
Graph Compute: Grant permissions on offline storage to Graph Compute

Last Updated: Mar 21, 2024

1. Scenarios

Use data in a self-managed data warehouse to start a Graph Compute instance

(1) Log on to the Graph Compute console.

(2) If you select a MaxCompute table as a data source, you must grant the read permissions on the table to the ALIYUN$openias account in advance.

2. Grant permissions on MaxCompute to Graph Compute

  1. Download and configure the MaxCompute client (odpscmd).

  2. Run the ./bin/odpscmd command to go to the MaxCompute environment.

  3. Run commands to grant permissions to the ALIYUN$openias account.

    Note: ALIYUN$openias is the MaxCompute account of the BuildService offline system of the iGraph engine. The BuildService offline system is responsible for building indexes for MaxCompute data.

  4. The following table describes the permissions that are required by the offline system of the iGraph engine.

| Object | Action | Description |
| --- | --- | --- |
| Project | Read | The permissions to query the information about a project, such as the time when the project was created. The information about objects in the project is excluded. |
| Project | List | The permissions to query all types of objects in a project. |
| Table | Describe | The permissions to read metadata from a table. |
| Table | Select | The permissions to read data from a table. |
| Table | Download | The permissions to download data from a table for index building. |

For more information, see MaxCompute permissions.

(1) Add the account to the project

```sql
-- Add the ALIYUN$openias account.
add user `ALIYUN$openias`;
-- Check whether the account is added.
list users;
```

(2) Grant the read permissions to your ALIYUN$openias account

```sql
-- Grant permissions to your ALIYUN$openias account.
-- Replace [project] with your project name.
-- Replace [table] with your table name.
grant Read ON PROJECT [project] to user `ALIYUN$openias`;
grant List ON PROJECT [project] to user `ALIYUN$openias`;
grant Describe ON TABLE [table] to user `ALIYUN$openias`;
grant Select ON TABLE [table] to user `ALIYUN$openias`;
```

(3) Grant the write permissions to your ALIYUN$openias account

```sql
-- Grant permissions to your ALIYUN$openias account.
-- Replace [project] with your project name.
grant Read ON PROJECT [project] to user `ALIYUN$openias`;
grant List ON PROJECT [project] to user `ALIYUN$openias`;
grant CreateTable ON PROJECT [project] to user `ALIYUN$openias`;
grant CreateInstance ON PROJECT [project] to user `ALIYUN$openias`;
```

(4) Grant the access permissions on sensitive fields

```sql
-- Explicitly grant the access permissions on the data whose sensitivity level is not higher than level 2 in the t1 table.
GRANT LABEL 2 ON TABLE t1 TO USER `ALIYUN$openias`;

-- Explicitly grant the access permissions on the data whose sensitivity level is not higher than level 3 in the col1 and col2 columns of the t1 table.
GRANT LABEL 3 ON TABLE t1(col1, col2) TO USER `ALIYUN$openias`;

-- Grant the access permissions on the sensitive fields in the entire project by setting the account's access level to 4.
set label 4 to user `ALIYUN$openias`;
```
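
Before running a grant script in odpscmd, it can be checked against the permission table above. The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tool: it parses the statement forms shown on this page and reports every statement that goes beyond the read permissions in the table, so that the write grants from (3) and the label grants from (4) get an explicit review. The function name `audit_grants`, the project `demo_prj` and the table `orders` are hypothetical, and the sample script is constructed.

```python
import re

# Allowlist taken from the permission table on this page (object type -> actions).
REQUIRED = {"PROJECT": {"read", "list"},
            "TABLE": {"describe", "select", "download"}}

GRANT_RE = re.compile(
    r"^grant\s+(\w+)\s+on\s+(project|table)\s+(\S+)\s+to\s+user\s+`?([^`\s;]+)`?$",
    re.IGNORECASE)
LABEL_RE = re.compile(r"^(grant\s+label|set\s+label)\s+(\d)\b", re.IGNORECASE)


def audit_grants(script, account="ALIYUN$openias"):
    """Return (line_no, statement, finding) for statements outside the read-only set."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        stmt = raw.split("--", 1)[0].strip().rstrip(";").strip()  # drop comment and ';'
        if not stmt:
            continue
        label = LABEL_RE.match(stmt)
        if label:  # label grants widen access to sensitive columns; always report them
            scope = "project-wide" if label.group(1).lower().startswith("set") else "scoped"
            findings.append((no, stmt, f"{scope} label level {label.group(2)}"))
            continue
        m = GRANT_RE.match(stmt)
        if not m:
            findings.append((no, stmt, "unrecognized statement"))
            continue
        action, obj_type, _obj, user = m.groups()
        if user != account:
            findings.append((no, stmt, f"grantee is {user}, not {account}"))
        elif action.lower() not in REQUIRED[obj_type.upper()]:
            findings.append((no, stmt, f"{action} on {obj_type.upper()} is beyond the read-only set"))
    return findings


# Constructed sample script for a hypothetical project `demo_prj` and table `orders`.
SAMPLE = """\
grant Read ON PROJECT demo_prj to user `ALIYUN$openias`;
grant List ON PROJECT demo_prj to user `ALIYUN$openias`;
grant Select ON TABLE orders to user `ALIYUN$openias`;
grant CreateTable ON PROJECT demo_prj to user `ALIYUN$openias`; -- write scenario only
set label 4 to user `ALIYUN$openias`;
"""

if __name__ == "__main__":
    for no, stmt, why in audit_grants(SAMPLE):
        print(f"line {no}: {why}: {stmt}")
```

A finding is a prompt for review, not an error: the CreateTable and CreateInstance grants are expected when the write scenario in (3) applies.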