百度智能云
All Product Document

          MapReduce

          • BMR
          • >
          • Operation Guide
          • >
          • Identity and Access Management

          Identity and Access Management

          Last Updated2020-09-23

          Introduction

          Identity and Access Management (IAM) helps users manage access rights to resources under cloud accounts. It applies to different roles in the enterprise and can give different rights to different employees to use products. It is recommended that you use identity and access management when your enterprise has multi-user collaborative operation resources.

          Applicable to the following scenarios:

          • Customers of medium and large enterprises: Perform the authorized management of multiple employees in the company;
          • Technology-based vendor or SAAS platform providers: Manage the resources and rights of the proxy clients;
          • Small and medium developers or small enterprises: Add the project members or collaborators to manage the resources.

          The identity and access management enables coordinated management and use of BMR resources by different persons or different departments in the company or organization. In the BMR, the clusters and scheduled tasks are resources. In the coordination, the master user creates the sub-user and assigns the access policy.

          Overview of access policy:

          The access control policies consist of the dimensions of permission and resource. The permission means the user's executable actions, such as creation, deletion, check, and modification; the resource means the cluster or scheduled task. The permissions comprise the types of coarse granularity and fine granularity. The coarse granularity permission does not limit resources, and it can correspond to different fine granularity permissions; the fine granularity permission needs to select one or more resources. The sub-user granted with a certain strategy has access to corresponding resources.

          Policy example:

          ACL{ //the policy has READ coarse granularity permission to all resources;
"resource": ["*"], //resource
"permission": [ //permission
         "READ"
]
};
   
ACL{ //the policy has ScaleCluster (expand/reduce capacity) fine granularity permission to a cluster;
"resource": ["cluster/ clusterID"], //resource
"permission": [ //permission
" ScaleCluster"
]
}.

          Notes:

          • Master user owns all resources of BMR, and the master user assumes the expenses on resources created or deleted by the sub-user.
          • The sub-user and master user have the same permissions to the operation of cluster templates, which have no permission control.
          • The policy change takes effect after 5 minutes.

          Create Sub-users

          1. After the user having a primary account number logs in, select "Identity and Access Management" in the console to enter the user administration page.

          image.png

          1. Click "User Management" in the left navigation bar, and click "New User" on the "Sub-user Management List" page.
          2. In the popped up "New User" dialog box, enter and confirm "User Name", and return to "Sub-user Management List" to view the new sub-user.

          Configuration Policies

          The permission policy has two types: [System Privilege Policy](#System Policy) and [Custom Privielge Policy](#Custom Policy). They are used to control BMR's product-level permission and resource-level permission, respectively.

          • System policy: A permission set predefined by Baidu AI Cloud system to manage resources. Such policies can directly grant permission to the sub-user, which is used rather than modified by the user.
          • Custom policy: It is created by users, more detailed permission set for managing resources, which can configure permission for a single instance, and can ensure differentiated permission management of accounts to different users more flexibly.

          System Policies

          Click "Resources Management" to enter the policy management page. The system policy is preset for users by BMR and cannot be modified by users. You can enter "bmr" in the right search box to view all BMR system policies.

          image.png

          The four system policies provided by BMR and their permissions are as follows:

          System Policies Privileges Included Description
          BMRListAllStepAccessPolicy LIST_ALL_STEP Privilege to view the list of all BMR jobs
          BMRUseOnlyAccessPolicy READ Privilege to use BMR policy only, including permission to use BMR only
          BMRCreateAndDeleteOnlyAccessPolicy "ReadCluster",
          "ReadExecutionPlan",
          "CREATE_DELETE"          		 Privilege to create and delete cluster and scheduled task policies only, including permission to create and delete BMR resources only and permission to read cluster and scheduled task
          BMROperateOnlyAccessPolicy "ReadCluster",
          "ReadExecutionPlan",
          "OPERATE"          		 Privilege to operation and maintenance of BMR policies only, including permission to operation and maintenance of BMR and permission to read cluster and scheduled task
          BMRFullControlAccessPolicy "FULL_CONTROL" Privilege to full control and management of BMR policies, including permission to full control and management of BMR

          Custom Policies

          By clicking "Custom Policy", entering the policy name, and selecting service type of "Baidu MapReduce BMR", the sub-user can add the custom policy to add custom permissions. You can add custom policies by configuring policy generator or editing policy files. The fine granularity permission is the only option for policy generator, and coarse granularity permission and fine granularity permission are two options for editing policy files. You can set and modify the policy according to specific permissions.

          Policy Generator

          For the policy generator, there are two resources: cluster and scheduled task. The resource box represents the fine granularity permission for that resource. After selecting the permission, you can click different regions in "Select resources" to see the resources under the region. Click "Finish" after selecting the resources.

          image.png

          Note: Cluster and scheduled tasks are parallel resources. In the policy, you can configure the permission to one or both of such resources.

          Editing Policy Files

          image.png

          Essentially, the policy file is a JSON file, and permission and resource in the file are used to define permission and resource. For easy editing, the permission list shows all coarse and fine granularity permissions by default, and you can delete elements in the list as needed.

          Note:

          You cannot add or delete any field (such as service and region) in the policy file, and you cannot change the field name.

          The definition of all fields in the policy file is as follows:

          Field Name Data Type Description
          accessControlList list Identify the start of main body of Access Control List (ACL), consisting of one or more configuration items.
          service string Service component influenced by the configuration item, and BMR fixed value is "bce:bmr" and cannot be changed.
          region string Region influenced by the configuration item, and the value is "bj", "gz", "su", "bd", "hkg" and "?". Among them, "bj" represents the Beijing region, "gz" represents the Guangzhou region, "su" represents the Suzhou region, "bd" represents the Baoding region, "hkg" represents the Hong Kong region, and "?" represents all regions. The value is inside quotes, and the punctuation is in English semi-angle format.
          effect string Specify whether to run the Request matching the configuration item, and the value is "Allow" or "Deny". "Allow" means execution and "Deny" means no execution.
          permission list Privilege included in the configuration item, and the value is the default element in the permission list.
          resource list Resources included in the configuration item, and the options include wildcard "?" and specific resource ID. "?" means all instances, different instances can be configured for resource ID, and the values are inside quotes in English semi-angle format and spaced with commas. Naming of resource ID: "cluster/cluster ID" or "executionPlan/scheduled task object ID". The scheduled task object ID can be selected from scheduled task resources of policy generator.

          User Authorization

          Select "Add Privilege" in the "Operation" column of the corresponding sub-user in "User Administration-> Sub-User Administration List" page, and select and authorize the system privileges or custom policies for users.

          Note:

          If you modify the permissions of the sub-user without modifying the existing policy rules, you can only delete the existing policies and add policies, but you cannot cancel the added policy permissions.

          Service Authorization

          For the sub-users to use BMR services, you need to authorize permission to other services in Baidu AI Cloud. The permission policy and influence the scope of services are as follows:

          Service Policy Name Description Influence Scope
          FCOrderAccessPolicy Full control over order service permission Query and create cluster
          VpcFullControlPolicy Full control over VPC service permission Create Clusters
          SubnetFullControlPolicy Full control over subnet service permission Create Clusters
          BosFullAccessPolicy Full control over BOS service permission Choose to store logs in BOS when creating cluster

          System policies cover all policies above.

          Sub-user Login

          After the user having a primary account number has authorized the sub-user, it can send the link to the sub-user; the sub-user can log in to the management console of the main account through the IAM user login link, and operate and view the main account resources based on authorized policies.

          image.png

          For other detailed operations, please see Identity and Access Management.

          Privilege Model

          Name of Coarse Granularity Privilege Description Name of Corresponding Fine Granularity Privilege Description
          READ Privilege to use BMR only ReadCluster Read cluster
          - - ReadStep View job details
          - - CreateStep Create step
          - - CancelStep Terminate step
          - - ReadExecutionPlan Read scheduled task
          - - UpdateExecutionPlan Update scheduled task, including adjusting the execution policy and adding and deleting jobs on the scheduled task
          LIST_ALL_STEP Produce job lists No -
          CREATE_DELETE Privilege to create and delete BMR resources only No -
          OPERATE Privilege to operation and maintenance of BMR only RenameCluster Change cluster name
          - - ScaleCluster Modify cluster configuration, i.e., capacity expansion and reduction
          - - SwitchExecutionPlan Start-stop of scheduled task
          FULL_CONTROL Privilege to full control and management of BMR No -

          Selecting a coarse granularity permission policy means selecting all fine granularity permissions corresponding to the coarse granularity permission. From the way of naming, it can be seen the name of coarse granularity permission includes uppercase characters only, and the name of fine granularity permission is camel case.

          Notes:

          • LIST_ALL_STEP coarse granularity permission means access to all job lists, including job lists on the cluster page;
          • READ coarse granularity permission or ReadStep fine granularity permission for specified cluster ID means access only to job lists on the cluster page, and you can view job details with such permission.
          Previous
          Practical Operation
          Next
          Tutorials