After a user is added, the project owner or the project administrator must authorize the user. The user can perform operations only after obtaining permission. Authorization allows a user to perform operations including read, write, and view on tables, tasks, resources, and other objects of the MaxCompute.
MaxCompute provides access control list (ACL) authorization, cross-project resource sharing, and project resource protection. Authorization typically includes three elements: subject, object, and action. In MaxCompute, the subject refers to a user or a role and the object refers to various types of objects in a project.
ACL authorization includes following MaxCompute objects: Project, Table, Function, Resource, and Instance. Operations are related to specific object types, therefore different types of objects support different types of actions.
| Object | Action | Description |
|---|---|---|
| Project | Read | View project information (excluding any project objects), such as the creation time. |
| Project | Write | Update project information (excluding any project objects), such as comments. |
| Project | List | View the list of all types of objects in the project. |
| Project | CreateTable | Create a table in the project. |
| Project | CreateInstance | Create an instance in the project. |
| Project | CreateFunction | Create a function in the project. |
| Project | CreateResource | Create a resource in the project. |
| Project | All | Grant all of the preceding permissions. |
| Table | Describe | Read the metadata of the table. |
| Table | Select | Read the table data. |
| Table | Alter | Change the metadata of the table and add or delete a partition. |
| Table | Update | Overwrite or add table data. |
| Table | Drop | Delete a table. |
| Table | All | Grant all the preceding permissions. |
| Function | Read | Read and run permissions. |
| Function | Write | Update. |
| Function | Delete | Delete |
| Function | Run | Run. |
| Function | All | Grant all the preceding permissions. |
| Resource | Read | Read. |
| Resource | Write | Update. |
| Resource | Delete | Delete. |
| Resource | All | Grant all the preceding permissions. |
| Instance | Read | Read. |
| Instance | Write | Update. |
| Instance | All | Grant all the preceding permissions. |
 |
Note |
|
- SQL92 Authorization
MaxCompute supports authorization using the syntax similar to the GRANT and REVOKE commands defined by SQL92. It grants or revokes permissions to/from the existing project object through simple authorization statements. The authorization syntax is as follows:
grant actions on object to subject revoke actions on object from subject actions ::= action_item1, action_item2, ... object ::= project project_name | table schema_name | instance inst_name | function func_name | resource res_name subject ::= user full_username | role role_nameUsers familiar with the GRANT and REVOKE commands defined by SQL92 or with Oracle database security management can find that the ACL authorization syntax of MaxCompute does not support [WITH GRANT OPTION] authorization parameters. For example, when User A authorizes User B to access an object, User B cannot grant the permission to User C. In this scenario, all permissions must be granted by one of the following three roles:- Project owner
- Project administrator
- Object creator
- Use Example of ACL Authorization
In the following scenario, the Alibaba Cloud account user alice@aliyun.com is a newly added member to the project test_project_a, and Allen is a RAM-sub account added to bob@aliyun.com. In test_project_a, they both must submit jobs, create tables, and view existing objects in the project.
The following authorization operations procedure is performed by the project administrator:use test_project; --Open the project add user aliyun$alice@aliyun.com; --Add the user add user aliyun$alice@aliyun.com; --Add the user create role worker; --Create a role grant worker TO aliyun$alice@aliyun.com; --Grant the role grant worker TO aliyun$bob@aliyun.com; --Grant the role grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker; --Authorize the role - Cross-project Table/Resource/Function Sharing
Following the preceding example, aliyun$alice@aliyun.com and ram$bob@aliyun.com:Allen have certain permissions in test_project_a. These two users must query table prj_b_test_table in test_project_b, and use test_project_b. UDF prj_b_test_udf.
The following authorization operations procedure is performed by the administrator test_project_b:use test_project_b; --Open the project add user aliyun$alice@aliyun.com; --Add the user add user ram$bob@aliyun.com:Allen; --Add th RAM sub-account create role prj_a_worker; --Create a role grant prj_a_worker TO aliyun$alice@aliyun.com; --Grant the role grant prj_a_worker TO ram$bob@aliyun.com:Alice; --Grant the role grant Describe , Select ON TABLE prj_b_test_table TO ROLE prj_a_worker; --Authorize the role grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker; --Authorize the role grant Read ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker; --Authorize the role --After authorization, the two users query table and use udf in test_project_a as follows: use test_project_a; select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
|
Note |
If UDF is created in test_project_a, only Resource authorization is required. Write as the following: |