MaxCompute allows you to query the permissions of a user or role, or the permissions on an object by using MaxCompute SQL. This topic describes how to query permissions by using MaxCompute SQL and provides examples.
The following table describes the permission query operations that you can perform after you grant permissions to a user or role based on the authorization methods that are provided by MaxCompute.
- A: Allow. The operation is allowed.
- D: Deny. The operation is denied.
- C: With Condition. The permissions can be granted with conditions.
- G: With Grant Option. The permissions on the specified object can be granted.
Query the permissions of a specified role and information about the users that are assigned the role
- Syntax
describe role <role_name>; - Parameters
Parameter Required Description role_name Yes The name of the role whose permissions you want to query. You can run the
list roles;command to obtain the name of the role by using the MaxCompute client. - Query result
The query result includes the ACL-based, policy-based, and Download permissions.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project, and the Worker role is used in the project. Sample command:
describe role Worker;[users] RAM$Bob@aliyun.com:Allen Authorization Type: ACL A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List A projects/test_project_a/tables/bank_data: Download Authorization Type: Policy A projects/test_project_a/tables/bak*: Download A projects/test_project_a/tables/sale_detail: Update A projects/test_project_a/tables/tb_*: Download | Drop A projects/test_project_a/tables/view_1: Drop
Query the permissions of the current user and information about the role that is assigned to the user
- Syntax
show grants; - Query resultThe query result varies based on whether the current user is the project owner:
- If the current user is the project owner, the Alibaba Cloud account of the user and the projects that are created by the user are returned.
- If the current user is not the project owner, the role that is assigned to the user and the ACL-based, policy-based, and Download permissions of the user are returned.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project.
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the
show grants;command. The following result is returned:[ALIYUN$Bob@aliyun.com] projects/test_project_a: Project Owner - If you access the project by using the RAM user Allen, run the
show grants;command. The following result is returned:[roles] worker Authorization Type: ACL [user/RAM$Bob@aliyun.com:Allen] A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List A projects/test_project_a/packages/project_test_b.datashare: Read Authorization Type: Policy [role/worker] A projects/test_project_a/tables/tb_*: Drop | Download
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the
Query the permissions of a specified user and information about the role that is assigned to the user
- Syntax
show grants for <user_name>; - Parameters
Parameter Required Description user_name Yes The name of the user whose permissions you want to query. You can run the
list users;command to obtain the name of the user by using the MaxCompute client. - Query resultThe query result varies based on whether the current user is the project owner:
- If the current user is the project owner, the Alibaba Cloud account of the user and the projects that are created by the user are returned.
- If the current user is not the project owner, the role that is assigned to the user and the ACL-based, policy-based, and Download permissions of the user are returned.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project.
- Query the permissions of the Alibaba Cloud account Bob@aliyun.com. Sample command:
The following result is returned:show grants for ALIYUN$Bob@aliyun.com;[ALIYUN$Bob@aliyun.com] projects/test_project_a: Project Owner - Query the permissions of the RAM user Allen. Sample command:
The following result is returned:show grants for RAM$Bob@aliyun.com:Allen;[roles] worker Authorization Type: ACL [user/RAM$Bob@aliyun.com:Allen] A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List A projects/test_project_a/packages/project_test_b.datashare: Read Authorization Type: Policy [role/worker] A projects/test_project_a/tables/tb_*: Drop | Download
- Query the permissions of the Alibaba Cloud account Bob@aliyun.com. Sample command:
Query the ACL-based permissions on a specified object
- Syntax
show acl for <object_name> [on type <object_type>]; - Parameters
Parameter Required Description object_name Yes The name of the object on which you want to query ACL-based permissions. - Project: To view the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select a region. Then, view the name of the MaxCompute project on the Project management tab. When you query information about a project, you can only obtain information only about the current project.
- Table or view: To obtain the name of a table or view, run the
show tables;command on the MaxCompute client. - Resource: To obtain the name of a resource, run the
list resources;command on the MaxCompute client. - Function: To obtain the name of a function, run the
list functions;command on the MaxCompute client. - Instance: To obtain the name of an instance, run the
show instances;command on the MaxCompute client. Instance names are the same as instance IDs in MaxCompute.
object_type No The type of the object on which you want to query ACL-based permissions. Valid values:- Project: The object is a project.
- Table: The object is a table.
- Resource: The object is a resource file.
- Function: The object is a function.
- Instance: The object is an instance.
By default, if you do not specify
on type <object_type>, the type of the object is Table. - Query result
The query result includes the information of the roles and users that have the permissions on the specified object and the ACL-based permissions.
- Example
View the permissions on an object in the test_project_a project.
- Query the permissions on the project. Sample command:
The following result is returned:show acl for test_project_a on type project;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A role/worker(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunction | List A role/worker1(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunction | List A role/worker2(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunction - Query the permissions on a table. Sample command:
The following result is returned:show acl for sale_detail on type table;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All AG object_creator/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/tables/sale_detail/customer_id): Describe | Select A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/tables/sale_detail/shop_name): Describe | Select - Query the permissions on a resource. Sample command:
The following result is returned:show acl for udtf.jar on type resource;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All AG object_creator/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/resources/udtf.jar): Read | Write - Query the permissions on a function. Sample command:
The following result is returned:show acl for UDTFResource on type function;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All AG object_creator/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A role/worker1(acs:odps:*:projects/test_project_a/registration/functions/udtfresource): Download A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/registration/functions/udtfresource): All - Query the permissions on an instance. Sample command:
The following result is returned:show acl for 20220105031923461ghu**** on type instance;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All AG object_creator/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/instances/20220105031923461ghu****): All
- Query the permissions on the project. Sample command:
Query all highly sensitive data tables that the current user can access
- Syntax
show label grants; - Query resultThe query result includes the following information:
- User Label: the access level of the current user.
- TableName: the name of the highly sensitive data table that the current user can access.
- GrantedLabel: the level of sensitive data that the current user can access.
- Expires: the time at which the permissions expire.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project.
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the
show label grants;command. The following result is returned:User Label: 0 +--------------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +--------------+--------------+--------------------------+ | bank_data | 3 | 2022-07-04T16:30:47+0800 | +--------------+--------------+--------------------------+ | bank_data_pt | 4 | 2022-07-04T16:36:04+0800 | +--------------+--------------+--------------------------+ - If you access the project by using the RAM user Allen, run the
show label grants;command. The following result is returned:User Label: 1 +-------------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +-------------+--------------+--------------------------+ | sale_detail | 2 | 2022-01-09T11:43:27+0800 | +-------------+--------------+--------------------------+
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the
Query highly sensitive data tables of a specified level that the current user can access
- Syntax
show label <level> grants; - Parameters
Parameter Required Description level Yes The specified level of the sensitive data. - Query resultThe query result includes the following information:
- User Label: the access level of the current user.
- TableName: the name of the highly sensitive data table that the current user can access.
- GrantedLabel: the level of sensitive data that the current user can access.
- Expires: the time at which the permissions expire.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project.
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the following command:
The following result is returned:show label 3 grants;User Label: 0 +--------------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +--------------+--------------+--------------------------+ | bank_data | 3 | 2022-07-04T16:30:47+0800 | +--------------+--------------+--------------------------+ - If you access the project by using the RAM user Allen, run the following command:
The following result is returned:show label 2 grants;User Label: 1 +-------------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +-------------+--------------+--------------------------+ | sale_detail | 2 | 2022-01-09T11:43:27+0800 | +-------------+--------------+--------------------------+
- If you access the project by using the Alibaba Cloud account Bob@aliyun.com, run the following command:
Query highly sensitive data tables that a specified user can access
- Syntax
show label grants for user <user_name>; - Parameters
Parameter Required Description user_name Yes The name of the user whose permissions you want to query. You can run the
list users;command to obtain the name of the user by using the MaxCompute client. - Query resultThe query result includes the following information:
- User Label: the access level of the current user.
- TableName: the name of the highly sensitive data table that the current user can access.
- GrantedLabel: the level of sensitive data that the current user can access.
- Expires: the time at which the permissions expire.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project. Query highly sensitive data tables that the RAM user Allen can access. Sample command:
The following result is returned:show label grants for user RAM$Bob@aliyun.com:Allen;User Label: 2 +-----------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +-----------+--------------+--------------------------+ | bank_data | 3 | 2022-07-04T16:29:32+0800 | +-----------+--------------+--------------------------+
Query highly sensitive data tables of a specified level that a specified user can access
- Syntax
show label <level> grants for user <user_name>; - Parameters
Parameter Required Description level Yes The specified level of the sensitive data. user_name Yes The name of the user whose permissions you want to query. You can run the
list users;command to obtain the name of the user by using the MaxCompute client. - Query resultThe query result includes the following information:
- User Label: the access level of the current user.
- TableName: the name of the highly sensitive data table that the current user can access.
- GrantedLabel: the level of sensitive data that the current user can access.
- Expires: the time at which the permissions expire.
- Example
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that is added to the project. Query highly sensitive data tables that the RAM user Allen can access. Sample command:
The following result is returned:show label 3 grants for user RAM$Bob@aliyun.com:Allen;User Label: 2 +-----------+--------------+--------------------------+ | TableName | GrantedLabel | Expires | +-----------+--------------+--------------------------+ | bank_data | 3 | 2022-07-04T16:29:32+0800 | +-----------+--------------+--------------------------+
Query users who are authorized to access a specified sensitive data table
- Syntax
show label grants on table <table_name>; - Parameters
Parameter Required Description table_name Yes The name of the specified sensitive data table. You can run the
show tables;command to obtain the name of the table by using the MaxCompute client. - Query resultThe query result includes the following information:
- Sensitive Label Range: the sensitive data level range of the current table.
- UserName: the users and roles that can access the specified sensitive data table.
- GrantedLabel: the level of the sensitive data that the user can access.
- Expires: the time at which the permissions expire.
- Example
Query users who can access the highly sensitive data table sale_detail in the test_project_a project. Sample command:
The following result is returned:show label grants on table sale_detail;Sensitive Label Range: [3, 4] +-------------------------------------------------+--------------+--------------------------+ | UserName | GrantedLabel | Expires | +-------------------------------------------------+--------------+--------------------------+ | worker | 4 | 2022-07-04T11:23:35+0800 | +-------------------------------------------------+--------------+--------------------------+ | RAM$Bob@aliyun.com:Allen | 4 | 2022-07-04T17:54:00+0800 | +-------------------------------------------------+--------------+--------------------------+
Query users of a specified level who can access a specified sensitive data table
- Syntax
show label <level> grants on table <table_name>; - Parameters
Parameter Required Description level Yes The specified level of the sensitive data. table_name Yes The name of the specified sensitive data table. You can run the
show tables;command to obtain the name of the table by using the MaxCompute client. - Query resultThe query result includes the following information:
- Sensitive Label Range: the sensitive data level range of the current table.
- UserName: the users and roles that can access the specified sensitive data table.
- GrantedLabel: the level of the sensitive data that the user can access.
- Expires: the time at which the permissions expire.
- Example
Query users who can access the highly sensitive data table sale_detail in the test_project_a project. Sample command:
The following result is returned:show label 4 grants on table sale_detail;Sensitive Label Range: [3, 4] +-------------------------------------------------+--------------+--------------------------+ | UserName | GrantedLabel | Expires | +-------------------------------------------------+--------------+--------------------------+ | worker | 4 | 2022-07-04T11:23:35+0800 | +-------------------------------------------------+--------------+--------------------------+ | RAM$Bob@aliyun.com:Allen | 4 | 2022-07-04T17:54:00+0800 | +-------------------------------------------------+--------------+--------------------------+
Query the permissions of a specified user on a specified sensitive data table
- Syntax
show label [<label>] grants on table <table_name> for user <user_name>; - Parameters
Parameter Required Description label No The specified level of the sensitive data. table_name Yes The name of the specified sensitive data table. You can run the
show tables;command to obtain the name of the table by using the MaxCompute client.user_name Yes The name of the user whose permissions you want to query. You can run the
list users;command to obtain the list of the users by using the MaxCompute client. - Query resultThe query result includes the following information:
- User Label: the access level label of the current user.
- Column: the columns of the specified sensitive data table that the user can access.
- GrantedLabel: the level of the sensitive data that the user can access.
- Expires: the time at which the permissions expire.
- Example
Query the data that the RAM user Allen can access the table sale_detail in the test_project_a project. Sample command:
The following result is returned:show label grants on table sale_detail for user RAM$Bob@aliyun.com:Allen;User Label: 2 +-------------+--------------+--------------------------+ | Column | GrantedLabel | Expires | +-------------+--------------+--------------------------+ | customer_id | 4 | 2022-07-04T17:54:00+0800 | +-------------+--------------+--------------------------+ | shop_name | 4 | 2022-07-04T17:54:00+0800 | +-------------+--------------+--------------------------+ | total_price | 4 | 2022-07-04T17:54:00+0800 | +-------------+--------------+--------------------------+
Query the sensitivity levels of all columns in a specified table
- Syntax
describe <table_name>; - Parameters
Parameter Required Description table_name Yes The name of the specified sensitive data table. You can run the
show tables;command to obtain the name of the table by using the MaxCompute client. - Query result
The query result includes TableLabel, MaxLabel, and Label. TableLabel indicates the sensitivity level of the current table. MaxLabel indicates the maximum sensitivity level of the columns in the table. Label indicates the sensitivity level of each column.
- Example
Query the sensitivity levels of the table sale_detail and the columns of the table in the test_project_a project. Sample command:
The following result is returned:describe sale_detail;+------------------------------------------------------------------------------------+ | Owner: ALIYUN$Bob@aliyun.com | Project: project_test_a | | TableComment: | +------------------------------------------------------------------------------------+ | CreateTime: 2021-12-13 11:27:04 | | LastDDLTime: 2021-12-13 11:27:04 | | LastModifiedTime: 2021-12-13 11:27:26 | +------------------------------------------------------------------------------------+ | TableLabel: 3 | | MaxLabel: L4 | +------------------------------------------------------------------------------------+ | InternalTable: YES | Size: 784 | +------------------------------------------------------------------------------------+ | Native Columns: | +------------------------------------------------------------------------------------+ | Field | Type | Label | Comment | +------------------------------------------------------------------------------------+ | shop_name | string | 4 | | | customer_id | string | 4 | | | total_price | double | 3 | | +------------------------------------------------------------------------------------+ | Partition Columns: | +------------------------------------------------------------------------------------+ | sale_date | string | | | region | string | | +------------------------------------------------------------------------------------+
Query the permissions on a specified package
- Syntax
show acl for <project_name>.<package_name> on type package; - Parameters
Parameter Required Description project_name Yes The name of the project to which the package belongs. You can run the
describe package <package_name>;command to obtain the name of the project to which the package belongs by using the MaxCompute client.package_name Yes The name of the package. You can run the
show packages;command to query the name of the package by using the MaxCompute client. - Query result
The query result includes the information of the built-in roles and users who have the permissions to manage objects in a MaxCompute project and the ACL-based permissions.
- ExampleQuery the permissions on the package datashare that is installed in the test_project_b project. Sample command:
The following result is returned:show acl for test_project_b.datashare on type package;Authorization Type: Implicit AG project_owner/ALIYUN$Bob@aliyun.com: All AG admin/ALIYUN$Bob@aliyun.com: All Authorization Type: ACL A user/RAM$Amy@aliyun.com:Bella(acs:odps:*:projects/test_project_b/packages/test_project_a.datashare): Read
Query the permissions on an object in a specified package
- Syntax
show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package _name>"); - Parameters
Parameter Required Description object_type Yes The type of the object in the package on which you want to query the permissions. You can run the
describe package <project_name>.<package_name>;command to query the type of the object in the package by using the MaxCompute client.object_name Yes The name of the object on which you want to query the permissions. You can run the
describe package <project_name>.<package_name>;command to query the name of the object on which you want to query the permissions by using the MaxCompute client.project_name Yes The name of the project to which the package belongs. You can run the
describe package <project_name>.<package_name>;command to query the name of the project to which the package belongs by using the MaxCompute client.package_name Yes The name of the package to which the object belongs. You can run the
show packages;command to query the name of the package to which the object belongs by using the MaxCompute client. - Query result
The query result includes the information of the built-in roles and users who have the permissions to manage a specified object in a MaxCompute project and the ACL-based permissions.
- ExampleQuery the permissions on the table sale_detail in the package datashare that is installed in the MaxCompute project. Sample command:
The following result is returned:show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");Authorization Type: Implicit AG project_owner/: All Authorization Type: InstalledObjecACL [datashare] A user/RAM$Amy@aliyun.com:Bella(acs:odps:*:projects/test_project_a/tables/sale_detail): Select
Query the label-based permissions on a table in a specified package
- Syntax
show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>"); - Parameters
Parameter Required Description table_name Yes The name of the table in the specified package on which the label-based permissions you want to query. You can run the
describe package <project_name>.<package_name>;command to query the name of the table in the specified package by using the MaxCompute client.project_name Yes The name of the project to which the specified package belongs. You can run the
describe package <package_name>;command to query the name of the project to which the specified package belongs by using the MaxCompute client.package_name Yes The name of the specified package. You can run the
show packages;command to query the name of the specified package by using the MaxCompute client. - Query resultThe query result includes the following information:
- Sensitive Label Range: the sensitive data level range of the current table.
- UserName: the users and roles that can access the specified sensitive data table.
- GrantedLabel: the level of the sensitive data that the user can access.
- Expires: the time at which the permissions expire.
- ExampleQuery the label-based permissions on the table sale_detail in the package datashare that is installed in the MaxCompute project. Sample command:
The following result is returned:show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");Sensitive Label Range: [2, 4] +-------------------------------------------------+--------------+--------------------------+ | UserName | GrantedLabel | Expires | +-------------------------------------------------+--------------+--------------------------+ | RAM$Amy@aliyun.com:Bella | 3 | 2022-07-12T22:24:24+0800 | +-------------------------------------------------+--------------+--------------------------+