Dataphin: Security settings

Last Updated: Aug 13, 2025

Security settings provide fine-grained control over data security and access. They let you set strict permission modes for projects and configure the switches and authentication mode for SPARK Batch tasks (Spark Jar, PySpark). This topic explains how to set up strict permission modes and configure SPARK Batch tasks (Spark Jar, PySpark).

Prerequisites

You need to purchase the Intelligent Development Edition or Basic Development Edition to use the security settings feature.

Strict permission mode

Background information

The Dataphin Management Center supports the project safe mode setting feature. Without this setting, the following security issues may arise:

  • Users can perform DDL operations across different projects without the project administrator's knowledge.

    Note

    For more information, see DDL statements.

  • In the same project, users can directly operate on Prod environment data in the Dev environment, leading to data leakage or accidental changes in the Prod environment.

    The table below uses the developer role as an example to show the operation permissions on a project when safe mode is enabled or disabled.

    | Operation | Default (permission mode not enabled) | Cross-project safe mode (enabled) | Production data safe mode (enabled) |
    | --- | --- | --- | --- |
    | All table operations in the current project's Dev environment | Supported | - | - |
    | All table operations in the current project's Prod environment | Supported | - | Not supported |
    | Cross-project query | Supported | - | - |
    | Cross-project DDL | Supported | Not supported | - |

    Important
    • After enabling safe mode, project data is more secure, but system performance may be affected. It is advisable to enable it based on business requirements.

    • A hyphen (-) indicates that the current operation is not governed by the cross-project safe mode or production data safe mode feature.

Default configuration of strict permission mode

  1. In the top menu bar of the Dataphin home page, select Management Center > Specification Settings.

  2. In the navigation pane on the left, select Data Access > Security Settings to enter the Security Settings page.

  3. On the Security Settings page, click the Strict Permission Mode tab, and in the Default Configuration area, enable or disable the cross-project safe mode and production data safe mode.

    The strict permission modes are described as follows.

    Cross-Project Security Mode:

    • Disabled: Allows cross-project execution of DDL tasks, provided that the permission to operate the target object is available.

    • Enabled: Prohibits cross-project execution and submission of DDL tasks (including creating, deleting, and modifying tables).

    Production Data Security Mode:

    • Disabled: Allows modification of Prod environment data in the Dev environment.

    • Enabled: The Dev environment cannot modify Prod environment data (including adding, deleting, and modifying tables).

      Note

      After enabling, to modify Prod environment data, you need to go through the publishing process. For details, see Publishing Center.

Project configuration of strict permission mode

Note
  • Projects that are not individually configured will adhere to the Default Configuration.

  • Each project can configure the safe mode only once.

  1. On the Strict Permission Mode tab, click the Add Safe Mode Configuration button.

  2. In the Add Safe Mode Configuration dialog box, select the projects that need to enable strict permission mode.

    The parameters are described as follows.

    Project: Select the projects for which to configure safe mode. Multiple selections are supported.

    Cross-Project Security Mode:

    • Enabled: Prohibits DDL (create, drop, alter) from any project to the current project.

    • Disabled: Allows accounts with permissions to perform DDL operations across projects.

    Production Data Security Mode:

    • Enabled: Prohibits DDL (create, drop, alter) of the project's production environment from any project.

    • Disabled: Allows accounts with permissions to perform DDL on the project's production environment data.

    Note

    After enabling, to modify Prod environment data, you need to go through the publishing process. For details, see Publishing Center.

  3. Click OK to complete the project-level strict permission mode configuration.

Project configuration list

  1. You can view the project's name, cross-project safe mode, and production data safe mode status in the project configuration list.

  2. (Optional) You can search for the target project by the project's name.

  3. You can perform the following operations on the target project.

    View safe mode description: Click the icon next to the cross-project safe mode or production data safe mode, and then click View Diagram to see the control details of cross-project safe mode and production data safe mode.

    Edit: Add or remove projects, and enable or disable cross-project safe mode and production data safe mode.

    Delete: A deleted project safe mode configuration cannot be restored. Proceed with caution.

SPARK_JAR_ON_MAX_COMPUTE tasks

Limits

  • When you use SPARK_JAR_ON_MAX_COMPUTE tasks, access to logical tables must be authenticated, including read and write permissions.

  • Different compute engines support various versions of SPARK_JAR_ON_MAX_COMPUTE tasks (for example, the MaxCompute engine defaults to SPARK V2.4.5, while the version for the Hadoop engine is to be determined).

  • SPARK_JAR_ON_MAX_COMPUTE task authentication mode can be enabled under the MaxCompute engine but is not available under the Hadoop engine (except for Inceptor).

  • Configuring this task is not supported when the compute engine is ArgoDB, Lindorm, StarRocks, GaussDB (DWS), Databricks, Doris, or SelectDB.

Procedure

  1. On the Security Settings page, click the SPARK_JAR_ON_MAX_COMPUTE Tasks tab to enable or disable SPARK_JAR_ON_MAX_COMPUTE tasks and authentication mode.

    The settings are described as follows.

    SPARK_JAR_ON_MAX_COMPUTE:

    • Disabled: Existing SPARK_JAR_ON_MAX_COMPUTE tasks can still be edited, deleted, executed, submitted, and published.

    • Enabled: Supports creating SPARK_JAR_ON_MAX_COMPUTE tasks.

    Authentication Mode:

    • Disabled: Authentication mode can be enabled only when the OpenAPI feature module is enabled.

    • Enabled: After authentication is enabled, the data access of SPARK Batch tasks (Spark Jar, PySpark) undergoes permission verification. If existing tasks do not have the corresponding permissions, task execution will fail.

      Note

      After enabling, logical tables can be accessed, and data tables can be accessed using logical projects and sections.

  2. Click OK to finalize the configuration.

Function authentication configuration

Note

By default, offline functions in all projects can be called using the project_name.function_name format. For projects with function authentication added, you need to request permission to use the functions.

Background information

Functions created in a project can be called from other projects, which poses a significant risk to data security. Controlling calls to offline functions is necessary to enhance data security.

  1. On the Security Settings page, click the Function Authentication Settings tab, then click the Add Project button.

  2. In the Add Project dialog box, configure the parameters.

    Project: Add the project to which the function belongs.

    Important

    If tasks in the production environment call functions from the selected project, this operation may cause production tasks to report errors. Please operate with caution.

  3. Click OK to complete the addition.

Project settings list

  1. You can view the name, environment, and description information of added projects.

  2. You can search using project name keywords.

  3. You can perform the following operations on the target project.

    Delete: Click the Delete icon in the operation column of the target project. After deletion, functions in that project will no longer be authenticated when called across projects.
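
Both cross-project safe mode and function authentication can cause existing tasks to fail once enabled, so it helps to list the affected tasks first. The following is an added example, not Dataphin code or an official tool: it scans task SQL for cross-project DDL and for `project_name.function_name(...)` calls into the projects you plan to protect. The task inventory, the `preflight` helper, all project, table and function names, and the case-insensitive project comparison are assumptions made for illustration.

```python
import re

# CREATE/DROP/ALTER TABLE on a project-qualified table (the DDL the page lists).
DDL_RE = re.compile(
    r"\b(create|drop|alter)\s+table\s+(?:if\s+(?:not\s+)?exists\s+)?"
    r"([A-Za-z_]\w*)\.([A-Za-z_]\w*)", re.IGNORECASE)
# The project_name.function_name(...) call format described on the page.
FUNC_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*\(")
# String literals and comments are blanked so their contents never match.
NOISE_RE = re.compile(r"'(?:[^'\\]|\\.)*'|--[^\n]*|/\*.*?\*/", re.DOTALL)
# A qualified name right after one of these keywords is a table, not a call.
TABLE_KEYWORDS = {"table", "into", "exists", "from", "join"}

def preflight(tasks, ddl_protected, func_protected):
    """Return (task, kind, target) for statements to review before enabling
    cross-project safe mode (ddl_protected) or function authentication
    (func_protected). tasks: {task_name: (owning_project, sql_text)}."""
    # Assumption: project names compare case-insensitively.
    ddl_protected = {p.lower() for p in ddl_protected}
    func_protected = {p.lower() for p in func_protected}
    findings = []
    for name, (owner, sql) in tasks.items():
        clean = NOISE_RE.sub(
            lambda m: "''" if m.group(0).startswith("'") else " ", sql)
        for m in DDL_RE.finditer(clean):
            project = m.group(2).lower()
            if project in ddl_protected and project != owner.lower():
                findings.append((name, "cross_project_ddl",
                                 f"{m.group(1).lower()} {project}.{m.group(3)}"))
        for m in FUNC_RE.finditer(clean):
            project = m.group(1).lower()
            before = clean[:m.start()].split()
            if before and before[-1].lower() in TABLE_KEYWORDS:
                continue  # e.g. "insert into proj.tbl (col, ...)"
            if project in func_protected and project != owner.lower():
                findings.append((name, "cross_project_function",
                                 f"{project}.{m.group(2)}"))
    return findings

# Constructed sample inventory; project, table and function names are made up.
TASKS = {
    "daily_orders": ("sales", "insert overwrite table sales.orders_clean\n"
                     "select finance.mask_card(card_no) from sales.orders;"
                     " -- finance.audit(x) is commented out"),
    "cleanup": ("ops", "DROP TABLE IF EXISTS finance.tmp_ledger;\n"
                "create table ops.scratch (id bigint);"),
    "local_only": ("finance", "select finance.mask_card(c) from finance.ledger"
                   " where memo = 'finance.fake(1)';"),
}
```

Calling `preflight(TASKS, {"finance"}, {"finance"})` returns one cross-project function call and one cross-project DDL statement. The regular expressions are a heuristic rather than a SQL parser, so treat the result as a review list.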