This topic describes how to enable MaxCompute security features based on Security configurations, Project data protection, and Column-level access control.
Configure the project protection rule (data protection mechanism)
Item | Description |
---|---|
Operation | Set ProjectProtection to prevent the download of data in batches to personal computers. |
Role | Project owner. |
View the feature status | To check whether project protection is enabled, run the show SecurityConfiguration; command. |
Configure the feature | Project protection is disabled by default. To enable it, run the SET ProjectProtection=true; command. If some Alibaba Cloud accounts or private accounts still require the permissions to transfer data out of the project after project protection is enabled, configure exception policies (the whitelist feature) as required. We recommend that you configure exception policies if: For projects that share data with each other, use the trusted project feature to keep data transfer between them working. If project A requires data from project B but is not a trusted project of project B, use a package to authorize project A. |
Roll back settings | To disable project protection for the current project, run the SET ProjectProtection=false; command. To remove a trusted project, run the remove trustedproject <projectname>; command. |
Enable label-based security (column-level access control)
Label-based security (LabelSecurity) is a mandatory access control (MAC) policy at the project level. It allows project administrators to control user access to sensitive data at the column level.
Item | Description |
---|---|
Operation | Enable LabelSecurity for field-level security control to take effect. By default, the LabelSecurity mechanism is disabled for projects. |
Role | Project owner. |
View the feature status | To check whether label-based security is enabled, run the show SecurityConfiguration; command. |
Configure the feature | To enable LabelSecurity, run the Set LabelSecurity=true; command. This feature is disabled by default. |
Roll back settings | To disable LabelSecurity, run the Set LabelSecurity=false; command. Before you disable LabelSecurity for a project, check whether the labels for tables in this project are also used in other projects. |
Configure the field label
Item | Description |
---|---|
Operation | MaxCompute data sensitivity is classified into the following levels: 0, 1, 2, 3, and 4. Security levels can be configured for all data tables to avoid unauthorized access. |
View the feature status | You can view the labels of MaxCompute table fields by using one of the following methods: |
Configure the feature | You can configure labels for table fields by using one of the following methods: |
Roll back settings | Change the security level back to the original level. Note: If you raise the security level of field labels, the permissions previously held by packages, production accounts, and private accounts on those fields are no longer valid. To mitigate the impact, notify the affected users before you reconfigure the labels. |
Configure a whitelist of IP addresses that are allowed to access projects
Item | Description |
---|---|
Operation | After an IP address whitelist is configured for a project, only IP addresses in the whitelist, such as the outbound IP addresses of the console or SDK, can be used to access the project. |
Role | Project owner. |
View the feature status | Run the setproject; command in the console and check the value after the equal sign (=) in odps.security.ip.whitelist=. If nothing is displayed after the equal sign, the whitelist is disabled. |
Configure the feature | Before you enable a whitelist, add the IP address of your own computer to it. Otherwise, you cannot manage the project after the whitelist takes effect. Run the setproject odps.security.ip.whitelist=xxx.xxx.xxx.xxx,xxx.xxx.x.x/xx,xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx; command on the MaxCompute client. A whitelist supports IPv6 addresses. Each comma-separated entry can be expressed as a single IP address (xxx.xxx.xxx.xxx), a CIDR block (xxx.xxx.x.x/xx), or an IP address range (xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx). The whitelist takes effect five minutes after you configure it. If you want to manage permissions at a finer granularity, use policies to grant permissions. |
Roll back settings | To clear an IP address whitelist, run the setproject odps.security.ip.whitelist=; command. When the whitelist of a project is cleared, the whitelist feature is disabled for that project. |
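The following Python checker is an added example, not MaxCompute's own code: it parses a whitelist value in the three entry forms described above (single address, CIDR block, address range, IPv4 or IPv6) and confirms that the address you administer from is covered before you run setproject, which is the lock-out mistake the table warns about. The sample whitelist and addresses are constructed.

```python
# Added example (not MaxCompute's own code): sanity-check the value of
# odps.security.ip.whitelist before applying it. Entries may be a single
# address, a CIDR block or a low-high range (IPv4 or IPv6). Run it against
# your own outbound IP first: a whitelist that omits it locks you out.
import ipaddress

# Constructed sample: one host, one CIDR block, one range, one IPv6 block.
SAMPLE_WHITELIST = "203.0.113.10, 198.51.100.0/24, 192.0.2.20-192.0.2.30, 2001:db8::/32"


def parse_whitelist(value):
    """Return networks and (low, high) address pairs parsed from the value."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:  # low-high range; IPv6 text never contains '-'
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
            entries.append((lo, hi))
        else:  # single address or CIDR; strict=False tolerates host bits set
            entries.append(ipaddress.ip_network(item, strict=False))
    return entries


def is_allowed(client_ip, entries):
    """True if client_ip falls inside any parsed whitelist entry."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if isinstance(entry, tuple):
            lo, hi = entry
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        elif entry.version == ip.version and ip in entry:
            return True
    return False


def check_before_apply(value, my_ip):
    """Return (safe_to_apply, reason) for the address you administer from."""
    entries = parse_whitelist(value)
    if not entries:  # an empty value clears the whitelist: no restriction
        return True, "empty value: whitelist feature is disabled"
    if is_allowed(my_ip, entries):
        return True, f"{my_ip} is covered; safe to apply (effective in ~5 min)"
    return False, f"{my_ip} is NOT covered; applying this would lock you out"
```

Call check_before_apply with the exact string you intend to pass to setproject and your console or SDK outbound address; a False result means the command would cut off your own access once the whitelist takes effect.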
Disable the download of the results of SELECT statements from DataWorks to a local directory
Item | Description |
---|---|
Operation | After developers analyze data by using DataWorks, the results are usually displayed in the integrated development environment (IDE) and can be downloaded. If project protection is enabled for a project and you have the read permissions on tables in the project, you can execute the SELECT statements in DataWorks and download the execution results. |
Role | DataWorks administrator. |
View the feature status | To check whether the feature of downloading SELECT results is enabled, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column. |
Configure the feature | To disable the feature of downloading SELECT results, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column. |
Roll back settings | To enable the feature of downloading SELECT results, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column. |
Improve security management by using other cloud services
You may use other cloud services alongside MaxCompute, and the security management of MaxCompute can be improved through these associated services. For example, when you use MaxCompute in the DataWorks console, you add members to projects as RAM users. This section describes how to improve security management for RAM users.
You can use MaxCompute with an Alibaba Cloud account or with the credentials of a RAM user. MaxCompute can identify RAM users but does not evaluate their RAM permissions: you can add any RAM user under your Alibaba Cloud account to a project, and when MaxCompute authenticates these RAM users it does not verify their RAM permissions. Therefore, the security management you need to improve is that of the RAM user logons themselves.
Configure password policies for RAM users
If you allow RAM users to change their logon passwords, enforce a strong password policy and specify the interval at which RAM users must change their passwords.
You can configure password policies, such as the minimum length, whether non-letter characters are required, or the change frequency, in the RAM console.
Set logon address masks for RAM users
You can configure logon address masks to specify from which IP addresses RAM users can log on to the DataWorks console.
Revoke the permissions that RAM users no longer require
When a RAM user no longer needs certain permissions because of changed work requirements, revoke those permissions promptly.