All Products
Search
Document Center

E-MapReduce:Grant access to OSS or OSS-HDFS

Last Updated:Dec 11, 2024

This topic describes how to grant access to Object Storage Service (OSS) and OSS-HDFS.

Grant access to OSS

You can use custom policies to flexibly define the access permissions of RAM users on OSS data. Perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the policy document and click OK.

    OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see RAM policies.

    Important

    We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the oss:ListObjectVersions and oss:DeleteObjectVersion policies regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.

    Sample custom policies:

           {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:ListObjectVersions",
                "oss:DeleteObjectVersion"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
    Note

    In the policy document, replace <yourBucketName> with the name of the bucket on which you want to grant permissions.

  6. Configure the Name and Description parameters and click OK.

Other scenarios

  • Grant read-only access to OSS

    Important

    We recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the oss:ListObjectVersions policy regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.

           {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:GetObject",
                "oss:RestoreObject",
                "oss:ListObjectVersions"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
  • Grant access to OSS buckets in which the versioning feature is enabled

    Important

    We recommend that you do not enable the versioning feature for OSS. This may cause performance issues.

           {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "oss:ListObjects",
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:DeleteObjectVersion",
                "oss:RestoreObjectVersion"
              ],
              "Resource": [
                "acs:oss:*:*:<yourBucketName>",
                "acs:oss:*:*:<yourBucketName>/*"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "oss:ListBuckets"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
    Note

    We recommend that you grant all required permissions on the OSS buckets to the related user to avoid AccessDenied issues.

Grant access to OSS-HDFS

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the policy document and click OK. Sample custom policy:

    {
        "Statement": [
            {
              "Effect": "Allow",
              "Action": "oss:ListObjects",
              "Resource": [
                "acs:oss:*:*:*"
              ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetBucketInfo",
                    "oss:PostDataLakeStorageFileOperation",
                    "oss:PostDataLakeStorageAdminOperation"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "oss:*",
                "Resource": [
                    "acs:oss:*:*:*/.dlsdata",
                    "acs:oss:*:*:*/.dlsdata*"
                ]
            }
        ],
        "Version": "1"
    }
  6. Configure the Name and Description parameters and click OK.