Any user, except the project owner, must be added to the MaxCompute project and granted the corresponding permissions to manage data, jobs, resources, and functions in MaxCompute. This article describes how a project owner can add, authorize, and remove other users, including RAM sub-accounts to MaxCompute.
If you are a project owner, we recommend that you read this article carefully. If you are a typical user, we recommend that you submit an application to the project owner to be added to the corresponding project. We recommend all users to read the subsequent sections.
All the operations mentioned in this article are executed on the console. For Linux, run ./bin/odpscmd and for Windows, run ./bin/odpscmd.bat.
Add a user
In this example, the project owner, Alice, wants to authorize another user, therefore she must add the user to the project first. Only a user who has been added to the project can be authorized.
add user ALIYUNfirstname.lastname@example.org; add user RAM$ram_test_user;
This indicates that the Alibaba Cloud account email@example.com and the sub-account ram_test_user created by Alice using RAM have been added to the project.
Add a RAM sub-account
- By using DataWorks, for more information, see Prepare a RAM account.
- By using MaxCompute client commands as described in this document.
By default, MaxCompute project only recognizes Alibaba Cloud account systems. To view the supported account systems use the
- MaxCompute only allows a primary account to add its own RAM sub-accounts to a project.
RAM sub-accounts of other Alibaba Cloud accounts are not allowed. Therefore, you can
skip to specify the name of the primary account before the RAM sub-accounts when
add user. MaxCompute determines by default that the account which runs the command is the corresponding sub-account.
- MaxCompute only recognizes the RAM account system and does not recognize the RAM permission system. Users can add any of their RAM sub-accounts to a MaxCompute project, but MaxCompute does not consider the permission limits in RAM when performing permission verification of RAM sub-accounts.
list accountproviders;command. Typically, only the ALIYUN account is visible, for example:
odps@ ****>list accountproviders; ALIYUNNote Only the project owner has the permission to perform operations related to
accountproviders.As shown in the preceding command, you can only see the
ALIYUNaccount system. If you want to add RAM accounts support, run the
add accountprovider ram; as follows: ram;as follows:
odps@ odps_pd_inter>add accountprovider ram; OK
The user will still not be able to operate MaxCompute successfully. This is because, the user must be granted certain permissions to operate MaxCompute within the permissive limits. For more information, see Authorization.
- MaxCompute only allows a primary account to add its own RAM sub-accounts to a project. RAM sub-accounts of other Alibaba Cloud accounts are not allowed. Therefore, you can skip to specify the name of the primary account before the RAM sub-accounts when
Once the user is added, the project owner or project administrator must authorize the user. The user can perform the operations only after obtaining the permissions.
MaxCompute provides ACL authorization, cross-project resource sharing, and project resource protection. The following are two common scenarios, for more information, see ACL Authorization .
use prj1; --Open the project prj1 add user firstname.lastname@example.org; --Add the user grant List, CreateTable, CreateInstance on project prj1 to user email@example.com; --Authorize the user
grant CreateTable on PROJECT $user_project_name to USER ALIYUNfirstname.lastname@example.org; --Grant CreateTable permission on project “$user_project_name” to email@example.com grant Describe on Table $user_table_name to USER ALIYUNfirstname.lastname@example.org; --Grant Describe permission on table “$user_table_name” to email@example.com grant Execute on Function $user_function_name to USER ALIYUNfirstname.lastname@example.org; --Grant Run permission on function "$user_function_name" to email@example.com
Authorize RAM Sub-account
list accountproviders;command as follows:
odps@ ****>list accountproviders; ALIYUN, RAM
Describepermission on the tables. For example:
odps@ ****>add user firstname.lastname@example.org:Alice; OK: DisplayName=RAMemail@example.com:Alice odps@ ****>grant Describe on table src to user firstname.lastname@example.org:Alice; OK
descon the table src.
Remove a User
When a user leaves the project team, Alice must remove the user from the project. Once removed from the project, the user no longer has any access permission to the project resources.
- A user removed from a project immediately loses an authority to access resources of the project.
- Revoke all the roles of the user, before removing a user whom the roles are assigned. For more information about roles, see Role Management.
- After a user is removed, allACL Authorization data related to the user is retained. After a user is added to a project again, the ACL Authorization of this user is enabled again.
- MaxCompute does not support complete removal of a user and all permission data from a project.
remove user ALIYUNemail@example.com; remove user RAM$ram_test_user;
If those two accounts are no longer listed after running the command, it indicates that the accounts have been removed from the project.
Remove a RAM Sub-account
remove usercommand. For example:
odps@ ****>revoke describe on table src from user firstname.lastname@example.org:Alice; OK -- Revoke Alice sub-account permissions odps@ ****>remove user email@example.com:Alice; Confirm to "remove user firstname.lastname@example.org:Alice;" (yes/no)? yes OK -- Remove sub-account
remove accountprovideras follows:
odps@ ****>remove accountprovider ram; Confirm to "remove accountprovider ram;" (yes/no)? yes OK odps@ ****>list accountproviders; ALIYUN