This topic describes the operations that are related to the creator and users of a package in a project.

Entities of a package

A package involves two entities: package creator and package user.
  • The project to which the package creator belongs provides resources. The creator packages both the resources that the creator wants to share and the access permissions into a file. Then, package users can download the package to use these resources.
  • The project to which the package user belongs uses the resources. A user can access resources across projects after the user downloads the package provided by the creator.

The following section describes the operations related to the package creator and package users.

Package creator

  • Create a package. Only the owner of the project has the permissions to create a package.
    create package <pkgname>;

    pkgname: The name of the created package cannot exceed 128 characters.

  • Add resources that the creator wants to share to a package.
    -- Add an object to a package. 
    add project_object to package package_name [with privileges privileges]; 
    -- Remove an object from a package. 
    remove project_object from package package_name; 
    project_object ::= table table_name |
                   instance inst_name |
                   function func_name |
                   resource res_name
    privileges ::= action_item1, action_item2, ...
    Description:
    • Projects cannot be used as objects. Therefore, you cannot use a package to create objects in projects.
    • When you add resources to a package, do not prefix the project name to the object name. For example, if you want to add a table named table_test to a package in the prj1 project, the name of the table cannot be prj1.table_test. The name must be table_test.
    • The object and its permissions are added to a package at the same time. If you do not specify permissions by using the parameter [with privileges privileges], the permissions on the object are read-only by default. The read-only permissions include READ, DESCRIBE, and SELECT. The object and its permissions are inseparable and cannot be updated after you add them to a package. If you want to update them, you must remove the object from the package and add it again.
    • An object is not packaged as a snapshot. Therefore, when the data of an object is updated, the data accessed by package users is the new data of the object.
  • Allow other projects to use a package.
    allow project <prjname> to install package <pkgname> [using label <number>];

    using label <number>: optional. You can use this parameter to add a column-level permission policy for authorizing a project to access the package. The authorized project can access the package, but it can only access or read columns whose label level is lower than or equal to the level specified by number. The authorized project cannot access or read columns whose label level is higher than the level specified by number.

  • Revoke the permissions for other projects to use this package.
    disallow project <prjname> to install package <pkgname>;
  • Delete the package.
    delete package <pkgname>;
  • View the list of packages that are created and downloaded.
    show packages;
  • View the details of a package.
    describe package <pkgname>;

Package user

  • Install a package. Only the project owner has the permissions to install a package.
    install package <pkgname>;

    If you want to install a package, you must specify pkgname in the <projectName>.<packageName> format.

  • Uninstall a package.
    uninstall package <pkgname>;

    If you want to uninstall a package, you must specify pkgname in the <projectName>.<packageName> format.

  • View packages.
    • View the list of packages that are created and installed.
      show packages; 
    • View the details of a package.
      describe package <pkgname>; 
  • Grant access to a package to other members or roles of this project.

    The downloaded package is an independent object in MaxCompute. If you want to access resources that are shared by other projects in a package, you must have the READ permission on the package. If you do not have this permission, you must apply for the permission from the owner or administrator of the project. The owner or administrator of the project can grant you the permission by using access control list (ACL) rules.

    Execute the following statement to grant a specific permission on the package to a user or a role.
    grant <actions> on package <pkgName> to user <username>;
    grant <actions> on package <pkgName> to role <role_name>;
    Note After authorization, you have the permissions to access objects in the package only in this project.
    Examples
    • The ACL rules allow the Alibaba Cloud account aliyun$odps_test@aliyun.com to access resources in the package.
      use prj2;
      install package prj1.testpkg;
      grant read on package prj1.testpackage to user aliyun$odps_test@aliyun.com;
    • The ACL rules allow all members that are assigned the role_dev role to access resources in the package.
      use prj2;
      install package prj1.testpkg;
      grant read on package prj1.testpackage to role role_dev;

Scenarios

Jack is the administrator of the prj1 project. John is the administrator of the prj2 project. Jack wants to share some resources of the prj1 project, such as the datamining.jar file and the sampletable table file, to the prj2 project. If a user Bob in the prj2 project wants to access these resources, John can use the ACL rules to grant permissions to Bob. In this process, Jack is not involved.
  1. Jack creates a package in the prj1 project.
    use prj1;
    create package datamining; -- Create a package. 
    add resource datamining.jar to package datamining; -- Add resources to the package. 
    add table sampletable to package datamining; -- Add a table to the package. 
    allow the prj2 project to install package datamining; -- Share the package with the prj2 project. 
  2. John installs the package in the prj2 project.
    use prj2;
    install package prj1.datamining; -- Install a package. 
    describe package prj1.datamining; -- View resources in the package. 
  3. John grants Bob the permissions to use the package.
    use prj2;
    grant Read on package prj1.datamining to user aliyun$bob@aliyun.com; -- Authorize Bob to use the package by using ACL rules.