This topic describes how to grant access to Object Storage Service (OSS) and OSS-HDFS.
Grant access to OSS
You can use custom policies to flexibly define the access permissions of RAM users on OSS data. Perform the following steps:
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy document and click OK.
OSS provides a complete system for data permission management. For more information about how to configure RAM policies for OSS, see RAM policies.
ImportantWe recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the
oss:ListObjectVersions
andoss:DeleteObjectVersion
policies regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.Sample custom policies:
{ "Version": "1", "Statement": [ { "Action": [ "oss:ListObjects", "oss:GetBucketInfo", "oss:PutObject", "oss:GetObject", "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListMultipartUploads", "oss:ListParts", "oss:RestoreObject", "oss:ListObjectVersions", "oss:DeleteObjectVersion" ], "Resource": [ "acs:oss:*:*:<yourBucketName>", "acs:oss:*:*:<yourBucketName>/*" ], "Effect": "Allow" }, { "Action": [ "oss:ListBuckets" ], "Resource": "*", "Effect": "Allow" } ] }
NoteIn the policy document, replace
<yourBucketName>
with the name of the bucket on which you want to grant permissions.Configure the Name and Description parameters and click OK.
Other scenarios
Grant read-only access to OSS
ImportantWe recommend that you follow the principle of least privilege when you configure policies. If you deploy Hive and Spark in your cluster, you must configure the
oss:ListObjectVersions
policy regardless of whether the versioning feature is enabled for OSS. EMR triggers the versioning feature for common temporary directories, such as _temporary, .staging, .hive-staging, and __magic.{ "Version": "1", "Statement": [ { "Action": [ "oss:ListObjects", "oss:GetBucketInfo", "oss:GetObject", "oss:RestoreObject", "oss:ListObjectVersions" ], "Resource": [ "acs:oss:*:*:<yourBucketName>", "acs:oss:*:*:<yourBucketName>/*" ], "Effect": "Allow" }, { "Action": [ "oss:ListBuckets" ], "Resource": "*", "Effect": "Allow" } ] }
Grant access to OSS buckets in which the versioning feature is enabled
ImportantWe recommend that you do not enable the versioning feature for OSS. This may cause performance issues.
{ "Version": "1", "Statement": [ { "Action": [ "oss:ListObjects", "oss:GetBucketInfo", "oss:PutObject", "oss:GetObject", "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListMultipartUploads", "oss:ListParts", "oss:RestoreObject", "oss:ListObjectVersions", "oss:GetObjectVersion", "oss:DeleteObjectVersion", "oss:RestoreObjectVersion" ], "Resource": [ "acs:oss:*:*:<yourBucketName>", "acs:oss:*:*:<yourBucketName>/*" ], "Effect": "Allow" }, { "Action": [ "oss:ListBuckets" ], "Resource": "*", "Effect": "Allow" } ] }
NoteWe recommend that you grant all required permissions on the OSS buckets to the related user to avoid AccessDenied issues.
Grant access to OSS-HDFS
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy document and click OK. Sample custom policy:
{ "Statement": [ { "Effect": "Allow", "Action": "oss:ListObjects", "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetBucketInfo", "oss:PostDataLakeStorageFileOperation", "oss:PostDataLakeStorageAdminOperation" ], "Resource": "*" }, { "Effect": "Allow", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*/.dlsdata", "acs:oss:*:*:*/.dlsdata*" ] } ], "Version": "1" }
Configure the Name and Description parameters and click OK.