Join us at the Alibaba Cloud ACtivate Online Conference on March 5-6 to challenge assumptions, exchange ideas, and explore what is possible through digital transformation.
Alibaba Cloud MaxCompute and DataWorks are two independent products, and their permission systems have similarities as well as differences. Before handling the permission problems, you must first understand the respective permission systems of these two products.
MaxCompute has its own security systems, including ACL and policy authorization systems. For more information, visit https://www.alibabacloud.com/help/doc-detail/27924.htm
DataWorks is an upper-layer cloud warehouse development tool for MaxCompute. It has its own permission model and supports the MaxCompute underlying data authorization system. For more information, visit https://www.alibabacloud.com/help/product/72772.htm
Run "list roles" on the MaxCompute console to view the MaxCompute role system. Items that start with "role_" are roles that are encapsulated by DataWorks based on MaxCompute. The roles are described as follows:
|Role name||Corresponding product and permission|
|admin||Default MaxCompute admin role|
|role_project_admin||DataWorks project administrator|
|role_project_deploy||DataWorks deployer role|
|role_project_dev||DataWorks developer role|
|role_project_guest||DataWorks guest role|
|role_project_pe||DataWorks O&M role|
|role_project_scheduler||DataWorks scheduler account|
|role_project_security||DataWorks security administrator|
The admin role is the default admin role of MaxCompute. This role can access all objects in the project and manage and authorize users or roles. Compared with the project owner, the admin role cannot assign the admin permissions to any user, specify the security configurations of the project, or change the authentication model of the project. The permissions of the admin role cannot be modified. Generally, if the permissions are not modified, the user who is assigned the admin role has only one account "project owner".
odps@ clouder_bi>describe role admin; [users] ALIYUNfirstname.lastname@example.org Authorization Type: Admin
The MaxCompute project owner can assign the admin role to other sub-accounts, allowing them to perform permission model management for MaxCompute.
You can run "describe role" to view the permissions and user list of a role that starts with "role_". Using the role_project_dev as an example:
odps@ clouder_bi>describe role role_project_dev;
[users] RAMemail@example.com:yangyitest Authorization Type: Policy A projects/clouder_bi: * A projects/clouder_bi/instances/*: * A projects/clouder_bi/jobs/*: * A projects/clouder_bi/offlinemodels/*: * A projects/clouder_bi/packages/*: * A projects/clouder_bi/registration/functions/*: * A projects/clouder_bi/resources/*: * A projects/clouder_bi/tables/*: * A projects/clouder_bi/volumes/*: *
After learning the permission systems of the two products, you can troubleshoot permission-related problems in the following way:
By running the commands below, you can see the roles and permissions of the user.
show grants; --View permissions of the current user. show grants for <username>; --View access permissions of a specified user. Only the project owner and admin are authorized to perform this operation. show grants for RAM$Primary account:Sub-account;
Generally, the list of users who are authorized to access the current table is displayed.
show acl for <objectName> [on type <objectType>];--View the list of authorized users and roles of a specified object Supported object types: project, table, job, volume, instance, resource, function, package, topology, matrix, xflow, offline model, and stream job
Permission verification often fails even if OK is returned after authorization.
show SecurityConfiguration;--View the security configuration of the project
In addition to the command line, you can check whether the ACL switch is enabled on the + +DataWorks > Project Management > MaxCompute Config+ + page.
There are two common types of policy authorization: project-level and role-level.
get policy;--Obtain the project-level policy configuration get policy on role <rolename>;--Obtain the policy configuration of the specified role
Alibaba Cloud MaxCompute - March 4, 2019
Alibaba Clouder - February 11, 2021
Alibaba Cloud MaxCompute - February 15, 2019
Alibaba Cloud MaxCompute - December 8, 2020
Alibaba Cloud MaxCompute - March 2, 2020
Alibaba Cloud MaxCompute - February 19, 2019
Alibaba Cloud experts provide retailers with a lightweight and customized big data consulting service to help you assess your big data maturity and plan your big data journey.Learn More
Alibaba Cloud provides big data consulting services to help enterprises leverage advanced data technology.Learn More
ApsaraDB for HBase is a NoSQL database engine that is highly optimized and 100% compatible with the community edition of HBase.Learn More
TSDB is a stable, reliable, and cost-effective online high-performance time series database service.Learn More
More Posts by Alibaba Cloud MaxCompute