Access control for packages is supported. After a package is installed, you can perform fine-grained access control by specifying an access control list (ACL) for objects in the package and perform finer-grained access control by enabling the LabelSecurity mechanism of MaxCompute to control access to the package. For example, you can grant users or roles the permissions to access only specified resources in a package or specified columns in a table of the package. This topic describes how to grant or revoke permissions on the resources in a package to or from users or roles by using the two access control policies.

Background information

The following table describes the access control policies for packages that are provided by MaxCompute.
Access control policy Description Authorized by Operation platform
ACL-based access control In the project where a package is installed, you can grant or revoke permissions on some resources in the package by specifying an ACL for objects. After you grant permissions, users in the project where the package is installed can perform the specified operations on the specified objects. The project owner or a user who is assigned the Admin role
Label-based access control In the project where a package is installed, you can grant or revoke permissions on table resources in the package by using LabelSecurity. After you grant permissions, users in the project where the package is installed can access only sensitive data whose security level is not higher than the specified security level. This helps manage data permissions in a finer-grained manner. For more information about LabelSecurity, see Label-based access control.

Limits

Only the project owner and a user that is assigned the Admin role are allowed to grant or revoke permissions.

ACL-based access control

  • Specify an ACL to grant permissions on some resources in a package. Syntax:
    -- Grant permissions on a specified object. 
    grant <actions> on <object_type> <object_name> to [user|role] <name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
    -- Grant permissions on specified columns in a specified table. 
    grant <actions> on table <table_name>[(<column_list>)] to [user|role] <name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
  • View the ACL-based permissions on the resources in the package. Syntax:
    show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
  • Revoke the ACL-based permissions from some resources in the package. Syntax:
    -- Revoke permissions from a specified object. 
    revoke <actions> on <object_type> <object_name> from [user|role] <name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
    -- Revoke permissions from the columns in a specified table. 
    revoke <actions> on table <table_name>[(<column_list>)] from [user|role] <name> privilegeproperties ("refobject"="true", "refproject"="<project_name>",  "package"="<package_name>");
Parameters in the syntax:
  • actions: required. The permissions that you want to grant. You can run the describe package project_name.package_name; command to query the permissions of the package.
  • object_type: required. The type of the object in a package. You can run the describe package project_name.package_name; command to query the type of the object that is included in a package.
  • object_name: required. The name of the object in a package. You can run the describe package project_name.package_name; command to query the name of the object that is included in a package.
  • name: required. The name of the user or role to which you want to grant permissions. For more information about how to obtain user or role information, see View users or View roles.
  • table_name: required. The name of the table on which you want to grant permissions. You can run the describe package project_name.package_name; command to query the name of the table that is included in a package.
  • column_list: optional. The name of a column in the table. If you specify multiple column names, separate them with commas (,).
  • "refobject"="true": required. This value true indicates that fine-grained access control is used for the package.
  • "refproject"="<project_name>": required. The name of the MaxCompute project to which the package belongs.
  • "package"="<package_name>": required. The name of the package.

Label-based access control

You can grant permissions on the tables in a package by using LabelSecurity after you perform ACL-based access control. This way, you can access only table data with the specified security level.

  • Use LabelSecurity to grant permissions on the tables in the package. Syntax:
    grant label <number> on table <table_name[(<column_list>)]> to [user|role] <name>[with exp <days>] privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
  • View the label-based permissions on the tables in the package. Syntax:
    show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
  • Revoke label-based permissions from the tables in the package. Syntax:
    revoke label <number> on table <table_name>[(<column_list>)] from [user|role] <name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
Parameters in the syntax:
  • number: the security level for sensitive data. For more information about label-based access control, see Label-based access control.
  • table_name: required. The name of the table on which you want to grant permissions. You can run the describe package project_name.package_name; command to query the name of the table that is included in a package.
  • column_list: optional. The name of a column in the table. If you specify multiple column names, separate them with commas (,).
  • name: required. The name of the user or role to which you want to grant permissions. For more information about how to obtain user or role information, see View users or View roles.
  • days: optional. The number of days for which a permission is valid. Unit: days. If you do not specify this parameter, the default value is 180.
  • "refobject"="true": required. This value true indicates that fine-grained access control is used for the package.
  • "refproject"="<project_name>": required. The name of the MaxCompute project to which the package belongs.
  • "package"="<package_name>": required. The name of the package.

Examples

The following examples show the preceding access control methods based on the scenario examples in Cross-project resource access based on packages.
  • Example 1: Perform ACL-based access control. John grants the SELECT permission on the sampletable table in the package to Bob.
    use prj2;
    -- Grant the SELECT permission on the sampletable table in the package to Bob. 
    grant Select on table sampletable to user aliyun$bob@aliyun.com privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
    
    -- View the ACL-based permissions on the sampletable table in the package. 
    show grants on table sampletable privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
    
    -- Revoke ACL-based permissions from Bob. 
    revoke Select on table sampletable from user aliyun$bob@aliyun.com privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
  • Example 2: Perform label-based access control. In this example, the sampletable table has three columns t1, t2, and t3, in which t1 has a security level of 1, t2 has a security level of 2, and t3 has a security level of 3. John grants Bob the permissions on the data with the security level of 2 in the sampletable table in the package. The validity period of the permissions is seven days.
    use prj2;
    -- Enable LabelSecurity. 
    set LabelSecurity=true;
    
    -- Specify the security level for each column in the sampletable table. 
    set label 1 to table sampletable(t1);
    set label 2 to table sampletable(t2);
    set label 3 to table sampletable(t3);
    
    -- Grant Bob the permissions on the data that has a security level of 2 in the sampletable table. Set the validity period of the permissions to seven days. In the preceding example, Bob has the permissions to read data from the table. After you enable LabelSecurity, Bob has the permissions to read data from the t2 column of the table. 
    grant label 2 on table sampletable(t2) to user aliyun$bob@aliyun.com with exp 7 privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
    
    -- View the label-based permissions on the sampletable table in the package. 
    show label grants on table sampletable privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
    
    -- Revoke label-based permissions from Bob. 
    revoke label 2 on table sampletable(t2) from user aliyun$bob@aliyun.com privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");