Normally, an authorization operation involves three elements: a subject, an object and an action. In MaxCompute, the subject is a user, the object is any object in the project, and the action is an operation on a specified object. Different types of objects support different actions.
A MaxCompute project supports the following object types and actions:
| Object | Action | Description |
|---|---|---|
| Project | Read | View the CreateTime and other information about a project, excluding any objects of the project. |
| Project | Write | Update the Comments and other information of a project, excluding any objects of the project. |
| Project | List | View the list of all objects in the project. |
| Project | CreateTable | Create a Table in the project. |
| Project | CreateInstance | Create an Instance in the project. |
| Project | CreateFunction | Create a Function in the project. |
| Project | CreateResource | Create a Resource in the project. |
| Project | All | All of the privileges listed above for Project. |
| Table | Describe | Read the meta information of a Table. |
| Table | Select | Read the data of a Table. |
| Table | Alter | Alter the meta information of a Table. |
| Table | Update | Overwrite or add data in a Table. |
| Table | Drop | Drop the Table. |
| Table | All | All of the privileges listed above for Table. |
| Function | Read | Read the function. |
| Function | Write | Update the function. |
| Function | Execute | Execute the function. |
| Function | Delete | Delete the function. |
| Function | All | All of the privileges listed above for Function. |
| Resource, Instance, Job, Volume | Read | Read the objects. |
| Resource, Instance, Job, Volume | Write | Update the objects. |
| Resource, Instance, Job, Volume | Delete | Delete the objects. |
| Resource, Instance, Job, Volume | All | All of the privileges listed above for these object types. |
- In the privilege descriptions above, the CreateTable action of Project-type objects, and the Select, Alter, Update and Drop actions of Table-type objects, must be used together with the CreateInstance privilege on the Project-type object. Without the CreateInstance privilege, the actions covered by those privileges cannot be carried out; this is due to the internal implementation of ODPS. In particular, the Select privilege on a Table only takes effect together with the CreateInstance privilege.
After adding a user or creating a role, you grant privileges to that user or role. ACL authorization is based on an object: the Access Control List produced by authorization is treated as a sub-resource of that object. Authorization can only be performed on an object that already exists, and once the object is dropped, its privilege data is deleted automatically.
ACL authorization supports a syntax similar to the GRANT/REVOKE syntax defined in SQL92. It grants or revokes privileges on existing objects in a project using simple authorization statements.
The authorization statements are as follows:
```
grant actions on object to subject
revoke actions on object from subject
actions ::= action_item1, action_item2, ...
object ::= project project_name | table schema_name |
instance inst_name | function func_name |
subject ::= user full_username | role role_name
```
If you are familiar with the GRANT/REVOKE syntax defined in SQL92 or with Oracle database security management, you will notice that the ACL authorization syntax of ODPS does not support the [WITH GRANT OPTION] authorization parameter. That is, when user A grants user B the privilege to access an object, user B cannot pass that privilege on to user C. Therefore, the user who performs any authorization action must be one of the following:
- Project Owner
- A user with admin role in the project
- Object creator in the project
The following is a simple example of ACL authorization:
Scenario: the Aliyun account users email@example.com and firstname.lastname@example.org are new members of the project test_project. They need to submit jobs, create tables and view existing objects in the project test_project.
The authorization actions executed by the project owner are:
```sql
use test_project; --Use a project.
add user email@example.com; --Add a user.
add user firstname.lastname@example.org; --Add a user.
create role worker; --Create a role.
grant worker TO email@example.com; --Grant the role to a user.
grant worker TO firstname.lastname@example.org; --Grant the role to a user.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker; --Grant privileges to the role.
```
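The rules described on this page, replayed as an added Python model (this is not MaxCompute/ODPS code): it checks the per-type action lists, requires the object to exist before authorization, enforces that only the owner, an admin or the object creator may grant (no WITH GRANT OPTION), deletes the ACL together with its object, and applies the CreateInstance dependency when deciding whether a granted privilege is actually usable. The owner address, the table name and the guest user in the test are constructed.

```python
# Added example, not ODPS code: a model of the ACL rules on this page. All names are constructed.
ACTIONS = {  # object type -> actions the page lists for it ("All" expands to these)
    "project": {"Read", "Write", "List", "CreateTable", "CreateInstance",
                "CreateFunction", "CreateResource"},
    "table": {"Describe", "Select", "Alter", "Update", "Drop"},
    "function": {"Read", "Write", "Execute", "Delete"},
    "resource": {"Read", "Write", "Delete"}, "instance": {"Read", "Write", "Delete"},
}
# Privileges that only take effect together with CreateInstance on the project.
NEEDS_CREATE_INSTANCE = {("project", "CreateTable"), ("table", "Select"),
                         ("table", "Alter"), ("table", "Update"), ("table", "Drop")}

class Project:
    def __init__(self, name, owner):
        self.name, self.owner, self.admins = name, owner, set()
        self.creators = {("project", name): owner}  # existing objects -> creator
        self.roles = {}                             # role name -> member users
        self.acl = {}                               # (type, name) -> {subject: actions}

    def grant(self, grantor, actions, otype, name, subject):
        if (otype, name) not in self.creators:
            raise LookupError("object must exist before it can be authorized")
        # No WITH GRANT OPTION: only the owner, an admin or the creator may grant.
        if grantor not in (self.owner, self.creators[(otype, name)], *self.admins):
            raise PermissionError(f"{grantor} may not grant on {otype} {name}")
        actions = set(ACTIONS[otype]) if set(actions) == {"All"} else set(actions)
        if actions - ACTIONS[otype]:
            raise ValueError(f"{otype} does not support {sorted(actions - ACTIONS[otype])}")
        self.acl.setdefault((otype, name), {}).setdefault(subject, set()).update(actions)

    def drop(self, otype, name):
        del self.creators[(otype, name)]
        self.acl.pop((otype, name), None)  # the ACL is a sub-resource of the object

    def can(self, user, action, otype, name):
        # Effective check: a privilege reaches a user directly or through a role.
        subjects = {user} | {r for r, members in self.roles.items() if user in members}
        def held(a, t, n):
            return any(a in self.acl.get((t, n), {}).get(s, ()) for s in subjects)
        if (otype, action) in NEEDS_CREATE_INSTANCE and not held("CreateInstance", "project", self.name):
            return False  # granted but unusable without CreateInstance on the project
        return held(action, otype, name)

def demo():
    """Replays the page's scenario: the owner puts two new users into role worker."""
    p = Project("test_project", "owner@example.com")  # owner address is constructed
    p.roles["worker"] = {"email@example.com", "firstname.lastname@example.org"}
    p.grant(p.owner, {"CreateInstance", "CreateResource", "CreateFunction", "CreateTable", "List"},
            "project", "test_project", "worker")
    return p
```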