This topic provides answers to some frequently asked questions about task failures caused by permission issues.
Commonly used scripts for a project owner to grant permissions
-- Method 1: Directly grant permissions to a user.
use project_xxx; -- Allow the user to use the specified project. The name of a project in the development environment is suffixed with _dev.
grant CreateResource to user_xxx@aliyun.com; -- Grant the CreateResource permission to the specified RAM user.
-- Method 2: Create a role and assign the role to a user.
use project_xxx;
create role worker; -- Create a role.
grant worker to user_xxx@aliyun.com; -- Assign the role to the specified RAM user.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT project_xxx TO ROLE worker; -- Grant the required permissions on a specified project to the role.
-- Examples:
-- Grant volume-related permissions to the specified RAM user.
use project_xxx;
grant CreateVolume on project project_xxx to user user_xxx@aliyun.com;
grant Read on volume volume_xxx to user user_xxx@aliyun.com;
grant Write on volume volume_xxx to user user_xxx@aliyun.com;
-- Query the permissions that are granted to the specified RAM user.
use project_xxx;
show grants for user_xxx@aliyun.com;What do I do if I do not have permissions on volumes of MaxCompute?
Error message
[403] com.aliyun.odps.OdpsException: ODPS-0420095: Access Denied - Volumes is not allowed in project config. at com.aliyun.odps.rest.RestClient.handleErrorResponse(RestClient.java:382) at com.aliyun.odps.rest.RestClient.request(RestClient.java:321) at com.aliyun.odps.rest.RestClient.request(RestClient.java:275) at com.aliyun.odps.Volume.reload(Volume.java:109) at com.aliyun.odps.Volumes.exists(Volumes.java:117) at com.aliyun.odps.Volumes.exists(Volumes.java:100)Solution
Check whether Object Storage Service (OSS) is activated. The volumes of MaxCompute are created based on OSS. Therefore, the volumes of MaxCompute can be used only after OSS is activated. For more information about how to activate OSS, see Activate OSS.
Grant volume-related permissions to your Alibaba Cloud account. For more information, see Apply for trial use of new features.
What do I do if Download control on a MaxCompute table is not enabled?
Error message
Solution
On the Data Map page in the DataWorks console, search for the MaxCompute table and apply for Download control on the table. After Download control is enabled, you can download the data of the table when the table is running. For more information, see Data Map.
What do I do if I do not have permissions such as Describe and Select on MaxCompute tables?
Error message
Solution
Apply for the table permissions in the related project.
Scenario
Solution
Cross-project
To apply for permissions on a cross-project table, contact the table owner. You can search for the table and apply for the related permissions on the Data Map page in the DataWorks console.
A single project
If the table permissions are created by using your Alibaba Cloud account in the current project, the Alibaba Cloud account can automatically obtain the permissions.
If the table permissions are created by using another Alibaba Cloud account in the current project, apply for the table permissions by using the method that is used to apply for permissions on a cross-project table.
In special scenarios, contact the project owner to grant related permissions. For example, if
the project is protected, contact the project owner. You can refer to the preceding commonly used authorization scripts.