Resource Access Management (RAM) is an Alibaba Cloud service that manages user identities and resource access. You can use RAM to create and manage RAM users, such as employees, systems, or applications. You can also control the permissions of RAM users to access resources. For example, you can grant a RAM user permissions for only a specific file system.
Configure RAM user permissions
1. Create a RAM user. For more information, see Create a RAM user.
2. Select an access policy to grant to the RAM user.
   Access policies fall into two categories: system policies and custom policies.
   - System policies: Alibaba Cloud provides several default access policies for various management purposes. The two common system policies for Apsara File Storage for HDFS are:
     - AliyunHDFSFullAccess (Not recommended): Grants the RAM user full control over the Apsara File Storage for HDFS management system. This permission poses a high security threat and is not recommended.
     - AliyunHDFSReadOnlyAccess: Grants the RAM user read-only access to the Apsara File Storage for HDFS management system.
   - Custom policies: These policies allow for fine-grained permission management to meet your specific requirements. For more information, see Create a custom policy.
3. Grant permissions to the RAM user.
   Grant the access policy selected in Step 2 to the RAM user. For more information, see Manage RAM user permissions.
4. Set multi-factor authentication (MFA) for the RAM user. For more information, see Attach an MFA device to a RAM user.
Example 1: Grant a RAM user read-only permission for the Apsara File Storage for HDFS management system
{
"Version": "1",
"Statement": [
{
"Action": [
"dfs:Get*",
"dfs:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Example 2: Grant a RAM user permissions for a file system
<file-system-id> is the instance ID of the Apsara File Storage for HDFS file system. Replace it with the actual value.
Grant a RAM user permission to view the details of a file system.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "dfs:GetFileSystem",
"Resource": "acs:dfs:*:*:filesystem/<file-system-id>"
}
]
}
Grant a RAM user permission to modify the properties of a file system.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dfs:GetFileSystem",
"dfs:ModifyFileSystem"
],
"Resource": "acs:dfs:*:*:filesystem/<file-system-id>"
}
]
}
Example 3: Grant a RAM user permissions for a mount target
Grant a RAM user full control over the mount targets of a file system.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dfs:CreateMountPoint",
"dfs:DeleteMountPoint",
"dfs:ModifyMountPoint",
"dfs:GetMountPoint",
"dfs:ListMountPoints"
],
"Resource": [
"acs:dfs:*:*:filesystem/<file-system-id>",
"acs:vpc:*:*:vswitch/*"
]
}
]
}Example 4: Grant a RAM user permissions for a permission group
Grant a RAM user full control over all permission groups.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dfs:CreateAccessGroup",
"dfs:DeleteAccessGroup",
"dfs:ModifyAccessGroup",
"dfs:GetAccessGroup",
"dfs:ListAccessGroups",
"dfs:CreateAccessRule",
"dfs:DeleteAccessRule",
"dfs:ModifyAccessRule",
"dfs:GetAccessRule",
"dfs:ListAccessRules"
],
"Resource":"acs:dfs:*:*:accessgroup/*"
}
]
}
Appendix: Authentication list for custom policies
You can create a custom policy in the RAM console. When you configure the policy using a script, specify the policy content based on the JSON template. For the values of the Action and Resource parameters, see the following authentication list. For more information, see Basic elements of an access policy.
Resource type | API | Action | Resource | Description
File system | CreateFileSystem | dfs:CreateFileSystem | acs:dfs:<region-id>:<account-id>:filesystem/* | Create a file system.
File system | DeleteFileSystem | dfs:DeleteFileSystem | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Delete an existing file system instance.
File system | ModifyFileSystem | dfs:ModifyFileSystem | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Modify the properties of a file system.
File system | GetFileSystem | dfs:GetFileSystem | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Get the details of a file system.
File system | ListFileSystems | dfs:ListFileSystems | acs:dfs:<region-id>:<account-id>:filesystem/* | Get the details of multiple file systems.
Permission group | CreateAccessGroup | dfs:CreateAccessGroup | acs:dfs:<region-id>:<account-id>:accessgroup/* | Create a permission group.
Permission group | DeleteAccessGroup | dfs:DeleteAccessGroup | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Delete a permission group.
Permission group | ModifyAccessGroup | dfs:ModifyAccessGroup | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Modify the properties of a permission group.
Permission group | GetAccessGroup | dfs:GetAccessGroup | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Get the information about a permission group.
Permission group | ListAccessGroups | dfs:ListAccessGroups | acs:dfs:<region-id>:<account-id>:accessgroup/* | Get the information about multiple permission groups.
Permission group | CreateAccessRule | dfs:CreateAccessRule | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Create a permission rule.
Permission group | DeleteAccessRule | dfs:DeleteAccessRule | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Delete a permission rule.
Permission group | ModifyAccessRule | dfs:ModifyAccessRule | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Modify the properties of a rule.
Permission group | GetAccessRule | dfs:GetAccessRule | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Get the details of a rule.
Permission group | ListAccessRules | dfs:ListAccessRules | acs:dfs:<region-id>:<account-id>:accessgroup/<access-group-id> | Get multiple rules.
Mount target | CreateMountPoint | dfs:CreateMountPoint | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> and acs:vpc:<region-id>:<account-id>:vswitch/<vswitch-id> | Create a mount target.
Mount target | DeleteMountPoint | dfs:DeleteMountPoint | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Delete a mount target.
Mount target | ModifyMountPoint | dfs:ModifyMountPoint | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Modify the properties of a mount target.
Mount target | GetMountPoint | dfs:GetMountPoint | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Get the details of a mount target.
Mount target | ListMountPoints | dfs:ListMountPoints | acs:dfs:<region-id>:<account-id>:filesystem/<file-system-id> | Get multiple mount targets.
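The examples above and the authentication list define how Action patterns such as dfs:Get* and Resource ARNs such as acs:dfs:*:*:filesystem/<file-system-id> are matched. The following added example (not Alibaba Cloud code) resolves such patterns against the action names from the appendix, evaluates whether a policy allows a given request, and flags entries that undermine least privilege. It assumes RAM's Deny-overrides evaluation order and uses a constructed stand-in for a full-access policy, since the real AliyunHDFSFullAccess document is not shown on this page.

```python
import fnmatch

# Action names from the page's authentication list (appendix): Create/Delete/Modify/Get
# per resource type, plus the plural List actions.
KNOWN_ACTIONS = {f"dfs:{v}{n}" for n in ("FileSystem", "AccessGroup", "AccessRule", "MountPoint")
                 for v in ("Create", "Delete", "Modify", "Get")} | {
    "dfs:ListFileSystems", "dfs:ListAccessGroups", "dfs:ListAccessRules", "dfs:ListMountPoints"}

# Example 1 from the page, and a constructed stand-in for a full-access policy
# (assumed shape; the real AliyunHDFSFullAccess document is not on the page).
READ_ONLY = {"Version": "1", "Statement": [
    {"Action": ["dfs:Get*", "dfs:List*"], "Resource": "*", "Effect": "Allow"}]}
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Action": "dfs:*", "Resource": "*", "Effect": "Allow"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def expand_actions(pattern):
    """Resolve an Action entry such as 'dfs:Get*' against the known HDFS actions."""
    return sorted(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pattern))

def is_allowed(policy, action, resource):
    """Assumed RAM evaluation: any matching Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit_policy(policy):
    """Least-privilege review: unknown action names, and write actions on wildcard resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = any(r == "*" or r.endswith("/*") for r in _as_list(stmt["Resource"]))
        for pattern in _as_list(stmt["Action"]):
            resolved = expand_actions(pattern)
            if not resolved:
                findings.append(f"statement {i}: '{pattern}' matches no Apsara HDFS action")
            writes = [a for a in resolved if not a.split(":")[1].startswith(("Get", "List"))]
            if writes and wildcard:
                findings.append(f"statement {i}: {len(writes)} write action(s) on a wildcard resource")
    return findings
```

Running audit_policy over a policy before attaching it catches a typo in an action name (which would silently grant nothing) and the wide write grants that make AliyunHDFSFullAccess unsuitable for routine use.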