To prevent security risks such as data leakage and unintended operations when you use E-MapReduce (EMR), you must properly manage the permissions of members. This topic describes the permission management system of EMR.
Permission management system
Item | Description |
Principals | EMR supports the following principals: |
Objects | EMR supports fine-grained permission management on objects, such as Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), Object Storage Service (OSS) buckets, and Data Lake Formation (DLF) metadata. You manage user permissions on these objects by using the authorization solutions that EMR provides. |
User group authorization | If you want to grant the same permissions to multiple users, you can assign a role to the users as a group. This simplifies the authorization operation. For more information, see Grant permissions to a RAM user group. |
User authorization | You can grant permissions to users by using one of the following methods: |
References
The first time you use EMR, you must use your Alibaba Cloud account to assign specified roles to EMR. For more information, see Assign roles to an Alibaba Cloud account.
For information about how to manage permissions of different roles such as developers and O&M engineers, see Grant permissions to RAM users.
EMR service roles allow you to use EMR to access other Alibaba Cloud services when you configure resources or perform service-level operations on your EMR cluster. For more information, see EMR service roles.
EMR application roles allow applications that run on an EMR cluster to access other Alibaba Cloud resources. For more information, see ECS application role (used in a minor version later than EMR V3.32.0 or EMR V4.5.0 and EMR 5.X series).
For information about how to use a custom ECS application role, see Use a custom ECS application role to access other cloud resources in your Alibaba Cloud account.