Grant a RAM user the permissions to access OSS-HDFS - Object Storage Service

This topic describes how to use an Alibaba Cloud account to enable OSS-HDFS and grant permissions to a RAM user to access OSS-HDFS.

Prerequisites

A RAM user is created and an AccessKey pair of the RAM user is recorded. For more information, see Create a RAM user.

Grant a RAM user the permissions to connect EMR clusters to OSS-HDFS

E-MapReduce (EMR) clusters that meet the version requirements are integrated with OSS-HDFS by default. If you want to use a RAM user to access OSS-HDFS in an EMR cluster and perform common operations, you need to only attach the AliyunEMRFullAccess system policy to the RAM user. The system policy contains all the required permissions to allow the EMR cluster to access OSS-HDFS. This way, the EMR cluster can perform all necessary operations, including object reading and writing and metadata management.

For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Grant a RAM user the permissions to connect non-EMR clusters to OSS-HDFS

If you want to use a RAM user to connect non-EMR clusters to OSS-HDFS and perform common operations, you must attach the following custom policies to the RAM user.

The following custom policies are used to ensure that JindoSDK integrates and interacts with OSS-HDFS and can perform all necessary operations, from basic object reading and writing to advanced data lake management.

oss:ListObjects ("acs:oss:*:*:*")
Allows a RAM user to list all objects in a bucket. In the HDFS API, a RAM user can use the policy to view the objects and subdirectories in a directory.
oss:GetBucketInfo, oss:PostDataLakeStorageFileOperation, oss:PostDataLakeStorageAdminOperation (corresponding resource: "*")
- oss:GetBucketInfo: allows a RAM user to query basic information about a bucket and establish a connection to check the status of the bucket.
- oss:PostDataLakeStorageFileOperation and oss:PostDataLakeStorageAdminOperation: allows operations on OSS data lake, including basic object read and write and advanced metadata management that are compatible with HDFS.
oss:*(corresponding resource: "acs:oss:*:*:*/.dlsdata", "acs:oss:*:*:*/.dlsdata*")
Allows a RAM user to perform operations on all objects whose names contain the .dlsdata/ prefix in the bucket. In most cases, internal metadata is stored in the .dlsdata path in OSS-HDFS. This policy ensures that JindoSDK can perform all object operations and meet management requirements related to OSS-HDFS, including but not limited to creating, deleting, and modifying the objects or directories in the path.

{
    "Statement": [
        {
          "Effect": "Allow",
          "Action": "oss:ListObjects",
          "Resource": [
            "acs:oss:*:*:*"
          ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetBucketInfo",                
                "oss:PostDataLakeStorageFileOperation",
                "oss:PostDataLakeStorageAdminOperation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:*/.dlsdata",
                "acs:oss:*:*:*/.dlsdata*"
            ]
        }
    ],
    "Version": "1"
}

For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.