Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ Service Authorization Reference/ Identity Policy–based Authorization/ Analytics/ MapReduce Service (MRS)
Updated on 2025-12-08 GMT+08:00
View PDF
Share

MapReduce Service (MRS)

IAM provides system-defined identity policies to define common actions supported by cloud services. MRS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control.

In addition to IAM, the Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in a policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by MRS, see Resources.

  • Condition Key contains keys that you can specify in the Condition element of an identity policy statement for MRS.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by MRS, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in policy statements for MRS.

Table 1 Actions supported by MRS

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

mrs:cluster:createCluster

Grants permissions to create a cluster.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:RequestTag/<tag-key>,g:TagKeys,g:EnterpriseProjectId

mrs:cluster:create

mrs:cluster:deleteCluster

Grants the permission to delete a cluster.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:cluster:delete

mrs:cluster:listHosts

Grants permissions to query nodes in the cluster.

list

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:host:list

mrs:cluster:listFiles

Grants permissions to query the file list in the cluster.

list

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:file:list

mrs:cluster:createJob

Grants permissions to execute jobs in the cluster.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:job:submit

mrs:cluster:list

Grants permissions to query the cluster list.

list

-

g:RequestTag/<tag-key>,g:TagKeys,g:EnterpriseProjectId

-

mrs:cluster:listJobs

Grants permissions to query the job list of the cluster.

list

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:job:list

mrs:cluster:getJob

Grants permissions to query job details in the cluster.

read

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:job:get

mrs:cluster:getCluster

Grants permissions to query cluster details.

read

mrs:<region>:<account-id>:cluster:<cluster-id>

-

mrs:cluster:get

mrs:cluster:resizeNodes

Grants permissions to adjust cluster nodes.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:cluster:resize

mrs:cluster:updateClusterName

Grants permissions to rename a cluster.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

-

mrs:cluster:listTags

Grants permissions to query cluster tags.

list

-

g:EnterpriseProjectId

mrs:tag:list

mrs:cluster:updateTags

Grants permissions to add or delete cluster tags.

tagging

-

g:RequestTag/<tag-key>,g:TagKeys,g:EnterpriseProjectId

mrs:tag:create

mrs:tag:delete

mrs:tag:batchOperate

mrs:cluster:listClustersByTag

Grants permissions to query the list of clusters with specific tags.

list

-

g:RequestTag/<tag-key>,g:TagKeys

mrs:tag:listResource

mrs:cluster:stopJob

Grants permissions to stop cluster jobs.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:job:stop

mrs:cluster:deleteJobs

Grants permissions to delete cluster jobs in batches.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:job:batchDelete

mrs:cluster:stopSql

Grants permissions to cancel SQL execution.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:sql:cancel

mrs:cluster:createSql

Grants permissions to submit a SQL statement for execution.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:sql:execute

mrs:job:checkSql

mrs:cluster:listPolicies

Grants permissions to obtain all auto scaling policies in a cluster.

list

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:cluster:policy

mrs:cluster:updatePolicies

Grants permissions to modify auto scaling policies of a cluster.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:cluster:policy

mrs:cluster:getAgencyMapping

Grants permissions to obtain user agent information.

read

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

-

mrs:cluster:updateAgencyMapping

Grants permissions to update user agent information.

write

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:cluster:syncUser

mrs:cluster:getSql

Grants permissions to obtain the SQL execution result.

read

mrs:<region>:<account-id>:cluster:<cluster-id>

g:EnterpriseProjectId

mrs:sql:get

Resources

A resource type indicates the resources that a policy applies to. If you specify a resource type for any action in Table 2, the resource URN must be specified in the policy statements using that action, and the policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the policy applies to all resources. You can also set condition keys in a policy to define resource types.

The following table lists the resource types that you can define in policy statements for MRS.

Table 2 Resource types supported by MRS

Resource Type

URN

cluster

mrs:<region>:<account-id>:cluster:<cluster-id>

Conditions

MRS does not support service-specific condition keys in identity policies.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.

Parent topic: Analytics