Help Center > > User Guide> Managing Active Clusters> MRS Multi-User Permission Management> Configuring Fine-Grained Permissions for MRS Multi-User Access to OBS

Configuring Fine-Grained Permissions for MRS Multi-User Access to OBS

Updated at: Apr 28, 2020 GMT+08:00

When fine-grained permission control is enabled, you can configure OBS access permissions to implement multi-user access control on directories in OBS buckets. MRS 2.0.3 or later supports this function.

This function enables you to control MRS users' access to OBS resources. For example, if you allow user group A to only access log files in a specified OBS bucket, perform the following operations:

  1. Configure an agency with OBS access permissions for an MRS cluster so that OBS can be accessed using the temporary AK/SK automatically obtained by the ECS. This prevents the AK/SK from being exposed in the configuration file.
  2. Create a policy on the IAM console to allow access to log files in a specified OBS bucket, and create an agency bound to the policy permission.
  3. In the MRS cluster, bind the new agency to user group A so that user group A has only permission to access log files in the specified OBS bucket.
In the following scenarios, the username used for submitting jobs is an internal username so that MRS multi-user access to OBS is not supported.
  • For spark-beeline, the internal username used for submitting jobs is spark in a security cluster and omm in a normal cluster.
  • For the HBase shell, the internal username used for submitting jobs is hbase in a security cluster and omm in a normal cluster.
  • For Presto, the internal username used for submitting jobs is omm and hive in a security cluster and omm in a normal cluster.

Prerequisites

Step 1: Enabling OBS Permission Control When Creating an MRS Cluster

  1. Log in to the MRS management console.
  2. Click Buy Cluster.
  3. Click Try the new edition in the upper right corner of the page. Only the new edition supports this function.
  4. Follow instructions in Custom Purchase of a Cluster to set parameters for purchasing a cluster.

    1. In the Agency area on the Set Advanced Options tab page, select an agency with the OBS access permission. For details, see Accessing OBS Using an ECS Agency.
    2. In the More area on the Set Advanced Options tab page, select OBS permission control.

    After the cluster is created, an agency named MRS_ECS_DEFAULT_AGENCY is generated on IAM. The agency has the OBS OperateAccess permissions and takes effect for all users (including internal users) and user groups in the cluster. To control the permissions of users and user groups in the cluster to access OBS, perform the following operations. The agency can be modified but cannot be deleted.

Step 2: Creating a Policy and an Agency on IAM

Create policies with different access permissions and bind the policies to the agency. For details, see Reference.

Step 3: Configuring OBS Permission Control Mappings on the MRS Cluster Details Page

  1. On the MRS management console, choose Clusters > Active Clusters and click the cluster name.
  2. In the Basic Information area on the Dashboard tab page, click Manage next to OBS Permission Control.
  3. Click Add and set parameters according to Table 1.

    Table 1 OBS permission control parameters

    Parameter

    Description

    IAM Agency

    Select the agency created in 2.

    Type

    • User: User-level mapping
    • Group: User group-level mapping
    NOTE:
    • User-level mapping takes priority over user group-level mapping. If you select Group, you are advised to enter the primary group name in MRS User (User Group).
    • Do not use the same username (user group) for multiple mapping records.

    MRS User (User Group)

    Use commas (,) to separate multiple names of users or user groups.

    NOTE:
    • If OBS permission control is not configured for a user and no AK and SK are configured, the OBS OperateAccess permission in MRS_ECS_DEFAULT_AGENCY will be used for accessing OBS. You are advised not to bind the internal user of a component to an agency.
    • If you need to configure an agency for the internal user of a component when submitting a job in the following scenarios, the requirements are as follows:
      • To control permissions on spark-beeline operations, set the username to spark for a security cluster and to omm for a normal cluster.
      • To control permissions on HBase shell operations, set the username to hbase for a security cluster and to omm for a normal cluster.
      • To control permissions on Presto, set the username to omm, hive, and the username used for logging in to the client for a security cluster and to omm and the username used for logging in to the client for a normal cluster.
      • If you want to use Hive to create tables in beeline mode, set the username to the internal user hive.

  4. Click OK.
  5. Select I confirm the trust relationship between the MRS user and the IAM agency, and click OK. The mapping between the MRS user and OBS permission is added.

    If appears next to OBS Permission Control on the Dashboard tab page or the mapping table has been updated for OBS permission control, the mapping takes effect. It takes about 1 minute to for the mapping to take effect.

    In the Operation column of the mapping list, you can edit or delete the added mapping.

    • If OBS permission control is not configured for a user and no AK and SK are configured, the permissions owned by the agency configured for the cluster in the Object Storage Service (OBS) project will be used to access OBS.
    • Regardless of whether OBS permission control is configured, AK/SK permission is used for accessing OBS once it is configured.
    • Security Administrator permission is required to modify, create, or delete a mapping.
    • To enable mapping changes take effect, you need to restart Spark in spark-beeline, exit beeline and enter again in hive beeline, or restart Presto in Presto.

Component Access to OBS When OBS Permission Control Is Enabled

  1. Log in to any node in a cluster as user root using the password set during cluster creation.
  2. Run the following command to set the environment variables:

    source /opt/client/bigdata_env

  3. If Kerberos authentication is enabled for the current cluster, run the following command to authenticate the user. If the Kerberos authentication is disabled for the current cluster, skip this step.

    kinit MRS cluster user

    Example: kinit admin

  4. If the Kerberos authentication is disabled for the current cluster, run the following commands to log in. Note that you should create a user that belongs to the supergroup group by referring to Creating a User and replace XXXX with the username.

    mkdir /home/XXXX

    chown XXXX /home/XXXX

    su - XXXX

  5. Access OBS. You do not need to configure the AK, SK, and endpoint. The OBS path format is obs://buck_name/XXX.

    Example: hadoop fs -ls "obs://obs-example/job/hadoop-mapreduce-examples-3.1.2.jar"

    • If you want to use hadoop fs to delete files on OBS, use hadoop fs -rm -skipTrash to delete the files.
    • If data import is not involved when a table is created using spark-sql and spark-beeline, OBS will not be accessed. That is, if you create a table in an OBS directory on which you do not have permission, the CREATE TABLE operation will still be successful, but the error message "403 AccessDeniedException" is displayed when you insert data.

Reference

  1. Create a policy on IAM.

    1. Log in to the IAM console.
    2. Choose Policies. On the displayed page, click Create Custom Policy.
    3. Set parameters according to Table 2.
      Table 2 Policy parameters

      Parameter

      Description

      Policy Name

      Only letters, digits, spaces, and special characters (-_.,) are allowed.

      Scope

      Select Global services, because OBS is a global service.

      Policy View

      Select JSON.

      Policy Content

      After you select a template, you can customize the content. For details, see Policy Structure and Syntax, Actions, and Configuring an Object Policy.

      Description

      (Optional) Brief description about the policy

      If the data write operation of each component is implemented in rename mode, the permission to delete objects must be configured when data is written.

      Policy example:

      • The following example shows that there is read-only permission on the specified directory and its subdirectories in a bucket. (XXXX in the example indicates the specified directory under permission control. Replace it with an actual directory.)
        {
        	"Version": "1.1",
        	"Statement": [{
        			"Condition": {
        				"StringStartWithIfExists": {
        					"obs:prefix": [
        						"XXXX/"
        					]
        				},
        				"StringEqualsIfExists": {
        					"obs:delimiter": [
        						"/"
        					]
        				}
        			},
        			"Action": [
        				"obs:bucket:ListBucket"
        			],
        			"Resource": [
                                        "OBS:*:*:bucket:Bucket name"
        			],
        			"Effect": "Allow"
        		},
        		{
        			"Action": [
        				"obs:bucket:HeadBucket"
        			],
        			"Resource": [
                                        "OBS:*:*:bucket:Bucket name"
        			],
        			"Effect": "Allow"
        		},
        		{
        			"Action": [
        				"obs:object:Get*"
        			],
        			"Resource": [
                                        "OBS:*:*:object:Bucket name/XXXX/*"
        			],
        			"Effect": "Allow"
        		}
        	]
        }
      • The following example shows that there are all permissions on the specified directory and its subdirectories in a bucket. (XXXX in the example indicates the specified directory under permission control. Replace it with an actual directory.)
        {
        	"Version": "1.1",
        	"Statement": [{
        			"Condition": {
        				"StringStartWithIfExists": {
        					"obs:prefix": [
        						"XXXX/"
        					]
        				},
        				"StringEqualsIfExists": {
        					"obs:delimiter": [
        						"/"
        					]
        				}
        			},
        			"Action": [
        				"obs:bucket:ListBucket"
        			],
        			"Resource": [
                                        "OBS:*:*:bucket:Bucket name"
        			],
        			"Effect": "Allow"
        		},
        		{
        			"Action": [
        				"obs:bucket:HeadBucket"
        			],
        			"Resource": [
                                        "OBS:*:*:bucket:Bucket name"
        			],
        			"Effect": "Allow"
        		},
        		{
        			"Action": [
        				"obs:object:*"
        			],
        			"Resource": [
                                        "OBS:*:*:object:Bucket name/XXXX/*"
        			],
        			"Effect": "Allow"
        		}
        	]
        }
    4. Click OK to save the policy.

  2. Create an agency on IAM.

    1. Log in to the IAM console.
    2. Choose Agencies. On the displayed page, click Create Agency.
    3. Set parameters according to Table 3.
      Table 3 Agency parameters

      Parameter

      Description

      Agency Name

      Only letters, digits, spaces, and special characters (-_.,) are allowed.

      Agency Type

      Select Common account.

      Delegated Account

      Enter your cloud account, that is, the account you register using your mobile phone number. It cannot be a federated user or an IAM user created using your cloud account.

      Validity Period

      Select 1 day or Unlimited.

      Description

      (Optional) Brief description about the agency

      Permissions

      1. Click Attach Policy in the Operation column corresponding to the row where Project Name is OBS.
      2. Select the policy created in 1 to display it in Selected Policies.
      3. Click OK.
    4. Click OK to save the agency.

      If you modify an agency and policies bound to it after using the agency to access OBS, the modification will take effect within 15 minutes.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel