本文介绍如何创建RAM角色,以及如何在E-MapReduce中使用自定义的角色进行OSS的数据权限隔离。
背景信息
通过在创建集群的时候设置相应的ECS权限,可以使用户通过基于MetaService免AccessKey访问阿里云资源访问获取到的AccessKey,都是对应这个角色权限的,从而可以实现以下限制:
- 指定集群只能访问指定oss的数据目录。
- 指定集群访问指定的外部资源。
创建RAM角色
按以下步骤在访问控制RAM控制台创建一个实例RAM角色:
- 创建一个授权策略。
- 填写策略名称,选择脚本配置,输入策略内容。
策略内容如下:{ "Version": "1", "Statement": [ { "Action": [ "oss:GetObject", "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:bigdata001", "acs:oss:*:*:bigdata001/*" ], "Effect": "Allow" } ] }说明Action表示了oss的可以使用的权限,这里是读取和查询目录的权限。Resource表示我们可以访问的oss bucket资源,这里是bigdata001,具体可以根据实际情况来修改。
- 填写策略名称,选择脚本配置,输入策略内容。
- 创建RAM角色。
- 设置角色名称,选择授信服务云服务器。
说明 因为没有EMR的服务,因为这里先选择云服务,后面再修改授信服务。
- 设置角色名称,选择授信服务云服务器。
- 修改授信服务。
- 修改
ecs.aliyuncs.com为emr.aliyuncs.com。
- 修改
使用自定义角色
目前在E-MapReduce控制台上,还不支持直接配置自定义的角色,需要使用sdk,参照以下方式来指定和创建集群。
其中request.UserDefinedEmrEcsRole = "EMRUserDefineRole"。
- Java版本
package main import ( "fmt" "github.com/aliyun/alibaba-cloud-sdk-go/services/emr" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" ) func main() { client, err := emr.NewClientWithAccessKey("cn-huhehaote", "<accessKeyId>", "<accessSecret>") request := emr.CreateCreateClusterV2Request() request.Scheme = "https" request.Name = "test" request.EmrVer = "EMR-3.22.0" request.ClusterType = "HADOOP" request.HostGroup = &[]emr.CreateClusterV2HostGroup{ { HostGroupType: "MASTER", NodeCount: "1", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, { HostGroupType: "CORE", NodeCount: "3", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, } request.ZoneId = "cn-huhehaote-a" request.SecurityGroupId = "sg-hp39gm8n17f3u0i****" request.IsOpenPublicIp = requests.NewBoolean(true) request.ChargeType = "PostPaid" request.VpcId = "vpc-hp32dbx98fhcjp9kr****" request.VSwitchId = "vsw-hp34pmwcw8i5was4s****" request.NetType = "vpc" request.UserDefinedEmrEcsRole = "EMRUserDefineRole" request.SshEnable = requests.NewBoolean(true) request.MasterPwd = "ABCtest1****" response, err := client.CreateClusterV2(request) if err != nil { fmt.Print(err.Error()) } fmt.Printf("response is %#v\n", response) } - Python版本
#!/usr/bin/env python #coding=utf-8 from aliyunsdkcore.client import AcsClient from aliyunsdkcore.acs_exception.exceptions import ClientException from aliyunsdkcore.acs_exception.exceptions import ServerException from aliyunsdkemr.request.v20160408.CreateClusterV2Request import CreateClusterV2Request client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-huhehaote') request = CreateClusterV2Request() request.set_accept_format('json') request.set_Name("test") request.set_EmrVer("EMR-3.22.0") request.set_ClusterType("HADOOP") request.set_HostGroups([ { "HostGroupType": "MASTER", "NodeCount": 1, "InstanceType": "ecs.g5.2xlarge", "DiskType": "CLOUD_SSD", "DiskCapacity": 80, "DiskCount": 4, "SysDiskType": "CLOUD_SSD", "SysDiskCapacity": 80 }, { "HostGroupType": "CORE", "NodeCount": 3, "InstanceType": "ecs.g5.2xlarge", "DiskType": "CLOUD_SSD", "DiskCapacity": 80, "DiskCount": 4, "SysDiskType": "CLOUD_SSD", "SysDiskCapacity": 80 } ]) request.set_ZoneId("cn-huhehaote-a") request.set_SecurityGroupId("sg-hp39gm8n17f3u0ii****") request.set_IsOpenPublicIp(True) request.set_ChargeType("PostPaid") request.set_VpcId("vpc-hp32dbx98fhcjp9kr****") request.set_VSwitchId("vsw-hp34pmwcw8i5was4s****") request.set_NetType("vpc") request.set_UserDefinedEmrEcsRole("EMRUserDefineRole") request.set_SshEnable(True) request.set_MasterPwd("ABCtest1****") response = client.do_action_with_exception(request) # python2: print(response) print(str(response, encoding='utf-8')) - Go版本
package main import ( "fmt" "github.com/aliyun/alibaba-cloud-sdk-go/services/emr" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" ) func main() { client, err := emr.NewClientWithAccessKey("cn-huhehaote", "<accessKeyId>", "<accessSecret>") request := emr.CreateCreateClusterV2Request() request.Scheme = "https" request.Name = "test" request.EmrVer = "EMR-3.22.0" request.ClusterType = "HADOOP" request.HostGroup = &[]emr.CreateClusterV2HostGroup{ { HostGroupType: "MASTER", NodeCount: "1", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, { HostGroupType: "CORE", NodeCount: "3", InstanceType: "ecs.g5.2xlarge", DiskType: "CLOUD_SSD", DiskCapacity: "80", DiskCount: "4", SysDiskType: "CLOUD_SSD", SysDiskCapacity: "80", }, } request.ZoneId = "cn-huhehaote-a" request.SecurityGroupId = "sg-hp39gm8n17f3u0ii****" request.IsOpenPublicIp = requests.NewBoolean(true) request.ChargeType = "PostPaid" request.VpcId = "vpc-hp32dbx98fhcjp9kr****" request.VSwitchId = "vsw-hp34pmwcw8i5was4s****" request.NetType = "vpc" request.UserDefinedEmrEcsRole = "EMRUserDefineRole" request.SshEnable = requests.NewBoolean(true) request.MasterPwd = "ABCtest1234!" response, err := client.CreateClusterV2(request) if err != nil { fmt.Print(err.Error()) } fmt.Printf("response is %#v\n", response) }
在文档使用中是否遇到以下问题
更多建议
匿名提交