Project-level tenant resource access control

Last Updated: Mar 27, 2026

This topic explains the project-level tenant resource access control feature, which lets you configure fine-grained, project-level access permissions for tenant-level resources in MaxCompute.

Background

MaxCompute resource objects include tenant objects and project-level objects.

  • Tenant objects: Include external data sources, network connections, custom images, and quota groups. A tenant administrator uses a RAM policy to control permissions for these resources.

  • Project-level objects: Objects that belong to a project, such as schemas, tables, roles, instances, resources, functions, and views. A project administrator controls permissions for these objects by using the authorization models within MaxCompute.

You can use tenant objects across projects. By default, MaxCompute does not check whether a project is authorized to use a tenant object. If the owner of a tenant object does not want a specific project to use it, they can enable project-level tenant resource access control to explicitly link the resource to specific projects. This is an optional, enhanced access control model.

Usage

MaxCompute offers two security models for controlling access to tenant objects at the project level.

Important
  • The project-level tenant resource access control switch applies to all tenant objects. When you turn on this switch, it enables permission checks for all tenant resources.

  • This feature is currently in preview and cannot be enabled directly. If you need to use this feature, submit a ticket.

Mode 1: Enable project-level tenant resource access control

  1. The creator of a tenant resource can specify which projects can use the resource by configuring a mount relationship between the resource and the projects.

  2. Then, the project administrator grants users within the project permissions to use the resource through an authorization model.

By enabling project-level tenant resource access control, you can control which projects are allowed to use specific tenant objects. Currently, there is no switch for a tenant administrator to enforce this feature for all projects.

Mode 2: Without project-level tenant resource access control

Any user who has permission to run tasks in a project can use the tenant resources required for those tasks.

Even if a tenant resource creator configures mount relationships between resources and projects, or a project administrator grants Usage permissions to users by using a policy, these settings have no effect if project-level tenant resource access control is disabled. However, tenant-level policy authorizations remain in effect regardless of this setting.

Enable project-level tenant resource access control

To enable project-level tenant resource access control, perform the following steps:

  1. Mount tenant objects to projects:

    1. Log on to the MaxCompute console, and select a region in the upper-left corner.

    2. In the navigation pane on the left, navigate to the configuration page for the target object: Manage Configurations > Quotas, Manage Configurations > Network Connection, Manage Configurations > External Data Source, or Manage Configurations > Images.

    3. In the Actions column of the target object, click Enhance Access Management, select the projects to mount, and then complete the configuration.

  2. View the mounted tenant objects:

    1. In the navigation pane on the left, choose Manage Configurations > Projects. On the Projects page, click Manage in the Actions column of the target project to open its project settings page.

    2. On the Project Settings page, select the Parameter Configuration tab. In the Permission Properties section, click Edit. Then, click View Tenant Resources Bound to Projects to see the mount status between the project and resources such as network connections, external data sources, custom images, and quota groups.

  3. Apply a policy to the project's mounted tenant objects:

    1. In the navigation pane on the left, choose Manage Configurations > Projects. On the Projects page, click Manage in the Actions column of the target project to open its project settings page.

    2. On the Project Settings page, select the Role Permissions tab. Find the target project-level role and click Edit Role in the Actions column.

    3. In the Edit Role dialog box, set Authorization Method to Policy.

    4. In the Policy-based Access Control script box, you can modify the role policy.

      For example, the following policy allows user a in project project_a to use a quota of 500 CU:

      {
          "Statement":[
              {
                  "Action":[
                      "odps:Usage"
                  ],
                  "Effect":"Allow",
                  "Resource":[
                      "acs:odps:*:regions/*/quotas/500cu"
                  ]
              }
          ],
          "Version":"1"
      }

      After you grant user a permission to use tenant resources within project_a, you can control tenant resource access at the user or role level when project-level tenant resource access control is enabled.

    5. For more information about policy configurations, see Policy-based access control.
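The policy above grants odps:Usage on exactly one quota. Before applying a role policy, it helps to lint it for over-broad grants and to check what it would allow for a concrete request. The following is an added example written for this page, not MaxCompute's own code or API: it parses a policy in the JSON shape shown above, flags wildcard actions and resources that are not scoped to a single tenant object, and evaluates a request against the Statement list. The evaluation rule that an explicit Deny overrides Allow is an assumption borrowed from common policy engines; this topic does not describe evaluation order. The account ID and region in the sample request are constructed.

```python
import fnmatch
import json

# Added example, not MaxCompute's own code. Parses a role policy in the
# JSON shape shown in this topic, lints it, and evaluates one request.
# Assumption: an explicit "Deny" statement overrides "Allow" (the usual
# rule in policy engines; this topic does not state the evaluation order).

PAGE_POLICY = """
{
    "Statement":[
        {
            "Action":["odps:Usage"],
            "Effect":"Allow",
            "Resource":["acs:odps:*:regions/*/quotas/500cu"]
        }
    ],
    "Version":"1"
}
"""


def load_policy(text: str) -> dict:
    """Parse policy JSON and normalise Action/Resource to lists."""
    policy = json.loads(text)
    for stmt in policy.get("Statement", []):
        for key in ("Action", "Resource"):
            value = stmt.get(key, [])
            if isinstance(value, str):
                stmt[key] = [value]
    return policy


def lint_policy(policy: dict) -> list:
    """Return findings for common mistakes in a tenant-resource Usage policy."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version should be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt.get("Action", []):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r} grants more than Usage")
        for res in stmt.get("Resource", []):
            # The last path segment names the concrete tenant object (e.g. quotas/500cu);
            # a wildcard there grants every object of that type.
            if res == "*" or res.rsplit("/", 1)[-1] == "*":
                findings.append(f"statement {i}: resource {res!r} is not scoped to one tenant object")
    return findings


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch' for one request (Deny overrides Allow)."""
    decision = "NoMatch"
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in stmt.get("Action", []))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in stmt.get("Resource", []))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = load_policy(PAGE_POLICY)
    print("lint:", lint_policy(policy) or "clean")
    # Constructed request: account ID 1234 and region cn-hangzhou are placeholders.
    print(evaluate(policy, "odps:Usage", "acs:odps:1234:regions/cn-hangzhou/quotas/500cu"))
    print(evaluate(policy, "odps:Usage", "acs:odps:1234:regions/cn-hangzhou/quotas/800cu"))
```

A request for a different quota falls through to NoMatch rather than Deny, which is why the lint step matters: the page's policy is tight because the resource ends in a named quota, and the linter reports any Allow whose resource ends in a bare wildcard.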

Query tenant resources used by a project

You can query for tenant resources used by a project in several ways, depending on the scenario.

Tenant resource: Quota group

  • Scenario: The project uses a default quota.

    Query method: View the default compute quota in the project list on the Manage Configurations > Projects page in the MaxCompute console.

  • Scenario: A quota is specified at the job level.

    Query method: Check the compute quota specified in the runtime parameters before you run the SQL statement:

    set odps.task.wlm.quota=<quotaname>;

  • Scenario: A quota rule specifies a project and task.

Tenant resource: Network connection

  • Scenario: Querying an external table that uses a network connection to access a data source in a VPC.

    Query method: Run the SHOW CREATE TABLE <external_table_name>; command to view the network connection specified in the DDL of the external table:

    TBLPROPERTIES('networklink'='<networklink_name>')

  • Scenario: A network connection is specified before an SQL statement that contains a UDF for VPC access is run.

    Query method: Check the network connection specified in the runtime parameters before you run the SQL statement:

    set odps.session.networklink=<networklink_name>;

  • Scenario: An external data source references a network connection.

    Query method: View the network connection in the list on the Manage Configurations > External Data Source page in the MaxCompute console.

  • Scenario: A Spark on MaxCompute job uses a network connection.

Tenant resource: External data source

  • Scenario: Querying a table from an external schema that references an external data source.

    Query method:

    1. Run the SHOW SCHEMAS; command to view the list of schemas in the project.

    2. Run the DESC SCHEMA <schema_name>; command to view the referenced external data source.

Tenant resource: Custom image

  • Scenario: A UDF references a custom image.
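Because the access-control switch applies to all tenant objects at once, a project administrator usually wants an inventory of the quotas and network connections the project's jobs reference before enabling it, so that nothing unmounted breaks when checks are enforced. The script below is an added example, not MaxCompute tooling: it applies two of the query methods above, the set odps.task.wlm.quota and set odps.session.networklink runtime parameters and the networklink property in SHOW CREATE TABLE output, to SQL text and compares the result against the project's mount list. The job script, DDL output and mount list are constructed sample data; the MOUNTED dictionary stands in for what the console's View Tenant Resources Bound to Projects view shows.

```python
import re

# Added example, not MaxCompute's own tooling. Inventories the tenant
# resources referenced by a project's SQL and compares them with the
# project's mount list before project-level access control is enabled.

# Runtime parameters set before a SQL statement, as listed in this topic.
QUOTA_RE = re.compile(r"set\s+odps\.task\.wlm\.quota\s*=\s*([^;\s]+)\s*;", re.IGNORECASE)
NETLINK_RE = re.compile(r"set\s+odps\.session\.networklink\s*=\s*([^;\s]+)\s*;", re.IGNORECASE)
# Network connection named in an external table's DDL (SHOW CREATE TABLE output).
TBLPROP_RE = re.compile(r"'networklink'\s*=\s*'([^']+)'", re.IGNORECASE)

# Constructed sample inputs; names and table are placeholders, not real project data.
JOB_SCRIPT = """
set odps.task.wlm.quota=500cu;
set odps.session.networklink=vpc_link_a;
SELECT count(*) FROM ext_orders;
"""
SHOW_CREATE_OUTPUT = """
CREATE EXTERNAL TABLE ext_orders (order_id BIGINT, amount DOUBLE)
TBLPROPERTIES('networklink'='vpc_link_b');
"""
# Constructed stand-in for the mount status shown in the console.
MOUNTED = {"quotas": {"500cu"}, "networklinks": {"vpc_link_a"}}


def referenced_tenant_resources(*texts: str) -> dict:
    """Collect quota and network connection names referenced in SQL text."""
    quotas, links = set(), set()
    for text in texts:
        quotas.update(QUOTA_RE.findall(text))
        links.update(NETLINK_RE.findall(text))
        links.update(TBLPROP_RE.findall(text))
    return {"quotas": quotas, "networklinks": links}


def unmounted_resources(referenced: dict, mounted: dict) -> dict:
    """Resources the project's jobs use that are not mounted to the project."""
    return {kind: sorted(referenced.get(kind, set()) - mounted.get(kind, set()))
            for kind in referenced}


if __name__ == "__main__":
    found = referenced_tenant_resources(JOB_SCRIPT, SHOW_CREATE_OUTPUT)
    print("referenced:", found)
    # vpc_link_b comes from the external table DDL but is not in the mount list.
    print("unmounted:", unmounted_resources(found, MOUNTED))
```

In practice the inputs would be the project's scheduled job scripts and the SHOW CREATE TABLE output for each external table; anything reported as unmounted needs a mount relationship (step 1 of the enablement procedure) before the switch is turned on.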

Related documentation

For more information about tenant resources, see the following topics: