Authorization

Last Updated: Jun 23, 2016

Normally, an authorization operation involves three elements: a subject, an object and an action. In MaxCompute, the subject is a user, the object is any object in the project, and the action is specific to the object's type. Different object types support different actions.

A MaxCompute project supports the following object types and actions:

| Object Type | Action | Description |
| --- | --- | --- |
| Project | Read | View the CreateTime and other information about a project, excluding any objects of the project. |
| Project | Write | Update Comments and other information of a project, excluding any objects of the project. |
| Project | List | View the list of all objects in the project. |
| Project | CreateTable | Create a Table in the project. |
| Project | CreateInstance | Create an Instance in the project. |
| Project | CreateFunction | Create a Function in the project. |
| Project | CreateResource | Create a Resource in the project. |
| Project | All | Has all privileges mentioned above. |
| Table | Describe | Read meta information of a Table. |
| Table | Select | Read the data of a Table. |
| Table | Alter | Alter the meta information of a Table. |
| Table | Update | Override or add data in a Table. |
| Table | Drop | Drop the Table. |
| Table | All | Has all privileges mentioned above. |
| Function | Read | Read the function. |
| Function | Write | Update the function. |
| Function | Execute | Execute the function. |
| Function | Delete | Delete the function. |
| Function | All | Has all privileges mentioned above. |
| Resource, Instance, Job, Volume | Read | Read the objects. |
| Resource, Instance, Job, Volume | Write | Update the objects. |
| Resource, Instance, Job, Volume | Delete | Delete the objects. |
| Resource, Instance, Job, Volume | All | Has all privileges mentioned above. |

Notes:

  • In the privilege descriptions above, the CreateTable action on Project-type objects and the Select, Alter, Update and Drop actions on Table-type objects must be combined with the CreateInstance privilege on the Project-type object: these actions cannot be carried out unless CreateInstance has also been granted. This is a consequence of the internal implementation of ODPS. In particular, granting Select on a Table without CreateInstance on the project does not allow the user to query that table.

After adding a user or creating a role, grant privileges to that user or role. ACL authorization is object-based: the Access Control List produced by authorization is treated as a sub-resource of the object, so an authorization operation can only be executed if the object already exists, and once the object is dropped its privilege data is deleted automatically.

ACL authorization uses a syntax similar to the GRANT/REVOKE syntax defined in SQL92: simple authorization statements grant or revoke privileges on existing objects in a project.

The authorization statements are shown as follows:

    grant actions on object to subject
    revoke actions on object from subject
    actions ::= action_item1, action_item2, ...
    object  ::= project project_name | table schema_name |
                instance inst_name | function func_name |
                resource res_name
    subject ::= user full_username | role role_name

If you are familiar with the GRANT/REVOKE syntax of SQL92 or Oracle database security management, you will notice that the ACL authorization syntax of ODPS does not support the [WITH GRANT OPTION] parameter. That is, when user A grants user B a privilege on an object, user B cannot pass that privilege on to user C. Therefore, the user who performs an authorization action must be one of the following:

  • Project Owner
  • A user with admin role in the project
  • Object creator in the project

The following is a simple example of ACL authorization:

Scenario: the Aliyun account users alice@aliyun.com and bob@aliyun.com are new members of the project test_project. They need to submit jobs, create tables and view existing objects in test_project.

The authorization actions executed by the project owner:

    use test_project; --Use a project.
    add user aliyun$alice@aliyun.com; --Add a user.
    add user aliyun$bob@aliyun.com; --Add a user.
    create role worker; --Create a role.
    grant worker TO aliyun$alice@aliyun.com; --Grant the role to a user.
    grant worker TO aliyun$bob@aliyun.com; --Grant the role to a user.
    grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker; --Grant privileges to the role.
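As an added example (not part of the MaxCompute documentation or its tooling), the following Python checker replays statements written in the grammar above, resolves a user's privileges through role membership, and flags grants that the note on CreateInstance makes unusable in practice. The regular expressions, function names and the constructed statement list are my own assumptions, and the check assumes all objects belong to a single project.

```python
import re

# Per the note above: these actions need CreateInstance (or All) on the project to work.
NEEDS_CREATE_INSTANCE = {"project": {"createtable"},
                         "table": {"select", "alter", "update", "drop"}}
ACL_RE = re.compile(  # grant|revoke <actions> on <type> <name> to|from user|role <name>
    r"^(?P<verb>grant|revoke)\s+(?P<actions>[\w\s,]+?)\s+on\s+"
    r"(?P<otype>project|table|instance|function|resource)\s+(?P<oname>[^\s;]+)\s+"
    r"(?:to|from)\s+(?P<stype>user|role)\s+(?P<sname>[^\s;]+)\s*;?$", re.I)
ROLE_RE = re.compile(r"^grant\s+(?P<role>\w+)\s+to\s+(?P<user>[^\s;]+)\s*;?$", re.I)

def replay(statements):
    """Apply statements in order; returns (acl[(stype, name)][(otype, oname)], membership[user])."""
    acl, membership = {}, {}
    for raw in statements:
        stmt = raw.split("--")[0].strip()  # drop trailing -- comments
        if m := ROLE_RE.match(stmt):       # grant <role> to <user>: role membership
            membership.setdefault(m["user"], set()).add(m["role"].lower())
        elif m := ACL_RE.match(stmt):      # object ACL grant / revoke
            held = (acl.setdefault((m["stype"].lower(), m["sname"]), {})
                       .setdefault((m["otype"].lower(), m["oname"]), set()))
            actions = {a.strip().lower() for a in m["actions"].split(",") if a.strip()}
            if m["verb"].lower() == "grant":
                held |= actions
            else:
                held -= actions
        elif stmt and not stmt.lower().startswith(("use ", "add user ", "create role ")):
            raise ValueError(f"unrecognized statement: {stmt!r}")
    return acl, membership

def effective(acl, membership, user):
    """Privileges a user holds directly or through roles: {(otype, oname): actions}."""
    out = {}
    for subj in [("user", user)] + [("role", r) for r in membership.get(user, ())]:
        for obj, actions in acl.get(subj, {}).items():
            out.setdefault(obj, set()).update(actions)
    return out

def ineffective(privs, project):
    """Granted actions that still cannot run because CreateInstance on `project` is absent."""
    if privs.get(("project", project), set()) & {"createinstance", "all"}:
        return []
    return sorted((obj, a) for obj, acts in privs.items()
                  for a in acts & NEEDS_CREATE_INSTANCE.get(obj[0], set()))

# Constructed sample: the listing above, plus one table grant and a later revoke.
SAMPLE = ["use test_project; --Use a project", "add user aliyun$alice@aliyun.com;",
          "create role worker;", "grant worker TO aliyun$alice@aliyun.com;",
          "grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT test_project TO ROLE worker;",
          "grant Describe, Select ON TABLE sales TO USER aliyun$alice@aliyun.com;",
          "revoke CreateInstance ON PROJECT test_project FROM ROLE worker;"]
```

Running `ineffective(effective(*replay(SAMPLE), "aliyun$alice@aliyun.com"), "test_project")` reports that, after the revoke, alice's CreateTable and Select grants can no longer be exercised.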