Authorization

Last Updated: Oct 31, 2017

Authorization generally involves three elements: subject (user or role), object, and action. In MaxCompute, the subject refers to a user or role, the object refers to various types of objects in a project, and actions are associated with specific object types. Different types of objects support different actions.

MaxCompute projects support the following object types and actions:

Object                            | Action             | Description
----------------------------------|--------------------|-------------------------------------------------------------------------------------
Project                           | Read               | View project information (excluding any project objects), such as the creation time.
Project                           | Write              | Update project information (excluding any project objects), such as comments.
Project                           | List               | View the list of all types of objects in the project.
Project                           | CreateTable        | Create a table in the project.
Project                           | CreateInstance     | Create an instance in the project.
Project                           | CreateFunction     | Create a function in the project.
Project                           | CreateResource     | Create a resource in the project.
Project                           | CreateJob          | Create a job in the project.
Project                           | CreateVolume       | Create a volume in the project.
Project                           | CreateOfflineModel | Create an offline model in the project.
Project                           | CreateXflow        | Create an Xflow in the project.
Project                           | All                | Grant all the preceding permissions.
Table                             | Describe           | Read the metadata of the table.
Table                             | Select             | Read the table data.
Table                             | Alter              | Change the metadata of the table and add or delete a partition.
Table                             | Update             | Overwrite or add table data.
Table                             | Drop               | Delete a table.
Table                             | All                | Grant all the preceding permissions.
Function                          | Read               | Read and execute permissions.
Function                          | Write              | Update.
Function                          | Delete             | Delete.
Function                          | All                | Grant all the preceding permissions.
Resource, Instance, Job, Volume   | Read               | Read.
Resource, Instance, Job, Volume   | Write              | Update.
Resource, Instance, Job, Volume   | Delete             | Delete.
Resource, Instance, Job, Volume   | All                | Grant all the preceding permissions.
OfflineModel                      | Read               | Read.
OfflineModel                      | Write              | Update.
OfflineModel                      | Delete             | Delete.
OfflineModel                      | All                | Grant all the preceding permissions.
Xflow                             | Read               | Read.
Xflow                             | Write              | Update.
Xflow                             | Execute            | Execute.
Xflow                             | Delete             | Delete.
Xflow                             | All                | Grant all the preceding permissions.

Note:

  • In the table above, the CreateTable action on Project objects and the Select, Alter, Update, and Drop actions on Table objects only take effect together with the CreateInstance permission on the Project object. If CreateInstance is not granted, the corresponding operations cannot be performed even though those permissions are granted; this is a consequence of the internal implementation of MaxCompute. When auditing a user's or role's grants, treat a Select, Alter, Update, Drop, or CreateTable grant without CreateInstance on the project as ineffective rather than as a working permission.

  • After a user or role is added, you must grant permissions to it. MaxCompute authorization is object-based: the permission data authorized through the Access Control List (ACL) is treated as a sub-resource of the object. Authorization is therefore possible only while the object exists, and when the object is deleted, its authorized permission data is deleted automatically. MaxCompute authorization uses syntax similar to the GRANT and REVOKE commands defined by SQL92, granting or revoking permissions on an existing project object through simple authorization statements.

MaxCompute supports authorization using the syntax similar to the GRANT and REVOKE commands defined by SQL92. The authorization syntax is as follows:

    grant actions on object to subject
    revoke actions on object from subject
    actions ::= action_item1, action_item2, ...
    object  ::= project project_name | table schema_name |
                instance inst_name | function func_name |
                resource res_name
    subject ::= user full_username | role role_name

Users familiar with the GRANT and REVOKE commands defined by SQL92, or with Oracle database security management, will notice that the ACL authorization syntax of MaxCompute does not support the [WITH GRANT OPTION] parameter. That is, when User A authorizes User B to access an object, User B cannot pass that permission on to User C. Consequently, all permissions must be granted by one of the following three roles:

  • Project owner
  • Project administrator
  • Object creator

The following is an example of ACL-based authorization:

Scenario: Two users with Alibaba Cloud accounts alice@aliyun.com and bob@aliyun.com are added to the project test_project. In test_project, they need to submit jobs, create tables, and view existing objects in the project.

Procedure:

    use test_project;                        -- Open the project
    add user aliyun$alice@aliyun.com;        -- Add the first user
    add user aliyun$bob@aliyun.com;          -- Add the second user
    create role worker;                      -- Create a role
    grant worker TO aliyun$alice@aliyun.com; -- Grant the role to alice
    grant worker TO aliyun$bob@aliyun.com;   -- Grant the role to bob
    grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker; -- Authorize the role

Note: You can add and authorize project members in DataWorks. For more information, see How to Add and Authorize Members.
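The following is an added example (not part of the MaxCompute documentation or product) that applies the grant grammar and the CreateInstance note above to a list of grant statements: it parses each statement, rejects actions the object type does not support, expands All, and reports which grants a subject can actually use and which are blocked because CreateInstance on the project is missing. The table name `sales`, the `project` parameter (the project opened with `use`), and the statement list are assumptions for illustration.

```python
import re

# Actions each object type supports, transcribed from the table on this page.
ACTIONS = {
    "project": ["Read", "Write", "List", "CreateTable", "CreateInstance",
                "CreateFunction", "CreateResource", "CreateJob", "CreateVolume",
                "CreateOfflineModel", "CreateXflow"],
    "table": ["Describe", "Select", "Alter", "Update", "Drop"],
    "function": ["Read", "Write", "Delete"],
    "resource": ["Read", "Write", "Delete"],
    "instance": ["Read", "Write", "Delete"],
}
# Per the note above: these grants are inert without CreateInstance on the project.
NEEDS_CREATE_INSTANCE = {("project", "CreateTable"), ("table", "Select"),
                         ("table", "Alter"), ("table", "Update"), ("table", "Drop")}

GRANT_RE = re.compile(
    r"^\s*grant\s+(?P<actions>.+?)\s+on\s+(?P<otype>project|table|instance|function|resource)"
    r"\s+(?P<oname>\S+)\s+to\s+(?P<stype>user|role)\s+(?P<sname>[^\s;]+)\s*;?\s*$", re.I)

def parse_grant(stmt):
    """Parse one grant statement (grammar above); 'All' expands to every action."""
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError("not a grant statement: " + stmt)
    otype = m["otype"].lower()
    canon = {a.lower(): a for a in ACTIONS[otype]}   # case-insensitive action names
    wanted = [a.strip().lower() for a in m["actions"].split(",")]
    if "all" in wanted:
        wanted = list(canon)
    unknown = [a for a in wanted if a not in canon]
    if unknown:
        raise ValueError(f"{otype} does not support action(s) {unknown}")
    subject = (m["stype"].lower(), m["sname"])
    return subject, {(otype, m["oname"], canon[a]) for a in wanted}

def effective_permissions(statements, project):
    """Map each subject to the grants it can use and those blocked because
    CreateInstance on `project` (assumed: the project opened with `use`) is missing."""
    held = {}
    for stmt in statements:
        subject, perms = parse_grant(stmt)
        held.setdefault(subject, set()).update(perms)
    report = {}
    for subject, perms in held.items():
        can_run = ("project", project, "CreateInstance") in perms
        blocked = {p for p in perms
                   if (p[0], p[2]) in NEEDS_CREATE_INSTANCE and not can_run}
        report[subject] = {"usable": perms - blocked, "blocked": blocked}
    return report
```

Run over the worker grant from the procedure above, the role shows no blocked entries because CreateInstance is included; a constructed `grant Select on table sales to user ...` with no project-level CreateInstance is reported as blocked.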
