseWorkloads | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* | Allows a RAM user to view workloads of a lakehouse. |
| CreateLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/* | Allows a RAM user to create a workload for a lakehouse. |
| DeleteLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to delete a workload from a lakehouse. |
| StartLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to start a workload. |
| StopLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to stop a workload that is running. |
| RedoLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to redo a workload, for example, export some data again. |
| DescribeLakehouseWorkload | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to view the details of a workload. |
| GetLakehouseWorkloadMonitorInfo | acs:openanalytics:${regionId}:${parentId}:lakehouse/${lakehouseId}/workload/${workloadId} | Allows a RAM user to view the failure logs of a workload and the Spark web UI. |