Collaborator/Sub-account Permissions

Last updated: 2022-05-16 12:19:12

    Elastic MapReduce (EMR) needs to access or operate other cloud products. To ensure that sub-users or collaborators can use and operate EMR normally, this document describes how to grant them the related permissions.

    Permission Policy Overview

    Policy | Description | Required | Notes
    --- | --- | --- | ---
    QcloudCamSubaccountsAuthorizeRoleFullAccess | Permission required for CAM sub-users to obtain permissions granted by service roles | No | For more information, see Authorizing EMR to access other services.
    QcloudCamRoleFullAccess | Full access to CAM roles | No | Permission to customize service roles to control access to data across services. For more information, see Custom Service Roles.
    QcloudEMRFullAccess | Full access to EMR | No | Full permission to use all EMR features. For more information, see Purchasing and managing EMR clusters.
    QcloudEMRReadOnlyAccess | Read-only access to EMR | No | Permission to view EMR features.
    QcloudEMRPurchaseAccess | EMR finance permission | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to purchase EMR clusters or adjust their configurations.
    Custom TencentDB instance purchase policy | Permission to purchase TencentDB instances | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to add components after the cluster is deployed.
    Note:

    The QcloudEMRPurchaseAccess preset policy allows you to manage all users' permission to purchase EMR instances. It grants users the finance permissions of CVM, TencentDB, and EMR at the same time. To restrict users from purchasing CVM or TencentDB instances, do not grant the permission to place orders for the corresponding product.

    Use Cases

    Authorizing EMR to access other cloud services

    Tencent Cloud root accounts, as well as sub-users and collaborators with the QcloudCamSubaccountsAuthorizeRoleFullAccess permission, can authorize EMR to access other cloud services.

    • To use EMR to access CVM, CBS, TencentDB, and other services, you need to assign the EMR_QCSRole service role and grant the QcloudAccessForEMRRole permission (for EMR to read CVM, CBS, TencentDB, COS, and other services) to the first EMR instance you purchase.
    • To use EMR to access the data stored in COS, you need to assign the EMR_QCSRole service role and grant the QcloudAccessForEMRRoleInApplicationDataAccess permission (for EMR big data applications to access other data services, such as COS) to EMR.

    The root account can grant the QcloudCamSubaccountsAuthorizeRoleFullAccess permission to sub-users or collaborators via the following steps:

    1. Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
    2. Search for and select the QcloudCamSubaccountsAuthorizeRoleFullAccess policy, and then click Confirm.

      You can associate the QcloudAccessForEMRRoleInApplicationDataAccess and QcloudAccessForEMRRole policies with the root account, sub-user, or collaborator. The process is the same as step 2.

    Purchasing and managing EMR clusters

    To create a cluster, add a component, or scale out a cluster, a sub-user or collaborator must be associated with the QcloudEMRFullAccess and the custom TencentDB purchase policy. In cases not involving resource purchase, such as service configuration management, only the QcloudEMRFullAccess policy is required.

    Policy Type | Policy Name | Description
    --- | --- | ---
    Preset EMR policy | QcloudEMRFullAccess | Full access to EMR
    Preset EMR policy | QcloudEMRReadOnlyAccess | Read-only access to EMR
    Preset EMR policy | QcloudEMRPurchaseAccess | EMR finance permission
    Custom policy | Users can customize the name as needed. | Permission to purchase TencentDB instances

    The root account can grant the above permissions to a sub-user or collaborator via the following steps:

    1. Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
    2. Search for and select each policy listed in the above table in the Associate Policy dialog box, and then click Confirm. The QcloudEMRFullAccess policy is used as an example in the following figure:
      Note:

      The process of associating the EMR finance policy QcloudEMRPurchaseAccess is the same as step 2.


    3. Create a custom TencentDB purchase policy.

    • (1). Create a custom policy.
      Log in to the CAM console, click Policies > Create Custom Policy > Create by Policy Syntax, select Blank Template on the Create by Policy Syntax page, and click Next.

      Enter a policy name (such as EMRvisitedCDB) and a description (such as permission to purchase TencentDB instances for new EMR components), enter the following JSON content under Policy Content, and click Done.
      {
          "version": "2.0",
          "statement": [
              {
                  "effect": "allow",
                  "resource": [
                      "*"
                  ],
                  "action": [
                      "cdb:CreateDBInstance",
                      "cdb:CreateDBInstanceHour"
                  ]
              }
          ]
      }

    • (2). Associate the sub-user or collaborator with the custom TencentDB policy.
      Log in to the CAM console, select the target user name in User List, and select Operation > Authorize. Then search for the custom policy (such as EMRvisitedCDB) and bind it.
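The custom policy above is deliberately narrow: two cdb create actions and nothing else. Before binding a hand-edited policy document to a sub-user, it is worth checking that it still says exactly that. The following script is an added example, not code from the Tencent Cloud documentation: it parses a CAM policy document in the 2.0 syntax shown above, collects the allowed actions, and reports wildcard actions, unscoped resources and any action outside the documented set. The `OVERBROAD_POLICY_JSON` sample is constructed here to show what a drifted policy looks like; the expected action set comes from the page.

```python
import json

# Constructed copy of the TencentDB purchase policy shown in the document,
# kept as a dict so it can be serialised or reviewed directly.
TENCENTDB_PURCHASE_POLICY = {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": ["*"],
            "action": ["cdb:CreateDBInstance", "cdb:CreateDBInstanceHour"],
        }
    ],
}

# Constructed sample (not from the page) of a policy that has drifted:
# a service-wide wildcard instead of the two create actions.
OVERBROAD_POLICY_JSON = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow", "resource": ["*"], "action": ["cdb:*"]}
    ],
})

# The only actions the document says this policy needs.
EXPECTED_ACTIONS = frozenset({"cdb:CreateDBInstance", "cdb:CreateDBInstanceHour"})


def _as_list(value):
    """CAM accepts 'action' and 'resource' as a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy, expected_actions=EXPECTED_ACTIONS):
    """Review a CAM policy (dict or JSON string) for least-privilege drift.

    Returns {'allowed': set, 'unexpected': set, 'findings': list}. Structural
    problems raise ValueError so a malformed document is never accepted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    if policy.get("version") != "2.0":
        raise ValueError("CAM policy syntax requires version '2.0'")
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("policy must contain a non-empty 'statement' list")

    allowed = set()
    findings = []
    for idx, stmt in enumerate(statements):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements only narrow access; nothing to flag
        for act in _as_list(stmt.get("action", [])):
            # "*" or "<service>:*" grants far more than instance purchase.
            if act == "*" or act.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {act!r}")
            allowed.add(act)
        if "*" in _as_list(stmt.get("resource", [])):
            findings.append(
                f"statement {idx}: resource '*' is unscoped; confirm the "
                "listed actions need it (create actions usually do)"
            )

    unexpected = allowed - set(expected_actions)
    if unexpected:
        findings.append(f"actions beyond the documented set: {sorted(unexpected)}")
    return {"allowed": allowed, "unexpected": unexpected, "findings": findings}


if __name__ == "__main__":
    for name, doc in (("documented", TENCENTDB_PURCHASE_POLICY),
                      ("overbroad", OVERBROAD_POLICY_JSON)):
        report = review_policy(doc)
        print(f"{name}: allowed={sorted(report['allowed'])}")
        for line in report["findings"]:
            print("  -", line)
```

Run against the documented policy, the only finding is the informational note about the unscoped resource; run against the drifted sample, it reports the `cdb:*` wildcard and lists it as an action outside the documented set. The same check can be applied to any exported CAM policy before it is bound to a sub-user.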

    Custom Service Roles

    Tencent Cloud root accounts, as well as collaborators and sub-users with the QcloudCamRoleFullAccess permission, can precisely control COS bucket permissions and other cloud resource permissions. For more information, see Custom Service Roles.
    A root account can grant the QcloudCamRoleFullAccess permission to a sub-user or collaborator via the following steps:

    1. Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
    2. Search for and select the QcloudCamRoleFullAccess policy, and then click Confirm.