This topic describes how to enable MaxCompute security features based on Project security configurations, Project data protection, and Column-level access control.

Configure the project protection rule (data protection mechanism)

Project data protection is mainly used to prevent the transfer of data out of a project.
Item Description
Operation Set ProjectProtection to prevent the download of data in batches to personal computers.
Role Project owner.
View the feature status To check whether project protection is enabled, run the show SecurityConfiguration; command.
Configure the feature Project protection is disabled by default. You can use one of the following methods to enable project protection:
  • Log on to the DataWorks console and choose MaxCompute Management > Basic Settings > Protect workspace data.
  • In MaxCompute, run the SET ProjectProtection=true [WITH EXCEPTION <policyFile>]; command.

If some Alibaba Cloud accounts or private accounts require the permissions to transfer data out of projects after project protection is enabled, you can configure exception policies (whitelist feature) as required.

We recommend that you configure exception policies if:
  • Alibaba Cloud accounts or IP addresses of application systems require data transfer permissions.
  • A private account requires permissions to download specific tables.
You can use the trusted project feature to ensure smooth data transfer for projects that share data with each other.
  • To view all the trusted projects of the current project, run the list trustedprojects; command.
  • To add a trusted project to the current project, run the add trustedproject <projectname>; command.
  • To remove a trusted project from the current project, run the remove trustedproject <projectname>; command.

If project A requires data from project B but it is not a trusted project of project B, use a package to authorize project A.

Roll back settings

To disable project protection for the current project, run the SET ProjectProtection=false; command.

To remove a trusted project, run the remove trustedproject <projectname>; command.

Enable label-based security (column-level access control)

Label-based security (LabelSecurity) is a mandatory access control (MAC) policy at the project level. It allows project administrators to control user access to sensitive data at the column level.

Item Description
Operation Enable LabelSecurity for field-level security control to take effect. By default, the LabelSecurity mechanism is disabled for projects.
Role Project owner.
View the feature status To check whether label-based security is enabled, run the show SecurityConfiguration; command.
Configure the feature To enable LabelSecurity, run the Set LabelSecurity=true; command. This feature is disabled by default.
Roll back settings To disable LabelSecurity, run the Set LabelSecurity=false; command. Before you disable LabelSecurity for a project, check whether the labels for tables in this project are also used in other projects.

Configure the field label

Item Description
Operation MaxCompute data sensitivity is classified into the following levels: 0, 1, 2, 3, and 4. Security levels can be configured for all data tables to avoid unauthorized access.
View the feature status You can view the labels of MaxCompute table fields by using one of the following methods:
  • Run the DESCRIBE <tablename>; command.
  • View field information in the table details on the data management page of DataWorks.
Configure the feature You can configure labels for table fields by using one of the following methods:
  • Method 1 (recommended)

    On the data management page of DataWorks, create a table or edit the field information in an existing table.

    Note The label of a field is visible on the data management page only when LabelSecurity of a project is set to true.
  • Method 2

    Run the SET LABEL <number> TO TABLE tablename[(column_list)]; command. The value of <number> ranges from 0 to 4.

    Examples:
    • To set the label of the t1 table to 1, run the SET LABEL 1 TO TABLE t1; command.
    • To set the labels of the mobile and addr columns in the t1 table to 2, run the SET LABEL 2 TO TABLE t1(mobile, addr); command.
    • To set the label of the t1 table to 3, run the SET LABEL 3 TO TABLE t1; command. In this case, the labels of both the mobile and addr columns are still 2.
    Note If you configure labels by using the CLI, the labels of table fields cannot be updated to the data management page of DataWorks. Therefore, we recommend that you configure labels for table fields in DataWorks.
Roll back settings Change the security level back to the original level.
Note If you reconfigure labels for fields to make them more secure, the original permissions owned by packages, production accounts, and private accounts are no longer valid. To mitigate these impacts, you must notify the involved users before reconfiguration.

Configure a whitelist of IP addresses that are allowed to access projects

Item Description
Operation After an IP address whitelist is configured for a project, only IP addresses, such as the outbound IP addresses of the console or SDK, in the whitelist can be used to access the project.
Note
  • The whitelist takes effect on all the users of the project, which includes your Alibaba Cloud account.
  • The whitelist is not suitable for servers that run DataWorks. If your server runs DataWorks, you can submit MaxCompute tasks by using DataWorks even though the IP address of your server is not included in the whitelist.
Role Project owner.
View the feature status

To view the status, run the setproject; command in the console and then check the information after the equal sign (=) in odps.security.ip.whitelist=;. If no information is displayed after the equal sign (=), the whitelist is disabled.

Configure the feature

Before you enable a whitelist, you must add the IP address of your computer to it. Otherwise, you cannot manage the project after the whitelist takes effect.

Run the setproject odps.security.ip.whitelist=xxx.xxx.xxx.xxx,xxx.xxx.x.x/xx,xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx; command on the MaxCompute client.

A whitelist supports IPv6 addresses. The IP addresses in a whitelist can be expressed in one of the following ways:
  • IP addresses, for example, 101.132.236.134 and FE80:0202:B3FF:FE1E:8329
  • Subnet masks, for example, 100.116.0.0/16 and FE80:0101:4567:F456:0202:B3FF:1111:1111/126
  • CIDR blocks, for example, 101.132.236.134-101.132.236.144 and FE80:0101:4567:F456:0202:B3FF:FE1E:8330-FE80:0101:4567:F456:0202:B3FF:FE1E:8331

The whitelist takes effect five minutes after you configure it. If you want to manage permissions at finer levels, you can use policies to grant permissions.

Roll back settings To clear an IP address whitelist, run the setproject odps.security.ip.whitelist=; command. When a whitelist is cleared for a project, the whitelist feature is disabled for the project in MaxCompute.

Disable the download of the results of SELECT statements from DataWorks to a local directory

Item Description
Operation After developers analyze data by using DataWorks, the results are usually displayed in the integrated development environment (IDE) and can be downloaded. If project protection is enabled for a project and you have the read permissions on tables in the project, you can execute the SELECT statements in DataWorks and download the execution results.
Role DataWorks administrator.
View the feature status To check whether the feature of downloading SELECT results is enabled, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column.
Configure the feature To disable the feature of downloading SELECT results, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column.
Roll back settings To enable the feature of downloading SELECT results, log on to the DataWorks console and click Workspaces. On the page that appears, find a workspace and click Workspace Settings in the Actions column.

Improve security management by using other cloud services

You may use other cloud services while you use MaxCompute. Therefore, you can improve the security management of MaxCompute by using other associated cloud services. For example, when you use MaxCompute in the DataWorks console, you need to use RAM users to add members to projects. This section describes how to improve security management by using RAM users.

You can use MaxCompute by using an Alibaba Cloud account or the credentials of a RAM users. MaxCompute can identify RAM users but cannot identify their permissions, which allows you to add any RAM user under your Alibaba Cloud account to this project. When MaxCompute authenticates these RAM users, it does not verify their permissions. Therefore, you only need to improve security management for the logons of RAM users.

Configure password policies for RAM users

If you allow RAM users to change the logon passwords, strong password policies are required and the intervals at which RAM users can change their passwords must be specified.

You can configure password policies, such as the minimum length, whether non-letter characters are required, or the change frequency, in the RAM console.

Set logon address masks for RAM users

You can configure logon address masks to specify from which IP addresses RAM users can log on to the DataWorks console.

Revoke the permissions that RAM users no longer require

When the permissions of a RAM user are no longer used because of changes in work requirements, you need to revoke these permissions promptly.