What Should I Do If a Message Indicating Insufficient Permissions Is Displayed When I Use ModelArts?
If a message indicating insufficient permissions is displayed when you use ModelArts, perform the operations described in this section to grant permissions for related services as needed.
The permissions to use ModelArts depend on OBS authorization. Therefore, ModelArts users require OBS system permissions as well.
- For details about how to grant a user full permissions for OBS and common operations permissions for ModelArts, see Configuring Common Operations Permissions.
- For details about how to manage user permissions on OBS and ModelArts in a refined manner and configure custom policies, see Creating a Custom Policy for ModelArts.
Configuring Common Operations Permissions
To use the basic functions of ModelArts, the ModelArts CommonOperations policy needs to be in effect for project-level services. The use of ModelArts depends on OBS permissions. The Tenant Administrator policy needs to be applied globally for all users of the project.
The procedure is as follows:
- Create a user group.
Log in to the IAM console and choose User Groups > Create User Group. Enter a user group name, and click OK.
- Assign permissions to the user group.
In the user group list, click Manage Permissions in the Operation column of the row that contains the user group created in Step 1. On the Permissions tab page, click Assign Permissions. Configure the following permissions:
- Set Scope to Global service project and select the Tenant Administrator policy. See Figure 1.
- Set Scope to Region-specific projects and select the ModelArts CommonOperations policy. See Figure 2.
The authorization of a regional-specific project takes effect only in the authorized region. If the authorization needs to take effect in all regions, the authorization needs to be repeated for every region involved.
- Create a user and add it to the user group.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the ModelArts console as the created user, switch to the authorized region, and verify the ModelArts CommonOperations and Tenant Administrator policies are in effect.
- Choose Service List > ModelArts. Choose Dedicated Resource Pools. On the page that is displayed, select a resource pool type and click Create. You should not be able to create a new resource pool.
- Choose any other service in Service List. Assuming that the current permissions contain only ModelArts CommonOperations, you should get a message indicating that you have insufficient permissions.
- Choose Service List > ModelArts. On the ModelArts console, choose Data Management > Datasets > Create Dataset. You should be able to access the corresponding OBS path.
Creating a Custom Policy for ModelArts
In addition to the default system policies of ModelArts, you can create custom policies, which can address OBS permissions as well. For more information, see Creating a Custom Policy.
You can create custom policies in the visual editor or by creating a JSON file. This section describes how to use a JSON file to configure a custom policy to grant permissions required to use the development environment, and how to configure the minimum OBS permissions for ModelArts users.
A custom policy can contain actions for multiple services that are accessible globally or only for region-specific projects.
ModelArts is a project-level service, but OBS is a global service, so you need to create separate policies for the two services and then apply these policies to the users.
- Create a custom policy for minimizing permissions for OBS that ModelArts depends on. See Figure 3.
Log in to the IAM console and choose Permissions > Create Custom Policy. Configure the parameters as follows:
- Policy Name: Choose a custom policy name.
- Scope: Global services.
- Policy View: JSON.
- Policy Content: Follow the instructions in Example Custom Policies of OBS. For more information about OBS system permissions, see OBS Permissions Management.
- Create a custom policy for the permission to use the ModelArts development environment. See Figure 4. Configure the parameters as follows:
- Policy Name: Choose a custom policy name.
- Scope: Project-level services.
- Policy View: JSON.
- Policy Content: Follow the instructions in Example Custom Policies for Using the ModelArts Development Environment. For the actions that can be added for custom policies, see ModelArts API Reference > Permissions Policies and Supported Actions.
- For the system policies of other services, see System Permissions.
- On the IAM console, create a user group and grant permissions to it.
After creating a user group on the IAM console, grant the custom policy created in 1 to the user group.
- Create a user and add it to the user group.
Create a user on the IAM console and add the user to the group created in 3.
- Log in and verify permissions.
Log in to the ModelArts console as the created user, switch to the authorized region, and verify the ModelArts CommonOperations and Tenant Administrator policies are in effect.
- Choose Service List > ModelArts. On the ModelArts console, choose Data Management > Datasets. If you cannot create a dataset, the permissions (for using the development environment) granted only to ModelArts users have taken effect.
- Choose Service List > ModelArts. On the ModelArts console, choose DevEnviron > Notebooks > Create. You should be able to access the OBS path specified in Storage Path.
Example Custom Policies of OBS
The permissions to use ModelArts require OBS authorization. The following example shows the minimum OBS required, including the permissions for OBS buckets and objects. After being granted the minimum permissions for OBS, users can access OBS from ModelArts without restrictions.
{
"Version": "1.1",
"Statement": [
{
"Action": [
"obs:bucket:ListAllMybuckets",
"obs:bucket:HeadBucket",
"obs:bucket:ListBucket",
"obs:bucket:GetBucketLocation",
"obs:object:GetObject",
"obs:object:GetObjectVersion",
"obs:object:PutObject",
"obs:object:DeleteObject",
"obs:object:DeleteObjectVersion",
"obs:object:ListMultipartUploadParts",
"obs:object:AbortMultipartUpload",
"obs:object:GetObjectAcl",
"obs:object:GetObjectVersionAcl",
"obs:bucket:PutBucketAcl",
"obs:object:PutObjectAcl"
],
"Effect": "Allow"
}
]
}
Example Custom Policies for Using the ModelArts Development Environment
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"modelarts:notebook:list",
"modelarts:notebook:create" ,
"modelarts:notebook:get" ,
"modelarts:notebook:update" ,
"modelarts:notebook:delete" ,
"modelarts:notebook:action" ,
"modelarts:notebook:access"
]
}
]
}
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.