
MaxCompute:ACL-based access control

Last Updated:Nov 07, 2025

MaxCompute supports access control lists (ACLs) for granting users or roles permissions to perform specific actions on objects. To manage permissions for multiple users, you can grant permissions to a role and then assign that role to the users. This method provides simple and efficient access control. This topic describes the ACL authorization commands that MaxCompute supports and provides authorization examples.

Background information

ACL-based access control uses a whitelist. This means you can explicitly allow a user or role to perform specific actions on an object. This method is straightforward and allows for precise authorization.

ACL-based access control is enabled by default when you create a MaxCompute project. The project owner can run the set CheckPermissionUsingACL=true|false; command to enable or disable it. When it is disabled, ACL grants in the project are no longer evaluated, so do not disable it in a project whose access decisions depend on ACLs.

ACL-based access control is suitable for the following scenarios (the original table has the columns Scenario, Description, Grantor, and Authorization endpoint).

  • Scenario: Grant permissions to a user

    Description: Grants permissions directly to a single user to perform one or more operations on a specified object.

    Grantor and authorization endpoint: see the Supported authorizers column in MaxCompute permissions.

  • Scenario: Grant permissions to users based on roles

    Description: Grant a role permissions to perform one or more operations on a specified object, then attach the role to multiple users. The users then have the permissions of the role.

    Grantor and authorization endpoint: for creating a role and attaching a role to a user, see Role planning and Attach a role to a user.

Note

Roles are used to better manage users. Typically, you do not grant the same permissions on the same object to multiple roles.

Prerequisites

Before you use ACL-based access control, ensure that you have the following information:

  • The user account or role to which you want to grant permissions. Ensure that the user or role has been added to your MaxCompute project. An Alibaba Cloud account is in the format ALIYUN$<account_id>, a RAM user account is in the format RAM$<account_id>:<RAM_user_UID>, and a RAM role account is in the format `RAM$<account_id>:role/<RAM_role_name>`.

    You can run the list users; or list roles; command on the MaxCompute client to retrieve account or role information.

    To add a user or role, see User planning and management or Role planning.

  • The object type, object name, and the actions to authorize.

    For more information about object types and actions, see MaxCompute permissions.

Limits

The following limits apply to ACL-based access control:

  • You can grant permissions only on existing objects and to existing users or roles. This avoids the security risk of a stale grant attaching to a different object that is later created with the same name, for example after the original object is deleted.

  • ACL-based access control does not support authorization using the [with grant option] clause. For example, if User A grants a permission to User B, User B cannot grant that same permission to User C.

  • ACL authorization uses a whitelist (Allow). It does not support a blacklist (Deny).

Precautions

Note the following when you use ACL-based access control:

  • If you delete an object, MaxCompute automatically revokes all ACL authorizations associated with that object.

  • After a user is removed from the project, the ACL permissions granted to that user are retained rather than deleted. If the same account is added to the project again, its historical permissions become active again immediately, without a new grant. Revoke a user's permissions before you remove the user. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
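Because a removed user's grants survive removal and reactivate on re-add, an offboarding should revoke first and remove second, and verify in between. The following is an added example built from the commands on this page (it is not a procedure copied from the MaxCompute documentation); it offboards the RAM user Allen from the examples section. The Worker role membership is hypothetical and is included to show that role attachments need revoking as well as direct grants.

```sql
-- Added example: offboard a RAM user without leaving residual ACL entries behind.
-- Run by the project owner (Bob) in test_project_a. Allen's Worker role membership is hypothetical.
use test_project_a;

-- 1. Inventory before changing anything: direct ACL grants and role memberships.
show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;

-- 2. Revoke every direct grant the inventory listed (table-level Describe/Select here).
revoke Describe, Select on table sale_detail
  from USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;

-- 3. Detach roles. Permissions held through a role go away with the membership,
--    but the membership itself is what would come back if the account were re-added.
revoke Worker from RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;

-- 4. Re-check: the output should list no ACL entries and no roles for this user.
show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;

-- 5. Only now remove the project membership. Doing this first would leave the
--    grants above in place, dormant until the next "add user" for the same account.
remove user RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
```

The second show grants is the check that matters: if it still lists an entry, the corresponding revoke is missing and removing the user would merely hide the grant rather than delete it.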

Command formats

The command formats for ACL-based access control are as follows:

  • Grant ACL permissions

    grant <actions> on <object_type> <object_name> 
    [(<column_list>)] to <subject_type> <subject_name> 
    [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
  • Revoke ACL permissions

    revoke <actions> on <object_type> <object_name> 
    [(<column_list>)] from <subject_type> <subject_name>;
  • Column-level access control

    grant <actions> on table <table_name> (<column_list>) to <subject_type> <subject_name>;
    revoke <actions> on table <table_name> (<column_list>) from <subject_type> <subject_name>;

The following list describes the parameters.

  • actions (required): The action permissions to grant. You can specify one or more actions in a single authorization; separate multiple actions with commas (,). For the valid values, see MaxCompute permissions.

  • object_type (required): The type of the object on which permissions are granted. You can specify only one object type in a single authorization. For the valid values, see MaxCompute permissions.

  • object_name (required): The name of the object on which permissions are granted. You can obtain the name in the following ways:

      • Project name: Log on to the MaxCompute console, switch to the region in the upper-left corner, and find the project name on the Project Management tab. When the object type is Project, only the current project can be specified.

      • Table or view name: Run the show tables; command on the MaxCompute client.

      • Model name: Run the show models; command on the MaxCompute client.

      • Resource name: Run the list resources; command on the MaxCompute client.

      • Function name: Run the list functions; command on the MaxCompute client.

      • Instance name: Run the show instances; command on the MaxCompute client to obtain the instance ID.

    You can use an asterisk (*) as a wildcard character in the object name. For example, table taobao* matches all tables whose names start with taobao.

    Note: A wildcard character can be used only when you grant permissions to a ROLE. You cannot use a wildcard character when you grant permissions to a USER.

  • column_list (optional): Required only when object_type is Table and you need column-level access control. Specify one or more column names, separated by commas (,).

    Note: This parameter controls the Describe, Select, Alter, Update, Drop, ShowHistory, and ALL permissions on the specified columns of a table. If columns in the table have sensitivity levels, you can use Label-based access control to control access to sensitive data based on sensitivity level labels.

  • privilegeproperties (optional): Additional properties that restrict the grant:

      • conditions: Restricts the permission based on dimensions such as the request source and access method. The format is "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and .... For the supported var_name and Operation values, see Conditions.

      • expires: The lifetime of the permission, in days. If you do not specify this property, the permission never expires. If you do, MaxCompute automatically purges the permission information after it expires.

  • subject_type (required): The type of subject to which permissions are granted. Valid values:

      • USER: an Alibaba Cloud account, a RAM user, or a RAM role

      • ROLE: a MaxCompute role

  • subject_name (required): The user account or role name to which permissions are granted. You can specify only one user or role at a time. The formats are as follows:

      • Alibaba Cloud account: ALIYUN$<account_id>

      • RAM user: RAM$<account_id>:<RAM_user_UID>

      • RAM role: RAM$<account_id>:role/<RAM_role_name>

    You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

Conditions

The following list describes the supported var_name and Operation values for conditions.

  • acs:UserAgent (type: STRING): The User-Agent of the client that sends the request. Operations:

      • StringEquals: =

      • StringNotEquals: <>

      • StringLike: like

      • StringNotLike: not like

  • acs:Referer (type: STRING): The HTTP Referer of the request. Operations: the same string operations as acs:UserAgent.

  • acs:SourceIp (type: IP Address): The IP address of the client that sends the request. Operations:

      • IpAddress: in (...)

      • NotIpAddress: not in (...)

  • acs:SecureTransport (type: BOOLEAN): Whether the request was sent over a secure channel, such as HTTPS. Values: True or False.

  • acs:CurrentTime (type: DATEANDTIME): The time when the web server receives the request, in ISO 8601 format, for example 2012-11-11T23:59:59Z. Operations:

      • DateEquals: =

      • DateNotEquals: <>

      • DateLessThan: <

      • DateLessThanEquals: <=

      • DateGreaterThan: >

      • DateGreaterThanEquals: >=
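The worked examples on this page grant plain, permanent permissions. As an added example (not from the MaxCompute documentation), the following grant uses privilegeproperties to bind a permission to a source network, to a TLS connection, and to a 30-day lifetime, and then revokes it early. The user and table come from the page's own scenario; the 10.0.0.0/8 range is a placeholder, and the quoting of the constants is my reading of the "<var_name> <Operation> Constant" format described above, so confirm it against MaxCompute permissions before relying on it.

```sql
-- Added example: conditional, time-bound ACL grant. Bob (project owner) runs this in test_project_a.
-- Assumptions: Tom is already a project member; 10.0.0.0/8 stands in for the VPC or office range
-- (CIDR notation for acs:SourceIp is assumed to be accepted); constant quoting is assumed.
use test_project_a;

-- Allow Tom to read sale_detail only from 10.0.0.0/8, only over a secure channel,
-- and only for the next 30 days. After 30 days MaxCompute purges the grant itself.
grant Describe, Select on table sale_detail
  to USER RAM$5527xxxxxxxxx5788:3874xxxxxxxxxx1850
  privilegeproperties(
    "conditions" = "acs:SourceIp in ('10.0.0.0/8') and acs:SecureTransport = 'true'",
    "expires" = "30"
  );

-- A request from outside the range, or over plain HTTP, does not satisfy the condition
-- and is denied. ACL checks are allow-only: nothing is written as a Deny, the Allow
-- simply does not match that request.

-- Verify what was recorded for Tom.
show grants for RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;

-- Revoke before expiry if Tom's need ends early. The revoke form on this page has no
-- privilegeproperties clause; it matches on the actions, object and subject only.
revoke Describe, Select on table sale_detail
  from USER RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
```

Combining acs:SourceIp with acs:SecureTransport is the usual shape for a read grant to a batch or reporting identity: the IP condition limits where the credential can be used from, and the expiry makes a forgotten grant clean itself up.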

ACL access control examples

Assume that Bob@aliyun.com (account ID: 5527xxxxxxxx5788) is the owner of the test_project_a project. Allen (UID: 1652xxxxxxxxxx1538), Alice (UID: 2763xxxxxxxxxx1649), and Tom (UID: 3874xxxxxxxxxx1850) are RAM users that belong to Bob@aliyun.com. The following examples show how to grant permissions by using the MaxCompute client:

  • Example 1: Grant permissions to a user

    Create a table named sale_detail in the test_project_a project and grant the Describe (read metadata) and Select (read table data) permissions on the table to the user Allen. The sample commands are as follows.

    -- Bob enters the test_project_a project.
    use test_project_a; 
    -- Create a partitioned table named sale_detail.
    create table if not exists sale_detail
    (
    shop_name     string,
    customer_id   string,
    total_price   double
    )
    partitioned by (sale_date string, region string);
    -- Add user Allen as a project member.
    add user RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
    -- Grant permissions to Allen.
    grant Describe, Select on table sale_detail to USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
    -- View the authorization result for Allen.
    show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538; 
    -- The authorization result is as follows.
    Authorization Type: ACL
    [user/RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538]
    A       projects/test_project_a/tables/sale_detail: Describe | Select
  • Example 2: Grant column-level permissions to a user

    Based on the sale_detail table created in Example 1, grant all permissions on the shop_name and customer_id columns to the user Alice. The sample commands are as follows.

    -- Bob enters the test_project_a project.
    use test_project_a; 
    -- Add user Alice as a project member.
    add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    -- Grant column-level permissions to Alice.
    grant All on table sale_detail (shop_name, customer_id) to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    -- View the authorization result for Alice.
    show grants for RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649; 
    -- The authorization result is as follows.
    Authorization Type: ACL
    [user/RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649]
    A       projects/test_project_a/tables/sale_detail/customer_id: All
    A       projects/test_project_a/tables/sale_detail/shop_name: All
  • Example 3: Revoke permissions from a user

    Based on Example 1 and Example 2, revoke the permissions from the users Allen and Alice. The sample commands are as follows.

    -- Bob enters the test_project_a project.
    use test_project_a; 
    -- Revoke permissions from Allen.
    revoke Describe, Select on table sale_detail from USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
    -- Allen was granted Describe and Select on the whole table in Example 1, so the revoke is table-level too; a column-level revoke would not remove a table-level grant.
    -- Revoke permissions from Alice.
    revoke All on table sale_detail (shop_name, customer_id) from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    -- View the result of revoking permissions from Allen. The permission list does not contain Describe or Select permissions.
    show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538; 
    -- View the result of revoking permissions from Alice. The permission list does not contain the All permission.
    show grants for RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649; 

  • Example 4: Grant the same permissions to multiple users based on a role

    Grant permissions to Alice, Tom, and another Alibaba Cloud account, Lily@aliyun.com(account ID: 5638xxxxxxxx6899), to create instances, resources, functions, and tables, and to view all object types in the test_project_a project. The sample commands are as follows.

    -- Bob enters the test_project_a project.
    use test_project_a; 
    -- Add users Alice, Tom, and Lily@aliyun.com as project members.
    add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    add user RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
    add user ALIYUN$5638xxxxxxxx6899;
    -- Create the Worker role.
    create role Worker; 
    -- Assign the Worker role to the users.
    grant Worker TO RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649; 
    grant Worker TO RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850; 
    grant Worker TO ALIYUN$5638xxxxxxxx6899; 
    -- Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions on the test_project_a project to the Worker role.
    grant CreateInstance, CreateResource, CreateFunction, CreateTable, List on project test_project_a TO ROLE Worker;
    -- View the authorization result for Lily.
    show grants for ALIYUN$5638xxxxxxxx6899; 
    -- The authorization result is as follows. It indicates that user Lily has the preceding permissions.
    [roles]
    worker
    
    Authorization Type: ACL
    [role/worker]
    A       projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
  • Example 5: Revoke the same permissions that were granted to multiple users based on a role

    In this example, the permissions that were granted to the RAM users Alice and Tom and the Alibaba Cloud account Lily@aliyun.com in Example 4 are revoked. The sample commands are as follows:

    -- Go to the test_project_a project using the Alibaba Cloud account Bob@aliyun.com.
    use test_project_a; 
    -- Revoke the role Worker from the RAM users Alice and Tom and the Alibaba Cloud account Lily@aliyun.com.
    revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    revoke Worker from RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
    revoke Worker from ALIYUN$5638xxxxxxxx6899;
    -- Query the permissions of the Alibaba Cloud account Lily@aliyun.com. The Alibaba Cloud account Lily@aliyun.com does not have the permissions of the role Worker.
    show grants for ALIYUN$5638xxxxxxxx6899; 

What to do next

After you understand how ACL-based authorization works, you can perform the following operations as needed: