Error code: ODPS-0420095: Access Denied
Error Message 1: You have no privilege to create external project - you have to be owner,super admin or admin of the referred project.
Sample
ODPS-0420095: Access Denied - You have no privilege to create external project - you have to be owner,super admin or admin of the referred project.
Description
The user is not authorized to create external projects. Only the users who are assigned the Super_Administrator or admin role can create external projects.
Solutions
Grant the user the permissions of the Super_Administrator or admin role. The following statement shows an example. For more information, see Manage user permissions by using commands.
grant Super_Administrator TO RAM$xxx;
You can also execute the following statement:
grant admin TO RAM$xxx;
Error Message 2: You have no privilege 'odps:<Action>' on {acs:odps:*:projects/<project_name>}
Sample
ODPS-0420095: Access Denied - You have no privilege 'odps:CreateInstance' on {acs:odps:*:projects/maxcompute_dev}
Description
In the error message, the action is CreateInstance and the resource is maxcompute_dev. The error message is returned due to the following reason:
The executor does not have the CreateInstance permission on the maxcompute_dev project.
For more information about actions and resources, see MaxCompute permissions.
Solutions
Request the owner of the maxcompute_dev project to grant the CreateInstance permission on the project to the executor.
Use the GRANT statement to grant the required permission. For more information about the syntax, see Grant permissions to users in a project.
Sample statement: grant CreateInstance on project maxcompute_dev to USER RAM$xxx;
Error Message 3: You don't exist in project <project_name>
Sample
ODPS-0420095: Access Denied - You don't exist in project <project_name>.
Description
The executor is not authorized to perform the operation because the executor is not a member of the project. Request the owner of the Alibaba Cloud account or a user who has the required permissions to add the executor to the project as a member.
Solutions
Add the executor to the project as a member. Sample commands:
Add an Alibaba Cloud account: add user ALIYUN$<account_name>;
Add a RAM user: add user RAM$[<account_name>:]<Name of the RAM user>;
Add a RAM role: add user `RAM$<accout_name>:role/<Name of the RAM role>`;
ImportantThe acute accents (`) in the preceding command are required.
Subsequent operations must be performed in the DataWorks console. Therefore, you must assign the RAM role to DataWorks when you modify the policy that is attached to the RAM role. This way, periodically scheduled jobs can be submitted to MaxCompute in the DataWorks console. The following code shows the configuration of the policy that is attached to the RAM role.
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"dataworks.aliyuncs.com"
]
}
}
],
"Version": "1"
}For more information, see User planning and management.
Error Message 4: You have NO privilege to do the PROJECT SECURITY OPERATION for {<resource>}
Sample
com.aliyun.odps.OdpsException: ODPS-0420095: Access Denied - Authorization Failed [4003], You have NO privilege to do the PROJECT SECURITY OPERATION for {acs:odps:*:projects/test_sx_0831006/authorization/roles}. Context ID:312d7f21-ae64-4a43-b558-e8712eb85291. (MC RequestID: 638DB6702EC9C84692F2F55A)",
Description
The executor is not authorized to manage the project. The error message indicates that the executor is not granted the permissions on the resource {acs:odps:*:projects/test_sx_0831006/authorization/roles}.
Solutions
Request the project owner or the account that is assigned the Super_Administrator role to grant the executor the management permissions on the project. The management permissions can be the permissions of the admin or Super_Administrator role or the permissions that are described in MaxCompute permissions.
In most cases, permissions on multiple resources are involved. Therefore, we recommend that you use wildcards (*) to specify the resources in the policy.
{
"Statement": [{
"Action": ["odps:*"],
"Effect": "Allow",
"Resource": ["acs:odps:*:projects/logreadtest/authorization/roles",
"acs:odps:*:projects/logreadtest/authorization/roles/*/*"]}],
"Version": "1"}Error Message 5: The task is not in release range: CUPID
Sample
ODPS-0420095: Access Denied - The task is not in release range: CUPID
Description
The quota that is used by the job or the default quota of the project does not support MaxCompute Spark jobs.
Solutions
The pay-as-you-go Developer Edition only supports MaxCompute SQL jobs (support for UDFs) and PyODPS jobs.
Purchase MaxCompute computing resources and bind the resources to a pay-as-you-go quota or a subscription quota to run Spark jobs. For more information about Spark on MaxCompute, see Overview.
Error Message 6: You have no privilege 'odps:Usage' on {acs:odps:*:tanents/<tenant_id:regions/region_id>/quotas/<quotaname>}
Sample
ODPS-0420095: Access Denied - Authorization Failed [], You have NO privilege 'odps: Usage' on {acs: odps: *:tenants/111111/regions/cn-beijing/quotas/q_1}
Description
When you use a job-level quota to run jobs, you need to check whether you are authorized to use the quota. This error message is returned because you are not authorized to use the quota.
Solutions
Permission control for quotas is based on tenant permission control. To resolve this issue, go to the Tenants page in the MaxCompute console and check whether the user account in use has the required permission.