Authorization allows a user to perform operations including read, write, and view on tables, tasks, resources, and other objects of the MaxCompute. After the user is added, the project owner or the project administrator must authorize the user. The user can perform operations only after obtaining the permission.
MaxCompute provides Access Control List (ACL) authorization, cross-project resource sharing, and project resource protection. Authorization typically includes three elements: subject, object, and action. In MaxCompute, the subject refers to a user or a role and the object refers to various types of objects in a project.
ACL authorization includes following MaxCompute objects: Project, Table, Function, Resource, and Instance. Operations are related to specific object types, therefore different types of objects support different types of actions.
| Object | Action | Description |
|---|---|---|
| Project | Read | View project information (excluding any project objects), such as the creation time. |
| Project | Write | Update project information (excluding any project objects), such as comments. |
| Project | List | View the list of all types of objects in the project. |
| Project | CreateTable | Create a table in the project. |
| Project | CreateInstance | Create an instance in the project. |
| Project | CreateFunction | Create a function in the project. |
| Project | CreateResource | Create a resource in the project. |
| Project | All | Grant all of the preceding permissions. |
| Table | Describe | Read the metadata of the table. |
| Table | Select | Read the table data. |
| Table | Alter | Change the metadata of the table and add or delete a partition. |
| Table | Update | Overwrite or add table data. |
| Table | Drop | Delete a table. |
| Table | All | Grant all the preceding permissions. |
| Function | Read | Read and run permissions. |
| Function | Write | Update. |
| Function | Delete | Delete. |
| Function | Run | Run. |
| Function | All | Grant all the preceding permissions. |
| Resource | Read | Read. |
| Resource | Write | Update. |
| Resource | Delete | Delete. |
| Resource | All | Grant all the preceding permissions. |
| Instance | Read | Read. |
| Instance | Write | Update. |
| Instance | All | Grant all the preceding permissions. |
 |
Note |
|
- SQL92 Authorization
MaxCompute supports authorization using the syntax similar to the GRANT and REVOKE commands defined by SQL92. It grants or revokes permissions to/from the existing project object through simple authorization statements. The authorization syntax is as follows:
grant actions on object to subject revoke actions on object from subject actions ::= action_item1, action_item2, ... object ::= project project_name | table schema_name | instance inst_name | function func_name | resource res_name subject ::= user full_username | role role_nameUsers familiar with GRANT and REVOKE commands defined by SQL92 or with Oracle database security management can identify that the ACL authorization syntax of MaxCompute does not support [WITH GRANT OPTION] authorization parameters. For example, when User A authorizes User B to access an object, User B cannot grant the permission to User C. In this scenario, all permissions can be granted by one of the following three roles:- Project owner
- Project administrator
- Object creator
- Use example of ACL authorization
In the following scenario, the Alibaba Cloud account user alice@aliyun.com is a newly added member to the project test_project_a, and Allen is a RAM-sub account added to bob@aliyun.com. In test_project_a, they both must submit jobs, create tables, and view existing objects in the project.
The project administrator performs the following authorization operations:use test_project; --Open the project add user aliyun$alice@aliyun.com; --Add the user add user aliyun$alice@aliyun.com; --Add the user create role worker; --Create a role grant worker TO aliyun$alice@aliyun.com; --Grant the role grant worker TO aliyun$bob@aliyun.com; --Grant the role grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker; --Authorize the role - Cross-project Table/Resource/Function sharing
Following the preceding example, aliyun$alice@aliyun.com and ram$bob@aliyun.com:Allen have certain permissions in test_project_a. These two users must query table prj_b_test_table in test_project_b, and use test_project_b. UDF prj_b_test_udf.
The project administrator performs the following authorization operations for test_project_b:use test_project_b; --Open the project add user aliyun$alice@aliyun.com; --Add the user add user ram$bob@aliyun.com:Allen; --Add th RAM sub-account create role prj_a_worker; --Create a role grant prj_a_worker TO aliyun$alice@aliyun.com; --Grant the role grant prj_a_worker TO ram$bob@aliyun.com:Alice; --Grant the role grant Describe , Select ON TABLE prj_b_test_table TO ROLE prj_a_worker; --Authorize the role grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker; --Authorize the role grant Read ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker; --Authorize the role --After authorization, the two users query table and use udf in test_project_a as follows: use test_project_a; select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
|
Note |
If UDF is created in test_project_a, then only Resource authorization is required. Use the following code: |