Creating a Custom Policy for MRS
Custom policies can be created to supplement the system-defined policies of MRS. For the actions that can be added to custom policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  Parameters for creating a custom policy for MRS:
  - Select service: Select MapReduce Service (MRS).
  - Select action: Set it as required.
  - (Optional) Select resource: Select Specific for Resources. If you select Specify resource path for cluster, Path is the ID of the specified MRS cluster. For details, see MRS Resource Objects.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy.

Custom policy modifications do not take effect immediately. You need to wait about 15 minutes.
The following section contains examples of common MRS custom policies.
Example Custom Policies
- Example 1: Allowing users to create MRS clusters only
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:create",
                  "ecs:*:*",
                  "bms:*:*",
                  "evs:*:*",
                  "vpc:*:*",
                  "smn:*:*"
              ]
          }
      ]
  }
- Example 2: Allowing users to modify MRS clusters
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:resize"
              ]
          }
      ]
  }
- Example 3: Allowing users to create a cluster, create and execute a job, and delete a single job, but denying cluster deletion
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:create",
                  "mrs:job:submit",
                  "mrs:job:delete"
              ]
          },
          {
              "Effect": "Deny",
              "Action": [
                  "mrs:cluster:delete"
              ]
          }
      ]
  }
- Example 4: Granting users the minimum permission to create an MRS cluster with ECS specifications
  - Add the ecs:serverKeypairs:get and ecs:serverKeypairs:list permissions to use a key pair during cluster creation.
  - Add the kms:cmk:list permission to encrypt data disks during cluster creation.
  - Add the mrs:alarm:subscribe permission to enable the alarm function during cluster creation.
  - Add the rds:instance:list permission to use external data sources during cluster creation.
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:create"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "ecs:cloudServers:updateMetadata",
                  "ecs:cloudServerFlavors:get",
                  "ecs:cloudServerQuotas:get",
                  "ecs:servers:list",
                  "ecs:servers:get",
                  "ecs:cloudServers:delete",
                  "ecs:cloudServers:list",
                  "ecs:serverInterfaces:get",
                  "ecs:serverGroups:manage",
                  "ecs:servers:setMetadata",
                  "ecs:cloudServers:get",
                  "ecs:cloudServers:create"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "vpc:securityGroups:create",
                  "vpc:securityGroupRules:delete",
                  "vpc:vpcs:create",
                  "vpc:ports:create",
                  "vpc:securityGroups:get",
                  "vpc:subnets:create",
                  "vpc:privateIps:delete",
                  "vpc:quotas:list",
                  "vpc:networks:get",
                  "vpc:publicIps:list",
                  "vpc:securityGroups:delete",
                  "vpc:securityGroupRules:create",
                  "vpc:privateIps:create",
                  "vpc:ports:get",
                  "vpc:ports:delete",
                  "vpc:publicIps:update",
                  "vpc:subnets:get",
                  "vpc:publicIps:get",
                  "vpc:ports:update",
                  "vpc:vpcs:list"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "evs:quotas:get",
                  "evs:types:get"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "bms:serverFlavors:get"
              ]
          }
      ]
  }
- Example 5: Granting users the minimum permission to create an MRS cluster with BMS specifications
  - Add the ecs:serverKeypairs:get and ecs:serverKeypairs:list permissions to use a key pair during cluster creation.
  - Add the kms:cmk:list permission to encrypt data disks during cluster creation.
  - Add the mrs:alarm:subscribe permission to enable the alarm function during cluster creation.
  - Add the rds:instance:list permission to use external data sources during cluster creation.
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:create"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "ecs:servers:list",
                  "ecs:servers:get",
                  "ecs:cloudServers:delete",
                  "ecs:serverInterfaces:get",
                  "ecs:serverGroups:manage",
                  "ecs:servers:setMetadata",
                  "ecs:cloudServers:create",
                  "ecs:cloudServerFlavors:get",
                  "ecs:cloudServerQuotas:get"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "vpc:securityGroups:create",
                  "vpc:securityGroupRules:delete",
                  "vpc:vpcs:create",
                  "vpc:ports:create",
                  "vpc:securityGroups:get",
                  "vpc:subnets:create",
                  "vpc:privateIps:delete",
                  "vpc:quotas:list",
                  "vpc:networks:get",
                  "vpc:publicIps:list",
                  "vpc:securityGroups:delete",
                  "vpc:securityGroupRules:create",
                  "vpc:privateIps:create",
                  "vpc:ports:get",
                  "vpc:ports:delete",
                  "vpc:publicIps:update",
                  "vpc:subnets:get",
                  "vpc:publicIps:get",
                  "vpc:ports:update",
                  "vpc:vpcs:list"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "evs:quotas:get",
                  "evs:types:get"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "bms:servers:get",
                  "bms:servers:list",
                  "bms:serverQuotas:get",
                  "bms:servers:updateMetadata",
                  "bms:serverFlavors:get"
              ]
          }
      ]
  }
- Example 6: Allowing users to create a hybrid ECS and BMS cluster with the minimum permission
  - Add the ecs:serverKeypairs:get and ecs:serverKeypairs:list permissions to use a key pair during cluster creation.
  - Add the kms:cmk:list permission to encrypt data disks during cluster creation.
  - Add the mrs:alarm:subscribe permission to enable the alarm function during cluster creation.
  - Add the rds:instance:list permission to use external data sources during cluster creation.
  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "mrs:cluster:create"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "ecs:cloudServers:updateMetadata",
                  "ecs:cloudServerFlavors:get",
                  "ecs:cloudServerQuotas:get",
                  "ecs:servers:list",
                  "ecs:servers:get",
                  "ecs:cloudServers:delete",
                  "ecs:cloudServers:list",
                  "ecs:serverInterfaces:get",
                  "ecs:serverGroups:manage",
                  "ecs:servers:setMetadata",
                  "ecs:cloudServers:get",
                  "ecs:cloudServers:create"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "vpc:securityGroups:create",
                  "vpc:securityGroupRules:delete",
                  "vpc:vpcs:create",
                  "vpc:ports:create",
                  "vpc:securityGroups:get",
                  "vpc:subnets:create",
                  "vpc:privateIps:delete",
                  "vpc:quotas:list",
                  "vpc:networks:get",
                  "vpc:publicIps:list",
                  "vpc:securityGroups:delete",
                  "vpc:securityGroupRules:create",
                  "vpc:privateIps:create",
                  "vpc:ports:get",
                  "vpc:ports:delete",
                  "vpc:publicIps:update",
                  "vpc:subnets:get",
                  "vpc:publicIps:get",
                  "vpc:ports:update",
                  "vpc:vpcs:list"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "evs:quotas:get",
                  "evs:types:get"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "bms:servers:get",
                  "bms:servers:list",
                  "bms:serverQuotas:get",
                  "bms:servers:updateMetadata",
                  "bms:serverFlavors:get"
              ]
          }
      ]
  }
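The following script is an added example, not part of the MRS documentation or tooling. It evaluates requested actions against Example 1 and Example 3 and lists wildcard grants, so a policy can be reviewed before it is attached. The function names, the segment-by-segment wildcard matching, and the rule that an explicit Deny overrides any Allow are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Example 1 and Example 3 from this page, reproduced as sample input.
EXAMPLE_1 = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
    "mrs:cluster:create", "ecs:*:*", "bms:*:*", "evs:*:*", "vpc:*:*", "smn:*:*"]}]}
EXAMPLE_3 = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["mrs:cluster:create", "mrs:job:submit", "mrs:job:delete"]},
    {"Effect": "Deny", "Action": ["mrs:cluster:delete"]}]}
# Constructed policy (not from the page): a wildcard Allow narrowed by a Deny.
CONSTRUCTED = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["mrs:*:*"]},
    {"Effect": "Deny", "Action": ["mrs:cluster:delete"]}]}


def action_matches(pattern, action):
    """Assumed semantics: compare service:resource:operation per segment, '*' as glob."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    return len(p_parts) == len(a_parts) and all(
        fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'NotGranted' for one requested action."""
    decision = "NotGranted"
    for stmt in policy.get("Statement", []):
        if any(action_matches(p, action) for p in stmt.get("Action", [])):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # assumed: an explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                decision = "Allow"
    return decision


def wildcard_allows(policy):
    """Allow entries containing '*': wider than the named actions of Examples 4 to 6."""
    return sorted({p for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
                   for p in s.get("Action", []) if "*" in p})


if __name__ == "__main__":
    for name, pol in (("Example 1", EXAMPLE_1), ("Example 3", EXAMPLE_3)):
        print(name, "wildcard Allows:", wildcard_allows(pol))
        for act in ("mrs:cluster:create", "mrs:cluster:delete", "ecs:cloudServers:delete"):
            print("  ", act, "->", evaluate(pol, act))
    print("Constructed:", evaluate(CONSTRUCTED, "mrs:cluster:delete"))
```

Under these assumptions Example 1 grants every ECS, BMS, EVS, VPC and SMN action, whereas Examples 4 to 6 name each action individually.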
MRS Resource Objects
Resources are objects in a service. Resources in MRS include clusters. You can select a specific resource by specifying the resource path when creating a custom policy.
Resource | Name | Path |
---|---|---|
cluster | Cluster | [Format] MRS:*:*:cluster:Cluster ID [Description] Grant permissions on a specific resource to an IAM user. For example, to grant permissions on a specified MRS cluster to an IAM user, set cluster to Specify resource path and add the resource path. The cluster ID is used to specify the cluster. To view the cluster ID, perform the following steps: |