MaxCompute:Grant a specified user the access permissions on a specific UDF

Last Updated:Feb 21, 2024

This topic describes how to grant specified users the access permissions on specific resources, such as tables and user-defined functions (UDFs), while keeping those resources hidden from other users in the same workspace. The example UDF implements data encryption and decryption logic, so restricting who can read and call it is a data security concern.

Prerequisites

The MaxCompute client is installed. For more information, see Install and configure the MaxCompute client.

Background information

You can use one of the following methods to manage the access permissions of users:

  • Use packages to achieve fine-grained access control.

    Packages are used for data sharing and resource authorization across projects. When a package is used for authorization, a user who holds the developer role has full permissions on all objects in the package, which can lead to uncontrolled access. For more information, see Cross-project resource access based on packages.

    • (Figure: permissions of the developer role that is defined in DataWorks.)

      By default, the developer role has full permissions on all packages, functions, resources, and tables in a workspace. This is too coarse for restricting access to a single UDF.

    • (Figure: permissions granted to a RAM user that is assigned the developer role in DataWorks.)

    Neither package-based authorization nor the DataWorks developer role can restrict a specified user to a specific UDF. For example, if you assign the developer role to the RAM user named RAM$xxxxx.pt@aliyun-test.com:ramtest, the RAM user has full permissions on all objects in the current workspace. For more information, see Authorize users.

  • Create a role in the DataWorks console to manage access permissions.

    For more information about MaxCompute projects for DataWorks workspaces, see Manage permissions on data in a MaxCompute compute engine instance.

  • Use a role policy and a project policy.

    A role policy is attached to a role and applies to every user who is assigned that role, so it carries no Principal. A project policy names the Principal in each statement. Used together, they let you grant a specified user the permissions on specific resources while denying those resources to the other users in the workspace.

    Note

    To ensure security, we recommend that you verify role and project policies in a test workspace.

You can use a role policy and a project policy together to grant access permissions on a specific UDF to a specified user. When MaxCompute evaluates policies, an explicit Deny takes precedence over an Allow, so the user who is supposed to access the UDF must not be assigned the role that carries the Deny statements.

  • To prevent a user from accessing a specific resource in a workspace, assign the developer role to the user in the DataWorks console. Then, on the MaxCompute client, create a role whose role policy denies access requests for the resource and assign that role to the user.

  • To allow a user to access a specific resource, assign the developer role to the user in the DataWorks console. Then, on the MaxCompute client, configure a project policy whose statements name the user as the Principal and allow access requests for the resource.

Procedure

  1. Create a role whose role policy denies access to the UDF named getregion and to the JAR resource that the UDF depends on.

    1. On the MaxCompute client, run the following command to create a role named denyudfrole:

      create role denyudfrole;
    2. Create a role policy file, for example role_policy.json, that contains the following content. The policy denies read and list permissions on both the JAR resource getaddr.jar and the function registration getregion; a user who can read the function but not its JAR still cannot run it, so both statements are required:

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": ["odps:Read", "odps:List"],
            "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
          },
          {
            "Effect": "Deny",
            "Action": ["odps:Read", "odps:List"],
            "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
          }
        ]
      }
    3. Attach the role policy file to the role.

      On the MaxCompute client, run the following command. Replace the path with the location of your role policy file:

      put policy /Users/yangyi/Desktop/role_policy.json on role denyudfrole;
    4. On the MaxCompute client, run the following command to view the role policy:

      get policy on role denyudfrole;

      The command returns the role policy that you attached in the previous step.

    5. On the MaxCompute client, run the following command to assign the denyudfrole role to a RAM user:

      grant denyudfrole to RAM$xxxx.pt@aliyun-test.com:ramtest;
  2. Verify that the denyudfrole role takes effect.

    1. Log on to the MaxCompute client as the RAM user to which the denyudfrole role is assigned. Then, run the whoami; command to confirm the current logon user.

    2. Run the show grants; command to check the permissions of the current logon user.

      The result indicates that the RAM user has the following two roles: role_project_dev and denyudfrole. role_project_dev is the default developer role in DataWorks.

    3. Check the permissions of the RAM user on the getregion UDF and its dependencies.

      The result indicates that the RAM user, although assigned the developer role in DataWorks, has no read permissions on the getregion UDF. You can then configure a project policy so that only a specified RAM user can access the UDF.

  3. Configure a project policy.

    1. Create a project policy file, for example project_policy.json, that contains the following content. Set the Principal in both statements to the RAM user that is allowed to use the UDF, and make sure that this user is not assigned the denyudfrole role:

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
            "Action": ["odps:Read", "odps:List", "odps:Select"],
            "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
          },
          {
            "Effect": "Allow",
            "Principal": "RAM$xxxx.pt@aliyun-test.com:yangyitest",
            "Action": ["odps:Read", "odps:List", "odps:Select"],
            "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
          }
        ]
      }
    2. Attach the project policy file to the project.

      On the MaxCompute client, run the following command. Replace the path with the location of your project policy file:

      put policy /Users/yangyi/Desktop/project_policy.json;
    3. On the MaxCompute client, run the following command to view the project policy:

      get policy;

      The command returns the project policy that you attached in the previous step.

    4. Run the whoami; command to check the current logon user. Then, run the show grants; command to check the permissions of the user.

    5. Run an SQL job that calls the UDF to check whether only the specified RAM user can access the specific UDF and its dependencies. Run the same job both as the specified RAM user and as a user who is assigned the denyudfrole role.

      • The job succeeds for the specified RAM user, which indicates that the user can access the specific UDF.

      • The specified RAM user can also read the JAR resource, which indicates that the user can access the dependencies of the UDF.

      • The job fails for a user who is assigned the denyudfrole role, which confirms that the Deny statements in the role policy take effect.
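The following Python script is an added example and is not Alibaba Cloud's code or part of this topic. It generates the two policy files from the procedure above for a given project, JAR resource, UDF and RAM user, and models how a role policy Deny and a project policy Allow combine for different users. The decision order used by the model (an explicit Deny overrides an Allow, and anything not explicitly allowed is denied), the blanket Allow that stands in for the DataWorks developer role, and the treatment of `*` in Action and Resource as a glob wildcard are assumptions made for the model, not a description of the MaxCompute evaluator. The project, JAR, UDF and RAM user names are the placeholders from this topic; other_udf and the stranger principal are constructed for the example.

```python
import fnmatch

READ_LIST = ["odps:Read", "odps:List"]
READ_LIST_SELECT = ["odps:Read", "odps:List", "odps:Select"]


def udf_resources(project, jar, udf):
    """Both objects a caller needs: the JAR resource and the function registration."""
    return [
        f"acs:odps:*:projects/{project}/resources/{jar}",
        f"acs:odps:*:projects/{project}/registration/functions/{udf}",
    ]


def build_role_policy(project, jar, udf):
    """Role policy for denyudfrole: no Principal, Deny read/list on the UDF and its JAR."""
    return {"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": READ_LIST, "Resource": r}
        for r in udf_resources(project, jar, udf)]}


def build_project_policy(principal, project, jar, udf):
    """Project policy: each statement names a Principal and allows it on both objects."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": READ_LIST_SELECT, "Resource": r}
        for r in udf_resources(project, jar, udf)]}


def _applies(stmt, principal, action, resource):
    """A statement applies when its Principal (if any), Action and Resource all match.
    Assumption: '*' in Action and Resource is a glob wildcard."""
    if "Principal" in stmt and stmt["Principal"] != principal:
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    return fnmatch.fnmatchcase(resource, stmt["Resource"])


def decide(principal, held_roles, role_policies, project_policy, action, resource):
    """Modelled decision order (assumption): explicit Deny > explicit Allow > default Deny.
    Role policies reach a user only through roles the user holds; the project policy
    reaches a user through the Principal field of each statement."""
    stmts = [s for role in held_roles for s in role_policies.get(role, {}).get("Statement", [])]
    stmts += project_policy.get("Statement", [])
    effects = {s["Effect"] for s in stmts if _applies(s, principal, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed scenario using the placeholders from this topic.
PROJECT, JAR, UDF = "sz_mc", "getaddr.jar", "getregion"
DEV = "RAM$xxxx.pt@aliyun-test.com:ramtest"         # an ordinary developer
OWNER = "RAM$yangyi.pt@aliyun-test.com:yangyitest"   # the only user allowed to use the UDF
JAR_RES, FUNC_RES = udf_resources(PROJECT, JAR, UDF)
OTHER_FUNC = f"acs:odps:*:projects/{PROJECT}/registration/functions/other_udf"  # constructed

ROLE_POLICIES = {
    # Stand-in for the DataWorks developer role: a blanket Allow on the project (assumption
    # that models "full permissions on all objects in the workspace").
    "role_project_dev": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["odps:*"], "Resource": f"acs:odps:*:projects/{PROJECT}/*"}]},
    "denyudfrole": build_role_policy(PROJECT, JAR, UDF),
}
PROJECT_POLICY = build_project_policy(OWNER, PROJECT, JAR, UDF)


def scenario():
    """Decision for each user/role combination on the function, its JAR and an unrelated UDF."""
    def d(user, roles, res):
        return decide(user, roles, ROLE_POLICIES, PROJECT_POLICY, "odps:Read", res)
    return {
        "dev_only": d(DEV, ["role_project_dev"], FUNC_RES),            # the problem: Allow
        "dev_with_deny_role": d(DEV, ["role_project_dev", "denyudfrole"], FUNC_RES),
        "dev_with_deny_role_other_udf": d(DEV, ["role_project_dev", "denyudfrole"], OTHER_FUNC),
        "owner_func": d(OWNER, [], FUNC_RES),        # the project policy alone is enough
        "owner_jar": d(OWNER, [], JAR_RES),
        "owner_with_deny_role": d(OWNER, ["denyudfrole"], FUNC_RES),   # Deny wins: never grant it
        "stranger": d("RAM$other@example.com:nobody", [], FUNC_RES),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_role_policy(PROJECT, JAR, UDF), indent=2))   # role_policy.json
    print(json.dumps(PROJECT_POLICY, indent=2))                          # project_policy.json
    for name, result in scenario().items():
        print(f"{name:30s} {result}")
```

Running the script prints the two policy documents, which can be saved as role_policy.json and project_policy.json and attached with the put policy commands above, followed by the decision table. The two rows worth checking before rolling out are owner_with_deny_role, which shows why the allowed user must not be assigned denyudfrole, and dev_with_deny_role_other_udf, which shows that the Deny statements are scoped to the named UDF and its JAR and do not disturb the developer's other permissions.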