Grant permissions on AI computing resource groups


You can create custom RAM policies to grant RAM users fine-grained permissions to create, update, delete, or scale AI computing resource groups in PAI.

Background information

RAM permissions apply to the management of cloud-native resources (general computing resources and Lingjun resources) and resource quotas.

Resource pool

A resource pool manages purchased AI computing resources in dedicated resource groups (ResourceGroup).

For more information, see Overview.

Resource quota

A resource quota is a subset of AI computing resources allocated from a resource pool. After a resource quota is associated with a workspace, members can use the resources for AI development and online service deployment. For more information, see Overview.

Resource quotas follow a tree structure as shown below. A resource quota created from a resource pool is called a root resource quota. Each root quota can be divided into multiple child quotas, and each child quota can be further subdivided.

[Figure: tree structure of resource quotas (root resource quota with nested child resource quotas)]

The following resource quota APIs support RAM permission management. You can use custom policies for fine-grained access control on AI computing resources.

API name and description:

  • CreateQuota: Create a resource quota (supports both root and child resource quotas)

  • ScaleQuota: Scale a resource quota (supports both root and child resource quotas)

  • GetQuota: Get resource quota details (such as tags, description, and VPC information)

  • ListQuotas: Get the resource quota list

  • UpdateQuota: Update a resource quota (such as tags, description, and VPC information)

  • DeleteQuota: Delete a resource quota

Procedure

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy. For more information, see the "Create a custom policy on the JSON tab" section in Create custom policies.

    For the permissions granted by different custom policies, see Examples.

  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

Examples

Resource pool management permissions

RAM users with resource pool management permissions can view, create, update, and delete dedicated resource groups in the resource pool.

Sample policy:

Note

To grant resource pool management permissions to a RAM user, you must also grant Virtual Private Cloud (VPC) permissions. VPC configuration is required when you create a dedicated resource group on the Resource Pool page in the PAI console.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:*ResourceGroup*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}

Root resource quota creation, scaling, and deletion permissions

A root resource quota (first-level) draws computing resources from associated resource groups in a resource pool. You can select one or more resource groups. Therefore, creating or scaling a root resource quota requires permissions for both the resource pool and the resource quota.

The following sample policy grants Get, List, and Update permissions on three dedicated resource groups in the resource pool: resourcegroup1, resourcegroup2, and resourcegroup3. An authorized RAM user can create a root resource quota only by allocating resources from these three resource groups.

The resource "acs:pai:*:*:quota/*" means that a user with this policy can operate on all resource quota trees, while the resource sources remain limited to the resourcegroup1, resourcegroup2, and resourcegroup3 resource groups.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:GetResourceGroup",
        "pai:ListResourceGroups",
        "pai:UpdateResourceGroup"
      ],
      "Resource": [
        "acs:pai:*:*:resourcegroup/resourcegroup1",
        "acs:pai:*:*:resourcegroup/resourcegroup2",
        "acs:pai:*:*:resourcegroup/resourcegroup3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*"
      ]
    }
  ]
}

Root resource quota management permissions

Managing a root resource quota does not require resource pool permissions. For example, a RAM user with quota1 management permissions can:

  • View quota1.

  • Update the metadata of quota1, such as the tag and description.

  • Manage child resource quotas of quota1: create, update, scale, and delete.

The policy for quota1 contains two Statements. The first Statement defines permissions for the resource quota tree rooted at quota1. The second Statement defines permissions for quota1 itself.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/quota1"
      ]
    }
  ]
}

Child resource quota management permissions

For example, a RAM user with quota1.2 management permissions can:

  • View quota1.2.

  • Update the metadata of quota1.2, such as the tag and description.

  • Manage child resource quotas of quota1.2: create, update, scale, and delete.

The policy for managing quota1.2 contains two Statements: the first defines permissions for the resource quota tree rooted at quota1.2, and the second defines permissions for quota1.2 itself.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pai:CreateQuota",
        "pai:UpdateQuota",
        "pai:ScaleQuota",
        "pai:DeleteQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pai:UpdateQuota",
        "pai:GetQuota",
        "pai:ListQuotas"
      ],
      "Resource": [
        "acs:pai:*:*:quota/*/quota1.2"
      ]
    }
  ]
}
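Before attaching the root quota and child quota policies above, it is worth checking that each one grants exactly the subtree access the text describes (for example, that quota1 itself can be read and updated but not deleted). The following added example, which is not part of this page or of PAI, embeds both policies and evaluates them with a simplified RAM-style matcher; the region, account ID, and the "Allow-only, no Condition" evaluation are assumptions made for the illustration.

```python
import re

# The page's root-quota and child-quota policies, embedded so the check runs offline.
ROOT_QUOTA_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["pai:CreateQuota", "pai:UpdateQuota", "pai:ScaleQuota",
                "pai:DeleteQuota", "pai:GetQuota", "pai:ListQuotas"],
     "Resource": ["acs:pai:*:*:quota/quota1/*"]},
    {"Effect": "Allow",
     "Action": ["pai:UpdateQuota", "pai:GetQuota", "pai:ListQuotas"],
     "Resource": ["acs:pai:*:*:quota/quota1"]}]}

CHILD_QUOTA_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["pai:CreateQuota", "pai:UpdateQuota", "pai:ScaleQuota",
                "pai:DeleteQuota", "pai:GetQuota", "pai:ListQuotas"],
     "Resource": ["acs:pai:*:*:quota/*/quota1.2/*"]},
    {"Effect": "Allow",
     "Action": ["pai:UpdateQuota", "pai:GetQuota", "pai:ListQuotas"],
     "Resource": ["acs:pai:*:*:quota/*/quota1.2"]}]}

# Constructed ARN prefix: region and account ID are placeholders, not real values.
ARN = "acs:pai:cn-hangzhou:123456789012:"


def _matches(pattern: str, value: str) -> bool:
    # Assumed simplified RAM wildcard: '*' matches any run of characters, '/' included.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: only Allow statements, no Deny and no Condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, action) for a in _as_list(stmt["Action"])) and \
           any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def check(policy: dict, cases) -> dict:
    """Map each (action, quota path) pair to the evaluator's decision."""
    return {(a, path): is_allowed(policy, a, ARN + path) for a, path in cases}


if __name__ == "__main__":
    cases = [("pai:DeleteQuota", "quota/quota1"), ("pai:DeleteQuota", "quota/quota1/quota1.2")]
    for k, v in check(ROOT_QUOTA_POLICY, cases).items():
        print(k, "->", "Allow" if v else "no matching statement")
```

The trailing "/*" is what keeps quota1 (or quota1.2) itself out of the create, scale, and delete statement, so a missing slash would silently widen the grant to the root of the tree.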

VPC permissions

If you purchase Lingjun resources in the China (Ulanqab) region, VPC configuration is available when you create root and child resource quotas in the PAI console. Add the following VPC permissions to your quota-related policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}