When you accelerate queries on data in MaxCompute tables in Hologres, an error may occur if you are not granted relevant permissions. This topic provides answers to some frequently asked questions (FAQ) about permissions on MaxCompute.
FAQ
- Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I query data in a MaxCompute table?
- Why is the error message "The sensitive label of column 'xxx' is 2, but your effective label is 0" returned when I query data in a MaxCompute table?
- Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I select a MaxCompute table across MaxCompute projects?
- Why is the error message "You have NO privilege 'odps:List' on xxx" returned when I create a foreign table?
- Why is the error message "Access denied by project ip white list: sourceIP:'xxxx' is not in white list. project: xxxx" returned when I create a foreign table?
- Why is the error message "You don't exist in project xxx" returned when I create a foreign table?
Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I query data in a MaxCompute table?
- Problem description
After I create a foreign table in the Hologres console, I cannot query data in the source MaxCompute table. The following error message is returned: You have NO privilege 'odps:Select' on xxx.
- Cause
The current RAM user is not granted the SELECT permission on data in the MaxCompute table.
- Solution
Contact the MaxCompute administrator to grant the current RAM user the SELECT permission on data in the MaxCompute table. For more information, see Permissions.
Why is the error message "The sensitive label of column 'xxx' is 2, but your effective label is 0" returned when I query data in a MaxCompute table?
- Problem description
After I create a foreign table in the Hologres console, I cannot query data in the source MaxCompute table. The following error message is returned: The sensitive label of column 'xxx' is 2, but your effective label is 0.
- Cause
The current RAM user is granted the permissions to query only part of fields in the MaxCompute table.
- Solution
To resolve this issue, you can select one of the following three methods:
- Recommended.Submit a ticket to update the version of the current instance to version 0.8.
- Add the following statements before the existing query statements:
set hg_experimental_enable_odps_executor=on; set hg_experimental_enable_query_master=on; - Obtain the permissions to query all fields in the MaxCompute table. For more information, see Permissions.
Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I select a MaxCompute table across MaxCompute projects?
- Problem description
The RAM user that I use is granted the permissions to query data in a MaxCompute table in Project 2. However, when I select the MaxCompute table to query data in Project 1, an error occurs. The following error message is returned: You have NO privilege 'odps:Select' on xxx.
- Cause
The current RAM user is granted the permissions to query data in existing MaxCompute tables in Project 2. However, the error message is still returned when the RAM user queries data in Project 1 and selects a MaxCompute table that belongs to Project 2. This is because the RAM user is granted the permissions on Project 2 based on package-based resource sharing across projects. You can add SQL statements to resolve this issue.
- Solution
If the current RAM user is granted the permissions on Project 2 based on package-based resource sharing across projects, you can add the following statement before the existing SQL statements in Hologres to resolve the preceding issue:
// Execute the following statement if you use a Hologres instance of V0.7: set seahawks.seahawks_internal_current_odps_project='holoprojectname'; // Execute the following statement if you use a Hologres instance of V0.8: set hg_experimental_odps_current_project_name = 'holoprojectname';
Why is the error message "You have NO privilege 'odps:List' on xxx" returned when I create a foreign table?
- Problem description
When I use HoloWeb or HoloStudio to create a foreign table in a visualized manner in the Hologres console, an error occurs. The following error message is returned: You have NO privilege 'odps:List' on xxx.
- Cause
The current RAM user is not granted the LIST permission on a MaxCompute project.
- Solution
- Contact the MaxCompute administrator to grant the current RAM user the LIST permission on the MaxCompute project. For more information, see Permissions.
- Execute SQL statements to create a foreign table to query data. For more information, see Create a foreign table in Hologres to accelerate queries of MaxCompute data.
Why is the error message "Access denied by project ip white list: sourceIP:'xxxx' is not in white list. project: xxxx" returned when I create a foreign table?
- Problem description
When I use HoloWeb to create a foreign table in the Hologres console, an error occurs. The following error message is returned: Access denied by project ip white list: sourceIP:'xxxx' is not in white list. project: xxxx.
- Cause
An IP address allowlist is configured for the current MaxCompute cluster. However, HoloWeb is not included in the allowlist.
- Solution
After an IP address allowlist is configured, only the IP addresses in the allowlist are authorized to access MaxCompute projects. If you access MaxCompute projects from an IP address that is not in the allowlist, your access request is denied even if you have a valid AccessKey pair. In this case, you can create a foreign table only after you add the IP address in the error message to the allowlist. For more information, see Manage IP address whitelists.
Why is the error message "You don't exist in project xxx" returned when I create a foreign table?
- Problem description
When I create a foreign table, the following error message is returned: You don't exist in project xxx.
- Cause
The RAM user that is used to create the foreign table is not granted the permissions to access the MaxCompute project in which the source MaxCompute table resides.
- Solution
Check whether the name of the MaxCompute project to be accessed is valid. If the project name is invalid, replace it with a valid one. If the project name is valid but the issue persists, go to MaxCompute and grant the RAM user the permissions to access the MaxCompute project. For more information, see Permission overview.