Authorization

Last Updated: Dec 26, 2016

After a user has been added successfully (refer to Add User), the user must be granted certain privileges. Only after being granted privileges can the user carry out operations.

User authorization grants a user operating rights on MaxCompute objects (for example, tables, tasks, and resources), such as read, write, and list. This section is mainly intended for the project administrator.

If you are an ordinary MaxCompute user, make sure you have been granted sufficient privileges, and then browse this section quickly.

In this chapter, we briefly introduce ACL authorization, which is widely used.

ACL Authorization

For ACL authorization, the objects of MaxCompute include: Project, Table, Function, Resource, Instance, Task. Each object has different operating privileges. For details, please refer to ACL authorization.

ACL authorization syntax is shown as follows:

  GRANT privileges ON project_object TO project_subject
  REVOKE privileges ON project_object FROM project_subject
  privileges ::= action_item1, action_item2, ...
  project_object ::= PROJECT project_name | TABLE schema_name |
                     INSTANCE inst_name | FUNCTION func_name |
                     RESOURCE res_name | JOB job_name
  project_subject ::= USER full_username | ROLE role_name

Example: Suppose that the user bob@aliyun.com has been added to a project (here, we call the project $user_project_name) and needs to be granted the privileges to create tables, describe tables, select tables, etc. The project administrator or project owner can execute the following commands on the MaxCompute console:

  grant CreateTable on PROJECT $user_project_name to USER bob@aliyun.com;
  -- Grant the CreateTable privilege on the project $user_project_name to bob@aliyun.com.
  grant Describe on Table $user_table_name to USER bob@aliyun.com;
  -- Grant the Describe privilege on the table $user_table_name to bob@aliyun.com.
  grant Execute on Function $user_function_name to USER bob@aliyun.com;
  -- Grant the Execute privilege on the function $user_function_name to bob@aliyun.com.
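
The following linter checks a grant script against the GRANT/REVOKE grammar shown above before an administrator runs it. It is an added example, not part of the MaxCompute documentation or tooling; it checks statement shape only, not whether an action is valid for an object type, and `$role_name` and the `Select` action in the constructed sample are assumptions.

```python
import re

# Keywords taken from the ACL grammar on this page.
OBJECT_TYPES = {"PROJECT", "TABLE", "INSTANCE", "FUNCTION", "RESOURCE", "JOB"}
SUBJECT_TYPES = {"USER", "ROLE"}

STATEMENT = re.compile(
    r"^(?P<verb>GRANT|REVOKE)\s+(?P<privs>.+?)\s+ON\s+(?P<otype>\S+)\s+(?P<oname>\S+)"
    r"\s+(?P<prep>TO|FROM)\s+(?P<stype>\S+)\s+(?P<sname>\S+?)\s*;?$",
    re.IGNORECASE,
)

def parse_acl(statement):
    """Return a dict describing one GRANT/REVOKE statement, or raise ValueError."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError("does not match GRANT/REVOKE ... ON ... TO/FROM ...")
    verb, prep = m["verb"].upper(), m["prep"].upper()
    if (verb, prep) not in {("GRANT", "TO"), ("REVOKE", "FROM")}:
        raise ValueError(f"{verb} must not be used with {prep}")
    otype, stype = m["otype"].upper(), m["stype"].upper()
    if otype not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {otype}")
    if stype not in SUBJECT_TYPES:
        raise ValueError(f"unknown subject type {stype}")
    privs = [p.strip() for p in m["privs"].split(",")]
    if not all(re.fullmatch(r"\w+", p) for p in privs):
        raise ValueError("privileges must be a comma-separated list of action names")
    return {"verb": verb, "privileges": privs,
            "object": (otype, m["oname"]), "subject": (stype, m["sname"])}

def lint(script):
    """Check each non-comment line of a grant script; return (line_no, error) pairs."""
    errors = []
    for no, line in enumerate(script.splitlines(), 1):
        if not line.strip() or line.strip().startswith("--"):
            continue
        try:
            parse_acl(line)
        except ValueError as exc:
            errors.append((no, str(exc)))
    return errors

# Constructed sample script: line 2 uses "to" where the grammar requires "on".
SAMPLE = """grant CreateTable on PROJECT $user_project_name to USER bob@aliyun.com;
grant Describe to Table $user_table_name to USER bob@aliyun.com;
revoke Describe, Select on TABLE $user_table_name from ROLE $role_name;
-- comment lines are skipped
"""
```

Calling `lint(SAMPLE)` reports line 2 only; the parsed dictionaries from `parse_acl` can also be logged to keep a reviewable record of who was granted what.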

Show Grants

To view the privileges of a specified user, you can execute the following command:

  show grants for $user_name;

Notes:

  • For more details of showing grants, refer to Show Grants.