Tables in an external project are owned by the Alibaba Cloud account that created the project. To let other users query or modify those tables, you must add them to the external project and grant permissions explicitly.
Usage notes
When the data lakehouse solution is enabled for MaxCompute, MaxCompute does not persist metadata in a data source. Policies are managed based on the names of objects in a data source. If the name of an object in the data source changes, the permissions granted on that object become invalid but remain on record: run Revoke or delete the policy to remove them. If you do not clean up the old permissions before a new object with the same name is created, the new object inherits those permissions and may receive unintended access.
Prerequisites
Before you begin, make sure you have:
- Created an external project
- The target user's Alibaba Cloud account name (format: ALIYUN$<account_name>)
- (Optional) If granting access to a RAM user, the external project must have RAM support enabled
To look up existing users in the project, run the following command in the MaxCompute client (odpscmd):
list users;
To grant access to other Alibaba Cloud accounts or RAM users, follow MaxCompute security standards. For details, see Permission overview.
Grant a user access to an external project
The authorization flow covers two projects: the external project (where you add the user and grant table permissions) and the main project (where you grant job-run permissions). The table below summarizes all steps; each step is described in detail afterwards.
| Step | Project | Purpose | SQL command |
|---|---|---|---|
| 1 | External project | Switch context | use <external_project_name>; |
| 2 (Optional) | External project | Enable RAM user support | add accountprovider ram; |
| 3 (Optional) | External project | Enable Hive-compatible data types | set odps.sql.hive.compatible=true; |
| 4 | External project | Add user to project | add user <Alibaba Cloud account>; |
| 5 | External project | Grant permission to list tables | grant List on project <external_project_name> to USER <Alibaba Cloud account>; |
| 6 | External project | Grant permissions on a table | grant All on table <table_name> to user <Alibaba Cloud account>; |
| 7 | Main project | Switch context | use <main_project_name>; |
| 8 | Main project | Grant permission to run jobs | grant CreateInstance on project <main_project_name> to user <Alibaba Cloud account>; |
Step 1: Switch to the external project
use <external_project_name>;
Step 2: (Optional) Enable RAM support
Run this step only if the user you are adding is a RAM user.
add accountprovider ram;
Step 3: (Optional) Enable Hive-compatible data types
Run this step only if the external project is based on a Hadoop external data source.
set odps.sql.hive.compatible=true;
Step 4: Add the user to the project
add user <Alibaba Cloud account>;
Replace <Alibaba Cloud account> with the account name in ALIYUN$<account_name> format.
Step 5: Grant permission to list tables
grant List on project <external_project_name> to USER <Alibaba Cloud account>;
This lets the user see which tables exist in the external project. Replace <external_project_name> with the name of the external project you switched to in Step 1.
Step 6: Grant permissions on a table
grant All on table <table_name> to user <Alibaba Cloud account>;
Replace <table_name> with the name of the table to share.
Step 7: Switch to the main project
use <main_project_name>;
Step 8: Grant permission to run jobs
grant CreateInstance on project <main_project_name> to user <Alibaba Cloud account>;
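The complete flow for one account, as an added example that is not from the MaxCompute documentation. The project, table and account names are constructed, the Hadoop-backed data source is assumed, and the closing show grants and revoke statements (used to verify the result and to clean up a stale grant as the usage note recommends) are standard MaxCompute commands not listed on this page.

```sql
-- Added example, not MaxCompute's own documentation code.
-- Assumed names: ext_lakehouse (external project), main_analytics (main project),
-- sales_orders (table), ALIYUN$analyst@example.com (constructed account name).

-- Step 1: work inside the external project.
use ext_lakehouse;

-- Step 2 is skipped: this account is an Alibaba Cloud account, not a RAM user.
-- For a RAM user you would first run: add accountprovider ram;

-- Step 3: the external project is assumed to sit on a Hadoop data source.
set odps.sql.hive.compatible=true;

-- Steps 4 to 6: add the user, let it list tables, grant access on one table only.
add user ALIYUN$analyst@example.com;
grant List on project ext_lakehouse to USER ALIYUN$analyst@example.com;
grant All on table sales_orders to user ALIYUN$analyst@example.com;

-- Steps 7 and 8: job-run permission is granted in the main project.
use main_analytics;
grant CreateInstance on project main_analytics to user ALIYUN$analyst@example.com;

-- Verification (assumed MaxCompute syntax): list every grant the user holds
-- in the current project, so you can confirm nothing beyond the intended
-- table was granted.
use ext_lakehouse;
show grants for ALIYUN$analyst@example.com;

-- Cleanup for the usage note: policies are keyed by object name, so if
-- sales_orders is renamed in the data source, revoke the grant on the old
-- name before a new object can be created under it and inherit the access.
revoke All on table sales_orders from user ALIYUN$analyst@example.com;
```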
What's next
Once access is granted, the user can query and update table data in the external project using SQL. For a full list of supported operations, see Use SQL statements to manage an external project.