All users, except the project owner, must be added to a MaxCompute project and granted the related permissions to manage data, jobs, resources, and functions in MaxCompute. This topic describes how a project owner can add, delete, and authorize other users, such as Alibaba Cloud accounts and RAM users.

If you are a project owner, we recommend that you read this topic carefully. If you are a common user, we recommend that you submit an application to the project owner to join the project and read the related content.

The operations described in this topic are performed on the MaxCompute client.

Add an Alibaba Cloud account

If the project owner Alice decides to authorize another user, Alice must first add the user to the project. Only users that have been added to the project can be authorized.

Run the following command to add a user:
add user username;
username can be an Alibaba Cloud account or a RAM user of the Alibaba Cloud account that runs this command. Example:
add user ALIYUN$odps_test_user@aliyun.com;
add user RAM$ram_test_user;
Assume that the Alibaba Cloud account of Alice is alice@aliyun.com. After Alice runs the preceding commands, she verifies that the users have been added.
list users;
-- The following output indicates that the Alibaba Cloud account odps_test_user@aliyun.com and the RAM user ram_test_user of alice@aliyun.com have been added to the project.
RAM$alice@aliyun.com:ram_test_user
ALIYUN$odps_test_user@aliyun.com

Add a RAM user

You can add a RAM user by using one of the following methods:
  • Use DataWorks to add a RAM user. For more information, see Prepare a RAM user.
  • Run the following command to add a RAM user on the MaxCompute client:
    add accountprovider ram;
    OK
    After the RAM account system is added, the project owner can run the following command to list the account systems supported by the project and check that RAM appears among them:
    list accountproviders;
    Note
    • MaxCompute only allows an Alibaba Cloud account to add its own RAM users to the project. Therefore, when you run the adduser command, you do not need to specify the Alibaba Cloud account of the RAM user. By default, the account that is used to run this command is the Alibaba Cloud account of the RAM user.
    • MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.

Add a RAM role

To use a RAM role in MaxCompute, perform the following steps:
  1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service.

    Assume that the name of the created RAM role is vuser1.

  2. Define the policy attached to the RAM role. For more information, see Edit the trust policy of a RAM role.
    Subsequent operations need to be performed on DataWorks. Therefore, you must authorize the RAM role to DataWorks so that you can submit periodic scheduling jobs to MaxCompute on DataWorks. Example of a trust policy:
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "dataworks.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  3. Add the RAM role to a MaxCompute project. You can use one of the following methods:
    • Method 1: Use the MaxCompute client (odpscmd) or log on to the MaxCompute console (query editor) and run the following command in the MaxCompute project:
      add user `RAM$<Alibaba Cloud account>:role/RAM role name`;
      For example, to add the RAM role vuser1 of the Alibaba Cloud account abc@example.com so that it can be authorized in the project, run the following command: add user RAM$abc@example.com:role/vuser1;

      You can run the list users; command to check whether the RAM role has been added to the MaxCompute project.

    • Method 2: Log on to the MaxCompute console. On the Project management tab, find your project and click Member management in the Actions column to go to the Member management page. Add the RAM role to the project. For more information about how to add members on the Member management page, see Add workspace members.

Authorize an Alibaba Cloud account

After a user is added to a project, the project owner or project administrator must authorize the user. The user can perform operations in the project only after it is authorized.

MaxCompute provides multiple policies, such as authorization, cross-project resource sharing, and project resource protection. This topic describes two common scenarios. For more information, see Authorization.
  • Scenario 1: Jack is the administrator of project prj1. A new user Alice with the Alibaba Cloud account alice@aliyun.com applies to be added to prj1 and requires the permissions to view tables, submit jobs, and create tables.
    Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client:
    -- Enter prj1.
    use prj1; 
    -- Add Alice to the project. 
    add user aliyun$alice@aliyun.com; 
    -- Grant required permissions to Alice.
    grant List, CreateTable, CreateInstance on project prj1 to user aliyun$alice@aliyun.com; 
  • Scenario 2: The Alibaba Cloud account bob@aliyun.com has been added to a project named $user_project_name. It must be granted the permissions to create tables, obtain table information, and execute functions.
    Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client:
    -- Grant bob@aliyun.com the CreateTable permission to create tables in the project named $user_project_name.
    grant CreateTable on PROJECT $user_project_name to USER ALIYUN$bob@aliyun.com;
    -- Grant bob@aliyun.com the Describe permission to obtain information from the table named $user_table_name.  
    grant Describe on Table $user_table_name to USER ALIYUN$bob@aliyun.com;
    -- Grant bob@aliyun.com the Execute permission to execute the function named $user_function_name. 
    grant Execute on Function $user_function_name to USER ALIYUN$bob@aliyun.com;  

Authorize a RAM user

Grant the RAM user Alice of the Alibaba Cloud account bob@aliyun.com the Describe permission on the table src.
  1. View the account systems supported by the project.
    list accountproviders;
    -- Return result:
    ALIYUN, RAM

    The output shows that the RAM account system is supported by the project, which means that you can add RAM users to this project. If RAM users are not supported, run the add accountprovider ram; command to add support for the RAM account system.

  2. Add a RAM user to the project and grant the Describe permission on the src table to the user:
    add user ram$bob@aliyun.com:Alice;
    -- Return result:
    OK: DisplayName=RAM$bob@aliyun.com:Alice
    -- Authorize a RAM user.
    grant Describe on table src to user ram$bob@aliyun.com:Alice;
    -- Return result:
    OK
Note
  • For more information about how to obtain the AccessKey ID and AccessKey secret of a RAM user, see Create a RAM user.
  • For more information about authorizing a user, see Authorize users.

Remove an Alibaba Cloud account

When a user leaves a project, the user must be removed from the project. After the user is removed, the user no longer has the permission to access resources in the project.

You can run the following command to remove a user, where username is the same principal name that was used when the user was added:
remove user username;
Note
  • Before you remove a user who has been assigned a role, you must first revoke the role. For more information about roles, see Manage roles.
  • After a user is removed, permissions related to the user are retained. If the user is added to the project again, the user's historical access permissions will be activated again.
  • MaxCompute does not support complete removal of a user and the related authorization data.
Example:
-- Remove users.
remove user ALIYUN$odps_test_user@aliyun.com;
remove user RAM$ram_test_user;
-- Check whether the users are removed. If these two accounts no longer appear in the output, they have been removed from the project.
list users;

Remove a RAM user

  • Run the removeuser command to remove a RAM user of an Alibaba Cloud account.
    -- Revoke the permissions of RAM user Alice.
    odps@ ****>revoke describe on table src from user ram$bob@aliyun.com:Alice;
    OK
    -- Remove the RAM user.
    odps@ ****>remove user ram$bob@aliyun.com:Alice;
    Confirm to "remove user ram$bob@aliyun.com:Alice;" (yes/no)? yes
    OK
  • Run the removeaccountprovider command to remove the RAM account system from the current project. The command must be executed by the project owner.
    -- Remove the RAM account system.
    odps@ ****>remove accountprovider ram;
    Confirm to "remove accountprovider ram;" (yes/no)? yes
    OK
    -- Check whether the removal is successful.
    odps@ ****>list accountproviders;
    ALIYUN
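The commands in the authorization and removal sections above follow a small set of rules: a principal is written as ALIYUN$<account>, RAM$<user>, RAM$<account>:<user> or RAM$<account>:role/<role>; RAM principals can only be added once the RAM account system is enabled; and, because remove user keeps a user's grants, an offboarding should revoke roles and grants before the removal and then confirm the principal is gone from list users. The following Python helper, added here as an example and not part of the MaxCompute documentation or client, encodes those rules: it parses principal names, generates the onboarding commands for a least-privilege grant list (scenarios 1 and 2 above), generates the matching offboarding commands, and checks constructed list users output. It assumes only the command forms shown on this page; the role-revocation syntax revoke <role> from user <principal>; is an assumption not shown here.

```python
"""Compose and check MaxCompute user-management commands.

Added example, not code from the MaxCompute documentation or client. It relies
only on the command forms shown in this topic (add accountprovider, add user,
grant, revoke, remove user, list users). The role-revocation syntax
"revoke <role> from user <principal>;" is an assumption not shown on the page.
"""
import re
from dataclasses import dataclass

# Principal spellings used on this page. The ALIYUN$/RAM$ prefix is accepted in
# any case (the page writes both aliyun$ and ALIYUN$); names are kept as given.
_ALIYUN_RE = re.compile(r"^ALIYUN\$(?P<account>[^:\s]+)$", re.IGNORECASE)
_RAM_RE = re.compile(
    r"^RAM\$(?:(?P<account>[^:\s]+):)?(?P<sub>role/[^\s/:]+|[^\s/:]+)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Principal:
    kind: str      # "aliyun", "ram_user" or "ram_role"
    account: str   # owning Alibaba Cloud account; "" means the account running the client
    name: str      # RAM user or role name; "" for an Alibaba Cloud account

    def __str__(self) -> str:
        if self.kind == "aliyun":
            return f"ALIYUN${self.account}"
        owner = f"{self.account}:" if self.account else ""
        if self.kind == "ram_user":
            return f"RAM${owner}{self.name}"
        return f"RAM${owner}role/{self.name}"

    def qualified(self, current_account: str) -> "Principal":
        """RAM$<user> (no account) is printed by 'list users;' as RAM$<account>:<user>."""
        if self.kind != "aliyun" and not self.account:
            return Principal(self.kind, current_account, self.name)
        return self


def parse_principal(text: str) -> Principal:
    """Parse a principal string into its parts; anything else is rejected."""
    text = text.strip()
    m = _ALIYUN_RE.match(text)
    if m:
        return Principal("aliyun", m.group("account"), "")
    m = _RAM_RE.match(text)
    if m:
        account, sub = m.group("account") or "", m.group("sub")
        if sub.lower().startswith("role/"):
            return Principal("ram_role", account, sub[len("role/"):])
        return Principal("ram_user", account, sub)
    raise ValueError(f"unrecognized principal: {text!r}")


def onboarding_commands(principal: Principal, grants: list[tuple[str, str, str]],
                        ram_enabled: bool) -> list[str]:
    """Commands the owner or an Admin runs to add a principal and grant exactly the
    listed (action, object_type, object_name) tuples, e.g. ("Describe", "table", "src")."""
    cmds = []
    if principal.kind != "aliyun" and not ram_enabled:
        cmds.append("add accountprovider ram;")  # RAM principals need the RAM account system
    cmds.append(f"add user {principal};")
    for action, obj_type, obj_name in grants:
        cmds.append(f"grant {action} on {obj_type} {obj_name} to user {principal};")
    return cmds


def offboarding_commands(principal: Principal, grants: list[tuple[str, str, str]],
                         roles: tuple[str, ...] = ()) -> list[str]:
    """Reverse of onboarding: roles first (required before remove user), then every
    grant (remove user retains grants, and re-adding the user would reactivate them)."""
    cmds = [f"revoke {role} from user {principal};" for role in roles]  # assumed syntax
    for action, obj_type, obj_name in grants:
        cmds.append(f"revoke {action} on {obj_type} {obj_name} from user {principal};")
    cmds.append(f"remove user {principal};")
    return cmds


def listed_principals(list_users_output: str) -> set[Principal]:
    """Parse what 'list users;' prints: one principal per line, comments skipped."""
    lines = (ln.strip() for ln in list_users_output.splitlines())
    return {parse_principal(ln) for ln in lines if ln and not ln.startswith("--")}


def is_removed(principal: Principal, list_users_output: str, current_account: str) -> bool:
    """True when the principal no longer appears in the 'list users;' output."""
    return principal.qualified(current_account) not in listed_principals(list_users_output)


if __name__ == "__main__":
    # Constructed sample mirroring the "Authorize a RAM user" and "Remove a RAM user" sections.
    alice = parse_principal("ram$bob@aliyun.com:Alice")
    grants = [("Describe", "table", "src")]
    print("\n".join(onboarding_commands(alice, grants, ram_enabled=False)))
    print("\n".join(offboarding_commands(alice, grants)))
    after_removal = "ALIYUN$odps_test_user@aliyun.com\n"  # constructed 'list users;' output
    print(is_removed(alice, after_removal, current_account="bob@aliyun.com"))
```

The generated lines are meant to be pasted into the MaxCompute client; keeping the grant list explicit makes it easy to review what a new member receives and guarantees the offboarding revokes exactly the same set.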