MaxCompute:Query permissions by using SDK for Java

Last Updated:Aug 04, 2023

You can use MaxCompute SDK for Java to query the permissions of a specified user or role and the permissions that are granted on a resource. The results are returned in the JSON format so that they can be processed by other tools or displayed as required. This topic describes how to query permissions by using SDK for Java and shows the JSON results for each supported query.

Prerequisites

MaxCompute Studio is installed and connected to MaxCompute projects. A MaxCompute Java module is created.

For more information about how to install MaxCompute Studio, see Install MaxCompute Studio.

For more information about how to connect MaxCompute Studio to MaxCompute projects, see Manage project connections.

For more information about how to create a MaxCompute Java module, see Create a MaxCompute Java module.

For example, a project named Project2 and a MaxCompute Java module named mc_java are created in MaxCompute Studio, as shown in the following figure.

[Figure: Project]

Background information

MaxCompute allows you to run commands to query permissions by using one of the following methods based on your business requirements:

  • Write Java scripts by using SDK for Java to display the permission query results in the JSON format. This topic describes only how to implement this method.

  • Run commands to query permissions on the MaxCompute client, in the DataWorks console, in MaxCompute Studio, or by using the query editor of MaxCompute. After you run the permission query commands, the permission query results are displayed in the command-line window.

Permissions that can be queried

MaxCompute allows you to query the following permissions by using SDK for Java:

  • Permissions of a user or role in a MaxCompute project

    • Query the permissions of a user or role on the non-shared resources in a MaxCompute project. Syntax:

      show grants for {<user_name>|<role_name>};
      • user_name: required when you query user permissions. Set the value to an Alibaba Cloud account or the account of a Resource Access Management (RAM) user. For more information about how to obtain usernames, see View users.

      • role_name: required when you query role permissions. The name of the role whose permissions you want to query. For more information about how to obtain role names, see View roles.

    • Query the permissions of a user or role on the shared resources in a MaxCompute project. Syntax:

      show grants for {<user_name>|<role_name>} privilegeproperties ("refobject"="true");
      • user_name: required when you query user permissions. Set the value to an Alibaba Cloud account or the account of a Resource Access Management (RAM) user. For more information about how to obtain usernames, see View users.

      • role_name: required when you query role permissions. The name of the role whose permissions you want to query. For more information about how to obtain role names, see View roles.

  • Permissions on a table or permissions of a role in a MaxCompute project

    • Query the ACL-based permissions on a specified table. Syntax:

      show grants on table <table_name>;

      table_name: required. The name of the table on which you want to query permissions. For more information about how to obtain table names, see Display tables and views in a project.

    • Query the policy-based permissions on a specified table. Syntax:

      show grants on table <table_name> privilegeproperties ("policy"="true");

      table_name: required. The name of the table on which you want to query permissions. For more information about how to obtain table names, see Display tables and views in a project.

    • Query the ACL-based permissions on a table in a package that is installed in a MaxCompute project. Syntax:

      show grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>");
      • table_name: required. The name of the table on which you want to query permissions. For more information about how to obtain table names, see Display tables and views in a project.

      • project_name: required. The name of the MaxCompute project from which the package was installed, that is, the project that owns the table.

    • Query the information of the users who assume a specified role. Syntax:

      show principals <role_name>;

      role_name: required. The name of the role whose members you want to list. For more information about how to obtain role names, see View roles.

For more information about the examples of how to query the preceding permissions, see Examples of query results.

Procedure

  1. Start IntelliJ IDEA. In the main menu bar, choose File > Open to open the created project, such as Project2.

  2. In the left-side navigation pane, find the directory where your MaxCompute Java module is created. Choose src > main > java, right-click the java folder, and then choose New > MaxCompute Java.

    [Figure: Create a Java script]
  3. Specify UDF as the Java class type, enter the Java class name, such as OdpsSdk, and then press Enter.

    [Figure: Name the Java class]
  4. Develop a Java program in the editor.

    The following code shows the Java syntax.

    import com.aliyun.odps.Odps;
    import com.aliyun.odps.OdpsException;
    import com.aliyun.odps.account.Account;
    import com.aliyun.odps.account.AliyunAccount;

    public class <class_name> {
        public static void main(String[] args) {
            // The AccessKey pair of an Alibaba Cloud account has permissions on all API operations.
            // Using it for MaxCompute operations is high risk. Use the AccessKey pair of a RAM user
            // for API calls and routine O&M instead. To create a RAM user, log on to the RAM console.
            // In this example, the AccessKey ID and AccessKey secret are read from environment
            // variables. You can also load them from a configuration file. Do not hard-code them
            // in the source, or the AccessKey pair may be leaked.
            Account account = new AliyunAccount(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                                                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
            Odps odps = new Odps(account);
            odps.setEndpoint("<endpoint>");
            odps.setDefaultProject("<project_name>");

            try {
                // true: return the result as JSON instead of the command-line text format.
                String out = odps.projects().get("<project_name>").getSecurityManager()
                                 .runQuery("<SQL>", true);
                // An empty JSON object ({}) means the query succeeded and no grants were found.
                System.out.println("out: " + out);
            } catch (OdpsException e) {
                // Handle the exception, for example by logging e.getMessage().
                e.printStackTrace();
            }
        }
    }
    • class_name: required. The name of the Java class that you create. The value must be the same as the name that you entered in Step 3.

    • ALIBABA_CLOUD_ACCESS_KEY_ID: required. The environment variable that holds the AccessKey ID of the Alibaba Cloud account or RAM user that accesses the MaxCompute project. You can obtain the AccessKey ID from the Security Management page. We recommend that you use a RAM user that has only the permissions it needs.

    • ALIBABA_CLOUD_ACCESS_KEY_SECRET: required. The environment variable that holds the AccessKey secret that corresponds to the AccessKey ID. You can obtain the AccessKey secret from the Security Management page.

    • endpoint: required. The endpoint of MaxCompute. Set this parameter based on the region where the MaxCompute project resides. For more information about endpoints, see Endpoints.

    • project_name: required. The name of the MaxCompute project.

    • SQL: required. The SQL statement that is used to query permissions. For more information about the syntax of SQL statements, see Permissions that can be queried.

    The following example shows the Java script.

    import com.aliyun.odps.Odps;
    import com.aliyun.odps.OdpsException;
    import com.aliyun.odps.account.Account;
    import com.aliyun.odps.account.AliyunAccount;

    public class OdpsSdk {

        public static void main(String[] args) {
            // Use the AccessKey pair of a RAM user, not of the Alibaba Cloud account, and read it
            // from environment variables instead of hard-coding it in the source.
            Account account = new AliyunAccount(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                                                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
            Odps odps = new Odps(account);
            odps.setEndpoint("http://service.cn-hangzhou.maxcompute.aliyun.com/api");
            odps.setDefaultProject("doc_test_dev");

            try {
                // true: return the result as JSON instead of the command-line text format.
                String out = odps.projects().get("doc_test_dev").getSecurityManager()
                                 .runQuery("show grants for ALIYUN$****@test.aliyunid.com;", true);
                // An empty JSON object ({}) means the query succeeded and the user has no grants.
                System.out.println("out: " + out);
            } catch (OdpsException e) {
                // Handle the exception, for example by logging e.getMessage().
                e.printStackTrace();
            }
        }
    }
  5. In the left-side navigation pane, find the Java class that you created. Right-click the Java class and choose Run 'class_name.main()' to run the program.

    [Figure: Run the script]
  6. View the permission query results in the script output section at the lower part of IntelliJ IDEA.

    [Figure: Run result]

Examples of query results

  • Permissions of a user or role in a MaxCompute project

    • Example 1: Query the permissions of a user or role on the non-shared resources in a MaxCompute project.

      Sample SQL statement: show grants for ALIYUN$odpstest2@aliyun.com;

      The following code shows the output in the command-line window.

      # The role that is assigned to ALIYUN$odpstest2@aliyun.com. 
      [roles]        
      r1
      
      # The ACL-based permissions that are assigned to ALIYUN$odpstest2@aliyun.com. 
      Authorization Type: ACL            
      [user/ALIYUN$odpstest2@aliyun.com]
      A    projects/new_priv_prj_1: All
      A    projects/new_priv_prj_1/tables/test_1: All
      
      # The policy-based permissions that are assigned to ALIYUN$odpstest2@aliyun.com. 
      Authorization Type: Policy        
      [role/r1]
      # A in AC indicates Allow, and C in AC indicates authorization with a condition. If D appears, it means Deny. 
      AC    projects/new_priv_prj_1/tables/test2: Select  
      
      # The table created by ALIYUN$odpstest2@aliyun.com. 
      Authorization Type: ObjectCreator 
      # A in AG indicates Allow, and G in AG indicates Grant. 
      AG    projects/new_priv_prj_1/tables/user_t: All   

      The following code shows the JSON-formatted output generated by an SDK:

      {
          "ACL": {"user/ALIYUN$odpstest2@aliyun.com": [{
                      "Action": ["All"],
                      "Effect": "",
                      "Resource": ["acs:odps:*:projects/new_priv_prj_1/tables/test_1"]},
                  {
                      "Action": ["All"],
                      "Effect": "",
                      "Resource": ["projects/new_priv_prj_1"]}]},
          "POLICY": {"role/r1": [{
                      "Action": ["odps:Select"],
                      "Condition": {"IpAddress": {"acs:SourceIp": ["10.10.10.10",
                                  "10.10.10.10/4"]}},
                      "Effect": "Allow",
                      "Resource": ["acs:odps:*:projects/new_priv_prj_1/tables/test2"]}]},
          "SuperPrivs": []
      }
    • Example 2: Query the permissions of a user or role on the shared resources in a MaxCompute project.

      Sample SQL statement: show grants for ALIYUN$odpstest2@aliyun.com privilegeproperties ("refobject" = "true");

      The following code shows the output in the command-line window.

      # The roles that are assigned to ALIYUN$odpstest2@aliyun.com. 
      [roles]   
      r1
      # The permissions that are assigned to ALIYUN$odpstest2@aliyun.com on the shared resources. 
      Authorization Type: InstalledObjecACL  
      [pkg1_prj1_1]
      A    projects/new_priv_prj_2/tables/prj2_tb1: Select

      The following code shows the JSON-formatted output generated by an SDK:

      {"SharedObjectACL": {"pkg1_prj1_1": [{
                      "Action": ["Select"],
                      "Effect": "",
                      "Resource": ["acs:odps:*:projects/new_priv_prj_2/tables/prj2_tb1"]}]}}
  • Query the permissions on a specified table or permissions of a role in a MaxCompute project

    • Example 1: Query the ACL-based permissions on a specified table.

      Sample SQL statement: show grants on table test_1;

      The following code shows the output in the command-line window.

      # Implicit permissions: the project owner and the creator of the test_1 table hold all permissions on it. 
      Authorization Type: Implicit  
      AG    project_owner/ALIYUN$odpstest1@aliyun.com: All
      AG    object_creator/ALIYUN$odpstest1@aliyun.com: All
      
      # The users who are granted permissions on the test_1 table by using an ACL. 
      Authorization Type: ACL   
      A    user/ALIYUN$odpstest2@aliyun.com: All

      The following code shows the JSON-formatted output generated by an SDK:

      {"ACL": {"": [{
                      "Action": ["All"],
                      "Effect": "",
                      "Principal": ["user/ALIYUN$odpstest2@aliyun.com"]}]}}
    • Example 2: Query the policy-based permissions on a specified table.

      Sample SQL statement: show grants on table test2 privilegeproperties ("policy" = "true");

      The following code shows the output in the command-line window.

      # Implicit permissions: the project owner holds all permissions on the test2 table. 
      Authorization Type: Implicit
      AG    project_owner/: All
      
      # The role to which permissions on the test2 table are granted by using policy-based access control. 
      Authorization Type: Policy  
      [role/r1]

      The following code shows the JSON-formatted output generated by an SDK:

      {"POLICY": {"role/r1": [{
                      "Action": ["odps:Select"],
                      "Condition": {"IpAddress": {"acs:SourceIp": ["10.10.10.10",
                                  "10.10.10.10/4"]}},
                      "Effect": "Allow",
                      "Resource": ["acs:odps:*:projects/new_priv_prj_1/tables/test2"]}]}}
    • Example 3: Query the ACL-based permissions on a table in a package that is installed in a MaxCompute project.

      Sample SQL statement: show grants on table prj2_tb1 privilegeproperties ("refobject" = "true", "refproject"="new_priv_prj_2");

      The following code shows the output in the command-line window.

      # Implicit permissions: the project owner holds all permissions on the prj2_tb1 table. 
      Authorization Type: Implicit
      AG    project_owner/: All
      
      Authorization Type: InstalledObjecACL
      # The name of the package. 
      [pkg1_prj1_1]
      # The user to whom permissions on the table in the package are granted through an ACL. 
      A    user/ALIYUN$odpstest2@aliyun.com: Select

      The following code shows the JSON-formatted output generated by an SDK:

      {"SharedObjectACL": {"pkg1_prj1_1": [{
                      "Action": ["Select"],
                      "Effect": "",
                      "Principal": ["user/ALIYUN$odpstest2@aliyun.com"]}]}}
    • Example 4: Query the users to whom a role is assigned.

      Sample SQL statement: show principals r1;

      The following code shows the output in the command-line window.

      # The user to whom the role is assigned. 
      ALIYUN$odpstest2@aliyun.com

      The following code shows the JSON-formatted output generated by an SDK:

      ["ALIYUN$odpstest2@aliyun.com"]
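The JSON that runQuery returns is meant to be consumed by other tooling, for example a periodic access review. The following Python script is an added example and is not part of this topic or of the MaxCompute SDK. It parses the result shapes shown in the examples above (the sample documents are copied from them), normalizes the two spellings of Resource that appear in the output (with and without the acs:odps:*: prefix), and flags grants that a reviewer would want to check: super privileges, wildcard actions, project-wide grants, and policy conditions whose source-IP range hardly restricts anything (the 10.10.10.10/4 entry in Example 1 normalizes to 0.0.0.0/4). The record layout, the thresholds, and the function names (load_grants, find_risky_grants, audit) are this example's own assumptions. Note that the result of show grants on table does not echo the table name, so the caller has to supply it.

```python
"""Added example (not MaxCompute SDK code): post-process the JSON returned by
SecurityManager.runQuery("show grants ...", true) and flag grants worth a review.
Result shapes and sample documents come from the examples in this topic; the
thresholds and the record layout are this example's own assumptions."""
import ipaddress
import json
import re

ARN_PREFIX = "acs:odps:*:"   # some Resource entries carry this prefix, some do not
BROAD_PREFIX_LEN = 16        # assumption: an IPv4 source range wider than /16 is suspicious

# Sample result of `show grants for ALIYUN$odpstest2@aliyun.com;` (copied from Example 1 above).
USER_GRANTS = """{"ACL": {"user/ALIYUN$odpstest2@aliyun.com": [
    {"Action": ["All"], "Effect": "", "Resource": ["acs:odps:*:projects/new_priv_prj_1/tables/test_1"]},
    {"Action": ["All"], "Effect": "", "Resource": ["projects/new_priv_prj_1"]}]},
  "POLICY": {"role/r1": [
    {"Action": ["odps:Select"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.10.10.10", "10.10.10.10/4"]}},
     "Effect": "Allow", "Resource": ["acs:odps:*:projects/new_priv_prj_1/tables/test2"]}]},
  "SuperPrivs": []}"""
# Sample result of `show grants on table test_1;` (copied from above). The table is not echoed.
TABLE_ACL = """{"ACL": {"": [{"Action": ["All"], "Effect": "",
    "Principal": ["user/ALIYUN$odpstest2@aliyun.com"]}]}}"""
# Sample result of `show grants on table prj2_tb1 privilegeproperties ("refobject"="true", ...)`.
TABLE_SHARED = """{"SharedObjectACL": {"pkg1_prj1_1": [{"Action": ["Select"], "Effect": "",
    "Principal": ["user/ALIYUN$odpstest2@aliyun.com"]}]}}"""


def normalize_resource(resource):
    """Strip the optional ARN prefix so both spellings of a resource compare equal."""
    return resource[len(ARN_PREFIX):] if resource.startswith(ARN_PREFIX) else resource


def flatten_grants(doc, object_path=None, queried_subject=None):
    """Flatten one runQuery result into records (section, subject, via, resource, action, effect, condition).

    ACL, POLICY and SharedObjectACL map a key to a list of statements. The key is a user/... or
    role/... subject for `show grants for`, a package name for SharedObjectACL, or "" for
    `show grants on table`, whose statements carry Principal instead of Resource (object_path
    names the queried table). SuperPrivs is a flat list of privilege names.
    """
    records = []
    for section, body in doc.items():
        if section == "SuperPrivs":
            records += [{"section": section, "subject": queried_subject, "via": None, "resource": None,
                         "action": str(p), "effect": "Allow", "condition": None} for p in body]
            continue
        for key, statements in body.items():
            for stmt in statements:
                effect = stmt.get("Effect") or "Allow"      # ACL output leaves Effect empty: it is an allow
                via = key if section == "SharedObjectACL" else None   # package the grant came through
                if "Principal" in stmt:                      # `show grants on table <t>`
                    subjects = stmt["Principal"]
                    resources = [object_path or "<object not echoed>"]
                else:                                        # `show grants for <principal>`
                    subjects = [queried_subject or key] if via else [key]
                    resources = [normalize_resource(r) for r in stmt["Resource"]]
                records += [{"section": section, "subject": s, "via": via, "resource": r, "action": a,
                             "effect": effect, "condition": stmt.get("Condition")}
                            for s in subjects for r in resources for a in stmt["Action"]]
    return records


def source_ip_too_broad(condition):
    """True if an acs:SourceIp condition admits an IPv4 range wider than /BROAD_PREFIX_LEN."""
    for cidr in (condition or {}).get("IpAddress", {}).get("acs:SourceIp", []):
        net = ipaddress.ip_network(cidr, strict=False)    # "10.10.10.10/4" normalizes to 0.0.0.0/4
        if net.version == 4 and net.prefixlen < BROAD_PREFIX_LEN:
            return True
    return False


def find_risky_grants(records):
    """Return (reason, record) pairs for grants a reviewer should look at."""
    findings = []
    for rec in records:
        action = rec["action"].lower()
        action = action[len("odps:"):] if action.startswith("odps:") else action
        if rec["section"] == "SuperPrivs":
            findings.append(("super privilege", rec))
            continue
        if rec["effect"] != "Allow":
            continue                                         # Deny statements narrow access
        if action in ("all", "*"):
            findings.append(("wildcard action", rec))
        if rec["resource"] and re.fullmatch(r"projects/[^/]+", rec["resource"]):
            findings.append(("project-wide grant", rec))
        if rec["section"] == "POLICY" and source_ip_too_broad(rec["condition"]):
            findings.append(("overly broad source-IP condition", rec))
    return findings


def load_grants(json_text, **kwargs):
    """Parse the String returned by runQuery(..., true) into flat records."""
    return flatten_grants(json.loads(json_text), **kwargs)


def audit(json_text, **kwargs):
    """Parse one runQuery result and return its findings."""
    return find_risky_grants(load_grants(json_text, **kwargs))


if __name__ == "__main__":
    for reason, rec in audit(USER_GRANTS, queried_subject="user/ALIYUN$odpstest2@aliyun.com"):
        print(f"{reason:32} {rec['subject']} {rec['action']} on {rec['resource']}")
```

Write the String that the Java program prints to a file and pass its contents to audit(); for show grants on table results, pass object_path so that the flattened records name the table the grant applies to. The thresholds are deliberately simple: an access review that knows its own environment will tighten or extend them.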