Agencies and Dependencies¶
Function Dependency¶
Function Dependency Policies
When using ModelArts to develop algorithms or manage training jobs, you are required to use other Cloud services. For example, before submitting a training job, select an OBS path for storing the dataset and logs, respectively. Therefore, when configuring fine-grained authorization policies for a user, the administrator must configure dependent permissions so that the user can use required functions.
Note
If you use ModelArts as the root user (default IAM user with the same name as the account), the root user has all permissions by default.
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Global configuration | IAM | iam:users:listUsers | Obtain a user list. This action is required by the administrator only. |
Basic function | IAM | iam:tokens:assume | (Mandatory) Use an agency to obtain temporary authentication credentials. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Workspace | IAM | iam:users:listUsers | Authorize workspaces by user. |
ModelArts | modelarts: | Clear resources in a workspace when the workspace is deleted. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
DevEnviron | SWR | swr:repository:getNamespace (obtaining the details about an organization) swr:repository:listNamespace (querying the list of organizations) swr:repository:deleteTag (deleting an artifact version) swr:repository:getRepository (obtaining the details about artifact repositories) swr:repository:listTags (obtaining the version list of an artifact) swr:instance:createTempCredential (creating a temporary access credential) | Create a notebook instance using a custom image. |
DevEnviron | MRS | mrs:cluster:get (obtaining details about a cluster) | Interconnect notebook with an MRS cluster. |
DevEnviron | ECS | ecs:serverKeypairs:list (querying the list of SSH key pairs) ecs:serverKeypairs:get (obtaining ECS key pairs) ecs:serverKeypairs:delete (deleting an SSH key pair) ecs:serverKeypairs:create (creating and importing an SSH key pair) | Configure a login key for a notebook instance. |
DevEnviron | IAM | iam:users:listUsers (querying users) | View the creators of notebook instances on the ModelArts console. |
VS Code plug-in (on-premises)/PyCharm Toolkit (on-premises) | ModelArts | modelarts:notebook:update (updating the notebook development environment) modelarts:notebook:list (obtaining the list of notebook development environments) modelarts:notebook:start (starting a development environment instance) modelarts:notebook:stop (stopping a development environment instance) modelarts:notebook:get (obtaining the details about a notebook development environment) | Access a notebook instance on the cloud through on-premises VS Code. |
OBS | obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:GetObject (obtaining object content and metadata) obs:object:GetObjectVersion (obtaining object content and metadata) obs:bucket:HeadBucket (obtaining bucket metadata) | Manage OBS data through local PyCharm. | |
PyCharm Toolkit (on-premises) | IAM | iam:projects:listProjects (querying tenant projects) | Obtain an IAM project list through local PyCharm for access configurations. |
PyCharm Toolkit (on-premises) | ModelArts | modelarts:pool:list (viewing dedicated resource pools) modelarts:trainJob:list (viewing training job details) modelarts:trainJob:update (modifying a training job) modelarts:trainJobVersion:delete (deleting a training job version) | Use ModelArts through local PyCharm. |
DevEnviron | AOM | aom:alarm:put (reporting alarms) aom:metric:get aom:metric:list aom:alarm:list (querying alarms) | Call the AOM API to obtain monitoring data and events of notebook instances and display them in ModelArts notebook. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Training management | IAM | iam:credentials:listCredentials (querying permanent access keys) iam:agencies:listAgencies (querying agencies based on specified conditions) | Use the configured agency authorization. |
SFS | sfsturbo:shares:getShare (obtaining details about a file system) sfsturbo:shares:getAllShares (obtaining details about all file systems) | Use SFS in a training job. | |
SWR | swr:repository:listTags (obtaining the version list of an artifact) swr:repository:getRepository (obtaining the details about artifact repositories) swr:repository:listRepositories (obtaining the list of artifact repositories) | Use a custom image to create a training job. | |
SMN | smn:topic:publish (publishing a message) smn:topic:list (obtaining a topic) | Notify training job status changes through SMN. | |
OBS | obs:bucket:ListAllMybuckets (obtaining a bucket list) obs:bucket:HeadBucket (obtaining bucket metadata) obs:bucket:ListBucket (listing objects in a bucket) obs:bucket:GetBucketLocation (obtaining the bucket location) obs:object:GetObject (obtaining object content and metadata) obs:object:GetObjectVersion (obtaining object content and metadata) obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (deleting an object or batch deleting objects) obs:object:DeleteObjectVersion (deleting an object or batch deleting objects) obs:object:ListMultipartUploadParts (listing uploaded parts) obs:object:AbortMultipartUpload (aborting multipart uploads) obs:object:GetObjectAcl (obtaining an object ACL) obs:object:GetObjectVersionAcl (obtaining an object ACL) obs:bucket:PutBucketAcl (configuring a bucket ACL) obs:object:PutObjectAcl (configuring an object ACL) obs:object:ModifyObjectMetaData (modifying object metadata) | Run a training job using a dataset in an OBS bucket. | |
Federated training | IEF | ief:node:get (obtaining edge node information) | Run a federated learning-powered training job. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Using a dataset | ModelArts | modelarts:dataset:getDataset modelarts:dataset:createDataset modelarts:dataset:createDatasetVersion modelarts:dataset:createImportTask modelarts:dataset:updateDataset modelarts:processTask:createProcessTask modelarts:processTask:getProcessTask modelarts:dataset:listDatasets | Use ModelArts datasets in a workflow. |
Managing AI applications | ModelArts | modelarts:model:list modelarts:model:get modelarts:model:create modelarts:model:delete modelarts:model:update | Manage ModelArts AI applications in a workflow. |
Deploying a service | ModelArts | modelarts:service:get modelarts:service:create modelarts:service:update modelarts:service:delete modelarts:service:getLogs | Manage ModelArts real-time services in a workflow. |
Training jobs | ModelArts | modelarts:trainJob:get modelarts:trainJob:create modelarts:trainJob:list modelarts:trainJobVersion:list modelarts:trainJobVersion:create modelarts:trainJob:delete modelarts:trainJobVersion:delete modelarts:trainJobVersion:stop | Manage ModelArts training jobs in a workflow. |
Workspace | ModelArts | modelarts:workspace:get modelarts:workspace:getQuotas | Use ModelArts workspaces in a workflow. |
Managing data | OBS | obs:bucket:ListAllMybuckets (obtaining a bucket list) obs:bucket:HeadBucket (obtaining bucket metadata) obs:bucket:ListBucket (listing objects in a bucket) obs:bucket:GetBucketLocation (obtaining the bucket location) obs:object:GetObject (obtaining object content and metadata) obs:object:GetObjectVersion (obtaining object content and metadata) obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (deleting an object or batch deleting objects) obs:object:DeleteObjectVersion (deleting an object or batch deleting objects) obs:object:ListMultipartUploadParts (listing uploaded parts) obs:object:AbortMultipartUpload (aborting multipart uploads) obs:object:GetObjectAcl (obtaining an object ACL) obs:object:GetObjectVersionAcl (obtaining an object ACL) obs:bucket:PutBucketAcl (configuring a bucket ACL) obs:object:PutObjectAcl (configuring an object ACL) | Use OBS data in a workflow. |
Executing a workflow | IAM | iam:users:listUsers (querying users) iam:agencies:getAgency (obtaining details about a specified agency) iam:tokens:assume (obtaining an agency token) | Call other ModelArts services when the workflow is running. |
Integrating DLI | DLI | dli:jobs:get (obtaining job details) dli:jobs:list_all (viewing a job list) dli:jobs:create (creating a job) | Integrate DLI into a workflow. |
Integrating MRS | MRS | mrs:job:get (obtaining job details) mrs:job:submit (creating and executing a job) mrs:job:list (viewing a job list) mrs:job:stop (stopping a job) mrs:job:batchDelete (batch deleting jobs) mrs:file:list (viewing a file list) | Integrate MRS into a workflow. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Managing AI applications | SWR | swr:repository:deleteRepository swr:repository:deleteTag swr:repository:getRepository swr:repository:listTags | Import a model from a custom image. Use a custom engine when importing a model from OBS. |
OBS | obs:bucket:ListAllMybuckets (obtaining a bucket list) obs:bucket:HeadBucket (obtaining bucket metadata) obs:bucket:ListBucket (listing objects in a bucket) obs:bucket:GetBucketLocation (obtaining the bucket location) obs:object:GetObject (obtaining object content and metadata) obs:object:GetObjectVersion (obtaining object content and metadata) obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (deleting an object or batch deleting objects) obs:object:DeleteObjectVersion (deleting an object or batch deleting objects) obs:object:ListMultipartUploadParts (listing uploaded parts) obs:object:AbortMultipartUpload (aborting multipart uploads) obs:object:GetObjectAcl (obtaining an object ACL) obs:object:GetObjectVersionAcl (obtaining an object ACL) obs:bucket:PutBucketAcl (configuring a bucket ACL) obs:object:PutObjectAcl (configuring an object ACL) | Import a model from a template. Specify an OBS path for model conversion. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Deploying a service | LTS | lts:logs:list (querying the log list) | Show LTS logs. |
Batch services | OBS | obs:object:GetObject (obtaining object content and metadata) obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:bucket:CreateBucket (creating a bucket) obs:bucket:ListBucket (listing objects in a bucket) obs:bucket:ListAllMyBuckets (obtaining a bucket list) | Create a batch service. |
Edge services | CES | ces:metricData:list: (obtaining metric data) | View monitoring metrics. |
IEF | ief:deployment:delete (deleting a deployment) | Manage edge services. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Managing datasets and labels | OBS | obs:bucket:ListBucket (listing objects in a bucket) obs:object:GetObject (obtaining object content and metadata) obs:object:PutObject (uploading objects using PUT method, uploading objects using POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts) obs:object:DeleteObject (deleting an object or batch deleting objects) obs:bucket:HeadBucket (obtaining bucket metadata) obs:bucket:GetBucketAcl (obtaining a bucket ACL) obs:bucket:PutBucketAcl (configuring a bucket ACL) obs:bucket:GetBucketPolicy (obtaining a bucket policy) obs:bucket:PutBucketPolicy (configuring a bucket policy) obs:bucket:DeleteBucketPolicy (deleting a bucket policy) obs:bucket:PutBucketCORS (configuring or deleting CORS rules of a bucket) obs:bucket:GetBucketCORS (obtaining the CORS rules of a bucket) obs:object:PutObjectAcl (configuring an object ACL) | Manage datasets in OBS. Label OBS data. Create a data management job. |
Managing table datasets | DLI | dli:database:displayAllDatabases dli:database:displayAllTables dli:table:describe_table | Manage DLI data in a dataset. |
Managing table datasets | DWS | dws:openAPICluster:list dws:openAPICluster:getDetail | Manage DWS data in a dataset. |
Managing table datasets | MRS | mrs:job:submit mrs:job:list mrs:cluster:list mrs:cluster:get | Manage MRS data in a dataset. |
Auto labeling | ModelArts | modelarts:service:list modelarts:model:list modelarts:model:get modelarts:model:create modelarts:trainJobInnerModel:list modelarts:workspace:get modelarts:workspace:list | Enable auto labeling. |
Team labeling | IAM | iam:projects:listProjects (querying tenant projects) iam:users:listUsers (querying users) iam:agencies:createAgency (creating an agency) iam:quotas:listQuotasForProject (querying the quotas of a project) | Manage labeling teams. |
Application Scenario | Dependent Service | Dependent Policy | Supported Function |
---|---|---|---|
Managing resource pools | BSS | bss:coupon:view bss:order:view bss:balance:view bss:discount:view bss:renewal:view bss:bill:view bss:contract:update bss:order:pay bss:unsubscribe:update bss:renewal:update bss:order:update | Create, renew, and unsubscribe from a resource pool. Dependent permissions must be configured in the IAM project view. |
ECS | ecs:availabilityZones:list | Show AZs. Dependent permissions must be configured in the IAM project view. | |
Network management | VPC | vpc:routes:create vpc:routes:list vpc:routes:get vpc:routes:delete vpc:peerings:create vpc:peerings:accept vpc:peerings:get vpc:peerings:delete vpc:routeTables:update vpc:routeTables:get vpc:routeTables:list vpc:vpcs:create vpc:vpcs:list vpc:vpcs:get vpc:vpcs:delete vpc:subnets:create vpc:subnets:get vpc:subnets:delete vpcep:endpoints:list vpcep:endpoints:create vpcep:endpoints:delete vpcep:endpoints:get vpc:ports:create vpc:ports:get vpc:ports:update vpc:ports:delete vpc:networks:create vpc:networks:get vpc:networks:update vpc:networks:delete | Create and delete ModelArts networks, and interconnect VPCs. Dependent permissions must be configured in the IAM project view. |
SFS Turbo | sfsturbo:shares:addShareNic sfsturbo:shares:deleteShareNic sfsturbo:shares:showShareNic sfsturbo:shares:listShareNics | Interconnect your network with SFS Turbo. Dependent permissions must be configured in the IAM project view. | |
Edge resource pool | IEF | ief:node:list ief:group:get ief:application:list ief:application:get ief:node:listNodeCert ief:node:get ief:IEFInstance:get ief:deployment:list ief:group:listGroupInstanceState ief:IEFInstance:list ief:deployment:get ief:group:list | Add, delete, modify, and search for edge pools |