All Products
Search
Document Center

E-MapReduce:Grant permissions to RAM users

Last Updated:Oct 23, 2024

If you want to allow a RAM user to use the E-MapReduce (EMR) console, you must grant the required permissions to the RAM user by using your Alibaba Cloud account in the RAM console.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control in EMR:

  • RAM users: If you purchased multiple instances for an EMR cluster, you can create a policy that allows specific users who are responsible for O&M, development, or data analysis to use these instances. This eliminates the risk of AccessKey pair leaks and ensures account security.

  • RAM user groups: You can create multiple user groups and grant different permissions to them. The authorization process is the same as that for RAM users. The user groups can be used to manage multiple RAM users at the same time.

Policies and roles

The following table describes the policies that are used in EMR.

Policy name

Description

Permission

AliyunEMRFullAccess

Provides RAM users with full access to EMR.

This policy allows RAM users to perform all operations on resources on the EMR on ECS and EMR on ACK pages.

AliyunEMRDevelopAccess

Provides RAM users with the developer permissions of EMR.

This policy allows RAM users to perform operations on all EMR resources, except for the operations to create and release clusters.

AliyunEMRFlowAdmin

Provides RAM users with the administrator permissions on the Data Platform module in EMR.

This policy allows RAM users to create projects and develop and manage jobs. This policy does not allow RAM users to add members to projects or manage clusters.

AliyunEMRDlsFullAccess

Provides RAM users with full access to EMR DLS.

This policy allows RAM users to manage data of EMR DLS.

The following table describes the roles that are used in EMR.

Role name

Description

AliyunOSSDlsDefaultRole

Allows Alibaba Cloud Object Storage Service (OSS) to access the resources in other cloud services.

AliyunEMRDlsDefaultRole

Allows EMR to access the resources in other cloud services.

Procedure

Perform the following steps to grant permissions on EMR resources to a RAM user in the RAM console:

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    image

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permission panel, configure the following parameters based on your business requirements.

    image

    Parameter

    Description

    Resource Scope

    • Account: If you select this option, permissions take effect on the current Alibaba Cloud account.

    • ResourceGroup: If you select this option, permissions take effect on a specified resource group.

    Principal

    The RAM user to which you want to grant permissions.

    Policy

    Select System Policy from the drop-down list, enter EMR in the search box to search for EMR system policies, and then click the required policies to add the policies to the Selected Policy section. For more information about EMR policies, see Policies.

  5. Click Grant permissions.

    The granted permissions immediately take effect. You can log on to the EMR console by using the RAM user to which you granted permissions to check the permissions.

    Note

    If the RAM user no longer requires the permissions, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.