This topic describes the possible causes of the error code ODPS-0130013: Authorization exception and provides solutions.
Error message 1: Authorization Failed [4011], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. Explicitly denied by policy. Context ID:<context ID>. --->Tips: CurrentProject:<project_name>; Pricipal:ALIYUN$<account_id>
Sample
FAILED: ODPS-0130013:Authorization Failed [4011], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. Explicitly denied by policy. Context ID:<context ID>. --->Tips: CurrentProject:<project_name>; Pricipal:ALIYUN$<account_id>;
Description
When a user accesses the project, the policy verification fails. If a policy is configured for a project, all users except the project owner must pass the policy verification.
Solution
Use commands to grant required permissions to the user.
-- Run the following command to obtain the information about the policy of the project:
get policy;
-- The following result is returned and indicates that only the project owner can access the project.
{
"Version": "1",
"Statement":
[{
"Effect":"Deny",
"Principal":"*",
"Action":"odps:*",
"Resource":"acs:odps:*:projects/*",
}]
}
-- Modify the policy content.
-- Save the modified policy as a policy.txt file.
-- Change the value of the Effect field to allow, which specifies that all users can access the project.
{
"Version": "1",
"Statement":
[{
"Effect":"allow",
"Principal":"*",
"Action":"odps:*",
"Resource":"acs:odps:*:projects/*",
}]
}Error message 2: Authorization Failed [4021], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. project '<project_name>' is protected
Sample
ODPS-0130013:Authorization exception - Authorization Failed [4021], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. project 'wego_data_center' is protected. You need to contact the project owner to set the exception policy for you. Context ID:<context ID>. --->Tips: CurrentProject:wg_data_ops; Pricipal:ALIYUN$<account_id>; No permission 'odps:Select' on resource acs:odps:*:projects/projects/<project_name>/tables/<table_name>
Description
The data protection policy is enabled for the project. Data access that is initiated by external projects is not allowed.
Solution
Please ask the project owner to disable the data protection policy.
You can use the following command to turn off the data protection switch:
-- The value true specifies that the data protection policy is enabled. The value false specifies that the data protection policy is disabled. set ProjectProtection={true|false}; -- Sample command: set ProjectProtection=false;Request the user to access the project. This prevents operations across projects.
Error message 3: Authorization Failed [4031], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. CheckLabelSecurity failed: The sensitive label of column '<column_name>' is xx, but your effective label is xx
Sample
ODPS-0130013:Authorization exception - Authorization Failed [4031], You have NO privilege 'odps:Select' on {acs:odps:*:projects/<project_name>/tables/<table_name>}. CheckLabelSecurity failed. The sensitive label of column 'status_id' is 2, but your effective label is 0.
Description
A low sensitivity level is specified in the access-level label that is configured for the current user.
Solution
The project owner or a user who is assigned the Admin role authorizes the current user to access data with higher sensitivity levels. Command:
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO {USER|ROLE} <name> [WITH exp <days>];For more information, see Label-based access control.