本文介绍如何创建RAM角色,以及如何在E-MapReduce中使用自定义的角色进行OSS数据权限隔离。
背景信息
通过创建RAM角色,方便您通过访问MetaService服务时获取到的AccessKey,都是对应这个角色权限的,从而可以实现以下限制:
- 指定集群只能访问指定OSS的数据目录。
- 指定集群访问指定的外部资源。
访问MetaService详情请参见基于MetaService免AccessKey访问阿里云资源。
创建RAM角色
- 使用云账号登录RAM控制台。
- 创建一个授权策略。
- 填写策略名称,选择脚本配置,输入策略内容。
本示例策略内容如下。{ "Version": "1", "Statement": [ { "Action": [ "oss:GetObject", "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:bigdata001", "acs:oss:*:*:bigdata001/*" ], "Effect": "Allow" } ] }说明Action表示OS可以使用的读取和查询目录的权限。Resource表示您可以访问的OSS bucket资源,本示例中为bigdata001。
- 填写策略名称,选择脚本配置,输入策略内容。
- 创建RAM角色。
- 设置角色名称,选择授信服务云服务器。
说明 创建RAM角色时选择云服务器,后面再修改RAM角色的可信实体为EMR云服务。
- 设置角色名称,选择授信服务云服务器。
- 修改授信服务。
- 修改
ecs.aliyuncs.com为emr.aliyuncs.com。
- 修改
- 添加相应权限。
- 单击权限管理页签。
- 单击添加权限,选中自定义策略,添加相应的权限。
- 单击确定。
- 单击完成。
使用自定义角色
目前在E-MapReduce控制台上,还不支持直接配置自定义的角色,需要使用SDK,可以参照以下方式来指定和创建集群。
- Java版本
package main import ( "fmt" "github.com/aliyun/alibaba-cloud-sdk-go/services/emr" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" ) func main() { client, err := emr.NewClientWithAccessKey("cn-huhehaote", "<accessKeyId>", "<accessSecret>") request := emr.CreateCreateClusterV2Request() request.Scheme = "https" request.Name = "test" request.EmrVer = "EMR-3.22.0" request.ClusterType = "HADOOP" request.HostGroup = &[]emr.CreateClusterV2HostGroup{ { HostGroupType: "MASTER", NodeCount: "1", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, { HostGroupType: "CORE", NodeCount: "3", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, } request.ZoneId = "cn-huhehaote-a" request.SecurityGroupId = "sg-hp39gm8n17f3u0i****" request.IsOpenPublicIp = requests.NewBoolean(true) request.ChargeType = "PostPaid" request.VpcId = "vpc-hp32dbx98fhcjp9kr****" request.VSwitchId = "vsw-hp34pmwcw8i5was4s****" request.NetType = "vpc" request.UserDefinedEmrEcsRole = "EMRUserDefineRole" request.SshEnable = requests.NewBoolean(true) request.MasterPwd = "ABCtest1****" response, err := client.CreateClusterV2(request) if err != nil { fmt.Print(err.Error()) } fmt.Printf("response is %#v\n", response) } - Python版本
#!/usr/bin/env python #coding=utf-8 from aliyunsdkcore.client import AcsClient from aliyunsdkcore.acs_exception.exceptions import ClientException from aliyunsdkcore.acs_exception.exceptions import ServerException from aliyunsdkemr.request.v20160408.CreateClusterV2Request import CreateClusterV2Request client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-huhehaote') request = CreateClusterV2Request() request.set_accept_format('json') request.set_Name("test") request.set_EmrVer("EMR-3.22.0") request.set_ClusterType("HADOOP") request.set_HostGroups([ { "HostGroupType": "MASTER", "NodeCount": 1, "InstanceType": "ecs.g5.2xlarge", "DiskType": "CLOUD_SSD", "DiskCapacity": 80, "DiskCount": 4, "SysDiskType": "CLOUD_SSD", "SysDiskCapacity": 80 }, { "HostGroupType": "CORE", "NodeCount": 3, "InstanceType": "ecs.g5.2xlarge", "DiskType": "CLOUD_SSD", "DiskCapacity": 80, "DiskCount": 4, "SysDiskType": "CLOUD_SSD", "SysDiskCapacity": 80 } ]) request.set_ZoneId("cn-huhehaote-a") request.set_SecurityGroupId("sg-hp39gm8n17f3u0ii****") request.set_IsOpenPublicIp(True) request.set_ChargeType("PostPaid") request.set_VpcId("vpc-hp32dbx98fhcjp9kr****") request.set_VSwitchId("vsw-hp34pmwcw8i5was4s****") request.set_NetType("vpc") request.set_UserDefinedEmrEcsRole("EMRUserDefineRole") request.set_SshEnable(True) request.set_MasterPwd("ABCtest1****") response = client.do_action_with_exception(request) # python2: print(response) print(str(response, encoding='utf-8')) - Go版本
package main import ( "fmt" "github.com/aliyun/alibaba-cloud-sdk-go/services/emr" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" ) func main() { client, err := emr.NewClientWithAccessKey("cn-huhehaote", "<accessKeyId>", "<accessSecret>") request := emr.CreateCreateClusterV2Request() request.Scheme = "https" request.Name = "test" request.EmrVer = "EMR-3.22.0" request.ClusterType = "HADOOP" request.HostGroup = &[]emr.CreateClusterV2HostGroup{ { HostGroupType: "MASTER", NodeCount: "1", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, { HostGroupType: "CORE", NodeCount: "3", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, } request.ZoneId = "cn-huhehaote-a" request.SecurityGroupId = "sg-hp39gm8n17f3u0ii****" request.IsOpenPublicIp = requests.NewBoolean(true) request.ChargeType = "PostPaid" request.VpcId = "vpc-hp32dbx98fhcjp9kr****" request.VSwitchId = "vsw-hp34pmwcw8i5was4s****" request.NetType = "vpc" request.UserDefinedEmrEcsRole = "EMRUserDefineRole" request.SshEnable = requests.NewBoolean(true) request.MasterPwd = "ABCtest1234!" response, err := client.CreateClusterV2(request) if err != nil { fmt.Print(err.Error()) } fmt.Printf("response is %#v\n", response) }
在文档使用中是否遇到以下问题
更多建议
匿名提交