Agencies and Dependencies

Function Dependency

Function Dependency Policies

When using ModelArts to develop algorithms or manage training jobs, you must also use other cloud services. For example, before submitting a training job, you select one OBS path for storing the dataset and another for storing the logs. Therefore, when configuring fine-grained authorization policies for a user, the administrator must also grant the dependent permissions so that the user can use the required functions.

Note

If you use ModelArts as the root user (default IAM user with the same name as the account), the root user has all permissions by default.

Table 1 Basic configuration

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Global configuration | IAM | `iam:users:listUsers` | Obtain a user list. This action is required by the administrator only. |
| Basic function | IAM | `iam:tokens:assume` | (Mandatory) Use an agency to obtain temporary authentication credentials. |

Table 2 Managing workspaces

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Workspace | IAM | `iam:users:listUsers` | Authorize workspaces by user. |
| Workspace | ModelArts | `modelarts:*:delete*` | Clear resources in a workspace when the workspace is deleted. |

Table 3 Managing development environment notebook

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| DevEnviron | SWR | `swr:repository:getNamespace` (obtaining the details about an organization)<br>`swr:repository:listNamespace` (querying the list of organizations)<br>`swr:repository:deleteTag` (deleting an artifact version)<br>`swr:repository:getRepository` (obtaining the details about artifact repositories)<br>`swr:repository:listTags` (obtaining the version list of an artifact)<br>`swr:instance:createTempCredential` (creating a temporary access credential) | Create a notebook instance using a custom image. |
| DevEnviron | MRS | `mrs:cluster:get` (obtaining details about a cluster) | Interconnect notebook with an MRS cluster. |
| DevEnviron | ECS | `ecs:serverKeypairs:list` (querying the list of SSH key pairs)<br>`ecs:serverKeypairs:get` (obtaining ECS key pairs)<br>`ecs:serverKeypairs:delete` (deleting an SSH key pair)<br>`ecs:serverKeypairs:create` (creating and importing an SSH key pair) | Configure a login key for a notebook instance. |
| DevEnviron | IAM | `iam:users:listUsers` (querying users) | View the creators of notebook instances on the ModelArts console. |
| VS Code plug-in (on-premises)/PyCharm Toolkit (on-premises) | ModelArts | `modelarts:notebook:update` (updating the notebook development environment)<br>`modelarts:notebook:list` (obtaining the list of notebook development environments)<br>`modelarts:notebook:start` (starting a development environment instance)<br>`modelarts:notebook:stop` (stopping a development environment instance)<br>`modelarts:notebook:get` (obtaining the details about a notebook development environment) | Access a notebook instance on the cloud through on-premises VS Code. |
| VS Code plug-in (on-premises)/PyCharm Toolkit (on-premises) | OBS | `obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:GetObjectVersion` (obtaining object content and metadata)<br>`obs:bucket:HeadBucket` (obtaining bucket metadata) | Manage OBS data through local PyCharm. |
| PyCharm Toolkit (on-premises) | IAM | `iam:projects:listProjects` (querying tenant projects) | Obtain an IAM project list through local PyCharm for access configurations. |
| PyCharm Toolkit (on-premises) | ModelArts | `modelarts:pool:list` (viewing dedicated resource pools)<br>`modelarts:trainJob:list` (viewing training job details)<br>`modelarts:trainJob:update` (modifying a training job)<br>`modelarts:trainJobVersion:delete` (deleting a training job version) | Use ModelArts through local PyCharm. |
| DevEnviron | AOM | `aom:alarm:put` (reporting alarms)<br>`aom:metric:get`<br>`aom:metric:list`<br>`aom:alarm:list` (querying alarms) | Call the AOM API to obtain monitoring data and events of notebook instances and display them in ModelArts notebook. |

Table 4 Managing training jobs

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Training management | IAM | `iam:credentials:listCredentials` (querying permanent access keys)<br>`iam:agencies:listAgencies` (querying agencies based on specified conditions) | Use the configured agency authorization. |
| Training management | SFS | `sfsturbo:shares:getShare` (obtaining details about a file system)<br>`sfsturbo:shares:getAllShares` (obtaining details about all file systems) | Use SFS in a training job. |
| Training management | SWR | `swr:repository:listTags` (obtaining the version list of an artifact)<br>`swr:repository:getRepository` (obtaining the details about artifact repositories)<br>`swr:repository:listRepositories` (obtaining the list of artifact repositories) | Use a custom image to create a training job. |
| Training management | SMN | `smn:topic:publish` (publishing a message)<br>`smn:topic:list` (obtaining a topic) | Notify training job status changes through SMN. |
| Training management | OBS | `obs:bucket:ListAllMybuckets` (obtaining a bucket list)<br>`obs:bucket:HeadBucket` (obtaining bucket metadata)<br>`obs:bucket:ListBucket` (listing objects in a bucket)<br>`obs:bucket:GetBucketLocation` (obtaining the bucket location)<br>`obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:GetObjectVersion` (obtaining object content and metadata)<br>`obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:object:DeleteObject` (deleting an object or batch deleting objects)<br>`obs:object:DeleteObjectVersion` (deleting an object or batch deleting objects)<br>`obs:object:ListMultipartUploadParts` (listing uploaded parts)<br>`obs:object:AbortMultipartUpload` (aborting multipart uploads)<br>`obs:object:GetObjectAcl` (obtaining an object ACL)<br>`obs:object:GetObjectVersionAcl` (obtaining an object ACL)<br>`obs:bucket:PutBucketAcl` (configuring a bucket ACL)<br>`obs:object:PutObjectAcl` (configuring an object ACL)<br>`obs:object:ModifyObjectMetaData` (modifying object metadata) | Run a training job using a dataset in an OBS bucket. |
| Federated training | IEF | `ief:node:get` (obtaining edge node information) | Run a federated learning-powered training job. |

Table 5 Using workflows

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Using a dataset | ModelArts | `modelarts:dataset:getDataset`<br>`modelarts:dataset:createDataset`<br>`modelarts:dataset:createDatasetVersion`<br>`modelarts:dataset:createImportTask`<br>`modelarts:dataset:updateDataset`<br>`modelarts:processTask:createProcessTask`<br>`modelarts:processTask:getProcessTask`<br>`modelarts:dataset:listDatasets` | Use ModelArts datasets in a workflow. |
| Managing AI applications | ModelArts | `modelarts:model:list`<br>`modelarts:model:get`<br>`modelarts:model:create`<br>`modelarts:model:delete`<br>`modelarts:model:update` | Manage ModelArts AI applications in a workflow. |
| Deploying a service | ModelArts | `modelarts:service:get`<br>`modelarts:service:create`<br>`modelarts:service:update`<br>`modelarts:service:delete`<br>`modelarts:service:getLogs` | Manage ModelArts real-time services in a workflow. |
| Training jobs | ModelArts | `modelarts:trainJob:get`<br>`modelarts:trainJob:create`<br>`modelarts:trainJob:list`<br>`modelarts:trainJobVersion:list`<br>`modelarts:trainJobVersion:create`<br>`modelarts:trainJob:delete`<br>`modelarts:trainJobVersion:delete`<br>`modelarts:trainJobVersion:stop` | Manage ModelArts training jobs in a workflow. |
| Workspace | ModelArts | `modelarts:workspace:get`<br>`modelarts:workspace:getQuotas` | Use ModelArts workspaces in a workflow. |
| Managing data | OBS | `obs:bucket:ListAllMybuckets` (obtaining a bucket list)<br>`obs:bucket:HeadBucket` (obtaining bucket metadata)<br>`obs:bucket:ListBucket` (listing objects in a bucket)<br>`obs:bucket:GetBucketLocation` (obtaining the bucket location)<br>`obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:GetObjectVersion` (obtaining object content and metadata)<br>`obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:object:DeleteObject` (deleting an object or batch deleting objects)<br>`obs:object:DeleteObjectVersion` (deleting an object or batch deleting objects)<br>`obs:object:ListMultipartUploadParts` (listing uploaded parts)<br>`obs:object:AbortMultipartUpload` (aborting multipart uploads)<br>`obs:object:GetObjectAcl` (obtaining an object ACL)<br>`obs:object:GetObjectVersionAcl` (obtaining an object ACL)<br>`obs:bucket:PutBucketAcl` (configuring a bucket ACL)<br>`obs:object:PutObjectAcl` (configuring an object ACL) | Use OBS data in a workflow. |
| Executing a workflow | IAM | `iam:users:listUsers` (querying users)<br>`iam:agencies:getAgency` (obtaining details about a specified agency)<br>`iam:tokens:assume` (obtaining an agency token) | Call other ModelArts services when the workflow is running. |
| Integrating DLI | DLI | `dli:jobs:get` (obtaining job details)<br>`dli:jobs:list_all` (viewing a job list)<br>`dli:jobs:create` (creating a job) | Integrate DLI into a workflow. |
| Integrating MRS | MRS | `mrs:job:get` (obtaining job details)<br>`mrs:job:submit` (creating and executing a job)<br>`mrs:job:list` (viewing a job list)<br>`mrs:job:stop` (stopping a job)<br>`mrs:job:batchDelete` (batch deleting jobs)<br>`mrs:file:list` (viewing a file list) | Integrate MRS into a workflow. |

Table 6 Managing AI applications

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Managing AI applications | SWR | `swr:repository:deleteRepository`<br>`swr:repository:deleteTag`<br>`swr:repository:getRepository`<br>`swr:repository:listTags` | Import a model from a custom image.<br>Use a custom engine when importing a model from OBS. |
| Managing AI applications | OBS | `obs:bucket:ListAllMybuckets` (obtaining a bucket list)<br>`obs:bucket:HeadBucket` (obtaining bucket metadata)<br>`obs:bucket:ListBucket` (listing objects in a bucket)<br>`obs:bucket:GetBucketLocation` (obtaining the bucket location)<br>`obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:GetObjectVersion` (obtaining object content and metadata)<br>`obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:object:DeleteObject` (deleting an object or batch deleting objects)<br>`obs:object:DeleteObjectVersion` (deleting an object or batch deleting objects)<br>`obs:object:ListMultipartUploadParts` (listing uploaded parts)<br>`obs:object:AbortMultipartUpload` (aborting multipart uploads)<br>`obs:object:GetObjectAcl` (obtaining an object ACL)<br>`obs:object:GetObjectVersionAcl` (obtaining an object ACL)<br>`obs:bucket:PutBucketAcl` (configuring a bucket ACL)<br>`obs:object:PutObjectAcl` (configuring an object ACL) | Import a model from a template.<br>Specify an OBS path for model conversion. |

Table 7 Managing service deployment

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Deploying a service | LTS | `lts:logs:list` (querying the log list) | Show LTS logs. |
| Batch services | OBS | `obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:bucket:CreateBucket` (creating a bucket)<br>`obs:bucket:ListBucket` (listing objects in a bucket)<br>`obs:bucket:ListAllMyBuckets` (obtaining a bucket list) | Create a batch service. |
| Edge services | CES | `ces:metricData:list` (obtaining metric data) | View monitoring metrics. |
| Edge services | IEF | `ief:deployment:delete` (deleting a deployment) | Manage edge services. |

Table 8 Managing datasets

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Managing datasets and labels | OBS | `obs:bucket:ListBucket` (listing objects in a bucket)<br>`obs:object:GetObject` (obtaining object content and metadata)<br>`obs:object:PutObject` (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts)<br>`obs:object:DeleteObject` (deleting an object or batch deleting objects)<br>`obs:bucket:HeadBucket` (obtaining bucket metadata)<br>`obs:bucket:GetBucketAcl` (obtaining a bucket ACL)<br>`obs:bucket:PutBucketAcl` (configuring a bucket ACL)<br>`obs:bucket:GetBucketPolicy` (obtaining a bucket policy)<br>`obs:bucket:PutBucketPolicy` (configuring a bucket policy)<br>`obs:bucket:DeleteBucketPolicy` (deleting a bucket policy)<br>`obs:bucket:PutBucketCORS` (configuring or deleting CORS rules of a bucket)<br>`obs:bucket:GetBucketCORS` (obtaining the CORS rules of a bucket)<br>`obs:object:PutObjectAcl` (configuring an object ACL) | Manage datasets in OBS.<br>Label OBS data.<br>Create a data management job. |
| Managing table datasets | DLI | `dli:database:displayAllDatabases`<br>`dli:database:displayAllTables`<br>`dli:table:describe_table` | Manage DLI data in a dataset. |
| Managing table datasets | DWS | `dws:openAPICluster:list`<br>`dws:openAPICluster:getDetail` | Manage DWS data in a dataset. |
| Managing table datasets | MRS | `mrs:job:submit`<br>`mrs:job:list`<br>`mrs:cluster:list`<br>`mrs:cluster:get` | Manage MRS data in a dataset. |
| Auto labeling | ModelArts | `modelarts:service:list`<br>`modelarts:model:list`<br>`modelarts:model:get`<br>`modelarts:model:create`<br>`modelarts:trainJobInnerModel:list`<br>`modelarts:workspace:get`<br>`modelarts:workspace:list` | Enable auto labeling. |
| Team labeling | IAM | `iam:projects:listProjects` (querying tenant projects)<br>`iam:users:listUsers` (querying users)<br>`iam:agencies:createAgency` (creating an agency)<br>`iam:quotas:listQuotasForProject` (querying the quotas of a project) | Manage labeling teams. |

Table 9 Managing resources

| Application Scenario | Dependent Service | Dependent Policy | Supported Function |
|---|---|---|---|
| Managing resource pools | BSS | `bss:coupon:view`<br>`bss:order:view`<br>`bss:balance:view`<br>`bss:discount:view`<br>`bss:renewal:view`<br>`bss:bill:view`<br>`bss:contract:update`<br>`bss:order:pay`<br>`bss:unsubscribe:update`<br>`bss:renewal:update`<br>`bss:order:update` | Create, renew, and unsubscribe from a resource pool. Dependent permissions must be configured in the IAM project view. |
| Managing resource pools | ECS | `ecs:availabilityZones:list` | Show AZs. Dependent permissions must be configured in the IAM project view. |
| Network management | VPC | `vpc:routes:create`<br>`vpc:routes:list`<br>`vpc:routes:get`<br>`vpc:routes:delete`<br>`vpc:peerings:create`<br>`vpc:peerings:accept`<br>`vpc:peerings:get`<br>`vpc:peerings:delete`<br>`vpc:routeTables:update`<br>`vpc:routeTables:get`<br>`vpc:routeTables:list`<br>`vpc:vpcs:create`<br>`vpc:vpcs:list`<br>`vpc:vpcs:get`<br>`vpc:vpcs:delete`<br>`vpc:subnets:create`<br>`vpc:subnets:get`<br>`vpc:subnets:delete`<br>`vpcep:endpoints:list`<br>`vpcep:endpoints:create`<br>`vpcep:endpoints:delete`<br>`vpcep:endpoints:get`<br>`vpc:ports:create`<br>`vpc:ports:get`<br>`vpc:ports:update`<br>`vpc:ports:delete`<br>`vpc:networks:create`<br>`vpc:networks:get`<br>`vpc:networks:update`<br>`vpc:networks:delete` | Create and delete ModelArts networks, and interconnect VPCs. Dependent permissions must be configured in the IAM project view. |
| Network management | SFS Turbo | `sfsturbo:shares:addShareNic`<br>`sfsturbo:shares:deleteShareNic`<br>`sfsturbo:shares:showShareNic`<br>`sfsturbo:shares:listShareNics` | Interconnect your network with SFS Turbo. Dependent permissions must be configured in the IAM project view. |
| Edge resource pool | IEF | `ief:node:list`<br>`ief:group:get`<br>`ief:application:list`<br>`ief:application:get`<br>`ief:node:listNodeCert`<br>`ief:node:get`<br>`ief:IEFInstance:get`<br>`ief:deployment:list`<br>`ief:group:listGroupInstanceState`<br>`ief:IEFInstance:list`<br>`ief:deployment:get`<br>`ief:group:list` | Add, delete, modify, and search for edge pools. |

Agency authorization

To simplify operations when you use ModelArts to run jobs, certain operations are performed automatically on the ModelArts backend, for example, downloading the datasets from an OBS bucket to a workspace before a training job starts, and writing training job logs back to the OBS bucket.

ModelArts does not save your token authentication credentials. Before ModelArts can operate on your resources (such as OBS buckets) in a backend asynchronous job, you must explicitly authorize it through an IAM agency. ModelArts then uses the agency to obtain a temporary authentication credential for operating on your resources. For details, see Adding Authorization.

**Figure 1** Agency authorization


As shown in Figure 1, once authorization is configured on ModelArts, ModelArts uses the temporary credential to access and operate on your resources, relieving you of some complex and time-consuming operations. The agency credential is also synchronized to your jobs (including notebook instances and training jobs), so code running in those jobs can use it to access your resources.

You can use either of the following methods to authorize ModelArts using an agency:

One-click authorization

ModelArts provides one-click automatic authorization. You can quickly configure agency authorization on the Global Configuration page of ModelArts. Then, ModelArts will automatically create an agency for you and configure it in ModelArts.

In this mode, the authorization scope is determined by the preset system policies of the dependent services, so that the agency has sufficient permissions for using those services. The created agency therefore has almost all permissions of the dependent services. If you want to precisely control the scope of permissions granted to an agency, use the second method.

Custom authorization

The administrator creates different agency authorization policies for different users in IAM and configures the created agency for each ModelArts user. When creating an agency for an IAM user, the administrator grants the agency the minimum permissions needed, based on the user's own permissions, to control which resources the user can access through ModelArts.

Risks in Unauthorized Operations

A user's agency authorization is configured independently of the user's own IAM permissions. In theory, the authorization scope of a user's agency can therefore exceed the scope of the authorization policy configured for the user's group, and because the agency credential is synchronized to the user's jobs, the user can exercise the agency's permissions from within those jobs. Any improper configuration therefore results in unauthorized operations.

To prevent unauthorized operations, only a tenant administrator is allowed to configure agencies for users in the ModelArts global configuration, which keeps agency authorization under administrative control.

Minimal Agency Authorization

When configuring agency authorization, an administrator must strictly control the authorization scope.

ModelArts automatically and asynchronously performs operations such as job preparation and cleanup. The agency authorization these operations require falls within the basic authorization scope. If you use only some ModelArts functions, the administrator can remove from the agency the basic permissions that are not used. Conversely, if a job needs resource permissions beyond the basic scope, the administrator can add those permissions to the agency. In short, the agency authorization scope must be minimized and tailored to the service requirements.
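The following Python script is an added example, not ModelArts documentation or SDK code, that applies the rule above in practice. It takes dependency data transcribed from this page's tables (Table 1, Table 2, Table 4 and Table 11), computes the union of actions required by the scenarios actually in use, renders a minimal Allow policy, and audits an existing grant for missing, excess and over-broad actions, treating wildcard actions such as `modelarts:*:delete*` as patterns. The same check serves the fine-grained user policy described under Function Dependency Policies and the agency minimization described here. The policy JSON layout (`"Version": "1.1"` with Effect/Action statements) and the `granted` list in the main block are assumptions constructed for the example; verify the layout against the IAM console before using the output.

```python
"""Least-privilege helper for ModelArts user and agency policies.

Added example, not part of the ModelArts documentation or SDK. The dependency
data below is transcribed from the page's tables; the policy JSON layout is
assumed to be the Huawei Cloud IAM custom-policy format (check it against the
IAM console before use).
"""
import fnmatch
import json

# Dependent actions per application scenario, transcribed from the page's tables.
SCENARIO_ACTIONS = {
    "basic function": ["iam:tokens:assume"],                                    # Table 1
    "workspace": ["iam:users:listUsers", "modelarts:*:delete*"],                # Table 2
    "training job (SMN notification)": ["smn:topic:publish", "smn:topic:list"],  # Table 4
    "training job (custom image)": [                                             # Table 4
        "swr:repository:listTags",
        "swr:repository:getRepository",
        "swr:repository:listRepositories",
    ],
    "training job (agency)": [                                                   # Table 11
        "obs:bucket:ListBucket",
        "obs:object:GetObject",
        "obs:object:PutObject",
    ],
}


def required_actions(scenarios):
    """Union of the dependent actions for the scenarios actually in use."""
    required = set()
    for name in scenarios:
        required.update(SCENARIO_ACTIONS[name])
    return required


def action_matches(granted, needed):
    """True if a granted action (a literal or a wildcard such as
    modelarts:*:delete*) covers the needed action. '*' spans ':' as well."""
    return fnmatch.fnmatchcase(needed, granted)


def missing_actions(granted, required):
    """Required actions that no granted action or wildcard covers: the user
    or agency will fail on the corresponding ModelArts function."""
    return sorted(a for a in required if not any(action_matches(g, a) for g in granted))


def excess_actions(granted, required):
    """Granted actions that cover nothing in the required set: candidates
    for removal when minimizing an agency."""
    return sorted(g for g in granted if not any(action_matches(g, a) for a in required))


def broad_grants(granted, required):
    """Wildcard grants that cover a required action but are wider than any
    required entry; they should usually be replaced by the literal actions."""
    return sorted(g for g in granted
                  if "*" in g and g not in required
                  and any(action_matches(g, a) for a in required))


def build_policy(actions):
    """Render a minimal Allow policy for the given actions (format assumed)."""
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}


if __name__ == "__main__":
    needed = required_actions(["basic function", "training job (agency)"])
    # Constructed sample grant: wider than the two scenarios above need.
    granted = ["iam:tokens:assume", "obs:bucket:ListBucket", "obs:object:GetObject",
               "obs:object:PutObject", "obs:object:DeleteObject", "modelarts:*:delete*"]
    print("missing:", missing_actions(granted, needed))
    print("excess: ", excess_actions(granted, needed))
    print("broad:  ", broad_grants(["obs:*"], needed))
    print(json.dumps(build_policy(needed), indent=2))
```

Extend `SCENARIO_ACTIONS` with the remaining rows of the tables for the functions your tenant actually uses, then run `excess_actions` against the action list of the agency created by one-click authorization to see what can be removed, and `missing_actions` against a user's fine-grained policy before enabling a new function for that user.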

Basic Agency Authorization Scope

To customize the permissions for an agency, select permissions based on your service requirements.

Table 10 Basic agency authorization for a development environment

| Application Scenario | Dependent Service | Agency Authorization | Description |
|---|---|---|---|
| ModelArts SDK | OBS | `obs:object:DeleteObject`<br>`obs:object:GetObject`<br>`obs:object:GetObjectVersion`<br>`obs:object:PutObject`<br>`obs:bucket:CreateBucket`<br>`obs:bucket:ListBucket`<br>`obs:bucket:HeadBucket` | Access OBS through ModelArts SDKs. |
| ModelArts SDK | ModelArts | `modelarts:dataset:listDatasets`<br>`modelarts:dataset:createDataset`<br>`modelarts:dataset:updateDataset`<br>`modelarts:dataset:deleteDataset`<br>`modelarts:dataset:getDataset`<br>`modelarts:dataset:createDatasetVersion`<br>`modelarts:dataset:deleteDatasetVersion`<br>`modelarts:sample:listSamples`<br>`modelarts:sample:addSamples`<br>`modelarts:sample:deleteSamples`<br>`modelarts:sample:getSample`<br>`modelarts:dataset:createImportTask`<br>`modelarts:dataset:createExportTask`<br>`modelarts:image:get`<br>`modelarts:image:register`<br>`modelarts:notebook:get`<br>`modelarts:image:create`<br>`modelarts:pool:list`<br>`modelarts:dataset:list`<br>`modelarts:trainJob:create`<br>`modelarts:trainJob:update`<br>`modelarts:trainJob:delete`<br>`modelarts:model:create`<br>`modelarts:model:list`<br>`modelarts:model:get`<br>`modelarts:model:delete`<br>`modelarts:service:create`<br>`modelarts:service:list`<br>`modelarts:service:get`<br>`modelarts:service:delete` | Use ModelArts SDKs to operate ModelArts. |
| ModelArts SDK | SWR | `swr:repository:createNamespace`<br>`swr:repository:listNamespaces`<br>`swr:repository:getNamespace`<br>`swr:repository:deleteRepository`<br>`swr:instance:createTempCredential` | Access SWR through ModelArts SDKs. |
| Algorithm suite | ModelArts | `modelarts:aiAlgorithm:create` | Use algorithm suites through ModelArts notebook. |
| JupyterLab plug-ins | OBS | `obs:object:DeleteObject`<br>`obs:object:GetObject`<br>`obs:object:GetObjectVersion`<br>`obs:bucket:CreateBucket`<br>`obs:bucket:ListBucket`<br>`obs:object:PutObject`<br>`obs:bucket:GetBucketAcl`<br>`obs:bucket:PutBucketAcl`<br>`obs:bucket:PutBucketCORS` | Use OBS to upload and download data in JupyterLab through ModelArts notebook. |
| DevEnviron monitoring | AOM | `aom:alarm:put`<br>`aom:metric:get`<br>`aom:metric:list`<br>`aom:alarm:list` | Call the AOM API to obtain monitoring data and events of notebook instances and display them in ModelArts notebook. |

Table 11 Basic agency authorization for managing training jobs

| Application Scenario | Dependent Service | Agency Authorization | Description |
|---|---|---|---|
| Training jobs | OBS | `obs:bucket:ListBucket`<br>`obs:object:GetObject`<br>`obs:object:PutObject` | Download data, models, and code before starting a training job.<br>Upload logs and models when a training job is running. |

Table 12 Basic agency authorization for deploying services

| Application Scenario | Dependent Service | Agency Authorization | Description |
|---|---|---|---|
| Real-time services | LTS | `lts:groups:create`<br>`lts:groups:list`<br>`lts:topics:create`<br>`lts:topics:delete`<br>`lts:topics:list` | Configure LTS for reporting logs of real-time services. |
| Batch services | OBS | `obs:bucket:ListBucket`<br>`obs:object:GetObject`<br>`obs:object:PutObject` | Run a batch service. |
| Edge services | IEF | `ief:deployment:list`<br>`ief:deployment:create`<br>`ief:deployment:update`<br>`ief:deployment:delete`<br>`ief:node:createNodeCert`<br>`ief:iefInstance:list`<br>`ief:node:list` | Deploy an edge service using IEF. |

Table 13 Basic agency authorization for managing data

| Application Scenario | Dependent Service | Agency Authorization | Description |
|---|---|---|---|
| Dataset and data labeling | OBS | `obs:object:GetObject`<br>`obs:object:PutObject`<br>`obs:object:DeleteObject`<br>`obs:object:PutObjectAcl`<br>`obs:bucket:ListBucket`<br>`obs:bucket:HeadBucket`<br>`obs:bucket:GetBucketAcl`<br>`obs:bucket:PutBucketAcl`<br>`obs:bucket:GetBucketPolicy`<br>`obs:bucket:PutBucketPolicy`<br>`obs:bucket:DeleteBucketPolicy`<br>`obs:bucket:PutBucketCORS`<br>`obs:bucket:GetBucketCORS` | Manage datasets in an OBS bucket. |
| Labeling data | ModelArts inference | `modelarts:service:get`<br>`modelarts:service:create`<br>`modelarts:service:update` | Perform auto labeling based on ModelArts inference. |

Table 14 Basic agency authorization for managing dedicated resource pools

| Application Scenario | Dependent Service | Agency Authorization | Description |
|---|---|---|---|
| Network management (new version) | VPC | `vpc:routes:create`<br>`vpc:routes:list`<br>`vpc:routes:get`<br>`vpc:routes:delete`<br>`vpc:peerings:create`<br>`vpc:peerings:accept`<br>`vpc:peerings:get`<br>`vpc:peerings:delete`<br>`vpc:routeTables:update`<br>`vpc:routeTables:get`<br>`vpc:routeTables:list`<br>`vpc:vpcs:create`<br>`vpc:vpcs:list`<br>`vpc:vpcs:get`<br>`vpc:vpcs:delete`<br>`vpc:subnets:create`<br>`vpc:subnets:get`<br>`vpc:subnets:delete`<br>`vpcep:endpoints:list`<br>`vpcep:endpoints:create`<br>`vpcep:endpoints:delete`<br>`vpcep:endpoints:get`<br>`vpc:ports:create`<br>`vpc:ports:get`<br>`vpc:ports:update`<br>`vpc:ports:delete`<br>`vpc:networks:create`<br>`vpc:networks:get`<br>`vpc:networks:update`<br>`vpc:networks:delete` | Create and delete ModelArts networks, and interconnect VPCs. Dependent permissions must be configured in the IAM project view. |
| Network management (new version) | SFS Turbo | `sfsturbo:shares:addShareNic`<br>`sfsturbo:shares:deleteShareNic`<br>`sfsturbo:shares:showShareNic`<br>`sfsturbo:shares:listShareNics` | Interconnect your network with SFS Turbo. Dependent permissions must be configured in the IAM project view. |
| Managing resource pools | ECS | `ecs:availabilityZones:list` | Show AZs. Dependent permissions must be configured in the IAM project view. |