- Release Notes
- Product Introduction
- Purchase guide
- Getting Started
- Operation Guide
- EMR Development Guide
- Hadoop Development Guide
- Spark Development Guide
- Hbase Development Guide
- Phoenix on Hbase Development Guide
- Hive Development Guide
- Presto Development Guide
- Sqoop Development Guide
- Hue Development Guide
- Flume Development Guide
- Kerberos Development Guide
- Knox Development Guide
- Alluxio Development Guide
- Kylin Development Guide
- Livy Development Guide
- Zeppelin Development Guide
- Hudi Development Guide
- Superset Development Guide
- Impala Development Guide
- ClickHouse Development Guide
- Druid Development Guide
- TensorFlow Development Guide
- Jupyter Development Guide
- Kudu Development Guide
- EMR Development Guide
- Ranger Development Guide
- Doris Development Guide
- Iceberg Development Guide
- Data Migration
- API documentation
- FAQs
- Service Level Agreement
- Notices
- Release Notes
- Product Introduction
- Purchase guide
- Getting Started
- Operation Guide
- EMR Development Guide
- Hadoop Development Guide
- Spark Development Guide
- Hbase Development Guide
- Phoenix on Hbase Development Guide
- Hive Development Guide
- Presto Development Guide
- Sqoop Development Guide
- Hue Development Guide
- Flume Development Guide
- Kerberos Development Guide
- Knox Development Guide
- Alluxio Development Guide
- Kylin Development Guide
- Livy Development Guide
- Zeppelin Development Guide
- Hudi Development Guide
- Superset Development Guide
- Impala Development Guide
- ClickHouse Development Guide
- Druid Development Guide
- TensorFlow Development Guide
- Jupyter Development Guide
- Kudu Development Guide
- EMR Development Guide
- Ranger Development Guide
- Doris Development Guide
- Iceberg Development Guide
- Data Migration
- API documentation
- FAQs
- Service Level Agreement
- Notices
Elastic MapReduce (EMR) will need to access or operate other cloud products. To ensure that sub-users or collaborators can use and operate EMR normally, this document describe how to grant sub-users or collaborators related permissions.
Permission Policy Overview
| Policy | Description | Required | Notes |
|---|---|---|---|
| QcloudCamSubaccountsAuthorizeRoleFullAccess | Permission required for CAM sub-users to obtain permissions granted by service roles | No | For more information, see Authorizing EMR to access other services. |
| QcloudCamRoleFullAccess | Full access to CAM roles | No | Permission to custom service roles to control access to data across services. For more information, see Custom Service Roles. |
| QcloudEMRFullAccess | Full access to EMR | No | Full permission to use all EMR features. For more information, see Purchasing and managing EMR clusters. |
| QcloudEMRReadOnlyAccess | Read-only access to EMR | No | Permission to view EMR features |
| QcloudCVMFinanceAccess | Financial access to CVM | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to purchase or change the configuration. |
| Custom TencentDB instance purchase policy | Permission to purchase TencentDB instances | No | For more information, see Purchasing and managing EMR clusters. This permission is not required if you don't need to add components after the cluster is deployed. |
Scenarios
Authorizing EMR to access other cloud services
Tencent Cloud root accounts and sub-users and collaborators with the QcloudCamSubaccountsAuthorizeRoleFullAccess permission can access other cloud services after being authorized.
- To use EMR to access CVM, CBS, TencentDB, and other services, you need to assign the
EMR_QCSRoleservice role and grant theQcloudAccessForEMRRolepermission (for EMR to read CVM, CBS, TencentDB, COS, and other services) to the first EMR instance you purchase. - To use EMR to access the data stored in COS, you need to assign the
EMR_QCSRoleservice role and grant theQcloudAccessForEMRRoleInApplicationDataAccesspermission (for EMR big data applications to access other data services, such as COS) to EMR.
The root account can grant the QcloudCamSubaccountsAuthorizeRoleFullAccess permission to sub-users or collaborators via the following steps:
- Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
- Search for and select the
QcloudCamSubaccountsAuthorizeRoleFullAccesspolicy, then click Confirm.
You can associate theQcloudAccessForEMRRoleandQcloudAccessForEMRRoleInApplicationDataAccesspolicies with the root account, sub-user, or collaborator. The process is the same as step 2.
Purchasing and managing EMR clusters
To create a cluster, add a component, or scale out a cluster, a sub-user or collaborator must be associated with the QcloudEMRFullAccess and QcloudCVMFinanceAccess policies and the custom TencentDB purchase policy. In cases not involving resource purchase, such as service configuration management, only the QcloudEMRFullAccess policy is required.
Note:Only accounts with the financial permission can purchase pay-as-you-go EMR clusters.
| Policy Type | Policy Name | Description |
|---|---|---|
| Preset EMR policy | QcloudEMRFullAccess | Full access to EMR |
| Preset EMR policy | QcloudEMRReadOnlyAccess | Read-only access to EMR |
| Preset CVM policy | QcloudCVMFinanceAccess | Financial access to CVM |
| Custom policy | Users can custom the name as needed. | Permission to purchase TencentDB instances |
The root account can grant the above permissions to a sub-user or collaborator via the following steps:
- Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
- Search for and select each policy listed in the above table in the Associate Policy dialog box, then click Confirm. The
QcloudEMRFullAccesspolicy is used as an example in the following figure:
- Custom a TencentDB purchase policy.
- (1). Create a custom policy.
Log in to the CAM console, click Policies > Create Custom Policy > Create by Policy Syntax, select Blank Template on the Create by Policy Syntax page, and click Next.
Enter a policy name (such as EMRvisitedCDB) and a description (such as permission to purchase TencentDB instances for new EMR components), enter the following JSON content under Policy Content, and click Done.{ "version": "2.0", "statement":[ { "effect": "allow", "resource": [ "*" ], "action": [ "cdb:CreateDBInstance", "cdb:CreateDBInstanceHour" ] } ] } - (2). Associate the sub-user or collaborator with the custom TencentDB policy.
Find the target sub-user or collaborator on the user list in the CAM console, click Authorize in the Action column, and search for and associate the custom policy (such as EMRvisitedCDB).
- (1). Create a custom policy.
Custom Service Roles
Tencent Cloud root accounts and collaborators and sub-users with the QcloudCamRoleFullAccess permission can precisely control COS bucket permissions and other cloud resource permissions. For more information see [Custom Service Roles](https://intl.cloud.tencent.com/document/ product/1026/39661).
A root account can grant the QcloudCamRoleFullAccess permission to a sub-user or collaborator via the following steps:
- Log in to the CAM console, click Users > User List, find the target sub-user or collaborator, and click Authorize.
- Search for and select the
QcloudCamRoleFullAccesspolicy, then click Confirm.
Yes
No
Was this page helpful?