doc-exports/docs/dataartsstudio/umn/dataartsstudio_01_0555.html
chenxiaoxiong f9e2808b7c DataArts UMN 20250810 version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: chenxiaoxiong <chenxiaoxiong@huawei.com>
Co-committed-by: chenxiaoxiong <chenxiaoxiong@huawei.com>
2025-09-02 10:44:13 +00:00


<a name="dataartsstudio_01_0555"></a><a name="dataartsstudio_01_0555"></a>
<h1 class="topictitle1">Configuring a Scheduling Identity</h1>
<div id="body1596529831165"><p id="dataartsstudio_01_0555__p1895113223176">The following problems may occur during job execution in DataArts Factory:</p>
<ul id="dataartsstudio_01_0555__ul19389161012309"><li id="dataartsstudio_01_0555__li238910102304">The job execution mechanism of the DataArts Factory module is to execute the job as the user who starts the job. For a job that is executed in periodic scheduling mode, if the IAM account used to start the job is suspended or deleted during the scheduling period, the system cannot obtain the user identity authentication information. As a result, the job fails to be executed.</li><li id="dataartsstudio_01_0555__li61461714193011">If a job is started by a low-privilege user, the job fails to be executed due to insufficient permissions.</li></ul>
<p id="dataartsstudio_01_0555__p31731944183915">To address these issues, you can configure an identity for scheduling jobs. During job scheduling, this identity interacts with other services, preventing the above job execution failures.</p>
<div class="note" id="dataartsstudio_01_0555__note951135975420"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dataartsstudio_01_0555__p1552205995419">During the periodic scheduling of a job, if the default user of the job is deleted and another user submits a version and schedules the job, the user who submits the version is considered as the executor of the job by default.</p>
</div></div>
<div class="section" id="dataartsstudio_01_0555__section20865253113417"><h4 class="sectiontitle">Classification of Scheduling Identities</h4><p id="dataartsstudio_01_0555__p62940589340">Scheduling identities are classified into agencies and IAM accounts.</p>
<ul id="dataartsstudio_01_0555__ul11128102411359"><li id="dataartsstudio_01_0555__li133486319320">Agencies: Cloud services interwork with each other, and some cloud services are dependent on other services. You can create an agency to delegate cloud services to access other services and perform resource O&amp;M on your behalf.<div class="p" id="dataartsstudio_01_0555__p16385205123213"><a name="dataartsstudio_01_0555__li133486319320"></a><a name="li133486319320"></a>Agencies are classified into the following types:<ul id="dataartsstudio_01_0555__ul123741512171417"><li id="dataartsstudio_01_0555__li13128122411353">Public agencies: They apply to all jobs in the workspace. For details about how to configure a public agency, see <a href="#dataartsstudio_01_0555__section3485198599">Configuring a Public Agency</a>.</li><li id="dataartsstudio_01_0555__li826104163613">Job agencies: They apply only to a single job. For details about how to configure a job agency, see <a href="#dataartsstudio_01_0555__section20224154881414">Configuring a Job-Level Agency</a>.</li></ul>
</div>
</li><li id="dataartsstudio_01_0555__li16304614123119">IAM accounts: You can configure IAM accounts through user groups in a unified manner and manage permissions in an easier way than agencies. IAM accounts also have better compatibility and support MRS nodes (MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, and MRS MapReduce), directly connected nodes (MRS Spark SQL and MRS Hive SQL), and ETL Job nodes whose destination is DWS, so IAM accounts can be used to submit jobs for some MRS clusters and ETL Job nodes that cannot be submitted through agencies.<div class="p" id="dataartsstudio_01_0555__p1921384453115"><a name="dataartsstudio_01_0555__li16304614123119"></a><a name="li16304614123119"></a>IAM accounts are classified into the following types:<ul id="dataartsstudio_01_0555__ul37822411318"><li id="dataartsstudio_01_0555__li53111917156">Public IAM accounts: They apply to all jobs in the workspace. For details about how to configure a public IAM account, see <a href="#dataartsstudio_01_0555__section11898926149">Configuring a Public IAM Account</a>.</li><li id="dataartsstudio_01_0555__li1791324203110">Execution users: They apply only to a single job. For details about how to configure an execution user, see <a href="#dataartsstudio_01_0555__section177601853153314">Configuring an Executor</a>.<div class="note" id="dataartsstudio_01_0555__note165672261718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dataartsstudio_01_0555__p162860248590">You can configure execution users only after you <span id="dataartsstudio_01_0555__text175851336145811">apply for the whitelist membership</span>. To use this feature, contact <span id="dataartsstudio_01_0555__text132972019722843">customer service or technical support</span>.</p>
</div></div>
</li></ul>
</div>
</li></ul>
</div>
<div class="section" id="dataartsstudio_01_0555__section1823151295819"><h4 class="sectiontitle">Priorities of Scheduling Identities</h4><p id="dataartsstudio_01_0555__p13890123414528">The system obtains permissions for the job agency, public agency, execution user, and public IAM account in sequence, and then executes jobs with the permissions.</p>
<p id="dataartsstudio_01_0555__p1851613523257">By default, a job is executed by the user who starts the job. If a job is started by a user without the required permissions, the job fails to be executed due to insufficient permissions. You can configure a scheduling identity to resolve this issue.</p>
</div>
<div class="section" id="dataartsstudio_01_0555__section185321847143910"><h4 class="sectiontitle">Constraints</h4><ul id="dataartsstudio_01_0555__ul67442024237"><li id="dataartsstudio_01_0555__li18744112410313">To create or modify an agency, you must have the <strong id="dataartsstudio_01_0555__b493517419138">Security Administrator</strong> permissions.</li><li id="dataartsstudio_01_0555__li119554261535">To configure a workspace-level scheduling identity, you must have the <strong id="dataartsstudio_01_0555__b2094321231317"><span id="dataartsstudio_01_0555__text3903125112174">DARTS</span> Administrator</strong> or <strong id="dataartsstudio_01_0555__b494412129132">Tenant Administrator</strong> policy.</li><li id="dataartsstudio_01_0555__li1736905311411">To configure a job-level agency, you must have the permission to view the list of agencies.</li></ul>
</div>
<div class="section" id="dataartsstudio_01_0555__section3485198599"><a name="dataartsstudio_01_0555__section3485198599"></a><a name="section3485198599"></a><h4 class="sectiontitle">Configuring a Public Agency</h4><div class="caution" id="dataartsstudio_01_0555__note1461521817711"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="dataartsstudio_01_0555__p76151118178">A public agency applies to all jobs in the workspace, especially those that contain MRS nodes. Exercise caution when performing this operation.</p>
</div></div>
<ol id="dataartsstudio_01_0555__ol7401296512"><li id="dataartsstudio_01_0555__li2848154165110">Log in to the <span id="dataartsstudio_01_0555__en-us_topic_0000001987511677_en-us_topic_0000001127311125_text5574448155719">DataArts Studio</span> console by following the instructions in <a href="dataartsstudio_01_0001.html">Accessing the DataArts Studio Instance Console</a>.</li><li id="dataartsstudio_01_0555__li10888120591">On the <span id="dataartsstudio_01_0555__en-us_topic_0181092879_text185611381448">DataArts Studio</span> console, locate a workspace and click <strong id="dataartsstudio_01_0555__en-us_topic_0181092879_b65382814249">DataArts Factory</strong>.</li><li id="dataartsstudio_01_0555__li1315281410719">In the navigation pane, choose <span class="menucascade" id="dataartsstudio_01_0555__menucascade105321839146"><b><span class="uicontrol" id="dataartsstudio_01_0555__uicontrol053119391247">Configuration</span></b> &gt; <b><span class="uicontrol" id="dataartsstudio_01_0555__uicontrol185310391247">Configure</span></b></span>.</li><li id="dataartsstudio_01_0555__li3819151713916">Choose <span class="uicontrol" id="dataartsstudio_01_0555__uicontrol1620425031010"><b>Scheduling Identities</b></span> and set <strong id="dataartsstudio_01_0555__b198681976154">Public Scheduling Identity</strong> to <strong id="dataartsstudio_01_0555__b205381992167">Public agency</strong>.</li><li id="dataartsstudio_01_0555__li613619134128">Click <strong id="dataartsstudio_01_0555__b1285533101612">+</strong> to select an agency or create one. 
For how to create an agency and configure permissions, see <a href="#dataartsstudio_01_0555__section17505112912402">Reference: Creating an Agency</a> and <a href="#dataartsstudio_01_0555__section1813152013116">Reference: Configuring Agency Permissions</a>.<div class="fignone" id="dataartsstudio_01_0555__fig9136111316120"><span class="figcap"><b>Figure 1 </b>Configuring a workspace-level agency</span><br><span><img id="dataartsstudio_01_0555__image372816471252" src="en-us_image_0000002269195201.png" title="Click to enlarge" class="imgResize"></span></div>
</li><li id="dataartsstudio_01_0555__li19353193513310">Click <span class="uicontrol" id="dataartsstudio_01_0555__uicontrol1775012591132"><b>OK</b></span> to return to the <strong id="dataartsstudio_01_0555__b94043151919">Scheduling Identities</strong> page and click <span><img id="dataartsstudio_01_0555__image16925183418563" src="en-us_image_0000002269115113.png"></span>.<div class="note" id="dataartsstudio_01_0555__note61591141862"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dataartsstudio_01_0555__p5159148610">For a batch processing job, a public agency takes effect in the next cycle. For a real-time processing job, you must restart the job for a public agency to take effect.</p>
</div></div>
</li></ol>
</div>
<div class="section" id="dataartsstudio_01_0555__section20224154881414"><a name="dataartsstudio_01_0555__section20224154881414"></a><a name="section20224154881414"></a><h4 class="sectiontitle">Configuring a Job-Level Agency</h4><div class="note" id="dataartsstudio_01_0555__note16460152210415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dataartsstudio_01_0555__p14619224419">You can create a job-level agency when creating a job. You can also modify the agency of an existing job.</p>
</div></div>
<p id="dataartsstudio_01_0555__p127596615911"><strong id="dataartsstudio_01_0555__b23168161326">Configuring an agency when creating a job</strong></p>
<ol id="dataartsstudio_01_0555__ol2066914439106"><li id="dataartsstudio_01_0555__li352066162">On the <span id="dataartsstudio_01_0555__en-us_topic_0181092879_text185611381448_1">DataArts Studio</span> console, locate a workspace and click <strong id="dataartsstudio_01_0555__en-us_topic_0181092879_b65382814249_1">DataArts Factory</strong>.</li><li id="dataartsstudio_01_0555__li136681143141011">In the navigation pane of the DataArts Factory homepage, choose <strong id="dataartsstudio_01_0555__b1889551614329">Development</strong> &gt; <strong id="dataartsstudio_01_0555__b1289617164327">Develop Job</strong>.</li><li id="dataartsstudio_01_0555__li17669643131016">Right-click the job directory and choose <strong id="dataartsstudio_01_0555__b24991019183319">Create Job</strong> from the shortcut menu. The <strong id="dataartsstudio_01_0555__b102195285337">Create Job</strong> dialog box is displayed. If a workspace-level agency has been configured, it is used for the job by default. You can also select another agency from the agency list. For how to create an agency and configure permissions, see <a href="#dataartsstudio_01_0555__section17505112912402">Reference: Creating an Agency</a> and <a href="#dataartsstudio_01_0555__section1813152013116">Reference: Configuring Agency Permissions</a>.<div class="fignone" id="dataartsstudio_01_0555__fig5669343131014"><span class="figcap"><b>Figure 2 </b>Configuring an agency for a job</span><br><span><img id="dataartsstudio_01_0555__image15552193820112" src="en-us_image_0000002234235800.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dataartsstudio_01_0555__p966984391020"><strong id="dataartsstudio_01_0555__b1749913013348">Modifying the agency of an existing job</strong></p>
</li></ol>
<ol id="dataartsstudio_01_0555__ol7667943191018"><li id="dataartsstudio_01_0555__li16667124314107">In the navigation pane of the DataArts Factory homepage, choose <strong id="dataartsstudio_01_0555__b141451016345">Development</strong> &gt; <strong id="dataartsstudio_01_0555__b201511133417">Develop Job</strong>.</li><li id="dataartsstudio_01_0555__li1119314731018">In the job directory, double-click an existing job. On the far right of the displayed page, click <span class="uicontrol" id="dataartsstudio_01_0555__uicontrol11667154318108"><b>Basic Info</b></span>. The dialog box of the job's basic settings is displayed. If a workspace-level agency has been configured, it is used by default. You can also select another agency from the agency list.</li></ol>
</div>
<div class="section" id="dataartsstudio_01_0555__section11898926149"><a name="dataartsstudio_01_0555__section11898926149"></a><a name="section11898926149"></a><h4 class="sectiontitle">Configuring a Public IAM Account</h4><ol id="dataartsstudio_01_0555__ol1546017234158"><li id="dataartsstudio_01_0555__li175211289155">On the <span id="dataartsstudio_01_0555__en-us_topic_0181092879_text185611381448_2">DataArts Studio</span> console, locate a workspace and click <strong id="dataartsstudio_01_0555__en-us_topic_0181092879_b65382814249_2">DataArts Factory</strong>.</li><li id="dataartsstudio_01_0555__li37531528121512">In the navigation pane, choose <span class="menucascade" id="dataartsstudio_01_0555__menucascade373143397"><b><span class="uicontrol" id="dataartsstudio_01_0555__uicontrol1386664505">Configuration</span></b> &gt; <b><span class="uicontrol" id="dataartsstudio_01_0555__uicontrol1465106032">Configure</span></b></span>.</li><li id="dataartsstudio_01_0555__li187545284158">Choose <span class="uicontrol" id="dataartsstudio_01_0555__uicontrol1881358181320"><b>Scheduling Identities</b></span> and set <strong id="dataartsstudio_01_0555__b1181158171320">Public Scheduling Identity</strong> to <strong id="dataartsstudio_01_0555__b1691158181320">Public IAM account</strong>.</li><li id="dataartsstudio_01_0555__li98021544132118">Enter the public IAM account in the text box.</li><li id="dataartsstudio_01_0555__li155017254232">Click <span><img id="dataartsstudio_01_0555__image48151639194620" src="en-us_image_0000002234075964.png"></span>.</li></ol>
</div>
<div class="section" id="dataartsstudio_01_0555__section177601853153314"><a name="dataartsstudio_01_0555__section177601853153314"></a><a name="section177601853153314"></a><h4 class="sectiontitle">Configuring an Executor</h4><p id="dataartsstudio_01_0555__p33191920153013"><strong id="dataartsstudio_01_0555__b0319820153014">Configuring a Job Executor</strong></p>
<ol id="dataartsstudio_01_0555__ol1532032013013"><li id="dataartsstudio_01_0555__li34591356143014">In the job directory, double-click a job.</li><li id="dataartsstudio_01_0555__li332011204303">Click the <strong id="dataartsstudio_01_0555__b757815518226">Basic Info</strong> tab and set the executor for the job.</li></ol>
</div>
<div class="section" id="dataartsstudio_01_0555__section17505112912402"><a name="dataartsstudio_01_0555__section17505112912402"></a><a name="section17505112912402"></a><h4 class="sectiontitle">Reference: Creating an Agency</h4><ol id="dataartsstudio_01_0555__en-us_topic_0205775032_ol137329193214"><li id="dataartsstudio_01_0555__en-us_topic_0205775032_li12732312328">Log in to the IAM console.</li><li id="dataartsstudio_01_0555__en-us_topic_0205775032_li11714201914329">In the navigation pane, choose <strong id="dataartsstudio_01_0555__b0744204343211">Agencies</strong> and click <strong id="dataartsstudio_01_0555__b6946151643318">Create</strong><strong id="dataartsstudio_01_0555__b17946141612337"> Agency</strong>.</li><li id="dataartsstudio_01_0555__en-us_topic_0205775032_li143969904818">Enter an agency name, for example, <strong id="dataartsstudio_01_0555__b1866194210331">DGC_agency</strong>.</li><li id="dataartsstudio_01_0555__li1375152103217">On the displayed page, select <strong id="dataartsstudio_01_0555__b17238038113515">Cloud service</strong> for <strong id="dataartsstudio_01_0555__b15440454173516">Agency Type</strong> and <strong id="dataartsstudio_01_0555__b1357412217362">Data Lake Governance Center (DGC)</strong> for <strong id="dataartsstudio_01_0555__b913453915368">Cloud Service</strong>. This grants operation permissions to <span id="dataartsstudio_01_0555__text4370182312010">DataArts Studio</span> so that <span id="dataartsstudio_01_0555__text156871724102013">DataArts Studio</span> can use cloud services and perform O&amp;M for you.<p id="dataartsstudio_01_0555__p187191013132817"></p>
<p id="dataartsstudio_01_0555__p1455843435811"></p>
</li><li id="dataartsstudio_01_0555__en-us_topic_0205775032_li164043560429">Click <strong id="dataartsstudio_01_0555__b533183183911">Next</strong>.</li><li id="dataartsstudio_01_0555__li11214112017473">On the <strong id="dataartsstudio_01_0555__b13976287457">Authorize Agency</strong> page, search for and select the <strong id="dataartsstudio_01_0555__b5611415124620">Tenant Administrator</strong> policy. Then click <strong id="dataartsstudio_01_0555__b112393110478">Next</strong>.<ul id="dataartsstudio_01_0555__ul14123204295314"><li id="dataartsstudio_01_0555__li111241742205318">Users assigned the <strong id="dataartsstudio_01_0555__b6644113813228">Tenant Administrator</strong> policy have all permissions on all services except IAM. Therefore, delegate the <strong id="dataartsstudio_01_0555__b1292646122416">Tenant Administrator</strong> policy to <span id="dataartsstudio_01_0555__text10253152115387">DataArts Studio</span> so that <span id="dataartsstudio_01_0555__text74684962713">DataArts Studio</span> can access all related services.</li><li id="dataartsstudio_01_0555__li230201145410">If your security control requirements call for fewer permissions, you only need to configure the <strong id="dataartsstudio_01_0555__b10864141317564">OBS OperateAccess</strong> permissions. (During job execution, execution log information needs to be written to OBS. Therefore, you need to add the <strong id="dataartsstudio_01_0555__b186431375610">OBS OperateAccess</strong> permissions.) Then, configure different agency permissions based on the node type in the job. For example, if a job contains only the <strong id="dataartsstudio_01_0555__b478725810255">Import GES</strong> node, you can configure the <strong id="dataartsstudio_01_0555__b1922014719261">GES Administrator</strong> and <strong id="dataartsstudio_01_0555__b628141313267">OBS OperateAccess</strong> permissions. 
For details, see <a href="#dataartsstudio_01_0555__section1813152013116">Reference: Configuring Agency Permissions</a>.<div class="fignone" id="dataartsstudio_01_0555__fig13792331596"><span class="figcap"><b>Figure 3 </b>Assigning permissions</span><br><span><img id="dataartsstudio_01_0555__image7243143685916" src="en-us_image_0000002269195241.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="dataartsstudio_01_0555__p738835113313"></p>
<p id="dataartsstudio_01_0555__p39802227596"></p>
</li></ul>
</li><li id="dataartsstudio_01_0555__en-us_topic_0205775032_li45511910204415">Click <strong id="dataartsstudio_01_0555__b5764153317281">OK</strong>.</li></ol>
</div>
<div class="section" id="dataartsstudio_01_0555__section1813152013116"><a name="dataartsstudio_01_0555__section1813152013116"></a><a name="section1813152013116"></a><h4 class="sectiontitle">Reference: Configuring Agency Permissions</h4><p id="dataartsstudio_01_0555__p1283612023415">After the operation permissions of an account are delegated to <span id="dataartsstudio_01_0555__text784194964614">DataArts Studio</span>, you must configure the permissions of the agency identity so that <span id="dataartsstudio_01_0555__text584449154613">DataArts Studio</span> can interact with other services.</p>
<p id="dataartsstudio_01_0555__p616214355113">For purposes of permissions minimization, you can configure the <strong id="dataartsstudio_01_0555__b935772622910">Admin</strong> permissions for services based on the node types in jobs. For details, see <a href="#dataartsstudio_01_0555__table18185359163814">Table 1</a>.</p>
<p id="dataartsstudio_01_0555__p1547562316345">The <strong id="dataartsstudio_01_0555__b68801526205314">Admin</strong> permissions can also be configured based on the operations, resources, and request conditions for a specific service. Based on the node types in jobs, permissions are defined by service APIs to allow for more fine-grained, secure access control of cloud resources. Configure the permissions according to <a href="#dataartsstudio_01_0555__table116756441498">Table 2</a>. For example, for a job containing the <strong id="dataartsstudio_01_0555__b983214225613">Import GES</strong> node, you only need to create a custom policy and select <strong id="dataartsstudio_01_0555__b696399165619">ges:graph:getDetail</strong> (viewing graph details), <strong id="dataartsstudio_01_0555__b191315156568">ges:jobs:getDetail</strong> (querying task status), and <strong id="dataartsstudio_01_0555__b1073982165618">ges:graph:access</strong> (using graphs).</p>
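<p>The following Python check is an added example, not part of the original documentation. It compares an agency's custom policy with the actions this page lists for a job that contains only the <strong>Import GES</strong> node, plus the OBS actions this page requires for writing execution logs in fine-grained mode, and reports what is missing and what is broader than needed. The policy JSON layout (Version, Statement, Effect, Action), the <strong>*</strong> wildcard matching, and the sample policy are assumptions.</p>

```python
"""Least-privilege check for a DataArts Studio agency policy (added example)."""
from fnmatch import fnmatchcase

# From this page: OBS actions every job needs in fine-grained mode so that
# execution logs can be written to OBS.
OBS_LOG_ACTIONS = frozenset({
    "obs:bucket:GetBucketLocation",
    "obs:object:GetObject",
    "obs:bucket:CreateBucket",
    "obs:object:PutObject",
    "obs:bucket:ListAllMyBuckets",
    "obs:bucket:ListBucket",
})

# From this page: the only per-node action set spelled out in this section.
# Other node types have to be filled in from the page's Table 2.
NODE_ACTIONS = {
    "Import GES": frozenset({
        "ges:graph:getDetail",
        "ges:jobs:getDetail",
        "ges:graph:access",
    }),
}

# Constructed sample: an over-broad agency policy. "example:resource:delete"
# is a made-up action name used only to show an unrelated grant.
OVERBROAD_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ges:*:*",
            "obs:object:GetObject",
            "obs:object:PutObject",
            "example:resource:delete",
        ],
    }],
}


def required_actions(node_types):
    """Union of the OBS log actions and the actions of each node type."""
    needed = set(OBS_LOG_ACTIONS)
    for node in node_types:
        if node not in NODE_ACTIONS:
            # Refuse to guess: an unknown node type needs its own action list.
            raise ValueError(f"no action list recorded for node type {node!r}")
        needed |= NODE_ACTIONS[node]
    return needed


def build_policy(node_types):
    """Minimal custom policy for the given node types.

    Assumption: IAM custom policies use this JSON layout with Version 1.1.
    """
    return {
        "Version": "1.1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(required_actions(node_types)),
        }],
    }


def _patterns(policy, effect):
    """Collect the action patterns of all statements with the given effect."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == effect:
            actions = stmt.get("Action", [])
            found.extend([actions] if isinstance(actions, str) else actions)
    return found


def audit_policy(policy, node_types):
    """Return required actions the policy does not grant ('missing') and
    Allow entries that are not exactly a required action ('excess')."""
    needed = required_actions(node_types)
    allow = _patterns(policy, "Allow")
    deny = _patterns(policy, "Deny")

    def granted(action):
        # Assumption: an explicit Deny overrides any Allow; "*" is a wildcard.
        if any(fnmatchcase(action, p) for p in deny):
            return False
        return any(fnmatchcase(action, p) for p in allow)

    missing = sorted(a for a in needed if not granted(a))
    excess = sorted(p for p in allow if p not in needed)
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    print(audit_policy(OVERBROAD_POLICY, ["Import GES"]))
```

<p>An empty <strong>missing</strong> list means the job can run and write its logs; every entry under <strong>excess</strong> is a grant to review before the agency is attached to a job or, as a public agency, to the whole workspace.</p>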
<div class="notice" id="dataartsstudio_01_0555__note67051536174914"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="dataartsstudio_01_0555__ul5350161818506"><li id="dataartsstudio_01_0555__li2247142365017">An MRS cluster supports job submission through an agency if either of the following conditions is met:<ul id="dataartsstudio_01_0555__ul1194455019502"><li id="dataartsstudio_01_0555__li567394815017">It is a non-security cluster.</li><li id="dataartsstudio_01_0555__li146423573500">It is a security cluster whose version is later than 2.1.0 and which has MRS 2.1.0.1 or later installed.</li></ul>
</li><li id="dataartsstudio_01_0555__li4856723144420">If an MRS cluster does not support job submission through an agency, agencies cannot be configured for the jobs that contain the following nodes:<p id="dataartsstudio_01_0555__p4481824174410"><a name="dataartsstudio_01_0555__li4856723144420"></a><a name="li4856723144420"></a>MRS-related nodes (MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, and MRS MapReduce) and MRS Spark SQL and MRS Hive SQL nodes connected through APIs.</p>
</li></ul>
</div></div>
<ul id="dataartsstudio_01_0555__ul172310448533"><li id="dataartsstudio_01_0555__li5231544155315">Configure the service-level <strong id="dataartsstudio_01_0555__b1041016321415">Admin</strong> permissions.<p id="dataartsstudio_01_0555__p6444104515150">During job execution, execution log information needs to be written to OBS. Therefore, the <strong id="dataartsstudio_01_0555__b97511156193317">OBS</strong> <strong id="dataartsstudio_01_0555__b147511565337">OperateAccess</strong> permissions must be added for all jobs during coarse-grained authorization.</p>
</li></ul>
<div class="tablenoborder"><a name="dataartsstudio_01_0555__table18185359163814"></a><a name="table18185359163814"></a><table cellpadding="4" cellspacing="0" summary="" id="dataartsstudio_01_0555__table18185359163814" frame="border" border="1" rules="all"><caption><b>Table 1 </b>The admin permissions for related nodes</caption><thead align="left"><tr id="dataartsstudio_01_0555__row7185105916385"><th align="left" class="cellrowborder" valign="top" width="27.089999999999996%" id="mcps1.3.13.7.2.4.1.1"><p id="dataartsstudio_01_0555__p1918575933819">Node Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22.68%" id="mcps1.3.13.7.2.4.1.2"><p id="dataartsstudio_01_0555__p8749122618406">System Permission</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50.23%" id="mcps1.3.13.7.2.4.1.3"><p id="dataartsstudio_01_0555__p1918514591386">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dataartsstudio_01_0555__row121861359123816"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p161861359143816">CDM Job</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p167501926104010"><span id="dataartsstudio_01_0555__text7249953191716">DARTS</span> Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p6186159143818">All <span id="dataartsstudio_01_0555__text433513424217">DataArts Studio</span> permissions</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row2186559113815"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p1118665915382">Import GES</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p47509266403">GES Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p419618593157">Permissions required to perform all operations on GES. This role depends on the <strong id="dataartsstudio_01_0555__b463845415286">Tenant Guest</strong> and <strong id="dataartsstudio_01_0555__b116865432916">Server Administrator</strong> roles in the same project.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row1618615595381"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><ul id="dataartsstudio_01_0555__ul64961737858"><li id="dataartsstudio_01_0555__li1549710376518">MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, and MRS MapReduce</li><li id="dataartsstudio_01_0555__li1889543914516">MRS Spark SQL and MRS Hive SQL (connecting to MRS clusters through MRS APIs)</li></ul>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p11750626134010">MRS Administrator</p>
<p id="dataartsstudio_01_0555__p036331173418">MRS Fullaccess</p>
<p id="dataartsstudio_01_0555__p1478815271765">KMS Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p1013313485616">MRS Administrator: all execute permissions of MRS specified in the RBAC policy. This role depends on the <strong id="dataartsstudio_01_0555__b21593526293">Tenant Guest</strong> and <strong id="dataartsstudio_01_0555__b1616495213298">Server Administrator</strong> roles in the same project.</p>
<p id="dataartsstudio_01_0555__p13265531113415">MRS Fullaccess: MRS administrator permission specified in the fine-grained policy</p>
<p id="dataartsstudio_01_0555__p101861159143813">Users assigned the <strong id="dataartsstudio_01_0555__b102211728113817">KMS Administrator</strong> role have the administrator permissions for encryption keys in DEW.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row518675913383"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p157393413110">MRS Spark SQL, MRS Hive SQL, MRS Kafka, and Kafka Client (connecting to the clusters in proxy mode)</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p175012612403"><span id="dataartsstudio_01_0555__text49708531176">DARTS</span> Administrator</p>
<p id="dataartsstudio_01_0555__p10238154351219">KMS Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p5186115912385"><span id="dataartsstudio_01_0555__text79231114131714">DARTS</span> Administrator has all permissions required for <span id="dataartsstudio_01_0555__text592313140174">DataArts Studio</span>.</p>
<p id="dataartsstudio_01_0555__p970054351315">Users assigned the <strong id="dataartsstudio_01_0555__b1655412215393">KMS Administrator</strong> policy have the administrator permissions for encryption keys in DEW.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row17186115916388"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p718665915383">DLI Flink Job, DLI SQL, and DLI Spark</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p1875032619404">DLI Service Admin</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p13186155915387">All operation permissions for DLI.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row121861259173817"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p21861859103816">DWS SQL, RDS SQL (connecting to data sources in proxy mode), and Shell</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p275022613403"><span id="dataartsstudio_01_0555__text164979581178">DARTS</span> Administrator</p>
<p id="dataartsstudio_01_0555__p6109115619167">KMS Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p181143061710"><span id="dataartsstudio_01_0555__text981812163178">DARTS</span> Administrator has all permissions required for <span id="dataartsstudio_01_0555__text5818616111714">DataArts Studio</span>.</p>
<p id="dataartsstudio_01_0555__p911414071713">Users assigned the <strong id="dataartsstudio_01_0555__b484994213401">KMS Administrator</strong> policy have the administrator permissions for encryption keys in DEW.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row18186759113812"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p5132133261711">CSS</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p1750102684014"><span id="dataartsstudio_01_0555__text19833259181711">DARTS</span> Administrator</p>
<p id="dataartsstudio_01_0555__p1666038122418">Elasticsearch Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p2883135252412"><span id="dataartsstudio_01_0555__text1943590151814">DARTS</span> Administrator has all permissions required for <span id="dataartsstudio_01_0555__text974921214169">DataArts Studio</span>.</p>
<p id="dataartsstudio_01_0555__p566714166252">Users assigned the <strong id="dataartsstudio_01_0555__b24549259417">Elasticsearch Administrator</strong> policy have all permissions for CSS. This role depends on the <strong id="dataartsstudio_01_0555__b72221926124111">Tenant Guest</strong> and <strong id="dataartsstudio_01_0555__b022202614415">Server Administrator</strong> roles in the same project.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row9848017191714"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p584871712178">Create OBS, Delete OBS, and OBS Manager</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p1184918171174">OBS OperateAccess</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p15849417161720">Basic object operation permissions, such as viewing buckets, uploading objects, obtaining objects, deleting objects, and obtaining object ACLs.</p>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row11507113141714"><td class="cellrowborder" valign="top" width="27.089999999999996%" headers="mcps1.3.13.7.2.4.1.1 "><p id="dataartsstudio_01_0555__p8508181313179">SMN</p>
</td>
<td class="cellrowborder" valign="top" width="22.68%" headers="mcps1.3.13.7.2.4.1.2 "><p id="dataartsstudio_01_0555__p15508913151717">SMN Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="50.23%" headers="mcps1.3.13.7.2.4.1.3 "><p id="dataartsstudio_01_0555__p1950971315173">All operation permissions for SMN.</p>
</td>
</tr>
</tbody>
</table>
</div>
<ul id="dataartsstudio_01_0555__ul134927555536"><li id="dataartsstudio_01_0555__li3493855105320">Configure fine-grained permissions. (Create custom policies based on the actions supported by each service.)<p id="dataartsstudio_01_0555__p137367005717"><a name="dataartsstudio_01_0555__li3493855105320"></a><a name="li3493855105320"></a>For details on how to create a custom policy, see "Creating a Custom Policy" in the <i><cite id="dataartsstudio_01_0555__cite1560014339215">Identity and Access Management User Guide</cite></i>.</p>
</li></ul>
<div class="note" id="dataartsstudio_01_0555__note12670182215122"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="dataartsstudio_01_0555__ul7473113911371"><li id="dataartsstudio_01_0555__li9172721153916">Execution logs must be written to OBS during job execution. When the fine-grained authorization mode is used, the following OBS permissions must be added for all types of jobs:<ul id="dataartsstudio_01_0555__ul15577132616397"><li id="dataartsstudio_01_0555__li204731839113712">obs:bucket:GetBucketLocation</li><li id="dataartsstudio_01_0555__li105928112388">obs:object:GetObject</li><li id="dataartsstudio_01_0555__li23301319386">obs:bucket:CreateBucket</li><li id="dataartsstudio_01_0555__li11762109203812">obs:object:PutObject</li><li id="dataartsstudio_01_0555__li208556204381">obs:bucket:ListAllMyBuckets</li><li id="dataartsstudio_01_0555__li1527243210385">obs:bucket:ListBucket</li></ul>
</li><li id="dataartsstudio_01_0555__li1610683253919">CDM Job nodes belong to the <span id="dataartsstudio_01_0555__text1251063119377">DataArts Studio</span> module. <span id="dataartsstudio_01_0555__text25102031103714">DataArts Studio</span> does not support fine-grained authorization. Therefore, only the <strong id="dataartsstudio_01_0555__b889711084620"><span id="dataartsstudio_01_0555__text77981049456">DataArts Studio</span> Administrator</strong> policy can be configured for jobs containing these types of nodes.</li><li id="dataartsstudio_01_0555__li133955158507">CSS does not support fine-grained authorization and requires a proxy. Therefore, the <strong id="dataartsstudio_01_0555__b16648174124612"><span id="dataartsstudio_01_0555__text83721518164517">DataArts Studio</span> Administrator</strong> and <strong id="dataartsstudio_01_0555__b1126054416464">Elasticsearch Administrator</strong> policies can be configured for jobs containing these nodes.</li><li id="dataartsstudio_01_0555__li39265298522">SMN does not support fine-grained authorization. Therefore, jobs containing these nodes require the <strong id="dataartsstudio_01_0555__b04021250114712">SMN Administrator</strong> permissions.</li></ul>
</div></div>
<div class="tablenoborder"><a name="dataartsstudio_01_0555__table116756441498"></a><a name="table116756441498"></a><table cellpadding="4" cellspacing="0" summary="" id="dataartsstudio_01_0555__table116756441498" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Creating a custom policy</caption><thead align="left"><tr id="dataartsstudio_01_0555__row1767674416911"><th align="left" class="cellrowborder" valign="top" width="28.32%" id="mcps1.3.13.10.2.3.1.1"><p id="dataartsstudio_01_0555__p186766442095">Node Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="71.67999999999999%" id="mcps1.3.13.10.2.3.1.2"><p id="dataartsstudio_01_0555__p10676124414918">Action</p>
</th>
</tr>
</thead>
<tbody><tr id="dataartsstudio_01_0555__row1967615441992"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><p id="dataartsstudio_01_0555__p1367618449914">Import GES</p>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul1062164034420"><li id="dataartsstudio_01_0555__li06215403448">ges:graph:access</li><li id="dataartsstudio_01_0555__li10621940164417">ges:graph:getDetail</li><li id="dataartsstudio_01_0555__li4621340144411">ges:jobs:getDetail</li></ul>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row867694410919"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><ul id="dataartsstudio_01_0555__ul12953202074512"><li id="dataartsstudio_01_0555__li495332010456">MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, and MRS MapReduce</li><li id="dataartsstudio_01_0555__li18953820114516">MRS Spark SQL and MRS Hive SQL (connecting to MRS clusters through MRS APIs)</li></ul>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul156651573462"><li id="dataartsstudio_01_0555__li4665127114615">mrs:job:delete</li><li id="dataartsstudio_01_0555__li16665177124614">mrs:job:stop</li><li id="dataartsstudio_01_0555__li86656718467">mrs:job:submit</li><li id="dataartsstudio_01_0555__li76660710464">mrs:cluster:get</li><li id="dataartsstudio_01_0555__li146663720464">mrs:cluster:list</li><li id="dataartsstudio_01_0555__li46661671469">mrs:job:get</li><li id="dataartsstudio_01_0555__li56665724611">mrs:job:list</li><li id="dataartsstudio_01_0555__li266610714616">kms:dek:crypto</li><li id="dataartsstudio_01_0555__li566677114610">kms:cmk:get</li></ul>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row146777442093"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><p id="dataartsstudio_01_0555__p129535205451">MRS Spark SQL, MRS Hive SQL, MRS Kafka, and Kafka Client (connecting to the clusters in proxy mode)</p>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul523134534617"><li id="dataartsstudio_01_0555__li1297646194614">kms:dek:crypto</li><li id="dataartsstudio_01_0555__li1297194674611">kms:cmk:get</li><li id="dataartsstudio_01_0555__li457534811469"><span id="dataartsstudio_01_0555__text1461720328450">DataArts Studio</span> Administrator (role)</li></ul>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row867711441095"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><p id="dataartsstudio_01_0555__p15954192018454">DLI Flink Job, DLI SQL, and DLI Spark</p>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul127530291471"><li id="dataartsstudio_01_0555__li14753192984712">dli:jobs:get</li><li id="dataartsstudio_01_0555__li3753192964719">dli:jobs:update</li><li id="dataartsstudio_01_0555__li6753729164717">dli:jobs:create</li><li id="dataartsstudio_01_0555__li1375382924716">dli:queue:submit_job</li><li id="dataartsstudio_01_0555__li11753182912478">dli:jobs:list</li><li id="dataartsstudio_01_0555__li11753029154717">dli:jobs:list_all</li></ul>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row767720442097"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><p id="dataartsstudio_01_0555__p38348617482">DWS SQL, RDS SQL (connecting to data sources in proxy mode), and Shell</p>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul3260032114818"><li id="dataartsstudio_01_0555__li14260193224814">kms:dek:crypto</li><li id="dataartsstudio_01_0555__li726183215481">kms:cmk:get</li><li id="dataartsstudio_01_0555__li1626118329480"><span id="dataartsstudio_01_0555__text0904736124513">DataArts Studio</span> Administrator (role)</li></ul>
</td>
</tr>
<tr id="dataartsstudio_01_0555__row1967711449910"><td class="cellrowborder" valign="top" width="28.32%" headers="mcps1.3.13.10.2.3.1.1 "><p id="dataartsstudio_01_0555__p4834156174811">Create OBS, Delete OBS, and OBS Manager</p>
</td>
<td class="cellrowborder" valign="top" width="71.67999999999999%" headers="mcps1.3.13.10.2.3.1.2 "><ul id="dataartsstudio_01_0555__ul113439196493"><li id="dataartsstudio_01_0555__li134311196493">obs:bucket:GetBucketLocation</li><li id="dataartsstudio_01_0555__li234391913491">obs:bucket:ListBucketVersions</li><li id="dataartsstudio_01_0555__li93434199494">obs:object:GetObject</li><li id="dataartsstudio_01_0555__li13343191994912">obs:bucket:CreateBucket</li><li id="dataartsstudio_01_0555__li834331994918">obs:bucket:DeleteBucket</li><li id="dataartsstudio_01_0555__li1334381954916">obs:object:DeleteObject</li><li id="dataartsstudio_01_0555__li83431919194919">obs:object:PutObject</li><li id="dataartsstudio_01_0555__li173431119114917">obs:bucket:ListAllMyBuckets</li><li id="dataartsstudio_01_0555__li634331914915">obs:bucket:ListBucket</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
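<p>The following added example (not part of the original guide or of DataArts Studio itself) composes a least-privilege custom policy for a scheduling identity from the node types in a job, using a subset of Table 2 plus the OBS log-writing actions from the note above, and reports which system roles are still required. The JSON layout (<code>Version</code> 1.1, <code>Statement</code>, <code>Effect</code>, <code>Action</code>) and all function and variable names are assumptions of this example; check the layout against the <i>Identity and Access Management User Guide</i> before use.</p>

```python
import json

# Needed by every job so execution logs can be written to OBS (from the note above).
OBS_LOG_ACTIONS = ["obs:bucket:GetBucketLocation", "obs:object:GetObject",
                   "obs:bucket:CreateBucket", "obs:object:PutObject",
                   "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket"]
KMS = ["kms:dek:crypto", "kms:cmk:get"]
DLI = ["dli:jobs:get", "dli:jobs:update", "dli:jobs:create",
       "dli:queue:submit_job", "dli:jobs:list", "dli:jobs:list_all"]
# Subset of Table 2: node type -> (actions, roles that actions cannot replace).
NODES = {
    "Import GES": (["ges:graph:access", "ges:graph:getDetail", "ges:jobs:getDetail"], []),
    "DLI SQL": (DLI, []),
    "DLI Spark": (DLI, []),
    "DWS SQL": (KMS, ["DataArts Studio Administrator"]),
    "Shell": (KMS, ["DataArts Studio Administrator"]),
    # No fine-grained authorization for these node types (see the note above).
    "CDM Job": ([], ["DataArts Studio Administrator"]),
    "SMN": ([], ["SMN Administrator"]),
}

def build_scheduling_policy(node_types):
    """Return (custom_policy, required_roles) for the node types used in a job."""
    actions, roles = set(OBS_LOG_ACTIONS), set()
    for node in node_types:
        if node not in NODES:
            # Fail closed: never guess permissions for an unmapped node type.
            raise ValueError(f"no permission mapping for node type {node!r}")
        node_actions, node_roles = NODES[node]
        actions.update(node_actions)
        roles.update(node_roles)
    # Group actions into one statement per service prefix (obs, dli, kms, ...).
    by_service = {}
    for action in sorted(actions):
        by_service.setdefault(action.split(":", 1)[0], []).append(action)
    statements = [{"Effect": "Allow", "Action": acts}
                  for _, acts in sorted(by_service.items())]
    return {"Version": "1.1", "Statement": statements}, sorted(roles)

if __name__ == "__main__":
    policy, roles = build_scheduling_policy(["DLI SQL", "Import GES"])
    print(json.dumps(policy, indent=2))
    print("Roles still required:", roles or "none")
```

<p>Each statement covers a single service, so the output can be split into separate custom policies if IAM requires that for a given service. A non-empty role list means the job cannot be scheduled with actions alone.</p>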
</div>
</div>