Synchronizing IAM Users to MRS

IAM user synchronization synchronizes IAM users bound with MRS policies to the MRS system and creates accounts that have the same usernames as the IAM users but different passwords. You can then use an IAM username (the password needs to be reset by user admin of Manager) to log in to Manager for cluster management, and to submit jobs on the GUI in a cluster with Kerberos authentication enabled.

Table 1 compares IAM users' permission policies and the synchronized users' permissions on MRS. For details about the default permissions on Manager, see Users and Permissions of MRS Clusters.

Table 1 Policy and permission mapping after synchronization

| Policy Type | IAM Policy | User's Default Permissions on MRS After Synchronization | Have Permission to Perform the Synchronization | Have Permission to Submit Jobs |
|---|---|---|---|---|
| Fine-grained | MRS ReadOnlyAccess | Manager_viewer | No | No |
| Fine-grained | MRS CommonOperations | Manager_viewer, default, launcher-job | No | Yes |
| Fine-grained | MRS FullAccess | Manager_administrator, Manager_auditor, Manager_operator, Manager_tenant, Manager_viewer, System_administrator, default, launcher-job | Yes | Yes |
| RBAC | MRS Administrator | Manager_administrator, Manager_auditor, Manager_operator, Manager_tenant, Manager_viewer, System_administrator, default, launcher-job | No | Yes |
| RBAC | Server Administrator, Tenant Guest, and MRS Administrator | Manager_administrator, Manager_auditor, Manager_operator, Manager_tenant, Manager_viewer, System_administrator, default, launcher-job | Yes | Yes |
| RBAC | Tenant Administrator | Manager_administrator, Manager_auditor, Manager_operator, Manager_tenant, Manager_viewer, System_administrator, default, launcher-job | Yes | Yes |
| Custom | Custom policy | Manager_viewer, default, launcher-job | If custom policies use RBAC policies as a template, refer to the RBAC policies. If custom policies use fine-grained policies as a template, refer to the fine-grained policies. The fine-grained policies are recommended. | Yes |

Note

To facilitate user permission management, use fine-grained policies rather than RBAC policies. In fine-grained policies, the Deny action takes precedence over other actions.

  • A user has permission to synchronize IAM users only when the user has the Tenant Administrator role or has the Server Administrator, Tenant Guest, and MRS Administrator roles at the same time.

  • A user with the action:mrs:cluster:syncUser policy has permission to synchronize IAM users.

Procedure

  1. Create a user and authorize the user to use MRS. For details, see Creating an MRS User.

  2. Log in to the MRS management console and create a cluster. For details, see Creating a Custom Cluster.

  3. In the left navigation pane, choose Clusters > Active Clusters. Click the cluster name to go to the cluster details page.

  4. In the Basic Information area on the Dashboard page, click Synchronize on the right side of IAM User Sync to synchronize IAM users.

  5. After a synchronization request is sent, choose Operation Logs in the left navigation pane on the MRS console to check whether the synchronization is successful. For details about the logs, see Viewing MRS Operation Logs.

  6. After the synchronization is successful, use the user synchronized with IAM to perform subsequent operations.

    Note

    • When the policy of the user group to which the IAM user belongs changes from MRS ReadOnlyAccess to MRS CommonOperations, MRS FullAccess, or MRS Administrator, wait 5 minutes after the synchronization is complete for the new policy to take effect, because the SSSD (System Security Services Daemon) cache of cluster nodes needs time to be updated. Then, submit a job. Otherwise, the job may fail to be submitted.

    • When the policy of the user group to which the IAM user belongs changes from MRS CommonOperations, MRS FullAccess, or MRS Administrator to MRS ReadOnlyAccess, wait 5 minutes after the synchronization is complete for the new policy to take effect, because the SSSD cache of cluster nodes needs time to be updated.

    • After you click Synchronize on the right side of IAM User Sync, the cluster details page is blank for a short time, because user data is being synchronized. The page will be properly displayed after the data synchronization is complete.

    • Submitting jobs in a security cluster: Users can submit jobs using the job management function on the GUI in the security cluster. For details, see Running a MapReduce Job.

    • All tabs are displayed on the cluster details page, including Components, Tenants, and Backups & Restorations.

    • Logging in to Manager

      1. Log in to Manager as user admin. For details, see Accessing Manager.

      2. Initialize the password of the user synchronized with IAM. For details, see Initializing the Password of a System User.

      3. Modify the role bound to the user group to which the user belongs to control user permissions on Manager. For details, see Related Tasks. For details about how to create and modify a role, see Creating a Role. After the component role bound to the user group to which the user belongs is modified, it takes some time for the role permissions to take effect.

      4. Log in to Manager using the user synchronized with IAM and the password after the initialization in 6.b.

      Note

      If the IAM user's permission changes, go to 4 to perform a second synchronization. After the second synchronization, a system user's permissions are the union of the permissions defined in the IAM system policy and the permissions of roles added by the system user on Manager. After the second synchronization, a custom user's permissions are subject to the permissions configured on Manager.

      • System user: If all user groups to which an IAM user belongs are bound to system policies (RBAC policies and fine-grained policies belong to system policies), the IAM user is a system user.

      • Custom user: If the user group to which an IAM user belongs is bound to any custom policy, the IAM user is a custom user.
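
The following is an added example, not code from MRS or from this documentation. It models the second-synchronization rule above for access reviews: because a system user's permissions are a union, lowering the IAM policy does not remove roles added on Manager. Policy and role names are taken from Table 1; the record layout and function names are hypothetical, and combining several system policies as a union is an assumption.

```python
# Added example. Role and policy names are from Table 1; the data model and
# function names are hypothetical.
FULL = frozenset({
    "Manager_administrator", "Manager_auditor", "Manager_operator",
    "Manager_tenant", "Manager_viewer", "System_administrator",
    "default", "launcher-job",
})
BASIC = frozenset({"Manager_viewer", "default", "launcher-job"})

# Default Manager roles granted by each system policy (Table 1).
SYSTEM_POLICY_ROLES = {
    "MRS ReadOnlyAccess": frozenset({"Manager_viewer"}),
    "MRS CommonOperations": BASIC,
    "MRS FullAccess": FULL,
    "MRS Administrator": FULL,
    "Tenant Administrator": FULL,
}

def classify(policies):
    """Custom user if any bound policy is custom, otherwise system user."""
    return "custom" if any(p["custom"] for p in policies) else "system"

def iam_default_roles(policies):
    """Roles the current IAM policies grant on their own."""
    if classify(policies) == "custom":
        return BASIC  # Table 1, custom policy row
    # Assumption: several system policies combine as a union; names that are
    # not in Table 1 contribute no roles in this model.
    granted = (SYSTEM_POLICY_ROLES.get(p["name"], frozenset()) for p in policies)
    return frozenset().union(*granted)

def effective_roles(policies, manager_roles):
    """Roles held after a second synchronization."""
    if classify(policies) == "custom":
        return frozenset(manager_roles)  # Manager configuration applies
    return iam_default_roles(policies) | frozenset(manager_roles)

def drift(policies, manager_roles):
    """Roles held beyond what the current IAM policies grant on their own."""
    return effective_roles(policies, manager_roles) - iam_default_roles(policies)

if __name__ == "__main__":
    # Constructed case: IAM policy downgraded to read-only, but an operator
    # role added on Manager earlier is still in place.
    downgraded = [{"name": "MRS ReadOnlyAccess", "custom": False}]
    print(sorted(effective_roles(downgraded, {"Manager_operator"})))
    print(sorted(drift(downgraded, {"Manager_operator"})))
```

A non-empty drift result marks a user whose Manager roles need to be reviewed on Manager itself, since a further synchronization will not remove them.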