A data shipping job of the new version writes the data that it reads from a source Logstore to a MaxCompute table. The job obtains the permission to write to that table by assuming a RAM role: you assign a custom RAM role to the job, Log Service assumes the role, and the temporary credentials that it obtains carry only the permissions that the role has been granted. This topic describes how to grant a custom RAM role the permissions that a data shipping job needs.

Prerequisites

  • A Resource Access Management (RAM) role named MaxComputeShipRole is created. For more information, see Create a RAM role.
  • If you are using a RAM user, make sure that the RAM user has the permissions to manage RAM roles, including the permission to modify the trust policy of a role.

Ship data within an Alibaba Cloud account

After you grant a RAM role the permissions to write data to a MaxCompute table, you can assign the RAM role to a data shipping job. In this example, the RAM role is added as a member of the MaxCompute workspace and is then granted privileges on the destination table only. The role does not need any other MaxCompute permissions.

You can use the graphical user interface (GUI) or command-line interface (CLI) to grant permissions to the RAM role.

Use the GUI to grant permissions to the RAM role

  1. Modify the trust policy of the RAM role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. On the Roles page, click the name of the RAM role.
    4. On the Trust Policy Management tab, click Edit Trust Policy.
    5. In the Edit Trust Policy panel, replace the existing script in the editor with the following script, and then click OK. The policy allows only the Log Service (log.aliyuncs.com) and DataWorks (dataworks.aliyuncs.com) service principals of the current Alibaba Cloud account to assume the role; no RAM user or other role is trusted.
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com",
                "dataworks.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  2. Add the RAM role as a workspace member.
    1. Log on to the MaxCompute console.
    2. In the upper-left corner of the page that appears, select a region.
    3. On the Project management tab, find the MaxCompute project that you want to manage and click Member management in the Actions column.
    4. On the User Management page, click Add Member.
    5. In the Add Member dialog box, select the current logon account and the RAM role, and then add the logon account and the RAM role as prompted.
      Select Development in the Batch role setting section. For more information, see Add a workspace member and configure roles.
  3. Grant the RAM role the permissions to manage a MaxCompute table.
    1. In the left-side navigation pane, click Maxcompute Management.
    2. Set the MaxCompute Project selection parameter to Production Environment. Then, click Custom User Roles.
    3. In the Custom User Roles list, find the role_project_admin role and click Manage Members in the Actions column.
    4. In the Manage Members dialog box, select the current logon account and the RAM role, and then add the logon account and the RAM role as prompted.
    5. In the Custom User Roles list, find the role_project_admin role and click Manage Permissions in the Actions column.
    6. On the Table tab of the Role Authorization dialog box, click Add Table. Then, select the MaxCompute table to which you want to ship data and select the Describe, Alter, and Update privileges.
      Important The preceding authorization takes effect only on the specified MaxCompute table, which is the scope that a data shipping job needs. If you want the RAM role to manage all tables in the current MaxCompute project, you can instead add the current logon account and the RAM role as members of the admin role: in the Custom User Roles list, find the admin role, click Manage Members in the Actions column, and in the Manage Members dialog box select the current logon account and the RAM role and add them as prompted. The admin role is far wider than write access to one table; prefer the table-level grant, and use the admin role only if you accept that a compromised shipping role could read or modify every table in the project.

Use the CLI to grant permissions to the RAM role

  1. Log on to the MaxCompute console.
  2. In the upper-left corner of the page that appears, select a region.
  3. On the Project management tab, find the MaxCompute project that you want to manage and click Data Development in the Actions column.
  4. Create a workflow.
    1. On the Scheduled Workflow page, choose Create > Create Workflow.
    2. In the Create Workflow dialog box, set the Workflow Name parameter and click Create.
  5. Create a node.
    1. On the Scheduled Workflow page, choose Create > Create Node > MaxCompute > ODPS SQL.
    2. In the Create Node dialog box, set the Name and Path parameters, and then click Commit.
      You must set the Path parameter to the workflow that you created in Step 4.
  6. In the editor of the node, run the following commands in order to complete the authorization.
    • USE project-name;
      Specifies the MaxCompute project. You must specify the project that you specified when you created the data shipping job of the new version. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.
    • ADD USER RAM$****.aliyunid.com:`role/maxcomputeshiprole`;
      Adds the RAM role as a user of the MaxCompute project.
      • ****.aliyunid.com indicates the Alibaba Cloud account to which the MaxCompute project belongs. You can run the list users; command to view the account.
      • maxcomputeshiprole indicates the name of the custom RAM role. The name must be in lowercase, even if the RAM role was created with uppercase letters (MaxComputeShipRole in this topic).
    • GRANT DESCRIBE, ALTER, UPDATE ON TABLE table-name TO USER RAM$****.aliyunid.com:`role/maxcomputeshiprole`;
      Grants the RAM role the privileges to view, modify, and update the destination MaxCompute table, and nothing else in the project.
      Note The grant applies only to the specified MaxCompute table. If you want the RAM role to manage all tables in the current MaxCompute project, run GRANT admin TO USER RAM$****.aliyunid.com:`role/maxcomputeshiprole`; instead. The admin role is far wider than a shipping job needs; prefer the table-level grant.
    • SHOW GRANTS FOR `RAM$****.aliyunid.com:role/maxcomputeshiprole`;
      Checks whether the authorization is successful. If an output similar to the following appears, the authorization is successful:
      Authorization Type: ACL
      [user/RAM$****.aliyunid.com:role/maxcomputeshiprole]
      A       projects/default_project_****/tables/****: Describe | Alter | Update
      Review the output for more than this one line. A roles entry or ACL entries on other tables mean that the role holds more than the shipping job needs.
    The following errors may occur during the authorization process:
    • If the FAILED: mismatched input error occurs, the current RAM user does not have the permissions to run commands such as ADD USER.
    • If the FAILED: ODPS-0130013:Authorization exception - Authorization Failed [4003], You have NO privilege to do the PROJECT SECURITY OPERATION for {acs:odps:*:projects/xxxxxx/authorization/users}. Context ID:1111-11111-1111-1111-11111. error occurs, the current user does not have the permissions to manage MaxCompute projects or grant permissions to other users. For more information, see What do I do if I do not have the required permissions?
After you configure the settings, you can assign the custom RAM role to a data shipping job of the new version to ship data to the destination MaxCompute table. When you create the job, set the Authorization of MaxCompute Write Permission parameter to Custom Role and enter the Alibaba Cloud Resource Name (ARN) of the custom RAM role. In this example, acs:ram::10**12:role/maxcomputeshiprole is used; the account ID in the ARN is the account that owns the role. For information about how to obtain the ARN of a RAM role, see View the basic information about a RAM role.
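As an added check (example code written for this topic, not part of Log Service or MaxCompute), the following Python parses SHOW GRANTS output in the format shown above and reports anything wider than Describe, Alter, and Update on the destination table: membership of the admin or role_project_admin role, a grant on another table, extra privileges, or a missing privilege. The account domain, project, table names and listings are constructed placeholders, and the role-membership line format (projects/<project>/roles/<role>) is an assumption, since the topic shows only the table ACL lines.

```python
import re

# Constructed placeholders; replace with your account domain, project and table.
ACCOUNT_DOMAIN = "1234567890123456.aliyunid.com"
TABLE_RESOURCE = "projects/default_project_demo/tables/sls_logs"

# Privileges the topic grants on the destination table.
EXPECTED_PRIVS = {"Describe", "Alter", "Update"}
# Roles that reach beyond the destination table (names taken from the topic).
BROAD_ROLES = {"admin", "role_project_admin"}

# An allow entry: "A   <resource>" or "A   <resource>: Priv1 | Priv2".
# The table-ACL form is the one shown in the topic; the role form
# ("A   projects/<p>/roles/<r>") is assumed from MaxCompute's role listing.
ALLOW_LINE = re.compile(r"^\s*A\s+(\S+?)(?::\s*(.*?))?\s*$")
ROLE_RESOURCE = re.compile(r"^projects/[^/]+/roles/(.+)$")


def role_user_name(account_domain, role_name):
    """MaxCompute user name for a RAM role; the role name must be lowercase."""
    return f"RAM${account_domain}:role/{role_name.lower()}"


def parse_show_grants(output):
    """Return (roles, acls) from SHOW GRANTS output: the project roles the user
    holds, and a dict resource -> set of privileges from ACL allow entries.
    Deny entries ('D'), section headers and 'Authorization Type' lines are ignored."""
    roles, acls = set(), {}
    for line in output.splitlines():
        m = ALLOW_LINE.match(line)
        if not m:
            continue
        resource, privs = m.groups()
        r = ROLE_RESOURCE.match(resource)
        if r:
            roles.add(r.group(1))
        elif privs:
            acls.setdefault(resource, set()).update(p.strip() for p in privs.split("|"))
    return roles, acls


def check_grants(output, table_resource, expected=EXPECTED_PRIVS):
    """Return a list of least-privilege findings; an empty list means the user
    holds exactly the expected privileges on the destination table and nothing else."""
    roles, acls = parse_show_grants(output)
    findings = []
    for role in sorted(roles & BROAD_ROLES):
        findings.append(f"project-wide role granted: {role}")
    for resource, privs in sorted(acls.items()):
        if resource != table_resource:
            findings.append(f"grant outside destination table: {resource}")
        elif privs - expected:
            findings.append(f"excess privileges on {resource}: {', '.join(sorted(privs - expected))}")
    missing = expected - acls.get(table_resource, set())
    if missing:
        findings.append(f"missing privileges on {table_resource}: {', '.join(sorted(missing))}")
    return findings


# Constructed SHOW GRANTS listings in the format the topic shows.
GOOD_OUTPUT = f"""Authorization Type: ACL
[user/{role_user_name(ACCOUNT_DOMAIN, 'MaxComputeShipRole')}]
A       {TABLE_RESOURCE}: Describe | Alter | Update
"""

OVERBROAD_OUTPUT = f"""Authorization Type: ACL
[roles]
A       projects/default_project_demo/roles/admin
[user/{role_user_name(ACCOUNT_DOMAIN, 'MaxComputeShipRole')}]
A       {TABLE_RESOURCE}: Describe | Alter | Update | Drop
A       projects/default_project_demo/tables/other_table: Describe
"""

if __name__ == "__main__":
    for name, out in (("good", GOOD_OUTPUT), ("overbroad", OVERBROAD_OUTPUT)):
        print(name, check_grants(out, TABLE_RESOURCE) or "OK")
```

Paste the real SHOW GRANTS output into check_grants with your own project/table resource; an empty result is the state a shipping role should be left in.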

Ship data across Alibaba Cloud accounts

If Log Service is activated for Alibaba Cloud Account A and MaxCompute is activated for Alibaba Cloud Account B, the data shipping job runs in Account A but must write to a table that belongs to Account B. To do so, grant a RAM role of Account B (RAM Role B) the permissions to write data to the MaxCompute table, and allow Log Service, acting on behalf of Account A, to assume RAM Role B. After you complete the authorization, you can assign RAM Role B to a data shipping job in Account A to write the data that is read from the specified source Logstore to the specified destination MaxCompute table.

  1. Modify the trust policy of RAM Role B.
    1. Log on to the RAM console by using Alibaba Cloud Account B.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. On the Roles page, click the name of RAM Role B.
    4. On the Trust Policy Management tab, click Edit Trust Policy.
    5. Modify the trust policy and click OK.

      Add <ID of Alibaba Cloud Account A>@log.aliyuncs.com to the Service element, alongside log.aliyuncs.com and dataworks.aliyuncs.com. Replace <ID of Alibaba Cloud Account A> with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Management console. The account-qualified principal is what limits who can assume the role: only Log Service acting for Account A is trusted. Do not replace it with a wildcard, and do not add the IDs of accounts that do not ship data to this table.

      The following policy allows Log Service, on behalf of Alibaba Cloud Account A, to assume RAM Role B and obtain a temporary STS token. The token carries only the permissions that you grant RAM Role B, which is why the next step grants it access to a single table:

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com",
                          "dataworks.aliyuncs.com",
                          "ID of Alibaba Cloud Account A@log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  2. Add RAM Role B as a member to a MaxCompute workspace.
    You can use the GUI or CLI to grant permissions to RAM Role B. To complete the authorization, log on to the MaxCompute console by using Alibaba Cloud Account B, because the project and the role both belong to Account B. For more information, see Use the GUI to grant permissions to the RAM role or Use the CLI to grant permissions to the RAM role.
After you configure the settings, you can assign RAM Role B to a data shipping job of the new version to ship data to the destination MaxCompute table. When you create the job, set the Authorization of MaxCompute Write Permission parameter to Custom Role and enter the ARN of RAM Role B. In this example, acs:ram::11**13:role/maxcomputeshiprole is used; the account ID in the ARN is that of Account B, which owns the role. For information about how to obtain the ARN of a RAM role, see View the basic information about a RAM role.
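The two trust policies in this topic (the same-account policy in the first section and the cross-account policy above) differ only in the account-qualified principal. The following Python, added here as an example and not part of RAM or Log Service, checks a trust policy against the set of service principals the shipping job needs: log.aliyuncs.com and dataworks.aliyuncs.com for a same-account job, plus <ID of Account A>@log.aliyuncs.com for a cross-account job. It also flags what neither policy in this topic contains and a shipping role should not have: a wildcard or RAM-user principal, actions other than sts:AssumeRole, or a service principal qualified with some other account's ID, which would let that account's shipping jobs assume the role. The account IDs and the over-broad policy are constructed.

```python
import json

LOG_SERVICE = "log.aliyuncs.com"
DATAWORKS_SERVICE = "dataworks.aliyuncs.com"


def expected_principals(account_a_id=None):
    """Service principals the topic's trust policies allow. With account_a_id
    set, the role is meant to be assumed on behalf of that (other) account."""
    principals = {LOG_SERVICE, DATAWORKS_SERVICE}
    if account_a_id is not None:
        principals.add(f"{account_a_id}@{LOG_SERVICE}")
    return principals


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy, expected):
    """Return least-privilege findings for a RAM role trust policy.
    policy: JSON text or an already-parsed dict; expected: the set of service
    principals that should be able to assume the role. Empty list means OK."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, found = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements widen who can assume the role
        actions = set(_as_list(st.get("Action")))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"unexpected actions: {sorted(actions)}")
        principal = st.get("Principal", {})
        if isinstance(principal, str):  # the bare "Principal": "*" form
            principal = {"*": principal}
        for ptype, entries in principal.items():
            for entry in _as_list(entries):
                if "*" in entry or "*" in ptype:
                    findings.append(f"wildcard principal: {ptype} {entry}")
                elif ptype != "Service":
                    # a RAM user or role could assume the shipping role directly
                    findings.append(f"non-service principal: {ptype} {entry}")
                else:
                    found.add(entry)
    # A service principal qualified with a foreign account ID trusts that
    # account's shipping jobs; a missing one means the job cannot assume the role.
    for p in sorted(found - expected):
        findings.append(f"unexpected service principal: {p}")
    for p in sorted(expected - found):
        findings.append(f"missing service principal: {p}")
    return findings


# Constructed account IDs.
ACCOUNT_A_ID = "1234567890123456"
FOREIGN_ACCOUNT_ID = "9999999999999999"

# The same-account policy from the first section of this topic.
SAME_ACCOUNT_POLICY = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": [LOG_SERVICE, DATAWORKS_SERVICE]}}],
    "Version": "1",
}

# The cross-account policy above, with Account A's ID filled in.
CROSS_ACCOUNT_POLICY = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": [LOG_SERVICE, DATAWORKS_SERVICE,
                                             f"{ACCOUNT_A_ID}@{LOG_SERVICE}"]}}],
    "Version": "1",
}
CROSS_ACCOUNT_POLICY_JSON = json.dumps(CROSS_ACCOUNT_POLICY)

# A constructed over-broad policy: extra action, wildcard RAM principal,
# and a foreign account's Log Service trusted instead of Account A's.
OVERBROAD_POLICY = {
    "Statement": [{"Action": ["sts:AssumeRole", "*"], "Effect": "Allow",
                   "Principal": {"Service": [LOG_SERVICE, f"{FOREIGN_ACCOUNT_ID}@{LOG_SERVICE}"],
                                 "RAM": ["*"]}}],
    "Version": "1",
}

if __name__ == "__main__":
    print(check_trust_policy(SAME_ACCOUNT_POLICY, expected_principals()) or "same-account OK")
    print(check_trust_policy(CROSS_ACCOUNT_POLICY, expected_principals(ACCOUNT_A_ID)) or "cross-account OK")
    print(check_trust_policy(OVERBROAD_POLICY, expected_principals(ACCOUNT_A_ID)))
```

Note that the same-account policy fails the cross-account check with a single finding, the missing <ID of Account A>@log.aliyuncs.com principal, which is the usual reason a cross-account shipping job cannot assume RAM Role B.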