This topic describes how to authorize users to manage objects in a MaxCompute project, for example, to read, write, and query table data, query resource information, and execute functions.
After members are added to a project, the members can perform operations in the project only after the project owner or project administrators grant the required permissions to them.
MaxCompute provides several methods to control permissions, including access control list (ACL)-based and policy-based authorization, resource sharing across projects, and project data protection. To manage permissions, you must be clear about the subject, the object, and the action. We recommend that you use ACL-based authorization in preference to policy-based authorization.
When you use ACL-based authorization, the subject can be a user or a role. The object can be a project or an object within a project, such as a table, function, resource, or instance. The set of actions depends on the object type. You can authorize a subject only for an object that already exists; if the object is deleted, the granted permissions are deleted automatically.
Object types and actions that MaxCompute projects support

| Object | Action | Description |
|---|---|---|
| Project | Read | Views information about a project, such as the creation time, excluding information about objects in the project. |
| Project | Write | Updates information about a project, such as comments, excluding information about objects in the project. |
| Project | List | Queries all types of objects in a project. |
| Project | CreateTable | Creates tables in a project. |
| Project | CreateInstance | Creates instances in a project. |
| Project | CreateFunction | Creates functions in a project. |
| Project | CreateResource | Creates resources in a project. |
| Project | All | Has all of the preceding project permissions. |
| Table | Describe | Reads the metadata of tables. |
| Table | Select | Reads data from tables. |
| Table | Alter | Modifies the metadata of tables and creates or deletes table partitions. |
| Table | Update | Overwrites data in tables or appends data to tables. |
| Table | ShowHistory | Queries the backup history of tables. |
| Table | All | Has all of the preceding table permissions. |
| Function | Read | Reads function information. |
| Function | All | Has all of the preceding function permissions. |
| Resource | Read | Reads resource information. |
| Resource | All | Has all of the preceding resource permissions. |
| Instance | Read | Reads instance information. |
| Instance | All | Has both of the preceding instance permissions. |
- In MaxCompute, permissions on views must be granted separately, in the same way as for tables.
- The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in a project must be used together with the CreateInstance permission on the project in which you perform the operations. A user without the CreateInstance permission on a project cannot complete a CreateTable, Select, Alter, Update, or Drop operation in that project. For example, to read data from tables of Project B while working in Project A, you must have the CreateInstance permission on Project A and the Select permission on the tables of Project B.
Authorization syntax in MaxCompute
```
grant actions on object to subject
revoke actions on object from subject

actions ::= action_item1, action_item2, ...
object  ::= project project_name | table schema_name | instance inst_name | function func_name | resource res_name
subject ::= user full_username | role role_name
```
- When you use ACL-based authorization, the `[WITH GRANT OPTION]` parameter is not supported. In other words, when User A authorizes User B to manage an object, User B cannot pass that permission on to User C.
- Only the following roles have the permission to authorize users in a project:
- Project owner
- Project administrator
- Object creator
- After you log on with an Alibaba Cloud account, you can authorize other Alibaba Cloud accounts and Resource Access Management (RAM) users under the current Alibaba Cloud account. You cannot authorize RAM users under other Alibaba Cloud accounts.
- ACL-based authorization
Alice has an Alibaba Cloud account firstname.lastname@example.org. Allen, whose account is email@example.com:Allen, is a RAM user that belongs to firstname.lastname@example.org. Your Alibaba Cloud account is email@example.com and you are the project administrator of the test_project_a project. After you log on, you can run the following commands to grant permissions, such as the CreateInstance, CreateTable, and List permissions, to Alice and Allen:
```sql
-- Go to the test_project_a project.
use test_project_a;
-- Add Alice as a member of the project.
add user firstname.lastname@example.org;
-- Add Allen as a member of the project.
add user email@example.com:Allen;
-- Create a worker role.
create role worker;
-- Assign the worker role to the added members.
grant worker TO firstname.lastname@example.org;
grant worker TO email@example.com:Allen;
-- Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions to the worker role.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project_a TO ROLE worker;
-- Grant both instance permissions to the worker role.
grant all on instance instance_name to Role worker;
```
- Resource sharing across projects
Alice and Allen, who were granted the permissions in the preceding example, need to query data in the prj_b_test_table table of the test_project_b project and use the prj_b_test_udf function of that project. You are also the project administrator of test_project_b. After you log on, you can run the following commands to grant permissions on test_project_b to Alice and Allen:
```sql
-- Go to the test_project_b project.
use test_project_b;
-- Add Alice and Allen as members of the project.
add user firstname.lastname@example.org;
add user email@example.com:Allen;
-- Create the prj_a_worker role.
create role prj_a_worker;
-- Assign the prj_a_worker role to the added members.
grant prj_a_worker TO firstname.lastname@example.org;
grant prj_a_worker TO email@example.com:Allen;
-- Grant permissions to the prj_a_worker role.
grant Describe, Select ON TABLE prj_b_test_table TO ROLE prj_a_worker;
grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker;
grant Read ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker;
-- After permissions are granted, the two members can run the following commands in the
-- test_project_a project to query data in the prj_b_test_table table of the
-- test_project_b project and use the prj_b_test_udf function of the test_project_b project:
use test_project_a;
select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
```
To create a user-defined function (UDF) in the test_project_a project by using resources of the test_project_b project, the members can run the following command:
```sql
create function function_name as 'com.aliyun.odps.compiler.udf.PlaybackJsonShrinkUdf' using 'test_project_b/resources/odps-compiler-playback.jar' -f;
```
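The CreateInstance co-requirement from the notes above and the two grant scripts can be checked offline with the following small model, which is an added example and not MaxCompute's own authorization engine. It parses the page's grant syntax with regular expressions, scopes object grants by the preceding `use` statement, and treats an `All` grant as covering every action; the embedded grant script is constructed from the examples above, with Allen deliberately left out of the worker role in test_project_a to show the failure case.

```python
import re
from collections import defaultdict
# Constructed from the two examples above; Allen is deliberately not given the worker role.
GRANT_SCRIPT = """
use test_project_a;
grant worker TO firstname.lastname@example.org;
grant CreateInstance, CreateTable, List ON PROJECT test_project_a TO ROLE worker;
use test_project_b;
grant prj_a_worker TO firstname.lastname@example.org;
grant prj_a_worker TO email@example.com:Allen;
grant Describe, Select ON TABLE prj_b_test_table TO ROLE prj_a_worker;
grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker;
"""
NEEDS_INSTANCE = {"Select", "Alter", "Update", "Drop"}  # table actions that also need CreateInstance

def parse_grants(script):
    """Map user -> roles and (kind, subject) -> {(type, qualified_object, action)}."""
    roles, perms, project = defaultdict(set), defaultdict(set), None
    for stmt in script.split(";"):
        s = " ".join(stmt.split())  # normalise whitespace and line breaks
        if m := re.fullmatch(r"use (\S+)", s, re.I):
            project = m.group(1)  # object grants that follow are scoped to this project
        elif m := re.fullmatch(r"grant (.+?) on (\w+) (\S+) to (role|user) (\S+)", s, re.I):
            actions, otype, name, kind, who = m.groups()
            obj = name if otype.lower() == "project" else f"{project}.{name}"
            for a in actions.split(","):
                perms[(kind.lower(), who)].add((otype.lower(), obj, a.strip()))
        elif m := re.fullmatch(r"grant (\S+) to (\S+)", s, re.I):  # role membership
            roles[m.group(2)].add(m.group(1))
    return roles, perms

def missing_perms(roles, perms, user, exec_project, requests):
    """Return the (type, object, action) tuples `user` still lacks; [] means allowed."""
    held = set(perms.get(("user", user), ()))
    for r in roles.get(user, ()):
        held |= perms.get(("role", r), set())
    needed = set(requests)
    if any((t == "project" and a == "CreateTable") or (t == "table" and a in NEEDS_INSTANCE)
           for t, _, a in requests):
        needed.add(("project", exec_project, "CreateInstance"))
    # An "All" grant on an object covers every action on that object.
    return sorted(n for n in needed if n not in held and (n[0], n[1], "All") not in held)

ROLES, PERMS = parse_grants(GRANT_SCRIPT)
# What the cross-project query above touches, when run inside test_project_a.
CROSS_PROJECT_QUERY = [("table", "test_project_b.prj_b_test_table", "Select"),
                       ("function", "test_project_b.prj_b_test_udf", "Read")]
if __name__ == "__main__":
    for who in ("firstname.lastname@example.org", "email@example.com:Allen"):
        print(who, missing_perms(ROLES, PERMS, who, "test_project_a", CROSS_PROJECT_QUERY))
```

For Alice the result is an empty list; for Allen it reports only the missing CreateInstance grant on test_project_a, which is exactly the note's point that the Select grant in test_project_b alone is not enough.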