Use a package - Security Management| Alibaba Cloud Documentation Center

This topic describes the operations that are related to the creator and users of a package in a project.

Entities of a package

A package involves two entities: package creator and package user.

Package creator: a supplier who provides resources of a project. The creator packages the resources of a project that the creator wants to share and the access permissions on the resources into a file. Then, the creator allows package users to install and use this package.
Package user: a user who uses the resources of a project. A package user can access resources across projects after the user installs the package provided by the creator.

Limits

Before you use a package, take note of the following limits:

A package can be installed for a maximum of 100,000 MaxCompute projects.
A maximum of 100 packages in a MaxCompute project can be installed for another MaxCompute project.
A maximum of 100,000 packages can be created for a MaxCompute project.
A maximum of 100,000 packages can be installed for a MaxCompute project.
A maximum of 1,000 resources can be added to a package.

Package creator

Create a package. Only the owner of a project has the permissions to create a package.
```
create package <pkgname>;
```
pkgname: the name of the package that you want to create. The package name cannot exceed 128 characters.
Add resources that the creator wants to share to a package.
```
-- Add an object to a package. 
add project_object to package package_name [with privileges privileges]; 
-- Remove objects from a package. 
remove project_object from package package_name; 
project_object ::= table table_name |
                   table view_name |
                instance inst_name |
                function func_name |
                resource res_name
privileges ::= action_item1, action_item2, ...
```
Description:
- Projects cannot be used as objects. Therefore, you cannot use a package in a project to create objects in other projects.
- When you add resources to a package, do not prefix the project name to the object name. For example, if you want to add a table named table_test to a package in the prj1 project, the name of the table cannot be prj1.table_test. The table name must be table_test.
- When you add resources, you can use an asterisk (*) as a regular expression in the statement that is used to add the resources. For example, add tables * to package package_name; is used to add all tables to a package.
- The object and its permissions are added to a package at the same time. If you do not specify permissions by using the parameter [with privileges privileges], only the read-only permissions on the object are assigned. The read-only permissions include READ, DESCRIBE, and SELECT. The object and its permissions are inseparable and cannot be updated after you add them to a package. If you want to update them, you must remove the object from the package and add the object and its permissions again.
- An object is not packaged as a snapshot. Therefore, when the data of an object is updated, the data accessed by package users is the new data of the object.
Allow other projects to use a package.
```
allow project <prjname> to install package <pkgname> [using label <number>];
```
using label <number>: optional. You can specify this parameter to add a column-level policy for authorizing a project to access the package. The authorized project can access the package, but it can access or read only the columns whose label level is lower than or equal to the level specified by number. The columns whose label level is higher than the level specified by number cannot be accessed or read.
Revoke the permissions for other projects to use a package.
```
disallow project <prjname> to install package <pkgname>;
```
Delete a package.
```
delete package <pkgname>;
```
View the list of packages that are created and installed.
```
show packages;
```
View the details of a package.
```
describe package <pkgname>;
```

Package user

Install a package. Only the owner of a project has the permissions to install a package in the project.
```
install package <pkgname>;
```
If you want to install a package, you must specify pkgname in the <projectName>.<packageName> format.
Uninstall a package.
```
uninstall package <pkgname>;
```
If you want to uninstall a package, you must specify pkgname in the <projectName>.<packageName> format.
View packages.
- View the packages that are created and installed.
```
show packages; 
```
- View the details of a package.
```
describe package <pkgname>; 
```
Grant access to a package to other members or roles of this project.
The installed package is a type of independent object in MaxCompute. If you want to access resources that are shared by other projects in a package, you must have the READ permission on the package. If you do not have this permission, you must apply for this permission from the owner or administrator of the project. The owner or administrator of the project can grant you the READ permission by using access control list (ACL) rules.
Execute one of the following statements to grant a specific permission on the package to a user or a role:
```
grant <actions> on package <pkgName> to user <username>;
grant <actions> on package <pkgName> to role <role_name>;
```
Note After authorization, the user or the users who assigned the role have the permissions to access objects in the package only in this project.
Sample statements:
- The ACL rules allow the Alibaba Cloud account aliyun$odps_test@aliyun.com to access resources in the package.
```
use prj2;
install package prj1.testpkg;
grant read on package prj1.testpackage to user aliyun$odps_test@aliyun.com;
```
- The ACL rules allow all members that are assigned the role_dev role to access resources in the package.
```
use prj2;
install package prj1.testpkg;
grant read on package prj1.testpackage to role role_dev;
```

Example

Jack is the administrator of the prj1 project. John is the administrator of the prj2 project. Jack wants to share some resources of the prj1 project with the prj2 project owned by John. The resources include the datamining.jar file and the sampletable table. If Bob in the prj2 project wants to access these resources, John can use ACL-based authorization to grant permissions to Bob, without the assistance of Jack.

Jack creates a package in the prj1 project.

use prj1;
create package datamining; -- Create a package. 
add resource datamining.jar to package datamining; -- Add resources to the package. 
add table sampletable to package datamining; -- Add a table to the package. 
allow project prj2 to install package datamining; -- Allow the prj2 project to install the package.

John installs the package in the prj2 project.

use prj2;
install package prj1.datamining; -- Install the package. 
describe package prj1.datamining; -- View resources in the package.

John grants Bob the permissions to use the package.

use prj2;
grant Read on package prj1.datamining to user aliyun$bob@aliyun.com; -- Grant Bob the permissions to use the package by using ACL rules.