Platform for AI: Grant permissions on AI computing resource groups

Last Updated: Jul 03, 2024

If you want to implement fine-grained permission control on AI computing resources for Platform for AI (PAI), you can create custom policies to grant Resource Access Management (RAM) users the permissions to create, update, delete, or scale resources.

Background information

RAM permissions are used for the management of cloud-native resources and resource quotas. Cloud-native resources include general computing resources and Lingjun resources.

Resource pool

The resource pool contains your purchased computing resources for AI development in dedicated resource groups (ResourceGroup).

For more information, see Overview.

Resource quota

A resource quota is a subcollection of the AI computing resources from the resource pool. After you associate a resource quota with a workspace, workspace members can use the corresponding resources to perform AI development and deploy online services. For more information, see Overview.

You can create resource quotas that follow a tree structure, as shown in the following figure. The resource quota that is created by using resources from the resource pool is called a root resource quota. Each root resource quota can be divided into multiple child resource quotas. Each child resource quota can also be further divided.

[Figure: tree structure of root and child resource quotas]

Procedure

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy. For information about how to create a custom policy, see the "Create a custom policy on the JSON tab" section in the Create custom policies topic.

    For information about the permissions that are granted by different custom policies, see the "Examples" section of this topic.

  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

Examples

Permissions to manage the resource pool

RAM users who have permissions to manage the resource pool can view, create, update, and delete a dedicated resource group in the resource pool.

Note

To grant a RAM user the permissions to manage the resource pool, you must grant Virtual Private Cloud (VPC) permissions to the user. This is because VPC configuration is required when the user creates a dedicated resource group on the Resource Pool page in the PAI console.

Sample policy configuration:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:*ResourceGroup*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}

Permissions to create, scale, and delete root resource quotas

A root resource quota contains resources from one or more dedicated resource groups in the resource pool. To grant a RAM user the permissions to create, update, scale, or delete a root resource quota, you must grant the user the permissions to manage the resource pool and the quota.

The following example defines the Get, List, and Update permissions for three dedicated resource groups in the resource pool: resourcegroup1, resourcegroup2, and resourcegroup3. This indicates that the authorized RAM users can use only the three dedicated resource groups to create root resource quotas.

"acs:pai:*:*:quota/*" indicates that the authorized RAM users can manage all resource quotas that are created by using resources from resourcegroup1, resourcegroup2, and resourcegroup3.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:GetResourceGroup",
        "pai:ListResourceGroups",
        "pai:UpdateResourceGroup"
      ],
      "Resource": [
        "acs:pai:*:*:resourcegroup/resourcegroup1",
        "acs:pai:*:*:resourcegroup/resourcegroup2",
        "acs:pai:*:*:resourcegroup/resourcegroup3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*"
      ]
    }
  ]
}

Permissions to manage a root resource quota

The permissions to manage a root resource quota do not require the permissions to manage the resource pool. For example, a RAM user who has the permissions to manage quota1 can perform the following operations:

  • View quota1.

  • Update the metadata of quota1, such as the tag and description of the quota.

  • Manage the child resource quotas of quota1, including creating, updating, scaling, and deleting them.

The following sample policy configuration for quota1 contains two statements. The first statement defines the permissions to manage the child resource quotas of quota1 and the second statement defines the permissions to manage quota1.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1"
      ]
    }
  ]
}

Permissions to manage a child resource quota

For example, a RAM user who has the permissions to manage quota1.2 can perform the following operations:

  • View quota1.2.

  • Update the metadata of quota1.2, such as the tag and description of the quota.

  • Manage the child resource quotas of quota1.2, including creating, updating, scaling, and deleting them.

The following sample policy configuration for quota1.2 contains two statements. The first statement defines the permissions to manage the child resource quotas of quota1.2 and the second statement defines the permissions to manage quota1.2.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2"
      ]
    }
  ]
}
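
The following added example (not part of the original documentation, and not RAM's own evaluator) checks locally what the root-quota and child-quota sample policies above allow before they are attached to a RAM user. It assumes that "*" matches any run of characters, including "/", and that a child quota is addressed as quota/<parent>/<child>, as the sample Resource patterns suggest. The function names, region, and account ID are constructed for illustration.

```python
import re

FULL = ["pai:CreateQuota", "pai:UpdateQuota", "pai:ScaleQuota",
        "pai:DeleteQuota", "pai:GetQuota", "pai:ListQuotas"]
SELF = ["pai:UpdateQuota", "pai:GetQuota", "pai:ListQuotas"]

def manager_policy(path):
    """Two-statement policy in the shape of the samples above.
    path is "quota1" for the root sample, "*/quota1.2" for the child one."""
    prefix = "acs:pai:*:*:quota/"
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": FULL, "Resource": [prefix + path + "/*"]},
        {"Effect": "Allow", "Action": SELF, "Resource": [prefix + path]},
    ]}

def matches(pattern, value):
    # Assumption: "*" matches any run of characters, "/" included.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Allow only if an Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(matches(a, action) for a in stmt["Action"])
                and any(matches(r, resource) for r in stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed ARN prefix: region and account ID are placeholders.
ARN = "acs:pai:example-region:1234567890:quota/"

def check(path, action, quota_path):
    return is_allowed(manager_policy(path), action, ARN + quota_path)

if __name__ == "__main__":
    for path, action, target in [
        ("quota1", "pai:CreateQuota", "quota1/quota1.2"),  # manage a child
        ("quota1", "pai:UpdateQuota", "quota1"),           # own metadata
        ("quota1", "pai:DeleteQuota", "quota1"),           # not its own deletion
        ("quota1", "pai:GetQuota", "quota10"),             # similar name only
        ("*/quota1.2", "pai:ScaleQuota", "quota1/quota1.2"),
    ]:
        verdict = "ALLOW" if check(path, action, target) else "DENY"
        print(f"{verdict:5} {path:11} {action:16} quota/{target}")
```

The denied rows show the boundary that the two-statement layout creates: a quota manager can create, scale, and delete child quotas, but can only view and update the metadata of the quota it manages.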

VPC permissions

If you purchase Lingjun resources in the China (Ulanqab) region, you can configure a VPC when you create root and child resource quotas in the PAI console. In this case, you must also add the VPC permissions to the policy related to quotas. Sample policy configuration:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}