Configuring Fine-Grained OBS Access Permissions for MRS Cluster Users

When fine-grained permission control is enabled, you can configure OBS access permissions to implement access control on directories in OBS file systems.

This section does not apply to MRS 1.9.2.

This function enables you to control MRS users' access to OBS resources. For example, if you allow user group A to only access log files in a specified OBS file system, perform the following operations:

Configure an agency with OBS access permissions for an MRS cluster so that OBS can be accessed using the temporary AK/SK automatically obtained by the ECS.
Create a policy on the IAM console to allow access to log files in a specified OBS file system, and create an agency bound to the policy permission.
In the MRS cluster, bind the new agency to user group A so that user group A only has the permission to access log files in the specified OBS file system.

In the following scenarios, the username used for submitting jobs is an internal username so that MRS multi-user access to OBS is not supported.

In a cluster with Kerberos authentication enabled, the built-in username of spark-beeline for submitting jobs is spark. In a cluster with Kerberos authentication disabled, the built-in username is omm.
In a cluster with Kerberos authentication enabled, the built-in username of hbase shell for submitting jobs is hbase. In a cluster with Kerberos authentication disabled, the built-in username is omm.
In a cluster with Kerberos authentication enabled, the built-in usernames of Presto for submitting jobs is omm and hive. In a cluster with Kerberos authentication disabled, the built-in username is omm. On the cluster details page of the MRS console, choose Components > Presto > Service Configuration, set Type to All, search for hive.hdfs.impersonation.enabled, and change its value to true. In this way, multiple MRS users can access OBS with fine-grained permissions.

Prerequisites

Fine-grained permission control has been enabled. For details about permissions management, see Creating an IAM User and Granting MRS Permissions.
You have a basic knowledge of Cloud Service Delegation and OBS fine-grained policies.

Configuring an Agency with OBS Access Permissions for a Cluster

Follow instructions in Interconnecting an MRS Cluster with OBS Using an IAM Agency to configure an agency with OBS access permissions.

The agency takes effect for all users (including internal users) and user groups in the cluster. To control the permissions of users and user groups in the cluster to access OBS, perform the following operations.

When you configure permissions on an OBS path, if the write permission is configured, you need to configure the corresponding recycle bin path. The default recycle bin path is /user/${current.user}/.Trash/, where ${current.user} indicates the current username.

Creating a Policy and an Agency on IAM

Create policies with different access permissions and bind the policies to the agency. For details, see Reference: Creating a Policy and an Agency on IAM.

Configuring OBS Permission Control Mapping

On the MRS management console, choose Active Clusters and click the cluster name.
In the Basic Information area on the Dashboard tab page, click Manage next to OBS Permission Control.

Click Add Mapping and set parameters according to Table 1.

**Table 1** Adding an OBS permission control mapping
Parameter	Description
IAM Agency	Select the agency created in 2.
Type	User: User-level mapping Group: User group-level mapping NOTE: User-level mapping takes priority over user group-level mapping. If you select Group, you are advised to enter the primary group name in MRS User (User Group). Do not use the same username (group) in multiple mapping records.
MRS User (User Group)	Use commas (,) to separate multiple names of users or user groups. NOTE: If OBS permission control is not configured for a user and no AK and SK are configured, the OBS OperateAccess permission in MRS_ECS_DEFAULT_AGENCY will be used for accessing OBS. You are advised not to bind the internal user of a component to an agency. If you need to configure an agency for the internal user of a component when submitting a job in the following scenarios, the requirements are as follows: To control permissions on spark-beeline operations, configure the username spark for clusters with Kerberos authentication enabled and the username omm for clusters with Kerberos authentication disabled. To control permissions on HBase shell operations, configure the username hbase for clusters with Kerberos authentication enabled and the username omm for clusters with Kerberos authentication disabled. To control permissions on Presto operations, configure usernames omm, hive, and the one used to log in to the client for clusters with Kerberos authentication enabled, and configure usernames omm and the one used to log in to the client for clusters with Kerberos authentication disabled. If you want to use Hive to create tables in beeline mode, set the username to the internal user hive.

Click OK.
Select I agree to authorize the trust relationships between MRS Users (Groups) and IAM agencies, and click OK. The mapping between the MRS user and OBS permission is added.

If appears next to OBS Permission Control on the Dashboard tab page or the mapping table has been updated for OBS permission control, the mapping takes effect. It takes about 1 minute to for the mapping to take effect.

In the Operation column of the mapping list, you can edit or delete the added mapping.
- If OBS permission control is not configured for a user and no AK and SK are configured, the permissions owned by the agency configured for the cluster in the Object Storage Service (OBS) project will be used to access OBS.
- Regardless of whether OBS permission control is configured, AK/SK permission is used for accessing OBS once it is configured.
- Security Administrator permission is required to modify, create, or delete a mapping.
- To apply the mapping changes in spark-beeline, hive beeline, and Presto, you need to restart Spark, exit beeline and enter again, and restart Presto, respectively.

Component Access to OBS When OBS Permission Control Is Enabled

Log in to any node in a cluster as user root using the password set during cluster creation.
Run the following commands to set the environment variables:

cd Client installation directory

source Client installation directory/bigdata_env
If the Kerberos authentication is enabled for the current cluster, run the following command to authenticate the user. If the Kerberos authentication is disabled for the current cluster, skip this step:

kinit MRS cluster user

Example:

kinit admin
If Kerberos authentication is disabled for the current cluster, run the following commands to log in as a user who belongs to the supergroup group. Replace XXXX with the username. For how to create a user, refer to Creating an MRS Cluster User.

mkdir /home/XXXX

chown XXXX /home/XXXX

su - XXXX
To access OBS, you do not need to configure the AK, SK, and endpoint.

OBS path format: obs://OBS parallel file system name/XXX

hadoop fs -ls "obs://obs-example/job/hadoop-mapreduce-examples-3.1.2.jarobs-example/job/hadoop-mapreduce-examples-3.1.2.jar"
- To delete files on OBS using hadoop fs commands, run hadoop fs -rm -skipTrash.
- If data import is not involved when a table is created using spark-sql and spark-beeline, OBS will not be accessed. That is, if you create a table in an OBS directory on which you do not have permission, the CREATE TABLE operation will still be successful, but the error message "403 AccessDeniedException" is displayed when you insert data.

Reference: Creating a Policy and an Agency on IAM

Create a policy on IAM.

Log in to the IAM console.
In the navigation pane on the left, choose Permissions > Policies/Roles. On the displayed page, click Create Custom Policy.

Set parameters according to Table 2. Obtain the customized OBS policy samples that are frequently used by referring to OBS Custom Policies.

**Table 2** Policy parameters
Parameter	Description
Policy Name	Only letters, digits, spaces, and special characters (-_.,) are allowed.
Scope	Select Global services, because OBS is a global service.
Policy View	Select Visual editor.
Policy Content	Allow: Select Allow. Select service: Select Object Storage Service (OBS). Select action: Select ReadWrite, ReadOnly, and ListOnly. Resources under All: Select Specific and set the following parameters: object: Select Specify resource path and click Add Resource Path to add a path. The /tmp directory is used as an example. For example, enter obs_bucket_name/tmp/ and obs_bucket_name/tmp/. bucket: Select Specify resource path, click Add Resource Path, and enter obs_bucket_name*. (Optional) Request condition: not added.
Description	(Optional) Brief description about the policy.

If the data write operation of each component is implemented in rename mode, the permission to delete objects must be configured when data is written.

Click OK to save the policy.

Create an agency on IAM.

Log in to the IAM console.
Choose Agencies. On the displayed page, click Create Agency.

Set parameters according to Table 3.

**Table 3** Agency parameters
Parameter	Description
Agency Name	Only letters, digits, spaces, and special characters (-_.,) are allowed.
Agency Type	Select Common account.
Delegated Account	Enter your cloud account, that is, the account you register using your mobile phone number. It cannot be a federated user or an IAM user created using your cloud account.
Validity Period	Set this parameter as required.
Description	(Optional) Brief description about the agency.
Permissions	In the Project [Region] column, locate the row where OBS is, click Attach Policy. Select the policy created in 1 to display it in Selected Policies. Click OK.

Click OK to save the agency.

If you modify an agency and policies bound to it after using the agency to access OBS, the modification will take effect within 15 minutes.