All users, except the project owner, must be added to a MaxCompute project and granted the related permissions to manage data, jobs, resources, and functions in MaxCompute. This topic describes how a project owner can add, delete, and authorize other users, such as Alibaba Cloud accounts and RAM users.
If you are a project owner, we recommend that you read this topic carefully. If you are a common user, we recommend that you submit an application to the project owner to join the project and read the related content.
The operations described in this topic are performed on the MaxCompute client.
Add an Alibaba Cloud account
If the project owner Alice decides to authorize another user, Alice must add the user to its project. Only users added to the project can be authorized.
add user username;add user ALIYUN$odps_test_user@aliyun.com;
add user RAM$ram_test_user;list users;
-- The following output indicates that the Alibaba Cloud account odps_test_user@aliyun.com and the RAM user ram_test_user of alice@aliyun.com have been added to the project.
RAM$alice@aliyun.com:ram_test_user
ALIYUN$odps_test_user@aliyun.comAdd a RAM user
- Use DataWorks to add a RAM user. For more information, see Prepare a RAM user.
- Run the following command to add a RAM user on the MaxCompute client:
add accountprovider ram; OKAfter the RAM user is added, the project owner can run the following command to check the account systems supported by the project and check whether the RAM user is added:list accountproviders;Note- MaxCompute only allows an Alibaba Cloud account to add its own RAM users to the project.
Therefore, when you run the
addusercommand, you do not need to specify the Alibaba Cloud account of the RAM user. By default, the account that is used to run this command is the Alibaba Cloud account of the RAM user. - MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.
- MaxCompute only allows an Alibaba Cloud account to add its own RAM users to the project.
Therefore, when you run the
Add a RAM role
- Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service.
Assume that the name of the created RAM role is vuser1.
- Define the policy attached to the RAM role. For more information, see Edit the trust policy of a RAM role.
Subsequent operations need to be performed on DataWorks. Therefore, you must authorize the RAM role to DataWorks so that you can submit periodic scheduling jobs to MaxCompute on DataWorks. Example of a trust policy:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "dataworks.aliyuncs.com" ] } } ], "Version": "1" } - Add the RAM role to a MaxCompute project. You can use one of the following methods:
- Method 1: Use the MaxCompute client (odpscmd) or log on to the MaxCompute console (query editor) and run the following command in the MaxCompute project:
For example, if you want to authorize RAM user abc@example.com to use the RAM role vuser1, run the following command:add user `RAM$<Alibaba Cloud account>:role/RAM role name`;RAM$abc@example.com:role/vuser1.You can run the
list users;command to check whether the RAM role has been added to the MaxCompute project. - Method 2: Log on to the MaxCompute console. On the Project management tab, find your project and click Member management in the Actions column to go to the Member management page. Add the RAM role to the project. For more information about how to add members on the Member management page, see Add workspace members.
- Method 1: Use the MaxCompute client (odpscmd) or log on to the MaxCompute console (query editor) and run the following command in the MaxCompute project:
Authorize an Alibaba Cloud account
After a user is added to a project, the project owner or project administrator must authorize the user. The user can perform operations in the project only after it is authorized.
- Scenario 1: Jack is the administrator of project prj1. A new user Alice with the Alibaba
Cloud account alice@aliyun.com applies to be added to prj1 and requires the permissions
to view tables, submit jobs, and create tables.
Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client:
-- Enter prj1. use prj1; -- Add Alice to the project. add user aliyun$alice@aliyun.com; -- Grant required permissions to Alice. grant List, CreateTable, CreateInstance on project prj1 to user aliyun$alice@aliyun.com; - Scenario 2: The Alibaba Cloud account bob@aliyun.com has been added to a project named
$user_project_name. It must be granted the permissions to create tables, obtain table
information, and execute functions.
Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client:
-- Grant bob@aliyun.com the CreateTable permission to create tables in the project named $user_project_name. grant CreateTable on PROJECT $user_project_name to USER ALIYUN$bob@aliyun.com; -- Grant bob@aliyun.com the Describe permission to obtain information from the table named $user_table_name. grant Describe on Table $user_table_name to USER ALIYUN$bob@aliyun.com; -- Grant bob@aliyun.com the Execute permission to execute the function named $user_function_name. grant Execute on Function $user_function_name to USER ALIYUN$bob@aliyun.com;
Authorize a RAM user
desc permission on table src.
- View the account systems supported by the project.
list accountproviders; -- Return result: ALIYUN, RAMThe output shows that the RAM account system is supported by the project, which means that you can add RAM users to this project. If RAM users are not supported, run the
add accountprovider ram;command to add support for the RAM account system. - Add a RAM user to the project and grant the Describe permission on the src table to
the user:
add user ram$bob@aliyun.com:Alice; -- Return result: OK: DisplayName=RAM$bob@aliyun.com:Alice -- Authorize a RAM user. grant Describe on table src to user ram$bob@aliyun.com:Alice; -- Return result: OK
- For more information about how to obtain the AccessKey ID and AccessKey secret of a RAM user, see Create a RAM user.
- For more information about authorizing a user, see Authorize users.
Remove an Alibaba Cloud account
When a user leaves a project, the user must be removed from the project. After the user is removed, the user no longer has the permission to access resources in the project.
remove user;- Before you remove a user who has been assigned a role, you must first revoke the role. For more information about roles, see Manage roles.
- After a user is removed, permissions related to the user are retained. If the user is added to the project again, the user's historical access permissions will be activated again.
- MaxCompute does not support complete removal of a user and the related authorization data.
-- Remove users.
remove user ALIYUN$odps_test_user@aliyun.com;
remove user RAM$ram_test_user;
-- Run the following command to check whether the users are removed: If these two accounts are not found, they have been removed from the project.
list users;Remove a RAM user
- Run the
removeusercommand to remove a RAM user of an Alibaba Cloud account.-- Revoke the permissions of RAM user Alice. odps@ ****>revoke describe on table src from user ram$bob@aliyun.com:Alice; OK -- Remove the RAM user. odps@ ****>remove user ram$bob@aliyun.com:Alice; Confirm to "remove user ram$bob@aliyun.com:Alice;" (yes/no)? yes OK - Run the
removeaccountprovidercommand to remove the RAM account system from the current project. The command must be executed by the project owner.-- Remove the RAM account system. odps@ ****>remove accountprovider ram; Confirm to "remove accountprovider ram;" (yes/no)? yes OK -- Check whether the removal is successful. odps@ ****>list accountproviders; ALIYUN