At the project level, MaxCompute enables the configuration of user access-level labels and table or column sensitivity-level labels. Users can only access tables or columns with sensitivity levels that are equal to or lower than their access levels. This topic describes the label-based authorization mechanism and offers examples for reference.
Background information
Label-based access control, also known as LabelSecurity, is a mandatory access control (MAC) policy at the project level. By default, LabelSecurity is disabled when a MaxCompute project is created. The project owner can enable or disable LabelSecurity at the project level by executing the `SET LabelSecurity=true|false;` command.
Once LabelSecurity is enabled, the project owner must define sensitivity levels for tables or columns and access levels for users or roles. They must also configure sensitivity-level labels for tables or columns and access-level labels for users or roles. Users with the SELECT permission on the target table can only access data in tables or columns with sensitivity levels that are equal to or lower than their user access levels.
LabelSecurity offers the following capabilities for sensitive data:
The minimum granularity supported is at the column level, allowing for sensitivity levels to be configured for individual columns within a table.
Sensitivity-level labels can be configured for any column in a table, enabling a table to contain columns with varying sensitivity levels.
Sensitivity-level labels can be configured for views, which are independent of the sensitivity-level labels of their corresponding source tables.
The table below describes the operations supported by LabelSecurity.
| Operation | Description | Operator |
| --- | --- | --- |
| Configure sensitivity-level labels for data in tables or columns | Configure sensitivity-level labels for tables or columns. | Project owner or a user with the Admin role |
| Configure access-level labels for users or roles | Configure access-level labels for users or roles to access data at different sensitivity levels. | Project owner or a user with the Admin role |
| Label-based explicit authorization | Authorize users or roles with lower access levels to access data with higher sensitivity levels. | Project owner or a user with the Admin role |
| Revoke label-based explicit authorization | Revoke permissions from users or roles to access data with higher sensitivity levels. | Project owner or a user with the Admin role |
| Clear expired permissions | Remove information about expired permissions. | Project owner or a user with the Admin role |
Default policies for label-based access control
The following default policies apply to label-based access control after configuring labels for tables or columns and for users or roles:
No-ReadUp: Users cannot access tables or columns with sensitivity levels higher than their user access levels. If your business requires this scenario, explicit authorization operations are necessary. For more information, see Explicit label-based authorization.
Trusted-User: Users can write data with sensitivity levels that are equal to or lower than their user access levels. The default sensitivity level for a newly created table or view is 0, as is the default access level for a new user.
Prerequisites
Ensure the following information is available before you use the label-based access control mechanism:
- The account of the user or the name of the role to which you want to grant permissions. The user or role must already be added to your MaxCompute project. If the account is an Alibaba Cloud account, record it in the format `ALIYUN$<account_id>`. If the account is a RAM user, record it in the format `RAM$<account_id>:<RAM user ID>`. If the account is a RAM role, record it in the format `RAM$<account_id>:role/<Name of the RAM role>`. You can run the `list users;` or `list roles;` command on the MaxCompute client to query the account or role name. If you want to add a user or role, see User planning and management or Role planning.
- The name of the table or column for which you want to grant permissions. In the MaxCompute client, you can execute the `SHOW TABLES;` command to retrieve a list of table or view names along with their columns.
Limits
Sensitivity-level labels cannot be configured for partition key columns.
Usage notes
Consider the following when using LabelSecurity:
- In traditional mandatory access control (MAC) systems, complex security policies often prevent data from being arbitrarily distributed within a project. For instance, users might be restricted from writing data with sensitivity levels lower than their access levels (No-WriteDown). MaxCompute, however, does not support No-WriteDown by default, to reduce the complexity of managing sensitivity levels. If your project requires such controls, you can modify the project security configuration by executing the `SET ObjectCreatorHasGrantPermission=false;` command.
- To prevent data from flowing between different projects, set the project to a protected state (ProjectProtection) by executing the corresponding command. This configuration restricts users to accessing data only within the project, effectively preventing data transfers outside the project. For more details on project data protection, see data protection mechanism.
- When an object is deleted, MaxCompute automatically revokes all label-based permissions associated with that object.
- After a user is removed, the permissions that were granted to the user are retained. If the user is added to the project again, the user's historical access permissions are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
Configure sensitivity-level labels for data in tables or columns
The project owner or a user with the Admin role can assign sensitivity-level labels to a table or its columns.
Command syntax
```sql
SET Label <number> TO TABLE <table_name>[(<column_list>)];
```
Notes
- If you assign a sensitivity-level label to a table without specifying labels for its columns, all columns inherit the table's sensitivity level. For instance, if a table's sensitivity level is 2 and the columns have no assigned levels, each column's sensitivity level is also 2.
- Column labels take precedence over table labels, regardless of their sensitivity levels. A table label does not override column labels. For example, if a table is initially set to sensitivity level 2 and column col1 is later set to level 3, all columns except col1 remain at level 2, while col1 is at level 3.
- To modify sensitivity-level labels for tables or columns, rerun the command with the new labels.
Parameter description
| Parameter name | Required | Description |
| --- | --- | --- |
| number | Yes | The specified sensitivity level. Valid values range from 0 to 9. A larger value indicates a higher security level. |
| table_name | Yes | The name of the target table or view. You can execute the `show tables;` command on the MaxCompute client to obtain the name of the table or view. |
| column_list | No | The names of columns. You can specify multiple column names. Separate column names with commas (,). |
Configure access-level labels for users or roles
The project owner or an Admin-assigned user configures access-level labels for other users or roles.
Command syntax
```sql
SET Label <number> TO {USER|ROLE} <name>;
```
Notes
- Once access-level labels are configured for users, they can only access data with a sensitivity level that is equal to or lower than their assigned access level. For instance, a user with an access level of 3 is authorized to access tables or columns with sensitivity levels from 0 to 3.
- To modify the access-level labels for users or roles, rerun the command with the new access-level labels.
Parameter description
| Parameter name | Required | Description |
| --- | --- | --- |
| number | Yes | The highest sensitivity level of data that the users or roles can access. Valid values range from 0 to 9 and correspond to sensitivity-level labels of data. |
| name | Yes | The name of the user or role. You can execute the `list users;` or `list roles;` command on the MaxCompute client to obtain the user account or role name. |
Label-based explicit authorization
The project owner or a user with the Admin role can grant authorization to users with lower access levels, allowing them to handle data classified at higher sensitivity levels.
Command syntax
```sql
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO {USER|ROLE} <name> [WITH exp <days>];
```
Notes
- Explicitly configured labels for table columns take precedence over labels configured for the table itself.
Parameter description
| Parameter name | Required | Description |
| --- | --- | --- |
| number | Yes | The highest sensitivity level of data that the users or roles can access. Valid values: 0 to 9. These values correspond to sensitivity-level labels of data. |
| table_name | Yes | The name of the table or view. You can execute the `show tables;` command on the MaxCompute client to obtain the name of the table or view. |
| column_list | No | This parameter is required if you want to authorize access to specific columns in the table or view. You can specify multiple column names for a single authorization operation. Separate column names with commas (,). |
| name | Yes | The name of the user or role. You can execute the `list users;` or `list roles;` command on the MaxCompute client to obtain the account of the user or the name of the role. |
| days | No | The expiration time of the specified permission. Unit: days. Valid values: 0 to 2^63-1. If you do not specify this parameter, the default expiration time is 180 days. |
Revoke label-based explicit authorization
Either the project owner or a user with the Admin role can revoke label-based explicit authorization.
Command syntax
```sql
REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM {USER|ROLE} <name>;
```
Notes
- Revoking a label explicitly set for a table also revokes the labels explicitly set for the columns within that table.
- Revoking explicitly configured label-based permissions does not affect access-level labels configured for users or roles. For instance, if a user with an access level of 2 loses an explicit permission to access table data with a sensitivity level of 3 or lower, the user can still access table data with a sensitivity level of 2 or lower.
Parameter description
| Parameter name | Required | Description |
| --- | --- | --- |
| table_name | Yes | The name of the table or view. You can execute the `show tables;` command on the MaxCompute client to obtain the name of the table or view. |
| column_list | No | This parameter is required if you want to revoke the permission to access sensitive data of a specified column in a table or view. You can specify multiple column names. Separate column names with commas (,). |
| name | Yes | The name of the user or role. You can execute the `list users;` or `list roles;` command on the MaxCompute client to obtain the user account or role name. |
Clear expired permissions
Upon expiration of label-based explicit authorization information, either the project owner or a user with the Admin role must execute the following command to purge the data pertaining to the expired permissions:
```sql
clear expired grants;
```
Examples of label-based access control
Consider the project named test_project_a, which contains a table called sale_detail with columns such as shop_name, customer_id, and total_price. The owner of test_project_a is Bob@aliyun.com. Allen, a RAM user associated with Bob, has been granted membership to test_project_a.
Example 1: Assign sensitivity-level labels to the table sale_detail or its individual columns. Here are some sample commands:
```sql
-- Bob enters the project test_project_a.
USE test_project_a;
-- Set the label of the table sale_detail to level 1. At this point, the sensitivity level of all columns in the table is 1.
SET Label 1 TO TABLE sale_detail;
-- Set the labels of the shop_name and customer_id columns in the sale_detail table to level 2. At this point, the labels of other columns remain at level 1.
SET Label 2 TO TABLE sale_detail(shop_name, customer_id);
-- Change the label of the table sale_detail to level 3. Note: At this point, the labels of the shop_name and customer_id columns remain at level 2, while the labels of other columns are changed to level 3.
SET Label 3 TO TABLE sale_detail;
-- Change the labels of the shop_name and customer_id columns in the sale_detail table to level 4. At this point, the labels of other columns remain at level 3.
SET Label 4 TO TABLE sale_detail(shop_name, customer_id);
-- View the label information of the table.
DESCRIBE sale_detail;
-- The following result is returned.
+------------------------------------------------------------------------------------+
| Owner: ALIYUN$****@test.aliyun.com | Project: ****                                  |
| TableComment:                                                                      |
+------------------------------------------------------------------------------------+
| CreateTime:               2021-12-13 11:27:04                                      |
| LastDDLTime:              2021-12-13 11:27:04                                      |
| LastModifiedTime:         2021-12-13 11:27:26                                      |
+------------------------------------------------------------------------------------+
| TableLabel: 3                                                                      | -- The sensitivity level of the table is 3.
| MaxLabel: L4                                                                       |
+------------------------------------------------------------------------------------+
| InternalTable: YES      | Size: 784                                                |
+------------------------------------------------------------------------------------+
| Native Columns:                                                                    |
+------------------------------------------------------------------------------------+
| Field           | Type       | Label | Comment                                     |
+------------------------------------------------------------------------------------+
| shop_name       | string     | 4     |                                             | -- The sensitivity level of the column is 4.
| customer_id     | string     | 4     |                                             | -- The sensitivity level of the column is 4.
| total_price     | double     | 3     |                                             | -- The sensitivity level of the column is 3.
+------------------------------------------------------------------------------------+
| Partition Columns:                                                                 |
+------------------------------------------------------------------------------------+
| sale_date       | string     |       |                                             |
| region          | string     |       |                                             |
+------------------------------------------------------------------------------------+
```
Example 2: Set access-level labels for the user Kate@aliyun.com and the RAM user RAM$Bob@aliyun.com:Allen within the project test_project_a. Here are some sample commands:
```sql
-- Bob enters the project test_project_a.
USE test_project_a;
-- Set the access-level label of Kate to level 3. This allows Kate to access data whose sensitivity level ranges from 0 to 3.
SET Label 3 TO USER ALIYUN$Kate@aliyun.com;
-- Set the access-level label of the RAM user Allen to level 1. This allows Allen to access data whose sensitivity level ranges from 0 to 1.
SET Label 1 TO USER RAM$Bob@aliyun.com:Allen;
-- View the access-level label information of Allen.
SHOW LABEL GRANTS FOR RAM$Bob@aliyun.com:Allen;
-- The following result is returned.
User Label: 1
(granted label list is empty)
```
Example 3: Explicitly grant Allen permission to access data classified with high sensitivity levels. Here are some sample commands:
```sql
-- Bob enters the project test_project_a.
USE test_project_a;
-- Explicitly authorize Allen to access data in the sale_detail table whose sensitivity level is lower than or equal to 3. The validity period of the granted permissions is 4 days.
GRANT LABEL 3 ON TABLE sale_detail TO USER RAM$Bob@aliyun.com:Allen WITH exp 4;
-- View the explicit authorization results for Allen.
SHOW LABEL GRANTS ON TABLE sale_detail FOR USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned.
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| total_price | 3            | 2021-12-31T19:56:18+0800 |
+-------------+--------------+--------------------------+
-- Explicitly authorize Allen to access data in the shop_name, customer_id, and total_price columns of the sale_detail table whose sensitivity level is lower than or equal to 4. The validity period of the granted permissions is 10 days.
GRANT LABEL 4 ON TABLE sale_detail(shop_name, customer_id, total_price) TO USER RAM$Bob@aliyun.com:Allen WITH exp 10;
-- View the explicit authorization results for Allen.
SHOW LABEL GRANTS ON TABLE sale_detail FOR USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned.
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| customer_id | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| shop_name   | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
```
Example 4: Revoke Allen's permissions to access data classified with high sensitivity levels. Here are some sample commands:
```sql
-- Revoke Allen's permissions to access data in the shop_name, customer_id, and total_price columns of the sale_detail table whose sensitivity level is lower than or equal to 3.
REVOKE LABEL ON TABLE sale_detail(shop_name, customer_id, total_price) FROM USER RAM$Bob@aliyun.com:Allen;
-- View the revocation results for Allen.
SHOW LABEL GRANTS ON TABLE sale_detail FOR USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned.
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| total_price | 3            | 2021-12-31T19:56:18+0800 |
+-------------+--------------+--------------------------+
-- Revoke Allen's permissions to access sensitive data in the sale_detail table.
REVOKE LABEL ON TABLE sale_detail FROM USER RAM$Bob@aliyun.com:Allen;
-- View the revocation results for Allen.
SHOW LABEL GRANTS ON TABLE sale_detail FOR USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned.
User Label: 1
```
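The rules stated on this page (No-ReadUp, column labels taking precedence over the table label, partition key columns not accepting labels, explicit grants with an expiry, revocation at column and table level, and clearing expired grants) can be exercised offline with the following Python model. It is an added example, not MaxCompute code. The names sale_detail, Allen and Kate follow the examples above, the timestamp is constructed, and the way grants are recorded internally (one record per GRANT statement, a table-level record covering every native column whose sensitivity level the granted label reaches) is an assumption chosen so that the SHOW LABEL GRANTS outputs of Examples 3 and 4 are reproduced.

```python
# Added illustration (not MaxCompute code): an in-memory model of the LabelSecurity rules on
# this page. The grant bookkeeping is an assumption that reproduces Examples 1 to 4.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_LABEL, MAX_LABEL = 0, 9   # valid sensitivity and access levels
DEFAULT_EXP_DAYS = 180        # default validity of an explicit grant


def _check_label(number: int) -> None:
    if not MIN_LABEL <= number <= MAX_LABEL:
        raise ValueError(f"label must be between {MIN_LABEL} and {MAX_LABEL}, got {number}")


@dataclass
class Table:
    name: str
    columns: List[str]                                   # native columns
    partition_columns: List[str] = field(default_factory=list)
    table_label: int = 0                                 # a new table starts at level 0
    column_labels: Dict[str, int] = field(default_factory=dict)

    def effective_label(self, column: str) -> int:
        # An explicit column label wins; an unlabeled column inherits the table label.
        return self.column_labels.get(column, self.table_label)

    def max_label(self) -> int:
        return max([self.table_label] + list(self.column_labels.values()))


@dataclass
class Grant:
    user: str
    table: str
    columns: Optional[List[str]]   # None: the grant was issued on the whole table
    label: int
    expires: datetime


class Project:
    def __init__(self, label_security: bool = False):
        self.label_security = label_security     # SET LabelSecurity=true|false
        self.tables: Dict[str, Table] = {}
        self.user_labels: Dict[str, int] = {}    # absent user: access level 0
        self.grants: List[Grant] = []

    def set_table_label(self, table, number, columns=None):
        """SET Label <number> TO TABLE <table>[(<columns>)]"""
        _check_label(number)
        t = self.tables[table]
        if columns is None:
            t.table_label = number   # existing column labels are kept: they take precedence
            return
        for c in columns:
            if c in t.partition_columns:
                raise ValueError(f"{c} is a partition key column: labels are not supported")
            if c not in t.columns:
                raise KeyError(c)
            t.column_labels[c] = number

    def set_user_label(self, user, number):
        """SET Label <number> TO USER <user>"""
        _check_label(number)
        self.user_labels[user] = number

    def grant_label(self, user, table, number, columns=None, exp_days=DEFAULT_EXP_DAYS, now=None):
        """GRANT Label <number> ON TABLE <table>[(<columns>)] TO USER <user> WITH exp <days>"""
        _check_label(number)
        expires = (now or datetime.now()) + timedelta(days=exp_days)
        self.grants.append(Grant(user, table, list(columns) if columns else None, number, expires))

    def revoke_label(self, user, table, columns=None):
        """REVOKE Label ON TABLE <table>[(<columns>)] FROM USER <user>"""
        if columns is None:   # a table-level revoke also drops the column-level grants
            self.grants = [g for g in self.grants if not (g.user == user and g.table == table)]
            return
        gone = set(columns)
        for g in self.grants:
            if g.user == user and g.table == table and g.columns is not None:
                g.columns = [c for c in g.columns if c not in gone]
        self.grants = [g for g in self.grants if g.columns is None or g.columns]

    def clear_expired_grants(self, now):
        """clear expired grants"""
        self.grants = [g for g in self.grants if g.expires > now]

    def show_label_grants(self, user, table, now) -> Dict[str, int]:
        """SHOW LABEL GRANTS ON TABLE <table> FOR USER <user>: unexpired granted label per column."""
        t, granted = self.tables[table], {}
        for g in self.grants:
            if g.user != user or g.table != table or g.expires <= now:
                continue
            for c in (g.columns if g.columns is not None else t.columns):
                if t.effective_label(c) <= g.label:   # only listed where the grant reaches the column's level
                    granted[c] = max(granted.get(c, MIN_LABEL), g.label)
        return granted

    def can_read(self, user, table, column, now) -> bool:
        """No-ReadUp: the access level, or an unexpired explicit grant, must reach the column's level."""
        if not self.label_security:
            return True
        needed = self.tables[table].effective_label(column)
        if self.user_labels.get(user, 0) >= needed:
            return True
        return self.show_label_grants(user, table, now).get(column, -1) >= needed


# Constructed names and timestamp; the accounts follow the page's examples.
ALLEN, KATE = "RAM$Bob@aliyun.com:Allen", "ALIYUN$Kate@aliyun.com"
NOW = datetime(2021, 12, 27, 19, 56, 18)
COLS = ["shop_name", "customer_id", "total_price"]


def build_example_project() -> Project:
    """Examples 1 and 2: label the table and columns, then set Kate's and Allen's access levels."""
    p = Project(label_security=True)
    p.tables["sale_detail"] = Table("sale_detail", COLS, ["sale_date", "region"])
    p.set_table_label("sale_detail", 1)
    p.set_table_label("sale_detail", 2, ["shop_name", "customer_id"])
    p.set_table_label("sale_detail", 3)
    p.set_table_label("sale_detail", 4, ["shop_name", "customer_id"])
    p.set_user_label(KATE, 3)
    p.set_user_label(ALLEN, 1)
    return p


def run_examples() -> dict:
    """Examples 3 and 4 plus expiry: Allen's view after each grant, revoke and purge."""
    p = build_example_project()
    t = p.tables["sale_detail"]
    out = {"column_labels": {c: t.effective_label(c) for c in COLS}, "max_label": t.max_label()}
    out["before"] = p.show_label_grants(ALLEN, "sale_detail", NOW)
    p.grant_label(ALLEN, "sale_detail", 3, exp_days=4, now=NOW)
    out["table_grant"] = p.show_label_grants(ALLEN, "sale_detail", NOW)
    out["table_grant_expires"] = p.grants[0].expires.isoformat()
    out["allen_reads"] = [c for c in COLS if p.can_read(ALLEN, "sale_detail", c, NOW)]
    p.grant_label(ALLEN, "sale_detail", 4, columns=COLS, exp_days=10, now=NOW)
    out["column_grant"] = p.show_label_grants(ALLEN, "sale_detail", NOW)
    p.revoke_label(ALLEN, "sale_detail", columns=COLS)
    out["column_revoke"] = p.show_label_grants(ALLEN, "sale_detail", NOW)   # table grant survives
    p.revoke_label(ALLEN, "sale_detail")
    out["table_revoke"] = p.show_label_grants(ALLEN, "sale_detail", NOW)
    out["kate_reads"] = [c for c in COLS if p.can_read(KATE, "sale_detail", c, NOW)]
    # Expiry: grant again, look 5 days later (the 4-day grant has lapsed), then purge it.
    p.grant_label(ALLEN, "sale_detail", 3, exp_days=4, now=NOW)
    p.grant_label(ALLEN, "sale_detail", 4, columns=COLS, exp_days=10, now=NOW)
    later = NOW + timedelta(days=5)
    out["after_expiry"] = p.show_label_grants(ALLEN, "sale_detail", later)
    p.clear_expired_grants(later)
    out["grants_after_clear"] = [g.label for g in p.grants]
    return out


if __name__ == "__main__":
    for key, value in run_examples().items():
        print(f"{key}: {value}")
```

The model makes two points visible that the page's outputs only imply: a table-level GRANT LABEL 3 does nothing for columns already labelled 4 (so SHOW LABEL GRANTS lists only total_price), and revoking the column-level grant leaves the earlier table-level grant in place until the table-level REVOKE removes it. Expired grants are still filtered out of every check before `clear expired grants` purges them from the records.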
Subsequent operations
Once you are familiar with the label-based access control mechanism, you can carry out authorization tasks tailored to your business needs: