After a user has been added successfully (refer to Add User), the user must be granted certain privileges. Only after being granted privileges can the user carry out operations.
User authorization grants a user operating rights on MaxCompute objects (for example, tables, tasks, and resources); these rights include read, write, list, and so on. This section is mainly intended for project administrators.
If you are an ordinary MaxCompute user, make sure you have been granted sufficient privileges; you can then skim this section.
In this chapter, we briefly introduce ACL authorization, which is widely used.
For ACL authorization, the objects of MaxCompute include: Project, Table, Function, Resource, Instance, Task. Each object type has its own set of operating privileges. For details, please refer to ACL authorization.
ACL authorization syntax is shown as follows:
GRANT privileges ON project_object TO project_subject
REVOKE privileges ON project_object FROM project_subject
privileges ::= action_item1, action_item2, ...
project_object ::= PROJECT project_name | TABLE schema_name |
                   INSTANCE inst_name | FUNCTION func_name |
                   RESOURCE res_name | JOB job_name
project_subject ::= USER full_username | ROLE role_name
Example: Suppose that the user email@example.com has been added to a project (here called $user_project_name) and needs to be granted the privileges to create tables, describe tables, select tables, and so on. The project administrator or project owner can execute the following commands on the MaxCompute console:
grant CreateTable on PROJECT $user_project_name to USER firstname.lastname@example.org;
-- Grant 'Create Table' privilege of project "$user_project_name" to email@example.com.
grant Describe on Table $user_table_name to USER firstname.lastname@example.org;
-- Grant 'Describe' privilege of the table '$user_table_name' to email@example.com.
grant Execute on Function $user_function_name to USER firstname.lastname@example.org;
-- Grant 'Execute' privilege of the function '$user_function_name' to email@example.com.
To view the privileges of a specified user, execute the following command:
show grants for $user_name;
For more details on showing grants, refer to Show Grants.
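When reviewing an authorization script before running it, the GRANT/REVOKE grammar above can be checked mechanically. The following is an added example, not MaxCompute's own code: it parses each statement against that grammar, reports lines that do not fit (such as TO written where ON is required), and replays the rest to show which privileges each subject still holds. The function names, the sample script and all names in it are assumptions made for illustration.

```python
import re

# Keywords from the GRANT/REVOKE grammar above.
OBJECT_TYPES = "PROJECT|TABLE|INSTANCE|FUNCTION|RESOURCE|JOB"
SUBJECT_TYPES = "USER|ROLE"
STATEMENT = re.compile(
    r"^(?P<verb>GRANT|REVOKE)\s+(?P<privs>\w+(?:\s*,\s*\w+)*)\s+ON\s+"
    r"(?P<otype>" + OBJECT_TYPES + r")\s+(?P<oname>\S+)\s+(?P<prep>TO|FROM)\s+"
    r"(?P<stype>" + SUBJECT_TYPES + r")\s+(?P<sname>\S+)$",
    re.IGNORECASE,
)

# Constructed sample script; project, table, function and user names are placeholders.
SAMPLE = """\
grant CreateTable, Describe on PROJECT demo_project to USER alice@example.com;
grant Describe to Table demo_table to USER alice@example.com;  -- TO instead of ON
revoke CreateTable on PROJECT demo_project from USER alice@example.com;
grant Execute on FUNCTION demo_func to ROLE analyst;
"""

def parse_acl(statement):
    """Parse one statement; raise ValueError if it does not fit the grammar."""
    m = STATEMENT.match(statement.strip().rstrip(";").strip())
    if not m:
        raise ValueError("not a valid GRANT/REVOKE statement: %r" % statement)
    verb, prep = m["verb"].upper(), m["prep"].upper()
    if (verb, prep) not in (("GRANT", "TO"), ("REVOKE", "FROM")):
        raise ValueError("%s used with %s" % (verb, prep))
    privs = {p.strip().lower() for p in m["privs"].split(",")}
    return verb, privs, (m["stype"].upper(), m["sname"]), (m["otype"].upper(), m["oname"])

def effective_grants(script):
    """Replay a script in order; return ({(subject, object): privileges}, errors)."""
    state, errors = {}, []
    for lineno, line in enumerate(script.splitlines(), 1):
        line = line.split("--", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        try:
            verb, privs, subject, obj = parse_acl(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        held = state.setdefault((subject, obj), set())
        if verb == "GRANT":
            held |= privs
        else:
            held -= privs
    return state, errors
```

The result reflects only what the script itself would change; the privileges actually in force on the project are what `show grants` reports.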