This topic describes how to authorize users to manage objects in a MaxCompute project, for example, to read, write, and query table data, query resource information, and execute functions.
Overview
After members are added to a project, the members can perform operations in the project only after the project owner or project administrators grant the required permissions to them.
MaxCompute provides several methods to control permissions, including access control list (ACL)-based or policy-based authorization, resource sharing across projects, and project data protection. To manage permissions, you must identify the subject, the object, and the action. We recommend that you use ACL-based authorization rather than policy-based authorization wherever possible.
If you use ACL-based authorization, the subject can be a user or a role. The object can be a project or an object in a project, such as a table, function, resource, or instance. The available actions depend on the object type. You can authorize a subject only on an object that already exists. If the object is deleted, the permissions granted on it are deleted automatically.
Object types and actions that MaxCompute projects support
Object | Operation | Description |
---|---|---|
Project | Read | Views information about a project, such as the creation time, excluding information about objects in the project. |
Project | Write | Updates information about a project, such as comments, excluding information about objects in the project. |
Project | List | Queries all types of objects in a project. |
Project | CreateTable | Creates tables in a project. |
Project | CreateInstance | Creates instances in a project. |
Project | CreateFunction | Creates functions in a project. |
Project | CreateResource | Creates resources in a project. |
Project | All | Has all of the preceding project permissions. |
Table | Describe | Reads metadata from tables. |
Table | Select | Reads data from tables. |
Table | Alter | Modifies metadata of tables and creates or deletes table partitions. |
Table | Update | Overwrites data in tables or appends data to tables. |
Table | Drop | Deletes tables. |
Table | ShowHistory | Queries the backup history of tables. |
Table | All | Has all of the preceding table permissions. |
Function | Read | Reads function information. |
Function | Write | Updates functions. |
Function | Delete | Deletes functions. |
Function | Execute | Executes functions. |
Function | All | Has all of the preceding function permissions. |
Resource | Read | Reads resource information. |
Resource | Write | Updates resources. |
Resource | Delete | Deletes resources. |
Resource | All | Has all of the preceding resource permissions. |
Instance | Read | Reads instance information. |
Instance | Write | Updates instances. |
Instance | All | Has both of the preceding instance permissions. |
- In MaxCompute, permissions on views must be separately granted in the same way as tables.
- The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in a project must be used together with the CreateInstance permission on the project in which you perform operations. A user who does not have the CreateInstance permission on a project cannot complete the CreateTable, Select, Alter, Update, or Drop operation in the project. For example, to read data from tables of project B in project A, you must have the CreateInstance permission on project A and the Select permission on tables of project B.
Authorization syntax in MaxCompute
grant actions on object to subject
revoke actions on object from subject
actions ::= action_item1, action_item2, ...
object ::= project project_name | table schema_name |
instance inst_name | function func_name |
resource res_name
subject ::= user full_username | role role_name
- When you use ACL-based authorization, the [WITH GRANT OPTION] parameter cannot be used. For example, if user A authorizes user B to access an object, user B cannot authorize user C to access the same object by using the [WITH GRANT OPTION] parameter.
- Only the following roles have the permission to authorize users in a project:
  - Project owner
  - Project administrator
  - Object creator
- After you log on to MaxCompute with an Alibaba Cloud account, you can authorize other Alibaba Cloud accounts and Resource Access Management (RAM) users under the current Alibaba Cloud account. You cannot authorize RAM users under other Alibaba Cloud accounts.
Example:
- ACL-based authorization
Alice has an Alibaba Cloud account alice@aliyun.com. Allen is a RAM user under the Alibaba Cloud account bob@aliyun.com. Your Alibaba Cloud account is bob@aliyun.com and you are the project administrator of the test_project_a project. After you log on, you can run the following commands to grant permissions, such as the CreateInstance, CreateTable, and List permissions, to Alice and Allen:
```sql
-- Go to the test_project_a project.
use test_project_a;
-- Add Alice as a member of the project.
add user aliyun$alice@aliyun.com;
-- Add Allen as a member of the project.
add user ram$bob@aliyun.com:Allen;
-- Create a worker role.
create role worker;
-- Assign the worker role to the added members.
grant worker TO aliyun$alice@aliyun.com;
grant worker TO ram$bob@aliyun.com:Allen;
-- Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions to the worker role.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project_a TO ROLE worker;
-- Grant all instance permissions to the worker role.
grant all on instance instance_name to Role worker;
```
- Resource sharing across projects
Alice and Allen with the granted permissions in the preceding example need to query data in the prj_b_test_table table of the test_project_b project and use the prj_b_test_udf function of the project. You are also the project administrator of the test_project_b project. After you log on, you can run the following commands to grant permissions on the test_project_b project to Alice and Allen:
```sql
-- Go to the test_project_b project.
use test_project_b;
-- Add Alice and Allen as members of the project.
add user aliyun$alice@aliyun.com;
add user ram$bob@aliyun.com:Allen;
-- Create the prj_a_worker role.
create role prj_a_worker;
-- Assign the prj_a_worker role to the added members.
grant prj_a_worker TO aliyun$alice@aliyun.com;
grant prj_a_worker TO ram$bob@aliyun.com:Allen;
-- Grant permissions to the prj_a_worker role.
grant Describe, Select ON TABLE prj_b_test_table TO ROLE prj_a_worker;
grant Read ON Function prj_b_test_udf TO ROLE prj_a_worker;
grant Read ON Resource prj_b_test_udf_resource TO ROLE prj_a_worker;
```
After permissions are granted, the two members can execute the following commands in the test_project_a project to query data in the prj_b_test_table table of the test_project_b project and use the prj_b_test_udf function of the test_project_b project:
```sql
use test_project_a;
select test_project_b:prj_b_test_udf(arg0, arg1) as res from test_project_b.prj_b_test_table;
```
To create a user-defined function (UDF) in the test_project_a project by using resources of the test_project_b project, the members can run the following command:
```sql
create function function_name as 'com.aliyun.odps.compiler.udf.PlaybackJsonShrinkUdf' using 'test_project_b/resources/odps-compiler-playback.jar' -f;
```
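The ACL rules of this topic (a grant is bound to an object that must exist and disappears when the object is dropped, a subject is a user or a role, All expands to every action of the object type, and CreateTable, Select, Alter, Update, and Drop only take effect together with CreateInstance on the project the job runs in) as an added Python model of the access decision for the Alice/worker cross-project scenario above. This is illustrative code, not part of the MaxCompute documentation or product; user, role, and object names are constructed, and the model does not represent the implicit rights of the project owner or administrators, which the topic does not enumerate.

```python
from collections import defaultdict
# Every action each object type supports (from the table above); "All" expands to this.
ALL_ACTIONS = {
    "project": {"Read", "Write", "List", "CreateTable", "CreateInstance",
                "CreateFunction", "CreateResource"},
    "table": {"Describe", "Select", "Alter", "Update", "Drop", "ShowHistory"},
    "function": {"Read", "Write", "Delete", "Execute"},
    "resource": {"Read", "Write", "Delete"},
    "instance": {"Read", "Write"},
}
# Actions that only work together with CreateInstance on the project the job runs in.
NEEDS_CREATE_INSTANCE = {"CreateTable", "Select", "Alter", "Update", "Drop"}


class Acl:
    def __init__(self):
        self.objects = set()            # existing (type, name) pairs (constructed names)
        self.grants = defaultdict(set)  # (subject, type, name) -> granted actions
        self.roles = defaultdict(set)   # role name -> set of users holding it

    def create(self, otype, name):
        self.objects.add((otype, name))

    def drop(self, otype, name):
        # Dropping an object also deletes every grant made on it.
        self.objects.discard((otype, name))
        for key in [k for k in self.grants if k[1:] == (otype, name)]:
            del self.grants[key]

    def grant(self, actions, otype, name, subject):
        # grant actions on object to subject; the object must already exist.
        if (otype, name) not in self.objects:
            raise ValueError(f"{otype} {name} does not exist")
        acts = ALL_ACTIONS[otype] if "All" in actions else set(actions)
        self.grants[(subject, otype, name)] |= acts

    def revoke(self, actions, otype, name, subject):
        self.grants[(subject, otype, name)] -= set(actions)

    def _holds(self, user, action, otype, name):
        # A user holds a permission directly or through any role assigned to them.
        subjects = {user} | {r for r, members in self.roles.items() if user in members}
        return any(action in self.grants.get((s, otype, name), ()) for s in subjects)

    def allowed(self, user, action, otype, name, current_project):
        # Can `user`, working in `current_project`, perform `action` on the object?
        if not self._holds(user, action, otype, name):
            return False
        if action in NEEDS_CREATE_INSTANCE:
            return self._holds(user, "CreateInstance", "project", current_project)
        return True
```

The second assertion in a test of this model is the point of the note above: Select on test_project_b's table is granted, but without CreateInstance on test_project_b the same query fails when run from that project.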