This topic describes how to authorize users to manage the objects in a MaxCompute project, for example, to read, write, and query table data, query resource information, and execute functions.
After members are added to a project, the members can perform operations in the project only after the project owner or project administrators grant the required permissions to them.
MaxCompute provides various authorization methods, including access control list (ACL)-based or policy-based authorization, resource sharing across projects, and project data protection. Authorization involves three elements: subject, object, and action. We recommend that you use ACL-based authorization instead of policy-based authorization.
If you use ACL-based authorization, the subject can be a user or a role. The object can be a project or an object in a project, such as table, function, resource, or instance. The action varies based on the object type. You can authorize a subject only if a specific object exists. If the object is deleted, the granted permissions are automatically deleted.
Object types and actions that MaxCompute projects support
| Object type | Action | Description |
| --- | --- | --- |
| Project | Read | Views information about a project, such as its creation time. The information does not include information about the objects in the project. |
| Project | Write | Updates information about a project, such as comments. The information does not include information about the objects in the project. |
| Project | List | Queries all types of objects in a project. |
| Project | CreateTable | Creates tables in a project. |
| Project | CreateInstance | Creates instances in a project. |
| Project | CreateFunction | Creates functions in a project. |
| Project | CreateResource | Creates resources in a project. |
| Project | All | Has all of the preceding project permissions. |
| Table | Describe | Reads the metadata of tables. |
| Table | Select | Reads the data in tables. |
| Table | Alter | Modifies the metadata of tables and creates or deletes table partitions. |
| Table | Update | Overwrites data in tables or appends data to tables. |
| Table | ShowHistory | Queries the backup history of tables. |
| Table | All | Has all of the preceding table permissions. |
| Function | Read | Reads function information. |
| Function | All | Has all of the preceding function permissions. |
| Resource | Read | Reads resource information. |
| Resource | All | Has all of the preceding resource permissions. |
| Instance | Read | Reads instance information. |
| Instance | All | Has both of the preceding instance permissions. |
- In MaxCompute, permissions on views must be separately granted in the same way as tables.
- The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in a project must be used together with the CreateInstance permission on the project in which you perform operations.
A user who does not have the CreateInstance permission on a project cannot perform the operations that require the preceding permissions. For example, to read data from the tables of project B in project A, you must have the CreateInstance permission on project A and the Select permission on the tables of project B.
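The two-grant rule above is easy to get wrong when reviewing who can read what, so here is an added example (not part of the MaxCompute documentation and not MaxCompute's own code) that models ACL grants to users and roles in memory and checks a cross-project `select` the way the rule describes: CreateInstance must be held on the project where the query is submitted, and Select on the table in the table's own project. The `AclModel` class, its method names, and the users `alice` and `bob` are constructed for illustration; the project, table and role names come from the page's examples.

```python
"""Added example (not part of the MaxCompute documentation): a small model of
ACL grants to users and roles, used to show why reading a table from another
project needs two independent grants: CreateInstance on the project where the
query is submitted and Select on the table in the table's own project."""
from collections import defaultdict


class AclModel:
    """Hypothetical in-memory stand-in for a project's ACL; names are constructed."""

    def __init__(self):
        # (subject, object_type, object_name) -> set of lower-cased actions
        self._grants = defaultdict(set)
        # user -> set of roles assigned to that user
        self._roles = defaultdict(set)

    def grant(self, actions, obj_type, obj_name, subject):
        """Mirror of `grant <actions> on <object> to <subject>`."""
        self._grants[(subject, obj_type.lower(), obj_name)].update(
            a.lower() for a in actions)

    def revoke(self, actions, obj_type, obj_name, subject):
        """Mirror of `revoke <actions> on <object> from <subject>`."""
        self._grants[(subject, obj_type.lower(), obj_name)].difference_update(
            a.lower() for a in actions)

    def assign_role(self, role, user):
        """Mirror of `grant <role> to <user>`."""
        self._roles[user].add(role)

    def has(self, user, obj_type, obj_name, action):
        """True if the user, or any role assigned to the user, holds the action
        (or All) on the object."""
        subjects = {user} | self._roles[user]
        action = action.lower()
        for subject in subjects:
            acts = self._grants.get((subject, obj_type.lower(), obj_name), set())
            if "all" in acts or action in acts:
                return True
        return False


def can_select_table(acl, user, working_project, table_project, table):
    """Return (allowed, reason) for `select ... from table_project.table`
    submitted while the session is in working_project."""
    if not acl.has(user, "project", working_project, "CreateInstance"):
        return False, f"missing CreateInstance on project {working_project}"
    qualified = f"{table_project}.{table}"
    if not acl.has(user, "table", qualified, "Select"):
        return False, f"missing Select on table {qualified}"
    return True, "allowed"


if __name__ == "__main__":
    acl = AclModel()
    # Grants from the page's examples, replayed against the model.
    acl.grant(["CreateInstance", "List"], "project", "test_project_a", "worker")
    acl.assign_role("worker", "alice")
    acl.grant(["Describe", "Select"], "table",
              "test_project_b.prj_b_test_table", "prj_a_worker")
    acl.assign_role("prj_a_worker", "alice")
    # Submitted in test_project_a: both grants present.
    print(can_select_table(acl, "alice", "test_project_a",
                           "test_project_b", "prj_b_test_table"))
    # Submitted in test_project_b: Select is there, CreateInstance is not.
    print(can_select_table(acl, "alice", "test_project_b",
                           "test_project_b", "prj_b_test_table"))
```

The second call fails even though the user can read the table, which is the situation the paragraph above warns about: a missing CreateInstance on the project where the job runs is reported as a project-level problem, not as a table-permission problem.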
Authorization syntax in MaxCompute
```
grant <actions> on <object> to <subject>
revoke <actions> on <object> from <subject>

actions ::= action_item1, action_item2, ...
object  ::= project project_name | table schema_name | instance inst_name | function func_name | resource res_name
subject ::= user full_username | role role_name
```
- actions: specifies one or more actions. Separate multiple actions with commas (,). You can view the supported actions in Object types and actions that MaxCompute projects support.
- object: specifies an object type. You can view the supported object types in Object types and actions that MaxCompute projects support.
- subject: specifies the user or role that you want to authorize.
- MaxCompute also supports access control at the column level. Syntax:

  ```sql
  grant <actions> on table <table_name>[(column_list)] to <subject>;
  revoke <actions> on table <table_name>[(column_list)] from <subject>;
  ```

  - table_name: specifies the name of a table.
  - column_list: specifies the names of the columns to authorize in that table. Set this parameter only if you want to grant permissions at the column level. Separate multiple column names with commas (,).
- If you use ACL-based authorization, you can add conditions to implement access control from more dimensions. You can also set the expiration time for permissions. Syntax:

  ```sql
  grant <actions> on <object> to <subject> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
  ```

  - conditions: Set this parameter in the `"<var_name> <Operation> constant" and "<var_name> <Operation> constant" and ...` format. The following table lists the supported values of var_name and Operation.

    | var_name | Data type | Operation | Description |
    | --- | --- | --- | --- |
    | acs:UserAgent | STRING | | The user agent of the client that sent a request. |
    | acs:Referer | STRING | | The HTTP referer of a request. |
    | acs:SourceIp | IP address | not in (...) | The IP address of the client that sends a request. |
    | acs:SecureTransport | BOOLEAN | | Specifies whether a request is sent over a secure channel, such as an HTTPS channel. |
    | acs:CurrentTime | Date and time | | The time at which the web server receives a request. The value must be in the ISO 8601 format, such as 2012-11-11T23:59:59Z. |

  - expires: specifies the expiration time of the permissions, in days.
- If you use ACL-based authorization, the `[WITH GRANT OPTION]` parameter cannot be used. For example, if User A authorizes User B to access an object, User B cannot authorize User C to access the same object.
- Only the following roles have the permissions to authorize users in a project:
- Project owner
- Project administrator
- Object creator
- A user with an Alibaba Cloud account can authorize only their own RAM users but cannot authorize RAM users of other Alibaba Cloud accounts.
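To make the `privilegeproperties` semantics concrete, here is an added example (not MaxCompute's own implementation, and not code from the page): a reference evaluator that applies the expiry in days and then the `and`-joined condition clauses to a constructed request context. The `in` and `=` operators are assumptions, since the page itself shows only `not in (...)`; acs:CurrentTime is left out because the page names no comparison operator for it, and the `granted_at` field on the sample grant is a constructed bookkeeping value used to apply `expires`.

```python
"""Added example (not MaxCompute's own implementation): a reference
evaluator for the privilegeproperties conditions and expiry described
above, run against constructed request contexts.  The `in` and `=`
operators are assumptions; the page itself only shows `not in (...)`.
acs:CurrentTime is not handled because no comparison operator for it
appears on the page."""
import ipaddress
import re
from datetime import datetime, timedelta

CLAUSE_RE = re.compile(r'"([^"]+)"')                      # each quoted clause
COND_RE = re.compile(r'^(\S+)\s+(not in|in|=)\s+(.+)$')   # var_name Operation constant


def parse_constants(text):
    """'(\'10.0.0.0/8\', \'192.0.2.1\')' -> ['10.0.0.0/8', '192.0.2.1'];
    a bare constant such as true -> ['true']."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [c.strip().strip("'\"") for c in text.split(",") if c.strip()]


def _matches(var_name, request_value, constant):
    # IP constants may be single addresses or CIDR ranges; everything else
    # is compared as a case-insensitive string.
    if var_name == "acs:SourceIp":
        return ipaddress.ip_address(request_value) in ipaddress.ip_network(constant, strict=False)
    return str(request_value).lower() == constant.lower()


def conditions_allow(conditions, request):
    """True only if every clause holds (clauses are joined with `and`).
    A request that lacks an attribute named in a clause is denied (fail closed)."""
    for clause in CLAUSE_RE.findall(conditions):
        m = COND_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable condition: {clause!r}")
        var_name, op, const_text = m.groups()
        if var_name not in request:
            return False
        hit = any(_matches(var_name, request[var_name], c)
                  for c in parse_constants(const_text))
        if (op == "not in" and hit) or (op in ("in", "=") and not hit):
            return False
    return True


def grant_allows(grant, request, now_iso):
    """Apply the expiry first, then the conditions.  `grant` carries the
    privilegeproperties plus the time it was issued (constructed field)."""
    granted_at = datetime.fromisoformat(grant["granted_at"])
    if datetime.fromisoformat(now_iso) > granted_at + timedelta(days=grant["expires"]):
        return False
    return conditions_allow(grant["conditions"], request)


# Constructed sample: access allowed only from 10.0.0.0/8, over a secure
# channel, for 30 days after the grant was issued.
SAMPLE_GRANT = {
    "conditions": "\"acs:SourceIp in ('10.0.0.0/8')\" and \"acs:SecureTransport = true\"",
    "expires": 30,
    "granted_at": "2024-01-01T00:00:00+00:00",
}

if __name__ == "__main__":
    req = {"acs:SourceIp": "10.1.2.3", "acs:SecureTransport": True}
    print(grant_allows(SAMPLE_GRANT, req, "2024-01-10T12:00:00+00:00"))  # True
    print(grant_allows(SAMPLE_GRANT, req, "2024-02-15T12:00:00+00:00"))  # False: expired
```

Two design choices are worth noting: an attribute missing from the request denies access rather than skipping the clause, and the expiry is checked before any clause, so a stale grant cannot be revived by a request that happens to satisfy its conditions.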
- ACL-based authorization
email@example.com is a new member of the test_project_a project. Allen is a RAM user of firstname.lastname@example.org. An Alibaba Cloud account can execute the following statements to grant permissions, including the permissions to submit jobs, create data tables, and query existing objects in a project:
```sql
-- Go to the test_project_a project.
use test_project_a;
-- Add a member to the project.
add user email@example.com;
-- Add a RAM user to the project.
add user firstname.lastname@example.org:Allen;
-- Create a role named worker.
create role worker;
-- Assign the worker role to the added members.
grant worker TO email@example.com;
grant worker TO firstname.lastname@example.org:Allen;
-- Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions on all objects in the test_project_a project to the worker role.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project_a TO ROLE worker;
-- Grant all instance permissions to the worker role.
grant all on instance instance_name to Role worker;
```
- Resource sharing across projects
Alice and Allen, with the permissions granted in the preceding example, want to query data in the prj_b_test_table table of the test_project_b project. They also want to use the prj_b_test_udf function of that project. The project administrator of the test_project_b project can execute the following statements to grant the required permissions to Alice and Allen:

```sql
-- Go to the test_project_b project.
use test_project_b;
-- Add members to the project.
add user email@example.com;
add user firstname.lastname@example.org:Allen;
-- Create the prj_a_worker role.
create role prj_a_worker;
-- Assign the prj_a_worker role to the added members.
grant prj_a_worker TO email@example.com;
grant prj_a_worker TO firstname.lastname@example.org:Allen;
-- Grant permissions to the prj_a_worker role.
grant Describe, Select ON TABLE prj_b_test_table TO ROLE prj_a_worker;
grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker;
grant Read ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker;
-- After authorization, the two members can execute the following statements in the test_project_a project to query the prj_b_test_table table and use the prj_b_test_udf function of the test_project_b project:
use test_project_a;
select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
```

To create a user-defined function (UDF) in the test_project_a project by using resources of the test_project_b project, the members can run the following command:

```sql
create function function_name as 'com.aliyun.odps.compiler.udf.PlaybackJsonShrinkUdf' using 'test_project_b/resources/odps-compiler-playback.jar' -f;
```
- Access control at the column level
ACL-based authorization supports access control at the column level. In the following example, a user with an Alibaba Cloud account creates a table named sale_detail. Then, the user grants the role worker the Describe and Select permissions on the shop_name and customer_id columns in the table.
```sql
-- Go to the test_project_a project.
use test_project_a;
-- Create a partitioned table named sale_detail.
create table if not exists sale_detail (
    shop_name string,
    customer_id string,
    total_price double
) partitioned by (sale_date string, region string);
-- Authorize the role worker at the column level.
grant Describe, Select on table sale_detail (shop_name, customer_id) to role worker;
```