This topic describes how to authorize users to manage objects in a MaxCompute project, for example, to read, write, and query table data, query resource information, and execute functions.

Overview

After members are added to a project, the members can perform operations in the project only after the project owner or project administrators grant the required permissions to them.

MaxCompute provides various methods to control permissions, including access control list (ACL)-based or policy-based authorization, resource sharing across projects, and project data protection. To manage permissions, you must make clear the subject, the object, and the action. We recommend that you preferentially use ACL-based authorization instead of policy-based authorization.

When you use ACL-based authorization, the subject can be a user or a role. The object can be a project or an object such as table, function, resource, or instance in a project. The action varies based on the object type. You can authorize a subject only when the specific object exists. If the object is deleted, the granted permissions are automatically deleted.

Object types and actions that MaxCompute projects support

Object Action Description
Project Read Views information about a project, such as the creation time, excluding information about objects in the project.
Project Write Updates information about a project, such as comments, excluding information about objects in the project.
Project List Queries all types of objects in a project.
Project CreateTable Creates tables in a project.
Project CreateInstance Creates instances in a project.
Project CreateFunction Creates functions in a project.
Project CreateResource Creates resources in a project.
Project All Has all of the preceding project permissions.
Table Describe Reads the metadata of tables.
Table Select Reads data from tables.
Table Alter Modifies the metadata of tables and creates or deletes table partitions.
Table Update Overwrites data in tables or appends data to tables.
Table Drop Deletes tables.
Table ShowHistory Queries the backup history of tables.
Table All Has all of the preceding table permissions.
Function Read Reads function information.
Function Write Updates functions.
Function Delete Deletes functions.
Function Execute Executes functions.
Function All Has all of the preceding function permissions.
Resource Read Reads resource information.
Resource Write Updates resources.
Resource Delete Deletes resources.
Resource All Has all of the preceding resource permissions.
Instance Read Reads instance information.
Instance Write Updates instances.
Instance All Has both of the preceding instance permissions.
Note
  • In MaxCompute, permissions on views must be separately granted in the same way as tables.
  • The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in a project must be used together with the CreateInstance permission on the project in which you perform operations.

    A user without the CreateInstance permission on a project cannot complete the CreateTable, Select, Alter, Update, or Drop operation in the project. For example, to read data from tables of Project B in Project A, you must have the CreateInstance permission on Project A and the Select permission on tables of Project B.

Authorization syntax in MaxCompute

Authorization syntax in MaxCompute is similar to the GRANT and REVOKE statements that are defined by the SQL-92 standard. You can use simple statements to grant or revoke permissions on projects or objects in projects. MaxCompute supports the following authorization syntax:
grant actions on object to subject
revoke actions on object from subject
actions ::= action_item1, action_item2, ...
object ::= project project_name | table schema_name |
           instance inst_name | function func_name |
           resource res_name
subject ::= user full_username | role role_name
In the authorization process, note the following points:
  • When you use ACL-based authorization, the [WITH GRANT OPTION] parameter is not supported. In other words, when User A authorizes User B to manage an object, User B cannot authorize User C to manage the same object.
  • Only the following roles have the permission to authorize users in a project:
    • Project owner
    • Project administrator
    • Object creator
  • After you log on with an Alibaba Cloud account, you can authorize other Alibaba Cloud accounts and Resource Access Management (RAM) users under the current Alibaba Cloud account. You cannot authorize RAM users under other Alibaba Cloud accounts.

Examples

  • ACL-based authorization
    Alice has an Alibaba Cloud account alice@aliyun.com. Allen, whose account is bob@aliyun.com:Allen, is a RAM user that belongs to bob@aliyun.com. Your Alibaba Cloud account is bob@aliyun.com and you are the project administrator of the test_project_a project. After you log on, you can run the following commands to grant permissions, such as the CreateInstance, CreateTable, and List permissions, to Alice and Allen:
    -- Go to the test_project_a project.
use test_project_a; 
-- Add Alice as a member of the project.
add user aliyun$alice@aliyun.com;
-- Add Allen as a member of the project. 
add user ram$bob@aliyun.com:Allen; 
-- Create a worker role.
create role worker; 
-- Assign the worker role to the added members.
grant worker TO aliyun$alice@aliyun.com; 
grant worker TO ram$bob@aliyun.com:Allen;  
-- Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions to the worker role.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project_a TO ROLE worker;
-- Grant both instance permissions to the worker role.
grant all on instance instance_name to Role worker;
  • Resource sharing across projects
    Alice and Allen with the granted permissions in the preceding example need to query data in the prj_b_test_table table of the test_project_b project and use the prj_b_test_udf function of the project. You are also the project administrator of the test_project_b project. After you log on, you can run the following commands to grant permissions on the test_project_b project to Alice and Allen:
    -- Go to the test_project_b project.
use test_project_b; 
-- Add Alice and Allen as members of the project.
add user aliyun$alice@aliyun.com; 
add user ram$bob@aliyun.com:Allen; 
-- Create the prj_a_worker role.
create role prj_a_worker; 
-- Assign the prj_a_worker role to the added members.
grant prj_a_worker TO aliyun$alice@aliyun.com; 
grant prj_a_worker TO ram$bob@aliyun.com:Alice;  
-- Grant permissions to the prj_a_worker role.
grant Describe , Select  ON TABLE prj_b_test_table TO ROLE prj_a_worker; 
grant Read  ON Function prj_b_test_udf TO ROLE prj_a_worker; 
grant Read  ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker; 
-- After permissions are granted, the two members can run the following commands in the test_project_a project to query data in the prj_b_test_table table of the test_project_b project and use the prj_b_test_udf function of the test_project_b project:
use test_project_a;
select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
    To create a user-defined function (UDF) in the test_project_a project by using resources of the test_project_b project, the members can run the following command:
    create function function_name as 'com.aliyun.odps.compiler.udf.PlaybackJsonShrinkUdf' using 'test_project_b/resources/odps-compiler-playback.jar' -f;