DataWorks provides a message subscription feature through its OpenEvent capability. You can register a service program as a DataWorks extension to capture and respond to subscribed event messages. This lets you receive notifications and manage processes for specific events. This topic uses the "block or approve downloads of more than 1,000 data records in real time" event as an example to describe the process of developing and verifying a risk identification rule.
Background information
Data downloading is a critical operation in enterprise risk management. Typically, only enterprise data developers and analysts can browse and use data on the data platform. They are not allowed to download detailed data to a local computer for analysis. After data is exported to a local computer, the operations performed on the data cannot be audited. Improper data usage or malicious attacks can result in data misuse and breaches, which can lead to data security incidents and negative public sentiment. This scenario demonstrates how to block data exporting in real time.
Objective
When a user attempts to export more than 1,000 rows of data at a time, the system automatically blocks the operation or triggers an approval process.
Prerequisites
Activate the DataWorks service is activated. This solution is based on the Open Platform capabilities of DataWorks Enterprise Edition.
EventBridge is activated to receive the message bodies of user operation events. These messages are then consumed by the risk behavior extension.
An ECS instance or an on-premises data center is created to deploy the risk behavior extension.
Step 1: Enable and configure message subscription
Enable and configure message subscription.
Because downloading query results is not a workspace-level operation, this use case uses the default bus to receive messages for operation events.
Query for events with the type
dataworks:ResourcesDownload:DownloadResources.Click Event Details in the Actions column to view the event message body. The following is an example:
ImportantThe content of the message body provides context for risk assessment. For example, you can use the key fields in the following table as context for risk assessment in other similar scenarios.
To use a RAM user or RAM role to read events from the default bus, you must complete RAM authorization.
{ "datacontenttype": "application/json;charset=utf-8", "aliyunaccountid": "110755000425****", "aliyunpublishtime": "2023-12-05T07:25:31.708Z", "data": { "eventCode": "download-resources", "extensionBizId": "audit_4d7ebb42b805428483148295a97a****", "extensionBizName": "DataWorks_IDE_Query_20231205152530.csv", "requestId": "77cac0c2fc12cecbf1d289128897****@@ac15054317017611303051804e****", "appId": ****, "tenantId": 52425742456****, "blockBusiness": true, "eventBody": { "sqlText": "SELECT * FROM table_1", "queryDwProjectId": "****", "moduleType": "develop_query", "operatorBaseId": "110755000425****", "datasourceId": "1****", "queryDwProjectName": "yongxunQA_emr_chen****", "dataRowSize": 4577, "datasourceName": "odps_source", "operatorUid": "110755000425****" }, "operator": "110755000425****" }, "aliyunoriginalaccountid": "110755000425****", "specversion": "1.0", "aliyuneventbusname": "default", "id": "169d171c-d523-4370-a874-bb0fa083****", "source": "acs.dataworks", "time": "2023-12-05T15:25:31.588Z", "aliyunregionid": "cn-chengdu", "type": "dataworks:ResourcesDownload:DownloadResources" }Key parameter descriptions:
Parameter
Description
sqlText
The SQL query.
queryDwProjectId
The ID of the workspace that contains the queried data source.
moduleType
The download source. Valid values:
develop_query: Query in Data Studio.
sqlx_query: Query in DataAnalysis.
dw_excel: Workbook in DataAnalysis.
operatorBaseId
The UID of the operator.
datasourceId
The ID of the queried data source.
queryDwProjectName
The name of the workspace that contains the queried data source.
dataRowSize
The number of data rows to download.
datasourceName
The name of the queried data source.
Step 2: Develop and deploy the extension
Preparations:
Enable message subscription, register an extension, and retrieve the information required to develop the extension. For more information, see Develop and deploy an extension: Self-managed service.
Develop and deploy the extension.
Develop and deploy the extension as an application service based on the information that you retrieved. For more information, see Develop and deploy an extension: Function Compute. The key parameter settings and sample code are provided below:
When registering the extension, for Processing Extension Point, select Pre-event for Resources Download.
The following code provides a sample for developing the extension:
ImportantThis sample extension uses the
dataRowSizefield in the event message body from Step 1 to check for risks based on the number of rows to be downloaded.When you configure the response, if you want to trigger an approval process, ensure that the extension returns
WARNfromcallbackExtensionRequest.setCheckResult()when it detects risky user behavior. If you want to block the action,callbackExtensionRequest.setCheckResult()must returnFAIL.The extension code in this topic uses the download of 1,000 data records as an example. If you want different numbers of downloaded records to trigger different approval flows, you can configure multiple extensions. For more information, see Step 3: Configure a risk identification rule. For example:
The first extension is triggered only for downloads of 0 to 2,000 records and corresponds to approval flow 1.
The second extension is triggered only for downloads of 2,001 or more records and corresponds to approval flow 2.
package com.aliyun.dataworks.demo; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; import com.aliyun.dataworks.config.Constants; import com.aliyun.dataworks.config.EventCheckEnum; import com.aliyun.dataworks.config.ExtensionParamProperties; import com.aliyun.dataworks.services.DataWorksOpenApiClient; import com.aliyun.dataworks_public20200518.Client; import com.aliyun.dataworks_public20200518.models.CallbackExtensionRequest; import com.aliyun.dataworks_public20200518.models.CallbackExtensionResponse; import com.aliyun.dataworks_public20200518.models.GetOptionValueForProjectRequest; import com.aliyun.dataworks_public20200518.models.GetOptionValueForProjectResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; /** * @author dataworks demo */ @RestController @RequestMapping("/extensions") public class ExtensionsController { @Autowired(required = false) private DataWorksOpenApiClient dataWorksOpenApiClient; @Autowired private ExtensionParamProperties extensionParamProperties; /** * Receives messages pushed from EventBridge. * * @param jsonParam */ @PostMapping("/consumer") public void consumerEventBridge(@RequestBody String jsonParam) { JSONObject jsonObj = JSON.parseObject(jsonParam); String eventCode = jsonObj.getString(Constants.EVENT_CODE_FILED); if (Constants.COMMIT_FILE_EVENT_CODE.equals(eventCode) || Constants.DEPLOY_FILE_EVENT_CODE.equals(eventCode)) { // Initialize the client. Client client = dataWorksOpenApiClient.createClient(); try { // Information about the parameters for the current event. String messageId = jsonObj.getString("id"); JSONObject data = jsonObj.getObject("data", JSONObject.class); // Long projectId = data.getLong("appId"); // Initialize the event callback. CallbackExtensionRequest callbackExtensionRequest = new CallbackExtensionRequest(); callbackExtensionRequest.setMessageId(messageId); callbackExtensionRequest.setExtensionCode(extensionParamProperties.getExtensionCode()); JSONObject eventBody = data.getJSONObject("eventBody"); Long dataRowSize = eventBody.getLong("dataRowSize"); // Obtain the configurations of the extension option in the project. GetOptionValueForProjectRequest getOptionValueForProjectRequest = new GetOptionValueForProjectRequest(); // The default project ID for the configuration information of a global extension point event is -1. getOptionValueForProjectRequest.setProjectId("-1"); getOptionValueForProjectRequest.setExtensionCode(extensionParamProperties.getExtensionCode()); GetOptionValueForProjectResponse getOptionValueForProjectResponse = client.getOptionValueForProject(getOptionValueForProjectRequest); JSONObject jsonObject = JSON.parseObject(getOptionValueForProjectResponse.getBody().getOptionValue()); // Note: You must configure this parameter based on the format set in DataWorks. Long maxDataRowSize = jsonObject.getLong("dataRowSize"); // Check whether the code contains a restricted function. if (dataRowSize > 1000) { callbackExtensionRequest.setCheckResult(EventCheckEnum.FAIL.getCode()); callbackExtensionRequest.setCheckMessage("The number of rows to download exceeds the limit."); } else { // Successful callback. callbackExtensionRequest.setCheckResult(EventCheckEnum.OK.getCode()); } // Call back to DataWorks. CallbackExtensionResponse acsResponse = client.callbackExtension(callbackExtensionRequest); // The unique ID of the request, used for subsequent troubleshooting. System.out.println("acsResponse:" + acsResponse.getBody().getRequestId()); } catch (Exception e) { // Error description. System.out.println("ErrMsg:" + e.getMessage()); } } else { System.out.println("Failed to filter other events. Check the configuration steps."); } } }
Step 3: Configure a risk identification rule
Go to the Security Center page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the left navigation pane, click .
Configure an approval process for the published extension. For more information, see Configure a risk response.
Step 4: Enable a risk identification rule
Turn on the Enable switch to enable the extension as prompted.
Step 5: Verify the results
Go to the Data Download page.
Click Download in the Actions column for the specified file.
If the check passes, you can continue the download.
If the check fails, the download is blocked, or you are prompted to submit a request.
Other similar scenarios
You can use other fields from the download event, such as the workspace name, SQL details, data source name, and user UID, for other real-time risk control scenarios. For example:
Allowing or denying data downloads based on the user's department (workspace).
Blocking downloads if the query SQL contains sensitive fields.
Implementing tiered risk control. For example, requiring approval for downloads of more than 20,000 records and blocking downloads of more than 50,000 records.
Defining download limits based on workspace roles. For example, allowing the Developer role to download N records and blocking downloads that exceed this limit. You can also allow the Analyst role to download M records and block downloads that exceed this limit. This requires using the ListProjectMembers - Query workspace members API operation.
Setting different download quantity policies for data development and data analysis scenarios.