When you accelerate queries on data in MaxCompute tables in Hologres, an error may occur if you are not granted relevant permissions. This topic provides answers to some frequently asked questions (FAQ) about permissions on MaxCompute.

FAQ

Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I query data in a MaxCompute table?

  • Problem description

    After I create a foreign table in the Hologres console, I cannot query data in the source MaxCompute table. The following error message is returned: You have NO privilege 'odps:Select' on xxx.

  • Cause

    The current RAM user is not granted the SELECT permission on data in the MaxCompute table.

  • Solution

    Contact the MaxCompute administrator to grant the current RAM user the SELECT permission on data in the MaxCompute table. For more information, see Permissions.

Why is the error message "The sensitive label of column 'xxx' is 2, but your effective label is 0" returned when I query data in a MaxCompute table?

  • Problem description

    After I create a foreign table in the Hologres console, I cannot query data in the source MaxCompute table. The following error message is returned: The sensitive label of column 'xxx' is 2, but your effective label is 0.

  • Cause

    The current RAM user is granted the permissions to query only part of fields in the MaxCompute table.

  • Solution
    To resolve this issue, you can select one of the following three methods:
    • Recommended.Submit a ticket to update the version of the current instance to version 0.8.
    • Add the following statements before the existing query statements: 
      set hg_experimental_enable_odps_executor=on; 
set hg_experimental_enable_query_master=on;
    • Obtain the permissions to query all fields in the MaxCompute table. For more information, see Permissions.

Why is the error message "You have NO privilege 'odps:Select' on xxx" returned when I select a MaxCompute table across MaxCompute projects?

  • Problem description

    The RAM user that I use is granted the permissions to query data in a MaxCompute table in Project 2. However, when I select the MaxCompute table to query data in Project 1, an error occurs. The following error message is returned: You have NO privilege 'odps:Select' on xxx.

  • Cause

    The current RAM user is granted the permissions to query data in existing MaxCompute tables in Project 2. However, the error message is still returned when the RAM user queries data in Project 1 and selects a MaxCompute table that belongs to Project 2. This is because the RAM user is granted the permissions on Project 2 based on package-based resource sharing across projects. You can add SQL statements to resolve this issue.

  • Solution
    If the current RAM user is granted the permissions on Project 2 based on package-based resource sharing across projects, you can add the following statement before the existing SQL statements in Hologres to resolve the preceding issue: 
    // Execute the following statement if you use a Hologres instance of V0.7:
set seahawks.seahawks_internal_current_odps_project='holoprojectname';
// Execute the following statement if you use a Hologres instance of V0.8:
set hg_experimental_odps_current_project_name = 'holoprojectname';

Why is the error message "You have NO privilege 'odps:List' on xxx" returned when I create a foreign table?

  • Problem description

    When I use HoloWeb or HoloStudio to create a foreign table in a visualized manner in the Hologres console, an error occurs. The following error message is returned: You have NO privilege 'odps:List' on xxx.

  • Cause

    The current RAM user is not granted the LIST permission on a MaxCompute project.

  • Solution

Why is the error message "Access denied by project ip white list: sourceIP:'xxxx' is not in white list. project: xxxx" returned when I create a foreign table?

  • Problem description

    When I use HoloWeb to create a foreign table in the Hologres console, an error occurs. The following error message is returned: Access denied by project ip white list: sourceIP:'xxxx' is not in white list. project: xxxx.

  • Cause

    An IP address allowlist is configured for the current MaxCompute cluster. However, HoloWeb is not included in the allowlist.

  • Solution

    After an IP address allowlist is configured, only the IP addresses in the allowlist are authorized to access MaxCompute projects. If you access MaxCompute projects from an IP address that is not in the allowlist, your access request is denied even if you have a valid AccessKey pair. In this case, you can create a foreign table only after you add the IP address in the error message to the allowlist. For more information, see Manage IP address whitelists.

Why is the error message "You don't exist in project xxx" returned when I create a foreign table?

  • Problem description

    When I create a foreign table, the following error message is returned: You don't exist in project xxx.

  • Cause

    The RAM user that is used to create the foreign table is not granted the permissions to access the MaxCompute project in which the source MaxCompute table resides.

  • Solution

    Check whether the name of the MaxCompute project to be accessed is valid. If the project name is invalid, replace it with a valid one. If the project name is valid but the issue persists, go to MaxCompute and grant the RAM user the permissions to access the MaxCompute project. For more information, see Permission overview.