MaxCompute allows you to configure access-level labels for users and sensitivity-level labels for tables or columns in tables at the project level. After you configure these labels, users can access only the tables or columns whose sensitivity level is lower than or equal to the user access levels. This topic describes the label-based access control mechanism and provides examples on how to use the label-based access control mechanism.

Background information

Label-based access control is also called LabelSecurity. It is used as a mandatory access control (MAC) policy at the project level. After you create a MaxCompute project, LabelSecurity is disabled for the MaxCompute project by default. The project owner can run the Set LabelSecurity=true; or Set LabelSecurity=false; command at the project level to enable or disable LabelSecurity for the MaxCompute project.

If LabelSecurity is enabled for a MaxCompute project, the project owner must define the sensitivity levels of tables or columns in tables and access levels of users or roles, and configure sensitivity-level labels for tables or columns in tables and access-level labels for users or roles. If a user wants to access data with sensitivity levels, the user must have the SELECT permission on the table that stores the data and can access only the data of the table or columns whose sensitivity level is lower than or equal to the user access level.

LabelSecurity provides the following capabilities for sensitive data:
  • A column is the minimum supported granularity for configuring sensitivity levels.
  • Sensitivity-level labels can be configured for any columns in a table. A table can contain columns with different sensitivity levels.
  • Sensitivity-level labels can be configured for views. The sensitivity-level labels of views are not related to the sensitivity-level labels of the source tables that correspond to the views.

The following table describes the operations that are supported by LabelSecurity.

Operation | Description | Performed by | Operation platform
Configure sensitivity-level labels for a table or columns in a table | Allows you to configure sensitivity-level labels for a table or columns in a table. | Project owner; users who are assigned the Admin role |
Configure access-level labels for users or roles | Allows you to configure access-level labels for users or roles. | Project owner; users who are assigned the Admin role |
Enable label-based explicit authorization | Allows you to authorize users or roles with low access levels to access data with high sensitivity levels. | Project owner; users who are assigned the Admin role |
Disable label-based explicit authorization | Allows you to revoke the access permissions on data with high sensitivity levels from users or roles. | Project owner; users who are assigned the Admin role |
Clear information about expired permissions | Allows you to clear information about expired permissions. | Project owner; users who are assigned the Admin role |

Default policies for label-based access control

After you configure labels for tables or columns and users or roles, the following default policies for label-based access control are used:
  • No-ReadUp: Users cannot access the tables or columns whose sensitivity level is higher than the user access levels. If users want to access the tables or columns whose sensitivity level is higher than the user access levels, explicit authorization operations are required. For more information about explicit authorization operations, see Enable label-based explicit authorization.
  • Trusted-User: Users can write data whose sensitivity level is not higher than the user access levels. The default sensitivity level of a newly created table or view is 0. This indicates that all users or roles can access the table or view. The default access level of a newly added user is 0.

Prerequisites

Before you perform label-based access control, make sure that the following information is obtained:
  • The account of the user to whom you want to grant permissions or the name of the role to which you want to grant permissions. The user or role must already be added to your MaxCompute project. If the user is an Alibaba Cloud account, record it in the format ALIYUN$<Alibaba Cloud account>. If the user is a RAM user, record it in the format RAM$<Alibaba Cloud account to which the RAM user belongs>:<name of the RAM user>.

    You can run the list users; or list roles; command on the MaxCompute client to query the account or role name.

    If you want to add a user or role, see User planning and management or Role planning and management.

  • The name of the object. The object can be a table or column.

    You can run the show tables; command on the MaxCompute client to obtain the name of a table or view and the names of columns in the table or view.

Limits

You cannot configure sensitivity-level labels for partition key columns.

Usage notes

Before you perform label-based access control, take note of the following items:
  • In some traditional MAC systems, you can use complex security policies when you perform label-based access control. This prevents data from being distributed by unauthorized users in a project. For example, the No-WriteDown policy prohibits a user from writing data whose sensitivity level is lower than or equal to the user access level. By default, MaxCompute does not support the No-WriteDown policy. This reduces the costs of managing data sensitivity levels. If your project has similar requirements, you can run the Set ObjectCreatorHasGrantPermission=false; command to modify the security configurations of the project.
  • To prevent data transfer across projects, you can run the set ProjectProtection=true; command to enable project data protection. This way, users can access only data in their projects. This prevents users from transferring data across projects. For more information about project data protection, see Project data protection.
  • If you delete an object, MaxCompute automatically revokes all labels that are associated with the object.
  • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

Configure sensitivity-level labels for a table or columns in a table

The project owner or a user who is assigned the Admin role configures sensitivity-level labels for a table or columns in a table.

  • Syntax
    set Label <number> to table <table_name>[(<column_list>)];
  • Usage notes
    • If you configure a sensitivity-level label for a table and you do not configure sensitivity-level labels for columns in the table, the sensitivity level of all columns in the table is the same as the sensitivity level of the table. For example, if the sensitivity level of a table is 2 and no sensitivity level is configured for all the columns in the table, the sensitivity level of all the columns in the table is 2.
    • The labels that you configured for columns in a table overwrite the label that you configured for the table. The label that you configured for a table does not overwrite the labels that you configured for columns in the table. For example, if the initial sensitivity level that you configured for a table is 2 and the sensitivity level that you configured for col1 in the table is 3, the sensitivity level of all the columns except col1 is 2.
    • If you want to modify the sensitivity-level labels that you configured for tables or columns, you can rerun the command to configure sensitivity-level labels.
  • Parameters
    Parameter | Required | Description
    number | Yes | The sensitivity level. Valid values: 0-9. A larger value indicates a higher sensitivity level.
    table_name | Yes | The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.
    column_list | No | The names of columns in the table. You can specify multiple column names. Separate column names with commas (,).

Configure access-level labels for users or roles

The project owner or a user who is assigned the Admin role configures access-level labels for other users or roles in the project.

  • Syntax
    set Label <number> to {USER|ROLE} <name>;
  • Usage notes
    • After you configure access-level labels for users, the users can access only the data whose sensitivity level is lower than or equal to the user access levels. For example, if the access level of a user is 3, the user can access tables or columns whose sensitivity level ranges from 0 to 3.
    • If you want to modify the access-level label that is configured for a user or role, you must rerun the command to configure a new access-level label.
  • Parameters
    Parameter | Required | Description
    number | Yes | The highest sensitivity level of data that the users or roles can access. The valid values range from 0 to 9 and correspond to sensitivity-level labels.
    name | Yes | The name of the user or role. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

Enable label-based explicit authorization

The project owner or a user who is assigned the Admin role authorizes users or roles with low access levels to access data with high sensitivity levels.

  • Syntax
    grant Label <number> on table <table_name> [(<column_list>)] to {USER|ROLE} <name> [with exp <days>];
  • Usage notes

    The labels that are explicitly configured for columns in a table overwrite the label that is explicitly configured for the table.

  • Parameters
    Parameter | Required | Description
    number | Yes | The highest sensitivity level of data that the users or roles can access. The valid values range from 0 to 9 and correspond to sensitivity-level labels.
    table_name | Yes | The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.
    column_list | No | This parameter is required if you want to authorize a user or role to access a specified column in the table or view. You can specify multiple column names for a single authorization operation. Separate column names with commas (,).
    name | Yes | The name of the user or role. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.
    days | No | The expiration time of the specified permission. Unit: days. Valid values: 0 to 2^63 - 1. If you do not specify this parameter, the default expiration time is 180 days.

Disable label-based explicit authorization

The project owner or a user who is assigned the Admin role revokes an explicitly configured label from a user or role.

  • Syntax
    revoke Label on table <table_name> [(<column_list>)] from {USER|ROLE} <name>;
  • Usage notes
    • If you revoke the label that is explicitly configured for a table from a user, the labels that are explicitly configured for the columns in the table are also revoked.
    • If you revoke the labels that are explicitly configured for tables or columns, the access-level labels that are configured for users or roles are not affected. For example, if the explicit permission to access table data whose sensitivity level is lower than or equal to 3 is revoked from a user whose access level is 2, the user can still access the table data whose sensitivity level is lower than or equal to 2.
  • Parameters
    Parameter | Required | Description
    table_name | Yes | The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.
    column_list | No | This parameter is required if you want to revoke the permission to access sensitive data of a specified column in a table or view. You can specify multiple column names. Separate column names with commas (,).
    name | Yes | The name of the user or role. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

Clear information about expired permissions

The project owner or a user who is assigned the Admin role clears information about the expired permissions that are granted by using explicit authorization.

clear expired grants;

Examples

In these examples, the test_project_a project stores a table named sale_detail that contains the shop_name, customer_id, and total_price columns. Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that belongs to Bob@aliyun.com and is added to the test_project_a project.

  • Example 1: Configure sensitivity-level labels for the sale_detail table and columns in the sale_detail table. Sample commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Set the label of the sale_detail table to 1. In this case, the labels of all the columns in the table are 1. 
    set Label 1 to table sale_detail; 
    -- Set the labels of the shop_name and customer_id columns in the sale_detail table to 2. In this case, the labels of other columns are still 1. 
    set Label 2 to table sale_detail(shop_name, customer_id); 
    -- Change the label of the sale_detail table to 3. The labels of the shop_name and customer_id columns are still 2. The labels of other columns in the sale_detail table are changed to 3. 
    set Label 3 to table sale_detail; 
    -- Change the labels of the shop_name and customer_id columns in the sale_detail table to 4. In this case, the labels of other columns are still 3. 
    set Label 4 to table sale_detail(shop_name, customer_id); 
    -- View the labels of the table. 
    describe sale_detail;
    -- The following result is returned: 
    +------------------------------------------------------------------------------------+
    | Owner: ALIYUN$****@test.aliyun.com | Project: ****                                 |
    | TableComment:                                                                      |
    +------------------------------------------------------------------------------------+
    | CreateTime:               2021-12-13 11:27:04                                      |
    | LastDDLTime:              2021-12-13 11:27:04                                      |
    | LastModifiedTime:         2021-12-13 11:27:26                                      |
    +------------------------------------------------------------------------------------+
    | TableLabel:               3                                                        |  -- The table label is 3. 
    | MaxLabel:                 L4                                                       |
    +------------------------------------------------------------------------------------+
    | InternalTable: YES      | Size: 784                                                |
    +------------------------------------------------------------------------------------+
    | Native Columns:                                                                    |
    +------------------------------------------------------------------------------------+
    | Field           | Type       | Label | Comment                                     |
    +------------------------------------------------------------------------------------+
    | shop_name       | string     | 4     |                                             |  -- The column label is 4.
    | customer_id     | string     | 4     |                                             |  -- The column label is 4.
    | total_price     | double     | 3     |                                             |  -- The column label is 3.
    +------------------------------------------------------------------------------------+
    | Partition Columns:                                                                 |
    +------------------------------------------------------------------------------------+
    | sale_date       | string     |                                                     |
    | region          | string     |                                                     |
    +------------------------------------------------------------------------------------+
  • Example 2: Configure access-level labels for the Alibaba Cloud account Kate@aliyun.com and RAM$Bob@aliyun.com:Allen in the test_project_a project. Sample commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Set the access-level label of the Alibaba Cloud account Kate@aliyun.com to 3. This allows Kate@aliyun.com to access data whose sensitivity level is 0 to 3.  
    set Label 3 to USER ALIYUN$Kate@aliyun.com; 
    -- Set the access-level label of the RAM user Allen to 1. This allows Allen to access data whose sensitivity level is 0 or 1. 
    set Label 1 to USER RAM$Bob@aliyun.com:Allen; 
    -- View the information about the access level of Allen. 
    show label grants for RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
    
    (granted label list is empty)
  • Example 3: Explicitly authorize Allen to access data with high sensitivity levels. Sample commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Explicitly authorize Allen to access data whose sensitivity level is lower than or equal to 3 in the sale_detail table. The validity period of the granted permissions is 4 days. Because shop_name and customer_id are labeled 4, only total_price (label 3) is covered by this table-level grant.
    grant Label 3 on table sale_detail to USER RAM$Bob@aliyun.com:Allen with exp 4; 
    -- View the permissions that are granted to Allen. 
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
    +-------------+--------------+--------------------------+
    | Column      | GrantedLabel | Expires                  |
    +-------------+--------------+--------------------------+
    | total_price | 3            | 2021-12-31T19:56:18+0800 |
    +-------------+--------------+--------------------------+
    -- Explicitly authorize Allen to access the data whose sensitivity level is lower than or equal to 4 in the shop_name, customer_id, and total_price columns of the sale_detail table. The validity period of the granted permissions is 10 days. The column-level grants overwrite the table-level grant of 3 for these columns.
    grant Label 4 on table sale_detail(shop_name, customer_id, total_price) to USER RAM$Bob@aliyun.com:Allen with exp 10;
    -- View the permissions that are granted to Allen. 
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
    +-------------+--------------+--------------------------+
    | Column      | GrantedLabel | Expires                  |
    +-------------+--------------+--------------------------+
    | customer_id | 4            | 2022-01-06T19:58:00+0800 |
    +-------------+--------------+--------------------------+
    | shop_name   | 4            | 2022-01-06T19:58:00+0800 |
    +-------------+--------------+--------------------------+
    | total_price | 4            | 2022-01-06T19:58:00+0800 |
    +-------------+--------------+--------------------------+
  • Example 4: Revoke the permissions to access data with high sensitivity levels from Allen. Sample commands:
    -- Revoke the explicit column-level grants (label 4) on the shop_name, customer_id, and total_price columns of the sale_detail table from Allen. The table-level grant (label 3) is not affected, so total_price is still covered by it.
    revoke Label on table sale_detail(shop_name, customer_id, total_price) from USER RAM$Bob@aliyun.com:Allen;
    -- View the permissions that are granted to Allen. 
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
    +-------------+--------------+--------------------------+
    | Column      | GrantedLabel | Expires                  |
    +-------------+--------------+--------------------------+
    | total_price | 3            | 2021-12-31T19:56:18+0800 |
    +-------------+--------------+--------------------------+
    -- Revoke the permissions to access sensitive data in the sale_detail table from Allen. 
    revoke Label on table sale_detail from USER RAM$Bob@aliyun.com:Allen; 
    -- View the permissions that are granted to Allen. 
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
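The following Python model is an added example, not MaxCompute code or part of this documentation. It implements the rules stated in this topic (column labels override table labels, No-ReadUp against the user access level, explicit grants with an expiry that default to 180 days, column grants overriding table grants, table revokes also dropping column grants, and the ban on labeling partition key columns) and replays Examples 1 to 4 to check which columns Allen can read after each step. The LabelProject class, its method names, the fixed timestamp, and the rule that a table-level grant is listed only for the columns whose sensitivity level it covers (which matches the outputs shown above) are assumptions made for this example.

```python
# Added example, not MaxCompute code: a Python model of the LabelSecurity rules
# on this page (No-ReadUp, column labels overriding table labels, explicit
# grants with expiry, revocation). Names and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_EXPIRY_DAYS = 180  # default validity of an explicit grant (from the page)


@dataclass
class LabelProject:
    columns: dict = field(default_factory=dict)         # table -> {column: level or None}
    partition_keys: dict = field(default_factory=dict)  # table -> set of partition key columns
    table_labels: dict = field(default_factory=dict)    # table -> level (default 0)
    user_labels: dict = field(default_factory=dict)     # user/role -> access level (default 0)
    table_grants: dict = field(default_factory=dict)    # (user, table) -> (level, expires)
    column_grants: dict = field(default_factory=dict)   # (user, table, column) -> (level, expires)

    def create_table(self, table, columns, partition_keys=()):
        self.columns[table] = {c: None for c in columns}   # None = inherit the table label
        self.partition_keys[table] = set(partition_keys)

    @staticmethod
    def _check_level(level):
        if not 0 <= level <= 9:
            raise ValueError("labels must be in the range 0-9")

    # set Label <number> to table <table_name>[(<column_list>)];
    def set_label(self, table, level, columns=None):
        self._check_level(level)
        if columns is None:
            self.table_labels[table] = level    # existing column labels are kept
            return
        for c in columns:
            if c in self.partition_keys[table]:
                raise ValueError(f"{c} is a partition key column and cannot be labeled")
            self.columns[table][c] = level      # a column label overrides the table label

    # set Label <number> to {USER|ROLE} <name>;
    def set_user_label(self, user, level):
        self._check_level(level)
        self.user_labels[user] = level

    def sensitivity(self, table, column):
        own = self.columns[table][column]
        return self.table_labels.get(table, 0) if own is None else own

    # grant Label <number> on table <t>[(<cols>)] to {USER|ROLE} <name> [with exp <days>];
    def grant_label(self, user, table, level, columns=None, days=None, now=None):
        self._check_level(level)
        now = now or datetime.now()
        expires = now + timedelta(days=DEFAULT_EXPIRY_DAYS if days is None else days)
        if columns is None:
            self.table_grants[(user, table)] = (level, expires)
        for c in columns or ():
            self.column_grants[(user, table, c)] = (level, expires)

    # revoke Label on table <t>[(<cols>)] from {USER|ROLE} <name>;
    def revoke_label(self, user, table, columns=None):
        if columns is None:                       # a table revoke also drops column grants
            self.table_grants.pop((user, table), None)
            columns = list(self.columns[table])
        for c in columns:
            self.column_grants.pop((user, table, c), None)

    # clear expired grants;
    def clear_expired_grants(self, now):
        self.table_grants = {k: v for k, v in self.table_grants.items() if v[1] > now}
        self.column_grants = {k: v for k, v in self.column_grants.items() if v[1] > now}

    # Mirrors "show label grants on table": column -> (granted level, expiry).
    def label_grants(self, user, table, now):
        out, tg = {}, self.table_grants.get((user, table))
        for c in self.columns[table]:
            cg = self.column_grants.get((user, table, c))
            if cg and cg[1] > now:
                out[c] = cg                        # an explicit column grant wins
            elif tg and tg[1] > now and self.sensitivity(table, c) <= tg[0]:
                out[c] = tg                        # assumption: a table grant lists only covered columns
        return out

    # No-ReadUp: a column is readable when its sensitivity level does not exceed the
    # user's access level or an unexpired explicit grant (SELECT on the table is assumed).
    def readable_columns(self, user, table, now=None):
        now = now or datetime.now()
        grants = self.label_grants(user, table, now)
        base = self.user_labels.get(user, 0)
        return sorted(c for c in self.columns[table]
                      if self.sensitivity(table, c) <= max(base, grants.get(c, (-1,))[0]))


def walkthrough():
    """Replays Examples 1-4 from this topic with a constructed clock; returns each step's result."""
    t0 = datetime(2021, 12, 27, 19, 56, 18)           # constructed grant time
    allen = "RAM$Bob@aliyun.com:Allen"
    p = LabelProject()
    p.create_table("sale_detail", ["shop_name", "customer_id", "total_price"], ["sale_date", "region"])
    p.set_label("sale_detail", 1)
    p.set_label("sale_detail", 2, ["shop_name", "customer_id"])
    p.set_label("sale_detail", 3)
    p.set_label("sale_detail", 4, ["shop_name", "customer_id"])
    try:
        p.set_label("sale_detail", 2, ["sale_date"])  # partition key column: must be rejected
        partition_rejected = False
    except ValueError:
        partition_rejected = True
    p.set_user_label(allen, 1)
    r = {"labels": {c: p.sensitivity("sale_detail", c) for c in p.columns["sale_detail"]},
         "partition_rejected": partition_rejected,
         "before_grant": p.readable_columns(allen, "sale_detail", t0)}
    p.grant_label(allen, "sale_detail", 3, days=4, now=t0)
    r["after_table_grant"] = p.readable_columns(allen, "sale_detail", t0)
    p.grant_label(allen, "sale_detail", 4, ["shop_name", "customer_id", "total_price"], days=10, now=t0)
    r["after_column_grant"] = p.readable_columns(allen, "sale_detail", t0)
    p.revoke_label(allen, "sale_detail", ["shop_name", "customer_id", "total_price"])
    r["after_column_revoke"] = p.readable_columns(allen, "sale_detail", t0)
    later = t0 + timedelta(days=5)                     # the 4-day table grant has expired
    r["after_expiry"] = p.readable_columns(allen, "sale_detail", later)
    p.clear_expired_grants(later)
    r["grants_left_after_clear"] = len(p.table_grants) + len(p.column_grants)
    p.revoke_label(allen, "sale_detail")
    r["after_table_revoke"] = p.label_grants(allen, "sale_detail", t0)
    return r
```

Running walkthrough() shows the same progression as the outputs above: with access level 1 Allen reads nothing, the table-level grant of 3 exposes only total_price, the column grants of 4 expose all three columns, revoking the column grants falls back to the table grant, and once that grant expires (or is revoked) nothing is readable again. The model deliberately ignores the SELECT permission that is also required; it only evaluates the label check.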

What to do next

After you understand label-based access control, you can perform authorization operations based on your business requirements. For more information, see the following topics: