This topic describes how to grant access to a specific user-defined function (UDF) to one specified user only. This is a data security best practice because the scenario involves a UDF that implements data encryption and decryption algorithms.

Prerequisites

The MaxCompute client is installed. For more information, see Install and configure the odpscmd client.

Background information

Typically, you can use one of the following methods to control users' access permissions:
  • Create a package to include all objects in a workspace that are required by another target workspace, and authorize use of the package in the target workspace.

    This method applies to scenarios where you want to share access to resources across workspaces. However, after you grant access to the package to a user with the developer role, that user has full permissions on every object in the package, which introduces risks that cannot be controlled. For more information, see Resource sharing across projects based on package.

    • The following figure shows the permissions that the developer role has on a DataWorks workspace.

      As shown in the preceding figure, the developer role has full permissions on all packages, functions, resources, and tables in the workspace by default. This does not meet permission management requirements.

    • The following figure shows the permissions that a Resource Access Management (RAM) user has on a DataWorks workspace after the RAM user is assigned the developer role.

    In view of the above, you cannot precisely grant access to a specific UDF to a specified user by using package-based authorization or by assigning the default role of DataWorks to the user. For example, if you assign the developer role to the RAM user RAM$xxxxx.pt@aliyun-test.com:ramtest, the RAM user has full permissions on all objects in the current workspace. For more information, see Authorize users.

  • Create a role in the DataWorks console for permission control.

    Log on to the DataWorks console. In the left-side navigation pane, click Workspaces. On the page that appears, find the target workspace and click Data Analytics in the Actions column. On the DataStudio page that appears, click the Workspace Manage icon in the upper-right corner. On the page that appears, click Maxcompute Management in the left-side navigation pane and then Custom User Roles. On the Custom User Roles page that appears, click Create Role to create a role for permission control. This method, however, can only grant permissions on a table or workspace, but not on a specific UDF.

  • Use a role policy and a project policy to grant access to a specific UDF only to a specified user.
    Role and project policies allow you to grant a specific permission on a specific resource to a specified user.
    Note For security purposes, we recommend that you try role and project policies in a test workspace first if you are new to DataWorks.
To sum up, you can use a role policy together with a project policy to grant access to a specific UDF to a specified user only:
  • To deny users access to a specific resource in a workspace, assign the developer role to the users and, on the MaxCompute client, configure a role policy that denies their requests to access the resource.
  • To permit one of these denied users to access the resource, configure a project policy on the MaxCompute client that allows that user's requests to access the resource.

Procedure

  1. Create a role that is by default denied access to the UDF named getregion.
    1. On the MaxCompute client, run the following command to create the role denyudfrole:
      create role denyudfrole;
    2. Create a role policy file with the following content:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": ["odps:Read", "odps:List"],
            "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
          },
          {
            "Effect": "Deny",
            "Action": ["odps:Read", "odps:List"],
            "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
          }
        ]
      }
    3. On the MaxCompute client, attach the role policy file to the role by specifying the local path of the file.
      Run the following command:
      put policy /Users/yangyi/Desktop/role_policy.json on role denyudfrole;
    4. On the MaxCompute client, run the following command to check the role policy:
      get policy on role denyudfrole;
      The following figure shows the command output.
    5. On the MaxCompute client, run the following command to assign the denyudfrole role to a RAM user with the developer role:
      grant denyudfrole to RAM$xxxx.pt@aliyun-test.com:ramtest;
  2. Verify that the denyudfrole role is created.
    1. Log on to the MaxCompute client as the RAM user to which the denyudfrole role is assigned. Then, run the whoami; command to check the current logon user.
    2. Run the show grants; command to check the permissions of the current logon user.

      The command output indicates that the RAM user has two roles: role_project_dev and denyudfrole. role_project_dev is the default developer role in a DataWorks workspace.

    3. Check the permissions of the RAM user on the UDF getregion and its dependent package.

      The command output indicates that the RAM user with the developer role of a DataWorks workspace does not have the read permission on the UDF getregion. To grant access to the UDF getregion only to the RAM user, you need to further configure a project policy.

  3. Configure a project policy.
    1. Create a project policy file with the following content:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
            "Action": ["odps:Read", "odps:List", "odps:Select"],
            "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
          },
          {
            "Effect": "Allow",
            "Principal": "RAM$xxxx.pt@aliyun-test.com:yangyitest",
            "Action": ["odps:Read", "odps:List", "odps:Select"],
            "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
          }
        ]
      }
    2. On the MaxCompute client, attach the project policy file to the project by specifying the local path of the file.
      Run the following command:
      put policy /Users/yangyi/Desktop/project_policy.json;
    3. On the MaxCompute client, run the following command to check the project policy:
      get policy;
      The following figure shows the command output.
    4. Run the whoami; command to check the current logon user. Then, run the show grants; command to check the permissions of the user.
    5. Run an SQL node and check whether only the specified RAM user can access the specific UDF and its dependent package.
      • The following command output indicates that the specified RAM user can access the specific UDF.
      • The following command output indicates that the specified RAM user can access the dependent package of the UDF.
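The two policy files in the procedure above are easy to get wrong by hand: a missing colon makes the file unparsable, and two statements in the project policy that name different principals grant the jar and the function to different users. The following added example, which is not part of this topic or of MaxCompute itself, generates both files for a given project, UDF, jar and principal, and lints a policy before it is handed to `put policy`. The field names (`Version`, `Statement`, `Effect`, `Principal`, `Action`, `Resource`) and the two resource ARN shapes are taken from the policy files on this page; the assumption that a UDF grant needs exactly those two objects, the principal placeholder, and the lint rules themselves are the example's own and are not MaxCompute's validation.

```python
import json
import re

# Resource ARN shapes copied from the policy files on this page. The example assumes
# that a UDF grant covers exactly these two objects: the registered function and its jar.
RESOURCE_ARN = "acs:odps:*:projects/{project}/resources/{name}"
FUNCTION_ARN = "acs:odps:*:projects/{project}/registration/functions/{name}"
ARN_RE = re.compile(
    r"^acs:odps:\*:projects/[^/]+/(resources/[^/]+|registration/functions/[^/]+)$"
)


def udf_resources(project, function, jar):
    """The two objects a UDF grant covers: the dependent jar and the registered function."""
    return [
        RESOURCE_ARN.format(project=project, name=jar),
        FUNCTION_ARN.format(project=project, name=function),
    ]


def role_policy(project, function, jar):
    """Role policy (no Principal): deny Read/List on the UDF and its jar to every role member."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Deny", "Action": ["odps:Read", "odps:List"], "Resource": arn}
            for arn in udf_resources(project, function, jar)
        ],
    }


def project_policy(project, function, jar, principal):
    """Project policy: allow exactly one principal Read/List/Select on the same two objects."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["odps:Read", "odps:List", "odps:Select"],
                "Resource": arn,
            }
            for arn in udf_resources(project, function, jar)
        ],
    }


def lint(policy, is_project_policy):
    """Return the list of problems found; an empty list means the policy passed every check."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    principals = set()
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = s.get("Action")
        if not isinstance(actions, list) or not all(str(a).startswith("odps:") for a in actions):
            problems.append(f"statement {i}: Action must be a list of odps:* actions")
        if not ARN_RE.match(str(s.get("Resource", ""))):
            problems.append(f"statement {i}: Resource is not a project-scoped UDF or resource ARN")
        if is_project_policy:
            if "Principal" in s:
                principals.add(s["Principal"])
            else:
                problems.append(f"statement {i}: a project policy statement needs a Principal")
        elif "Principal" in s:
            problems.append(f"statement {i}: a role policy applies to the role, not a Principal")
    # A UDF grant that names two principals gives the jar and the function to different users.
    if len(principals) > 1:
        problems.append(f"statements name different principals: {sorted(principals)}")
    return problems


def check_policy_text(text, is_project_policy):
    """Lint raw file content, so a malformed file is caught before it is passed to put policy."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    return lint(policy, is_project_policy)


def allows_exactly_denied_set(role_pol, proj_pol):
    """True when the project policy allows precisely the resources the role policy denies."""
    denied = {s["Resource"] for s in role_pol["Statement"] if s["Effect"] == "Deny"}
    allowed = {s["Resource"] for s in proj_pol["Statement"] if s["Effect"] == "Allow"}
    return denied == allowed


if __name__ == "__main__":
    # Constructed sample: project, UDF and jar from this page; the principal is a placeholder.
    rp = role_policy("sz_mc", "getregion", "getaddr.jar")
    pp = project_policy("sz_mc", "getregion", "getaddr.jar", "RAM$xxxx.pt@aliyun-test.com:ramtest")
    print(json.dumps(rp, indent=2))  # content to save as role_policy.json
    print(json.dumps(pp, indent=2))  # content to save as project_policy.json
    print(lint(rp, False), lint(pp, True), allows_exactly_denied_set(rp, pp))
```

Run the script once to produce the two files, then lint any hand-edited copy with `check_policy_text` before running `put policy`; `allows_exactly_denied_set` confirms that the project policy re-opens exactly the objects the role policy closed and nothing more.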