Agencies and Dependencies
Function Dependency
Function Dependency Policies
When using ModelArts to develop algorithms or manage training jobs, you are required to use other Cloud services. For example, before submitting a training job, select an OBS path for storing the dataset and logs, respectively. Therefore, when configuring fine-grained authorization policies for a user, the administrator must configure dependent permissions so that the user can use required functions.
If you use ModelArts as the root user (default IAM user with the same name as the account), the root user has all permissions by default.
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Global configuration |
IAM |
iam:users:listUsers |
Obtain a user list. This action is required by the administrator only. |
|
Basic function |
IAM |
iam:tokens:assume |
(Mandatory) Use an agency to obtain temporary authentication credentials. |
|
Basic function |
BSS |
bss:balance:view |
Show the balance of the current account on the page after resources are created on the ModelArts console. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Workspace |
IAM |
iam:users:listUsers |
Authorize an IAM user to use a workspace. |
|
ModelArts |
modelarts:*:*delete* |
Clear resources in a workspace when deleting it. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Lifecycle management of development environment instances |
ModelArts |
modelarts:notebook:create modelarts:notebook:list modelarts:notebook:get modelarts:notebook:update modelarts:notebook:delete modelarts:notebook:start modelarts:notebook:stop modelarts:notebook:updateStopPolicy modelarts:image:delete modelarts:image:list modelarts:image:create modelarts:image:get modelarts:pool:list modelarts:tag:list modelarts:network:get aom:metric:get aom:metric:list aom:alarm:list |
Start, stop, create, delete, and update an instance. |
|
Dynamically mounting storage |
ModelArts |
modelarts:notebook:listMountedStorages modelarts:notebook:mountStorage modelarts:notebook:getMountedStorage modelarts:notebook:umountStorage |
Dynamically mount storage. |
|
OBS |
obs:bucket:ListAllMyBuckets obs:bucket:ListBucket |
||
|
Image management |
ModelArts |
modelarts:image:register modelarts:image:listGroup |
Register and view an image on the Image Management page. |
|
Saving an image |
SWR |
SWR Admin |
The SWR Admin policy contains the maximum scope of SWR permissions, which can be used to:
|
|
Using the SSH function |
ECS |
ecs:serverKeypairs:list ecs:serverKeypairs:get ecs:serverKeypairs:delete ecs:serverKeypairs:create |
Configure a login key for a notebook instance. |
|
Mounting an SFS Turbo file system |
SFS Turbo |
SFS Turbo FullAccess |
Read and write an SFS directory as an IAM user. Mount an SFS file system that is not created by you to a notebook instance using a dedicated resource pool. |
|
Viewing all Instances |
ModelArts |
modelarts:notebook:listAllNotebooks |
View development environment instances of all users on the ModelArts management console. This action is required by the development environment instance administrator. |
|
IAM |
iam:users:listUsers |
||
|
Local VS Code plug-in or PyCharm Toolkit |
ModelArts |
modelarts:notebook:listAllNotebooks modelarts:trainJob:create modelarts:trainJob:list modelarts:trainJob:update modelarts:trainJobVersion:delete modelarts:trainJob:get modelarts:trainJob:logExport modelarts:workspace:getQuotas (This policy is required if the workspace function is enabled.) |
Access a notebook instance from local VS Code and submit training jobs. |
|
OBS |
obs:bucket:ListAllMybuckets obs:bucket:HeadBucket obs:bucket:ListBucket obs:bucket:GetBucketLocation obs:object:GetObject obs:object:GetObjectVersion obs:object:PutObject obs:object:DeleteObject obs:object:DeleteObjectVersion obs:object:ListMultipartUploadParts obs:object:AbortMultipartUpload obs:object:GetObjectAcl obs:object:GetObjectVersionAcl obs:bucket:PutBucketAcl obs:object:PutObjectAcl obs:object:ModifyObjectMetaData |
||
|
IAM |
iam:projects:listProjects |
Obtain an IAM project list through local PyCharm for access configurations. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Training management |
ModelArts |
modelarts:trainJob:* modelarts:trainJobLog:* modelarts:aiAlgorithm:* modelarts:image:list |
Create a training job and view training logs. |
|
modelarts:workspace:getQuotas |
Obtain a workspace quota. This policy is required if the workspace function is enabled. |
||
|
modelarts:tag:list |
Use Tag Management Service (TMS) in a training job. |
||
|
IAM |
iam:credentials:listCredentials iam:agencies:listAgencies |
Use the configured agency authorization. |
|
|
SFS Turbo |
sfsturbo:shares:getShare sfsturbo:shares:getAllShares |
Use SFS Turbo in a training job. |
|
|
SWR |
swr:repository:listTags swr:repository:getRepository swr:repository:listRepositories |
Use a custom image to create a training job. |
|
|
SMN |
smn:topic:publish smn:topic:list |
Notify training job status changes through SMN. |
|
|
OBS |
obs:bucket:ListAllMybuckets obs:bucket:HeadBucket obs:bucket:ListBucket obs:bucket:GetBucketLocation obs:object:GetObject obs:object:GetObjectVersion obs:object:PutObject obs:object:DeleteObject obs:object:DeleteObjectVersion obs:object:ListMultipartUploadParts obs:object:AbortMultipartUpload obs:object:GetObjectAcl obs:object:GetObjectVersionAcl obs:bucket:PutBucketAcl obs:object:PutObjectAcl obs:object:ModifyObjectMetaData |
Run a training job using a dataset in an OBS bucket. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Using a dataset |
ModelArts |
modelarts:dataset:getDataset modelarts:dataset:createDataset modelarts:dataset:createDatasetVersion modelarts:dataset:createImportTask modelarts:dataset:updateDataset modelarts:processTask:createProcessTask modelarts:processTask:getProcessTask modelarts:dataset:listDatasets |
Use ModelArts datasets in a workflow. |
|
Managing AI applications |
ModelArts |
modelarts:model:list modelarts:model:get modelarts:model:create modelarts:model:delete modelarts:model:update |
Manage ModelArts AI applications in a workflow. |
|
Deploying a service |
ModelArts |
modelarts:service:get modelarts:service:create modelarts:service:update modelarts:service:delete modelarts:service:getLogs |
Manage ModelArts real-time services in a workflow. |
|
Training jobs |
ModelArts |
modelarts:trainJob:get modelarts:trainJob:create modelarts:trainJob:list modelarts:trainJobVersion:list modelarts:trainJobVersion:create modelarts:trainJob:delete modelarts:trainJobVersion:delete modelarts:trainJobVersion:stop |
Manage ModelArts training jobs in a workflow. |
|
Workspace |
ModelArts |
modelarts:workspace:get modelarts:workspace:getQuotas |
Use ModelArts workspaces in a workflow. |
|
Managing data |
OBS |
obs:bucket:ListAllMybuckets (Obtaining a bucket list) obs:bucket:HeadBucket (Obtaining bucket metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:GetBucketLocation (Obtaining the bucket location) obs:object:GetObject (Obtaining object content and metadata) obs:object:GetObjectVersion (Obtaining object content and metadata) obs:object:PutObject (Uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (Deleting an object or batch deleting objects) obs:object:DeleteObjectVersion (Deleting an object or batch deleting objects) obs:object:ListMultipartUploadParts (Listing uploaded parts) obs:object:AbortMultipartUpload (Aborting multipart uploads) obs:object:GetObjectAcl (Obtaining an object ACL) obs:object:GetObjectVersionAcl (Obtaining an object ACL) obs:bucket:PutBucketAcl (Configuring a bucket ACL) obs:object:PutObjectAcl (Configuring an object ACL) |
Use OBS data in a workflow. |
|
Executing a workflow |
IAM |
iam:users:listUsers (Obtaining users) iam:agencies:getAgency (Obtaining details about a specified agency) iam:tokens:assume (Obtaining an agency token) |
Call other ModelArts services when the workflow is running. |
|
Integrating DLI |
DLI |
dli:jobs:get (Obtaining job details) dli:jobs:list_all (Viewing a job list) dli:jobs:create (Creating a job) |
Integrate DLI into a workflow. |
|
Integrating MRS |
MRS |
mrs:job:get (Obtaining job details) mrs:job:submit (Creating and executing a job) mrs:job:list (Viewing a job list) mrs:job:stop (Stopping a job) mrs:job:batchDelete (Batch deleting jobs) mrs:file:list (Viewing a file list) |
Integrate MRS into a workflow. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Managing AI applications |
SWR |
swr:repository:deleteRepository swr:repository:deleteTag swr:repository:getRepository swr:repository:listTags |
Import a model from a custom image. Use a custom engine when importing a model from OBS. |
|
OBS |
obs:bucket:ListAllMybuckets (Obtaining a bucket list) obs:bucket:HeadBucket (Obtaining bucket metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:GetBucketLocation (Obtaining the bucket location) obs:object:GetObject (Obtaining object content and metadata) obs:object:GetObjectVersion (Obtaining object content and metadata) obs:object:PutObject (Uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (Deleting an object or batch deleting objects) obs:object:DeleteObjectVersion (Deleting an object or batch deleting objects) obs:object:ListMultipartUploadParts (Listing uploaded parts) obs:object:AbortMultipartUpload (Aborting multipart uploads) obs:object:GetObjectAcl (Obtaining an object ACL) obs:object:GetObjectVersionAcl (Obtaining an object ACL) obs:bucket:PutBucketAcl (Configuring a bucket ACL) obs:object:PutObjectAcl (Configuring an object ACL) |
Import a model from a template. Specify an OBS path for model conversion. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Real-time services |
LTS |
lts:logs:list (Obtaining the log list) |
Show LTS logs. |
|
OBS |
obs:bucket:GetBucketPolicy (Obtaining a bucket policy) obs:bucket:HeadBucket (Obtaining bucket metadata) obs:bucket:ListAllMyBuckets (Obtaining a bucket list) obs:bucket:PutBucketPolicy (Configuring a bucket policy) obs:bucket:DeleteBucketPolicy (Deleting a bucket policy) |
Mount external volumes to a container when services are running. |
|
|
Batch services |
OBS |
obs:object:GetObject (Obtaining object content and metadata) obs:object:PutObject (Uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:bucket:CreateBucket (Creating a bucket) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Obtaining a bucket list) |
Create batch services and perform batch inference. |
|
Edge services |
CES |
ces:metricData:list: (Obtaining metric data) |
View monitoring metrics. |
|
IEF |
ief:deployment:delete (Deleting a deployment) |
Manage edge services. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Managing datasets and labels |
OBS |
obs:bucket:ListBucket (Listing objects in a bucket) obs:object:GetObject (Obtaining object content and metadata) obs:object:PutObject (Uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (Deleting an object or batch deleting objects) obs:bucket:HeadBucket (Obtaining bucket metadata) obs:bucket:GetBucketAcl (Obtaining a bucket ACL) obs:bucket:PutBucketAcl (Configuring a bucket ACL) obs:bucket:GetBucketPolicy (Obtaining a bucket policy) obs:bucket:PutBucketPolicy (Configuring a bucket policy) obs:bucket:DeleteBucketPolicy (Deleting a bucket policy) obs:bucket:PutBucketCORS (Configuring or deleting CORS rules of a bucket) obs:bucket:GetBucketCORS (Obtaining the CORS rules of a bucket) obs:object:PutObjectAcl (Configuring an object ACL) |
Manage datasets in OBS. Label OBS data. Create a data management job. |
|
Managing table datasets |
DLI |
dli:database:displayAllDatabases dli:database:displayAllTables dli:table:describe_table |
Manage DLI data in a dataset. |
|
Managing table datasets |
DWS |
dws:openAPICluster:list dws:openAPICluster:getDetail |
Manage DWS data in a dataset. |
|
Managing table datasets |
MRS |
mrs:job:submit mrs:job:list mrs:cluster:list mrs:cluster:get |
Manage MRS data in a dataset. |
|
Auto labeling |
ModelArts |
modelarts:service:list modelarts:model:list modelarts:model:get modelarts:model:create modelarts:trainJobInnerModel:list modelarts:workspace:get modelarts:workspace:list |
Enable auto labeling. |
|
Team labeling |
IAM |
iam:projects:listProjects (Obtaining tenant projects) iam:users:listUsers (Obtaining users) iam:agencies:createAgency (Creating an agency) iam:quotas:listQuotasForProject (Obtaining the quotas of a project) |
Manage labeling teams. |
|
Application Scenario |
Dependent Service |
Dependent Policy |
Supported Function |
|---|---|---|---|
|
Managing resource pools |
BSS |
bss:coupon:view bss:order:view bss:balance:view bss:discount:view bss:renewal:view bss:bill:view bss:contract:update bss:order:pay bss:unsubscribe:update bss:renewal:update bss:order:update |
Create, renew, and unsubscribe from a resource pool. Dependent permissions must be configured in the IAM project view. |
|
ECS |
ecs:availabilityZones:list |
Show AZs. Dependent permissions must be configured in the IAM project view. |
|
|
Network management |
VPC |
vpc:routes:create vpc:routes:list vpc:routes:get vpc:routes:delete vpc:peerings:create vpc:peerings:accept vpc:peerings:get vpc:peerings:delete vpc:routeTables:update vpc:routeTables:get vpc:routeTables:list vpc:vpcs:create vpc:vpcs:list vpc:vpcs:get vpc:vpcs:delete vpc:subnets:create vpc:subnets:get vpc:subnets:delete vpcep:endpoints:list vpcep:endpoints:create vpcep:endpoints:delete vpcep:endpoints:get vpc:ports:create vpc:ports:get vpc:ports:update vpc:ports:delete vpc:networks:create vpc:networks:get vpc:networks:update vpc:networks:delete |
Create and delete ModelArts networks, and interconnect VPCs. Dependent permissions must be configured in the IAM project view. |
|
SFS Turbo |
sfsturbo:shares:addShareNic sfsturbo:shares:deleteShareNic sfsturbo:shares:showShareNic sfsturbo:shares:listShareNics |
Interconnect your network with SFS Turbo. Dependent permissions must be configured in the IAM project view. |
|
|
Edge resource pool |
IEF |
ief:node:list ief:group:get ief:application:list ief:application:get ief:node:listNodeCert ief:node:get ief:IEFInstance:get ief:deployment:list ief:group:listGroupInstanceState ief:IEFInstance:list ief:deployment:get ief:group:list |
Add, delete, modify, and search for edge pools |
Agency authorization
To simplify operations when you use ModelArts to run jobs, certain operations are automatically performed on the ModelArts backend, for example, downloading the datasets in an OBS bucket to a workspace before a training job is started and dumping training job logs to the OBS bucket.
ModelArts does not save your token authentication credentials. Before performing operations on your resources (such as OBS buckets) in a backend asynchronous job, you are required to explicitly authorize ModelArts through an IAM agency. ModelArts will use the agency to obtain a temporary authentication credential for performing operations on your resources. For details, see Adding Authorization.
As shown in Figure 1, after authorization is configured on ModelArts, ModelArts uses the temporary credential to access and operate your resources, relieving you from some complex and time-consuming operations. The agency credential will also be synchronized to your jobs (including notebook instances and training jobs). You can use the agency credential to access your resources in the jobs.
You can use either of the following methods to authorize ModelArts using an agency:
One-click authorization
ModelArts provides one-click automatic authorization. You can quickly configure agency authorization on the Global Configuration page of ModelArts. Then, ModelArts will automatically create an agency for you and configure it in ModelArts.
In this mode, the authorization scope is specified based on the preset system policies of dependent services to ensure sufficient permissions for using services. The created agency has almost all permissions of dependent services. If you want to precisely control the scope of permissions granted to an agency, use the second method.
Custom authorization
The administrator creates different agency authorization policies for different users in IAM, and configures the created agency for ModelArts users. When creating an agency for an IAM user, the administrator specifies the minimum permissions for the agency based on the user's permissions to control the resources that the user can access when they use ModelArts. For details, see Assigning Basic Permissions for Using ModelArts.
Risks in Unauthorized Operations
The agency authorization of a user is independent. Theoretically, the agency authorization scope of a user can be beyond the authorization scope of the authorization policy configured for the user group. Any improper configuration will result in unauthorized operations.
To prevent unauthorized operations, only a tenant administrator is allowed to configure agencies for users in the ModelArts global configuration to ensure the security of agency authorization.
Minimal Agency Authorization
When configuring agency authorization, an administrator must strictly control the authorization scope.
ModelArts asynchronously and automatically performs operations such as job preparation and clearing. The required agency authorization is within the basic authorization scope. If you use only some functions of ModelArts, the administrator can filter out the basic permissions that are not used according to the agency authorization configuration. Conversely, if you need to obtain resource permissions beyond the basic authorization scope in a job, the administrator can add new permissions to the agency authorization configuration. In a word, the agency authorization scope must be minimized and customized based on service requirements.
Basic Agency Authorization Scope
To customize the permissions for an agency, select permissions based on your service requirements.
|
Application Scenario |
Dependent Service |
Agency Authorization |
Description |
Configuration Suggestion |
|---|---|---|---|---|
|
JupyterLab |
OBS |
obs:object:DeleteObject obs:object:GetObject obs:object:GetObjectVersion obs:bucket:CreateBucket obs:bucket:ListBucket obs:bucket:ListAllMyBuckets obs:object:PutObject obs:bucket:GetBucketAcl obs:bucket:PutBucketAcl obs:bucket:PutBucketCORS |
Use OBS to upload and download data in JupyterLab through ModelArts notebook. |
Recommended |
|
Development environment monitoring |
AOM |
aom:alarm:put |
Call the AOM API to obtain monitoring data and events of notebook instances and display them in ModelArts notebook. |
Recommended |
|
Application Scenario |
Dependent Service |
Agency Authorization |
Description |
|---|---|---|---|
|
Training jobs |
OBS |
obs:bucket:ListBucket obs:object:GetObject obs:object:PutObject |
Download data, models, and code before starting a training job. Upload logs and models when a training job is running. |
|
Application Scenario |
Dependent Service |
Agency Authorization |
Description |
|---|---|---|---|
|
Real-time services |
LTS |
lts:groups:create lts:groups:list lts:topics:create lts:topics:delete lts:topics:list |
Configure LTS for reporting logs of real-time services. |
|
Batch services |
OBS |
obs:bucket:ListBucket obs:object:GetObject obs:object:PutObject |
Run a batch service. |
|
Edge services |
IEF |
ief:deployment:list ief:deployment:create ief:deployment:update ief:deployment:delete ief:node:createNodeCert ief:iefInstance:list ief:node:list |
Deploy an edge service using IEF. |
|
Application Scenario |
Dependent Service |
Agency Authorization |
Description |
|---|---|---|---|
|
Dataset and data labeling |
OBS |
obs:object:GetObject obs:object:PutObject obs:object:DeleteObject obs:object:PutObjectAcl obs:bucket:ListBucket obs:bucket:HeadBucket obs:bucket:GetBucketAcl obs:bucket:PutBucketAcl obs:bucket:GetBucketPolicy obs:bucket:PutBucketPolicy obs:bucket:DeleteBucketPolicy obs:bucket:PutBucketCORS obs:bucket:GetBucketCORS |
Manage datasets in an OBS bucket. |
|
Labeling data |
ModelArts inference |
modelarts:service:get modelarts:service:create modelarts:service:update |
Perform auto labeling based on ModelArts inference. |
|
Application Scenario |
Dependent Service |
Agency Authorization |
Description |
|---|---|---|---|
|
Network management (New version) |
VPC |
vpc:routes:create vpc:routes:list vpc:routes:get vpc:routes:delete vpc:peerings:create vpc:peerings:accept vpc:peerings:get vpc:peerings:delete vpc:routeTables:update vpc:routeTables:get vpc:routeTables:list vpc:vpcs:create vpc:vpcs:list vpc:vpcs:get vpc:vpcs:delete vpc:subnets:create vpc:subnets:get vpc:subnets:delete vpcep:endpoints:list vpcep:endpoints:create vpcep:endpoints:delete vpcep:endpoints:get vpc:ports:create vpc:ports:get vpc:ports:update vpc:ports:delete vpc:networks:create vpc:networks:get vpc:networks:update vpc:networks:delete |
Create and delete ModelArts networks, and interconnect VPCs. Dependent permissions must be configured in the IAM project view. |
|
SFS Turbo |
sfsturbo:shares:addShareNic sfsturbo:shares:deleteShareNic sfsturbo:shares:showShareNic sfsturbo:shares:listShareNics |
Interconnect your network with SFS Turbo. Dependent permissions must be configured in the IAM project view. |
|
|
Managing resource pools |
BSS |
bss:coupon:view bss:order:view bss:balance:view bss:discount:view bss:renewal:view bss:bill:view bss:contract:update bss:order:pay bss:unsubscribe:update bss:renewal:update bss:order:update |
Create, renew, and unsubscribe from a resource pool. Dependent permissions must be configured in the IAM project view. |
|
Managing resource pools |
ECS |
ecs:availabilityZones:list |
Show AZs. Dependent permissions must be configured in the IAM project view. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
