Elastic MapReduce (EMR) will need to access or operate other cloud products. To ensure that sub-users or collaborators can use and operate EMR normally, this document describes how to grant sub-users or collaborators the related permissions.
Policy | Description | Required | Notes |
---|---|---|---|
QcloudCamSubaccountsAuthorizeRoleFullAccess | Permission required for CAM sub-users to obtain permissions granted by service roles | No | For more information, see Authorizing EMR to access other services. |
QcloudCamRoleFullAccess | Full access to CAM roles | No | Permission to customize service roles to control access to data across services. For more information, see Custom Service Roles. |
QcloudEMRFullAccess | Full access to EMR | No | Full permission to use all EMR features. For more information, see Purchasing and managing EMR clusters. |
QcloudEMRReadOnlyAccess | Read-only access to EMR | No | Permission to view EMR features. |
QcloudEMRPurchaseAccess | EMR finance permission | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to purchase EMR clusters or adjust their configurations. |
Custom TencentDB instance purchase policy | Permission to purchase TencentDB instances | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to add components after the cluster is deployed. |
Note: The QcloudEMRPurchaseAccess preset policy allows you to manage all users' permission to purchase EMR instances. It grants users the finance permissions of CVM, TencentDB, and EMR at the same time. To restrict users from purchasing CVM or TencentDB instances, do not grant the permission to place orders for the corresponding product.
Tencent Cloud root accounts and sub-users and collaborators with the QcloudCamSubaccountsAuthorizeRoleFullAccess permission can access other cloud services after being authorized.
EMR_QCSRole service role and grant the QcloudAccessForEMRRole permission (for EMR to read CVM, CBS, TencentDB, COS, and other services) to the first EMR instance you purchase.
EMR_QCSRole service role and grant the QcloudAccessForEMRRoleInApplicationDataAccess permission (for EMR big data applications to access other data services, such as COS) to EMR.
The root account can grant the QcloudCamSubaccountsAuthorizeRoleFullAccess permission to sub-users or collaborators via the following steps:
QcloudCamSubaccountsAuthorizeRoleFullAccess policy, and then click Confirm.
QcloudAccessForEMRRoleInApplicationDataAccess and QcloudAccessForEMRRole policies with the root account, sub-user, or collaborator. The process is the same as step 2.
To create a cluster, add a component, or scale out a cluster, a sub-user or collaborator must be associated with the QcloudEMRFullAccess and the custom TencentDB purchase policy. In cases not involving resource purchase, such as service configuration management, only the QcloudEMRFullAccess policy is required.
Policy Type | Policy Name | Description |
---|---|---|
Preset EMR policy | QcloudEMRFullAccess | Full access to EMR |
Preset EMR policy | QcloudEMRReadOnlyAccess | Read-only access to EMR |
Preset EMR policy | QcloudEMRPurchaseAccess | EMR finance permission |
Custom policy | Users can customize the name as needed. | Permission to purchase TencentDB instances |
The root account can grant the above permissions to a sub-user or collaborator via the following steps:
QcloudEMRFullAccess policy is used as an example in the following figure:
Note: The process of associating the EMR finance policy QcloudEMRPurchaseAccess is the same as step 2.
3. Create a custom TencentDB purchase policy.
EMRvisitedCDB) and a description (such as permission to purchase TencentDB instances for new EMR components), enter the following JSON content under Policy Content, and click Done.
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": [
                "*"
            ],
            "action": [
                "cdb:CreateDBInstance",
                "cdb:CreateDBInstanceHour"
            ]
        }
    ]
}
```
EMRvisitedCDB) and bind it.
Tencent Cloud root accounts and collaborators and sub-users with the QcloudCamRoleFullAccess permission can precisely control COS bucket permissions and other cloud resource permissions. For more information, see Custom Service Roles.
A root account can grant the QcloudCamRoleFullAccess permission to a sub-user or collaborator via the following steps:
QcloudCamRoleFullAccess policy, and then click Confirm.
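The custom TencentDB purchase policy in step 3 grants exactly two cdb actions. The following added example (not part of the original Tencent Cloud documentation) lints a policy document before it is saved in CAM and reports wildcard or extra actions that would widen it. The function names, the BROADENED_POLICY sample, exact-case action matching, and the acceptance of a single-string action field are assumptions made for this example.

```python
import json

# The two actions in the page's custom TencentDB purchase policy.
EXPECTED_ACTIONS = {"cdb:CreateDBInstance", "cdb:CreateDBInstanceHour"}

# Policy content as given on the page.
PAGE_POLICY = '''{"version": "2.0", "statement": [{"effect": "allow",
  "resource": ["*"],
  "action": ["cdb:CreateDBInstance", "cdb:CreateDBInstanceHour"]}]}'''

# Constructed sample: the same policy after someone broadened it.
BROADENED_POLICY = '''{"version": "2.0", "statement": [{"effect": "allow",
  "resource": ["*"],
  "action": ["cdb:*", "cdb:CreateDBInstance"]}]}'''


def _as_list(value):
    """Accept a single value or a list (assumption: both forms may appear)."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def lint_purchase_policy(policy_text):
    """Return findings for a policy meant to grant only EXPECTED_ACTIONS."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    statements = policy.get("statement") if isinstance(policy, dict) else None
    if not isinstance(statements, list) or not statements:
        return ["no statement list found"]
    findings, granted = [], set()
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement {i}: not an object")
            continue
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # only allow statements can widen access
        for action in map(str, _as_list(stmt.get("action"))):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action!r}")
            else:
                granted.add(action)
    findings += [f"missing action {a!r}" for a in sorted(EXPECTED_ACTIONS - granted)]
    return findings
```

An empty list from lint_purchase_policy means the document grants the two purchase actions and nothing else.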