Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Configuring Fine-Grained OBS Access Permissions for MRS Cluster Users

Updated on 2024-09-23 GMT+08:00

When fine-grained permission control is enabled, you can configure OBS access permissions to implement access control on directories in OBS file systems.

NOTE:

This section does not apply to MRS 1.9.2.

This function enables you to control MRS users' access to OBS resources. For example, if you allow user group A to only access log files in a specified OBS file system, perform the following operations:

  1. Configure an agency with OBS access permissions for an MRS cluster so that OBS can be accessed using the temporary AK/SK automatically obtained by the ECS.
  2. Create a policy on the IAM console to allow access to log files in a specified OBS file system, and create an agency bound to the policy permission.
  3. In the MRS cluster, bind the new agency to user group A so that user group A only has the permission to access log files in the specified OBS file system.
In the following scenarios, the username used for submitting jobs is an internal username so that MRS multi-user access to OBS is not supported.
  • In a cluster with Kerberos authentication enabled, the built-in username of spark-beeline for submitting jobs is spark. In a cluster with Kerberos authentication disabled, the built-in username is omm.
  • In a cluster with Kerberos authentication enabled, the built-in username of hbase shell for submitting jobs is hbase. In a cluster with Kerberos authentication disabled, the built-in username is omm.
  • In a cluster with Kerberos authentication enabled, the built-in usernames of Presto for submitting jobs is omm and hive. In a cluster with Kerberos authentication disabled, the built-in username is omm. On the cluster details page of the MRS console, choose Components > Presto > Service Configuration, set Type to All, search for hive.hdfs.impersonation.enabled, and change its value to true. In this way, multiple MRS users can access OBS with fine-grained permissions.

Prerequisites

Configuring an Agency with OBS Access Permissions for a Cluster

Follow instructions in Interconnecting an MRS Cluster with OBS Using an IAM Agency to configure an agency with OBS access permissions.

The agency takes effect for all users (including internal users) and user groups in the cluster. To control the permissions of users and user groups in the cluster to access OBS, perform the following operations.

NOTE:

When you configure permissions on an OBS path, if the write permission is configured, you need to configure the corresponding recycle bin path. The default recycle bin path is /user/${current.user}/.Trash/, where ${current.user} indicates the current username.

Creating a Policy and an Agency on IAM

Create policies with different access permissions and bind the policies to the agency. For details, see Reference: Creating a Policy and an Agency on IAM.

Configuring OBS Permission Control Mapping

  1. On the MRS management console, choose Active Clusters and click the cluster name.
  2. In the Basic Information area on the Dashboard tab page, click Manage next to OBS Permission Control.
  3. Click Add Mapping and set parameters according to Table 1.

    Table 1 Adding an OBS permission control mapping

    Parameter

    Description

    IAM Agency

    Select the agency created in 2.

    Type

    • User: User-level mapping
    • Group: User group-level mapping
    NOTE:
    • User-level mapping takes priority over user group-level mapping. If you select Group, you are advised to enter the primary group name in MRS User (User Group).
    • Do not use the same username (group) in multiple mapping records.

    MRS User (User Group)

    Use commas (,) to separate multiple names of users or user groups.

    NOTE:
    • If OBS permission control is not configured for a user and no AK and SK are configured, the OBS OperateAccess permission in MRS_ECS_DEFAULT_AGENCY will be used for accessing OBS. You are advised not to bind the internal user of a component to an agency.
    • If you need to configure an agency for the internal user of a component when submitting a job in the following scenarios, the requirements are as follows:
      • To control permissions on spark-beeline operations, configure the username spark for clusters with Kerberos authentication enabled and the username omm for clusters with Kerberos authentication disabled.
      • To control permissions on HBase shell operations, configure the username hbase for clusters with Kerberos authentication enabled and the username omm for clusters with Kerberos authentication disabled.
      • To control permissions on Presto operations, configure usernames omm, hive, and the one used to log in to the client for clusters with Kerberos authentication enabled, and configure usernames omm and the one used to log in to the client for clusters with Kerberos authentication disabled.
      • If you want to use Hive to create tables in beeline mode, set the username to the internal user hive.

  4. Click OK.
  5. Select I agree to authorize the trust relationships between MRS Users (Groups) and IAM agencies, and click OK. The mapping between the MRS user and OBS permission is added.

    If appears next to OBS Permission Control on the Dashboard tab page or the mapping table has been updated for OBS permission control, the mapping takes effect. It takes about 1 minute to for the mapping to take effect.

    In the Operation column of the mapping list, you can edit or delete the added mapping.

    NOTE:
    • If OBS permission control is not configured for a user and no AK and SK are configured, the permissions owned by the agency configured for the cluster in the Object Storage Service (OBS) project will be used to access OBS.
    • Regardless of whether OBS permission control is configured, AK/SK permission is used for accessing OBS once it is configured.
    • Security Administrator permission is required to modify, create, or delete a mapping.
    • To apply the mapping changes in spark-beeline, hive beeline, and Presto, you need to restart Spark, exit beeline and enter again, and restart Presto, respectively.

Component Access to OBS When OBS Permission Control Is Enabled

  1. Log in to any node in a cluster as user root using the password set during cluster creation.
  2. Run the following commands to set the environment variables:

    cd Client installation directory

    source Client installation directory/bigdata_env

  3. If the Kerberos authentication is enabled for the current cluster, run the following command to authenticate the user. If the Kerberos authentication is disabled for the current cluster, skip this step:

    kinit MRS cluster user

    Example:

    kinit admin

  4. If Kerberos authentication is disabled for the current cluster, run the following commands to log in as a user who belongs to the supergroup group. Replace XXXX with the username. For how to create a user, refer to Creating an MRS Cluster User.

    mkdir /home/XXXX

    chown XXXX /home/XXXX

    su - XXXX

  5. To access OBS, you do not need to configure the AK, SK, and endpoint.

    OBS path format: obs://OBS parallel file system name/XXX

    hadoop fs -ls "obs://obs-example/job/hadoop-mapreduce-examples-3.1.2.jarobs-example/job/hadoop-mapreduce-examples-3.1.2.jar"

    NOTE:
    • To delete files on OBS using hadoop fs commands, run hadoop fs -rm -skipTrash.
    • If data import is not involved when a table is created using spark-sql and spark-beeline, OBS will not be accessed. That is, if you create a table in an OBS directory on which you do not have permission, the CREATE TABLE operation will still be successful, but the error message "403 AccessDeniedException" is displayed when you insert data.

Reference: Creating a Policy and an Agency on IAM

  1. Create a policy on IAM.

    1. Log in to the IAM console.
    2. In the navigation pane on the left, choose Permissions > Policies/Roles. On the displayed page, click Create Custom Policy.
    3. Set parameters according to Table 2. Obtain the customized OBS policy samples that are frequently used by referring to OBS Custom Policies.
      Table 2 Policy parameters

      Parameter

      Description

      Policy Name

      Only letters, digits, spaces, and special characters (-_.,) are allowed.

      Scope

      Select Global services, because OBS is a global service.

      Policy View

      Select Visual editor.

      Policy Content

      • Allow: Select Allow.
      • Select service: Select Object Storage Service (OBS).
      • Select action: Select ReadWrite, ReadOnly, and ListOnly.
      • Resources under All: Select Specific and set the following parameters:
        • object: Select Specify resource path and click Add Resource Path to add a path. The /tmp directory is used as an example.

          For example, enter obs_bucket_name/tmp/ and obs_bucket_name/tmp/*.

        • bucket: Select Specify resource path, click Add Resource Path, and enter obs_bucket_name.
      • (Optional) Request condition: not added.

      Description

      (Optional) Brief description about the policy.

      NOTE:

      If the data write operation of each component is implemented in rename mode, the permission to delete objects must be configured when data is written.

    4. Click OK to save the policy.

  2. Create an agency on IAM.

    1. Log in to the IAM console.
    2. Choose Agencies. On the displayed page, click Create Agency.
    3. Set parameters according to Table 3.
      Table 3 Agency parameters

      Parameter

      Description

      Agency Name

      Only letters, digits, spaces, and special characters (-_.,) are allowed.

      Agency Type

      Select Common account.

      Delegated Account

      Enter your cloud account, that is, the account you register using your mobile phone number. It cannot be a federated user or an IAM user created using your cloud account.

      Validity Period

      Set this parameter as required.

      Description

      (Optional) Brief description about the agency.

      Permissions

      1. In the Project [Region] column, locate the row where OBS is, click Attach Policy.
      2. Select the policy created in 1 to display it in Selected Policies.
      3. Click OK.
    4. Click OK to save the agency.
      NOTE:

      If you modify an agency and policies bound to it after using the agency to access OBS, the modification will take effect within 15 minutes.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback