Configuring Fine-Grained OBS Access Permissions for MRS Cluster Users

When fine-grained permission control is enabled, you can configure OBS access permissions to implement access control on directories in OBS file systems.

This function enables you to control MRS users' access to OBS resources. For example, if you allow user group A to only access log files in a specified OBS file system, perform the following operations:

Configure an agency with OBS access permissions for an MRS cluster so that OBS can be accessed using the temporary AK/SK automatically obtained by the ECS.
Create a policy on the IAM console to allow access to log files in a specified OBS file system, and create an agency bound to the policy permission.
In the MRS cluster, bind the new agency to user group A so that user group A only has the permission to access log files in the specified OBS file system.

In the following scenarios, the username used for submitting jobs is an internal username so that MRS multi-user access to OBS is not supported.

In a cluster with Kerberos authentication enabled, the built-in username of spark-beeline for submitting jobs is spark. In a cluster with Kerberos authentication disabled, the built-in username is omm.
In a cluster with Kerberos authentication enabled, the built-in usernames of Presto for submitting jobs is omm and hive. In a cluster with Kerberos authentication disabled, the built-in username is omm. On the cluster details page of the MRS console, choose Components > Presto > Service Configuration, set Type to All, search for hive.hdfs.impersonation.enabled, and change its value to true. In this way, multiple MRS users can access OBS with fine-grained permissions.

Notes and Constraints

This section does not apply to MRS 1.9.2.

Prerequisites

Fine-grained permission control has been enabled. For details about permissions management, see Creating an IAM User and Granting MRS Permissions.
You have a basic knowledge of Cloud Service Delegation and OBS fine-grained policies.

Configuring an Agency with OBS Access Permissions for a Cluster

Follow instructions in Interconnecting an MRS Cluster with OBS Using an IAM Agency to configure an agency with OBS access permissions.

The agency takes effect for all users (including internal users) and user groups in the cluster. To control the permissions of users and user groups in the cluster to access OBS, perform the following operations.

When configuring permissions on an OBS path, if you grant write permissions, you must also configure the corresponding recycle bin path. The default recycle bin path is /user/${current.user}/.Trash/, where ${current.user} indicates the current username.

Creating a Policy and an Agency on IAM

Create policies with different access permissions and bind the policies to the agency. For details, see Reference: Creating a Policy and an Agency on IAM.

Configuring OBS Permission Control Mapping

On the MRS management console, choose Active Clusters and click the cluster name.
In the Basic Information area on the Dashboard tab page, click Manage next to OBS Permission Control.

Click Add Mapping and set parameters according to Table 1.

**Table 1** Adding an OBS permission control mapping
Parameter	Description
IAM Agency	Select the agency created in Step 2.
Type	User: User-level mapping Group: User group-level mapping User-level mapping takes priority over user group-level mapping. If you select Group, you are advised to enter the primary group name in MRS User (User Group). Do not use the same username (group) in multiple mapping records.
MRS User (User Group)	Use commas (,) to separate multiple names of users or user groups. If OBS permission control is not configured for a user and no AK/SK is set, the OBS OperateAccess permission in MRS_ECS_DEFAULT_AGENCY will be used to access OBS. It is recommended that you do not bind the internal user of a component to any agency. If you need to configure an agency for a component's internal user when submitting a job in the following scenarios, observe the following requirements: To control permissions on spark-beeline operations, configure the username spark for clusters with Kerberos authentication enabled and the username omm for clusters with Kerberos authentication disabled. To control permissions on Presto operations, configure usernames omm, hive, and the one used to log in to the client for clusters with Kerberos authentication enabled, and configure usernames omm and the one used to log in to the client for clusters with Kerberos authentication disabled. If you want to use Hive to create tables in beeline mode, configure the internal user hive.

Click OK.
Select I agree to authorize the trust relationships between MRS Users (Groups) and IAM agencies, and click OK. The mapping between the MRS user and OBS permission is added.

If appears next to OBS Permission Control on the Dashboard tab page or the mapping table has been updated for OBS permission control, the mapping takes effect. It takes about 1 minute to for the mapping to take effect.

In the Operation column of the mapping list, you can edit or delete the added mapping.
- If OBS permission control is not configured for a user and no AK/SK is set, OBS access is granted using the permissions of the agency configured for the cluster in the Object Storage Service (OBS) project.
- Once AK/SK credentials are configured, OBS access is performed using those credentials, regardless of whether OBS permission control is configured.
- Security Administrator permissions are required to modify, create, or delete a mapping.
- To apply the mapping changes in Spark Beeline, Hive Beeline, and Presto, you must restart Spark, exit and re-enter Beeline, and restart Presto, respectively.

Component Access to OBS When OBS Permission Control Is Enabled

Log in to any node in a cluster as user root using the password set during cluster creation.
Run the following commands to set the environment variables:

cd Client installation directory

source Client installation directory/bigdata_env
If the Kerberos authentication is enabled for the current cluster, run the following command to authenticate the user. If the Kerberos authentication is disabled for the current cluster, skip this step:

kinit MRS cluster user

Example:

kinit admin
If Kerberos authentication is disabled for the current cluster, run the following commands to log in as a user who belongs to the supergroup group. Replace XXXX with the username. For how to create a user, refer to Creating an MRS Cluster User.

mkdir /home/XXXX

chown XXXX /home/XXXX

su - XXXX
Access OBS. You do not need to configure AK/SK credentials or endpoints. The OBS path format is obs://OBS parallel file system name/XXX.

hadoop fs -ls "obs://obs-example/job/hadoop-mapreduce-examples-3.1.2.jar"

Note that:
- To delete files from OBS using the hadoop fs command, run hadoop fs -rm -skipTrash.
- If table creation in Spark SQL or Spark Beeline does not involve data import, OBS access is not triggered. That is, if you create a table in an OBS directory on which you do not have permission, the CREATE TABLE operation will still be successful, but the error message "403 AccessDeniedException" is displayed when you insert data.

Reference: Creating a Policy and an Agency on IAM

Create a policy on IAM.

Log in to the IAM console.
In the navigation pane on the left, choose Permissions > Policies/Roles. On the displayed page, click Create Custom Policy.

Set parameters according to Table 2. Obtain the customized OBS policy samples that are frequently used by referring to OBS Custom Policies.

**Table 2** Policy parameters
Parameter	Description
Policy Name	Only letters, digits, spaces, and special characters (-_.,) are allowed.
Scope	Select Global services, because OBS is a global service.
Policy View	Select Visual editor.
Policy Content	Allow: Select Allow. Select service: Select Object Storage Service (OBS). Select action: Select ReadWrite, ReadOnly, and ListOnly. Resources under All: Select Specific and set the following parameters: object: Select Specify resource path and click Add Resource Path to add a path. The /tmp directory is used as an example. For example, enter obs_bucket_name/tmp/ and obs_bucket_name/tmp/. bucket: Select Specify resource path, click Add Resource Path, and enter obs_bucket_name*. (Optional) Request condition: not added.
Description	(Optional) Brief description about the policy.

If the data write operation of each component is implemented in rename mode, the permission to delete objects must be configured when data is written.

Click OK to save the policy.

Create an agency on IAM.

Log in to the IAM console.
Choose Agencies. On the displayed page, click Create Agency.

Set parameters according to Table 3.

**Table 3** Agency parameters
Parameter	Description
Agency Name	Only letters, digits, spaces, and special characters (-_.,) are allowed.
Agency Type	Select Common account.
Delegated Account	Enter your cloud account, that is, the account you register using your mobile phone number. It cannot be a federated user or an IAM user created using your cloud account.
Validity Period	Set this parameter as required.
Description	(Optional) Brief description about the agency.
Permissions	In the Project [Region] column, locate the row where OBS is, click Attach Policy. Select the policy created in Step 1 to display it in Selected Policies. Click OK.

Click OK to save the agency.
If you modify an agency or its bound policies after it has been used to access OBS, the changes take effect within 15 minutes.