MaxCompute:Authorization practices

Last Updated:Oct 10, 2023

To ensure the security of data in a MaxCompute project, the project owner or users with the authorization capability must manage the permissions of members in the project. This topic provides cases of managing permissions in MaxCompute.

Policy-based access control cases

Allow users with specific roles to perform operations based on policies

  • Scenario description

    Specific project members are granted permissions to create tables, upload resource files, create functions, and run tasks to read the tables whose names start with t_app_.

  • Procedure

    Use the MaxCompute client

    1. Create a role.

      create role <role_name>;

      The role_name parameter specifies the name of the role.

    2. Prepare a policy script and place the script file in the bin directory where the MaxCompute client file is located. The script file is named policy_1.json and contains the following content:

      {
       "Statement": [
       {
       "Action": ["odps:List",
       "odps:CreateTable",
       "odps:CreateInstance",
       "odps:CreateResource",
       "odps:CreateFunction"],
       "Effect": "Allow",
       "Resource": ["acs:odps:*:projects/<project_name>"]},
       {
       "Action": ["odps:*"],
       "Effect": "Allow",
       "Resource": [
       "acs:odps:*:projects/<project_name>/tables/t_app_*",
       "acs:odps:*:projects/<project_name>/registration/functions/*",
       "acs:odps:*:projects/<project_name>/instances/*",
       "acs:odps:*:projects/<project_name>/resources/*"]}],
       "Version": "1"}

      The project_name parameter specifies the name of your MaxCompute project.

    3. Grant required permissions.

      -- Grant permissions to the created role.
      put policy policy_1.json on role <role_name>;
      
      -- Assign the role to the specified user.
      grant <role_name> to <user_name>;

      The user_name parameter specifies the account to which you want to assign the role. For an Alibaba Cloud account, use the format ALIYUN$<Alibaba Cloud account>. For a RAM user, use the format RAM$<Alibaba Cloud account>:<RAM username>.

    Use the MaxCompute console

    1. Log on to the MaxCompute console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Workspace > Projects.

    3. On the Projects page, find the desired project and click Manage in the Actions column.

    4. On the Role Permissions tab, click Create Project-level Role.

    5. In the Create Role dialog box, select Resource from the Role Type drop-down list, configure the Role Name parameter, and then select Policy for Authorization Method.

      Enter the following policy document:

      {
       "Statement": [
       {
       "Action": ["odps:List",
       "odps:CreateTable",
       "odps:CreateInstance",
       "odps:CreateResource",
       "odps:CreateFunction"],
       "Effect": "Allow",
       "Resource": ["acs:odps:*:projects/<project_name>"]},
       {
       "Action": ["odps:*"],
       "Effect": "Allow",
       "Resource": [
       "acs:odps:*:projects/<project_name>/tables/t_app_*",
       "acs:odps:*:projects/<project_name>/registration/functions/*",
       "acs:odps:*:projects/<project_name>/instances/*",
       "acs:odps:*:projects/<project_name>/resources/*"]}],
       "Version": "1"}

    6. On the Role Permissions tab, find the created role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.

Forbid users with specific roles from performing operations based on policies

  • Scenario description

    Access control on tables whose names start with tb_ is critical: some accounts must not be allowed to drop these tables. The access control is implemented based on policies.

  • Procedure

    Use the MaxCompute client

    1. Create a role.

      create role <role_name>;

      The role_name parameter specifies the name of the role.

    2. Prepare a policy script and place the script file in the bin directory where the MaxCompute client file is located. The script file is named policy_2.json and contains the following content:

      { 
        "Version": "1", 
        "Statement": [{ 
          "Effect": "Deny", 
          "Action": "odps:Drop", 
          "Resource": "acs:odps:*:projects/<project_name>/tables/tb_*" }]
      }

      The project_name parameter specifies the name of your MaxCompute project.

    3. Grant required permissions.

      -- Grant permissions to the created role.
      put policy policy_2.json on role <role_name>;
      
      -- Assign the role to the specified user.
      grant <role_name> to <user_name>;  

      The user_name parameter specifies the account to which you want to assign the role. For an Alibaba Cloud account, use the format ALIYUN$<Alibaba Cloud account>. For a RAM user, use the format RAM$<Alibaba Cloud account>:<RAM username>.

    Use the MaxCompute console

    1. Log on to the MaxCompute console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Workspace > Projects.

    3. On the Projects page, find the desired project and click Manage in the Actions column.

    4. On the Role Permissions tab, click Create Project-level Role.

    5. In the Create Role dialog box, select Resource from the Role Type drop-down list, configure the Role Name parameter, and then select Policy for Authorization Method.

      Enter the following policy document:

      { 
        "Version": "1", 
        "Statement": [{ 
          "Effect": "Deny", 
          "Action": "odps:Drop", 
          "Resource": "acs:odps:*:projects/<project_name>/tables/tb_*" }]
      }

    6. On the Role Permissions tab, find the created role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.

Grant permissions to roles based on policies

  • Scenario description

    The account a****@aliyunid.com is authorized to submit requests by using the CIDR block 10.32.180.0/23 before 2018-11-11 23:59:59. The account is granted the CreateInstance, CreateTable, and List permissions on the project named test_project and is not allowed to drop tables in the test_project project.

  • Procedure

    Use the MaxCompute client

    1. Create a role.

      create role policy_3;

    2. Prepare a policy script and place the script file in the bin directory where the MaxCompute client file is located. The script file is named policy_3.json and contains the following content:

      {
      "Version": "1",
      "Statement":
       [{
          "Effect":"Allow",
          "Action":["odps:CreateTable","odps:CreateInstance","odps:List"],
          "Resource":"acs:odps:*:projects/<project_name>",
          "Condition":{
              "DateLessThan": {
                  "acs:CurrentTime":"2018-11-11T23:59:59Z"
              },
              "IpAddress": {
                  "acs:SourceIp":"10.32.180.0/23"
              }
          }
      },
      {
          "Effect":"Deny",
          "Action":"odps:Drop",
          "Resource":"acs:odps:*:projects/<project_name>/tables/*"
      }]
      }

      The project_name parameter specifies the name of your MaxCompute project.

    3. Grant required permissions.

      -- Grant permissions to the created role.
      put policy policy_3.json on role policy_3;
      
      -- Assign the role to the specified user.
      grant policy_3 to ALIYUN$a****@aliyunid.com;

    Use the MaxCompute console

    1. Log on to the MaxCompute console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Workspace > Projects.

    3. On the Projects page, find the desired project and click Manage in the Actions column.

    4. On the Role Permissions tab, click Create Project-level Role.

    5. In the Create Role dialog box, select Resource from the Role Type drop-down list, configure the Role Name parameter, and then select Policy for Authorization Method.

      Enter the following policy document:

      {
      "Version": "1",
      "Statement":
       [{
          "Effect":"Allow",
          "Action":["odps:CreateTable","odps:CreateInstance","odps:List"],
          "Resource":"acs:odps:*:projects/<project_name>",
          "Condition":{
              "DateLessThan": {
                  "acs:CurrentTime":"2018-11-11T23:59:59Z"
              },
              "IpAddress": {
                  "acs:SourceIp":"10.32.180.0/23"
              }
          }
      },
      {
          "Effect":"Deny",
          "Action":"odps:Drop",
          "Resource":"acs:odps:*:projects/<project_name>/tables/*"
      }]
      }

    6. On the Role Permissions tab, find the created role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.
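The three policy documents above combine Allow and Deny statements, wildcard resource names such as tables/t_app_*, and the DateLessThan and IpAddress conditions. The following evaluator is an added example, not MaxCompute code, that walks policy_3 through those rules so you can check what a given request would be granted; it assumes the usual explicit-deny-overrides order (any matching Deny beats any Allow) and models only the two condition operators this topic uses. The project name test_project and the region cn-shanghai in the sample are constructed.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample: the page's policy_3 with <project_name> set to test_project.
POLICY_3 = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
         "Resource": "acs:odps:*:projects/test_project",
         "Condition": {"DateLessThan": {"acs:CurrentTime": "2018-11-11T23:59:59Z"},
                       "IpAddress": {"acs:SourceIp": "10.32.180.0/23"}}},
        {"Effect": "Deny", "Action": "odps:Drop",
         "Resource": "acs:odps:*:projects/test_project/tables/*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]   # Action/Resource may be str or list

def _utc(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def request_context(iso_time, source_ip):
    """Condition keys referenced by the page's policies, built from a request."""
    return {"acs:CurrentTime": _utc(iso_time), "acs:SourceIp": source_ip}

def _conditions_hold(cond, ctx):
    # Only the two operators used on this page are modelled; a missing key fails.
    for key, limit in cond.get("DateLessThan", {}).items():
        if key not in ctx or not ctx[key] < _utc(limit):
            return False
    for key, cidr in cond.get("IpAddress", {}).items():
        net = ipaddress.ip_network(cidr, strict=False)
        if key not in ctx or ipaddress.ip_address(ctx[key]) not in net:
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Assumed deny-overrides: any matching Deny wins, else a matching Allow is needed.
    '*' in Action/Resource is treated as a case-sensitive glob."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```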

Package-based access control cases

Access resources across projects based on packages

  • Scenario description

    Business analysts need to view production tables, but they are not allowed to view production task code. Permissions to access some tables of multiple production projects need to be granted to the business analysts.

  • Solution

    In this scenario, create a separate analysis project. Create a package in a production project, add the tables that need to be accessed to the package, install the package in the analysis project, and grant permissions on the package to the analysts. You can repeat this for each production project. This reduces member management costs, eliminates the need to add analysts to every production project, and ensures that the analysts can view only specific production tables from the analysis project.

    In this example, a package named Package_test is created in a production project named Project_a, and a production table named table_a is added to the package. The package is installed in the analysis project named Project_analyze, and the analyst who uses the A*****@aliyunid.com account is authorized to query data from the table_a table in the package.

  • Procedure

    1. Create a package in the production project.

      USE Project_a;
      CREATE PACKAGE Package_test;

    2. Add the resources that you want to share to the package in the production project.

      ADD table table_a TO PACKAGE Package_test;

    3. Allow an analysis project to use the package created in the production project.

      ALLOW PROJECT Project_analyze TO INSTALL PACKAGE Package_test;

    4. Install the package in the analysis project.

      USE Project_analyze;
      INSTALL PACKAGE Project_a.Package_test;

    5. Grant the required permission on the package to the account used by the analyst.

      GRANT read on package Package_test TO USER ALIYUN$A*****@aliyunid.com;

    6. Query data from the table. This step is performed by the analyst.

      select * from Project_a.table_a;

Access resources across Alibaba Cloud accounts based on packages

  • Scenario description

    Within one enterprise, different departments use different Alibaba Cloud accounts to activate MaxCompute because of internal cost accounting and other business requirements. However, the departments still need to exchange data. For data security reasons, package users in other projects should be able to read only specific tables of the provider, so fine-grained management of data permissions across Alibaba Cloud accounts is required.

    Note
    • RAM users of an Alibaba Cloud account cannot be added to MaxCompute projects of another Alibaba Cloud account. For example, RAM users of Alibaba Cloud Account B cannot be added to the project owned by Alibaba Cloud Account A.

    • If you want to grant only the read permissions on tables, resources, and functions, you can use packages to share resources across projects of different Alibaba Cloud accounts.

  • Solution

    Two projects named Project_a and Project_b are available. The Project_a project is owned by Alibaba Cloud Account A, and the Project_b project is owned by Alibaba Cloud Account B. The read permissions on the t1 and t2 tables in the Project_a project need to be granted to the RAM user b_user1 of Alibaba Cloud Account B. The read permissions on the t3 table in the Project_a project need to be granted to the RAM user b_user2 of Alibaba Cloud Account B.

    Important

    Data can be exchanged between Alibaba Cloud accounts after authorization. However, if you use MaxCompute in the DataWorks console, you cannot configure scheduling dependencies between tasks of DataWorks workspaces of different Alibaba Cloud accounts.

  • Procedure

    1. Use Alibaba Cloud Account A to enter the Project_a project, and create a package named a_to_b_pkg. Add the t1, t2, and t3 tables in the Project_a project to the a_to_b_pkg package.

      USE Project_a;
      CREATE PACKAGE a_to_b_pkg;
      ADD table t1 TO PACKAGE a_to_b_pkg;
      ADD table t2 TO PACKAGE a_to_b_pkg;
      ADD table t3 TO PACKAGE a_to_b_pkg;

    2. Allow Alibaba Cloud Account B to install the a_to_b_pkg package in the Project_b project.

      ALLOW PROJECT Project_b TO INSTALL PACKAGE a_to_b_pkg;

    3. Use Alibaba Cloud Account B to enter the Project_b project and install the a_to_b_pkg package in the project.

      INSTALL PACKAGE Project_a.a_to_b_pkg;

    4. Grant permissions on the tables in the package to the RAM users of Alibaba Cloud Account B.

      add user ram$B:b_user1;
      add user ram$B:b_user2;
      -- Grant permissions on the t1 table in the package to the RAM user b_user1.
      GRANT Describe, Select ON TABLE t1 TO USER ram$B:b_user1 PRIVILEGEPROPERTIES ("refobject" = "true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");
      -- Grant permissions on the t2 table in the package to the RAM user b_user1.
      GRANT Describe, Select ON TABLE t2 TO USER ram$B:b_user1 PRIVILEGEPROPERTIES ("refobject" = "true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");
      -- Grant permissions on the t3 table in the package to the RAM user b_user2.
      GRANT Describe, Select ON TABLE t3 TO USER ram$B:b_user2 PRIVILEGEPROPERTIES ("refobject" = "true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");

Row-level access control based on packages

  • Scenario description

    The table_order table in the ProjectA project is a table that contains information about orders and transactions of all merchants. Merchants need to view the table, but they can only view the orders and transactions of their own stores.

  • Solution

    Use a row-level access control mechanism that lets each merchant filter the table_order table by merchant ID and read only the data of its own store. MaxCompute does not natively support row-level access control. Instead, create a separate view of the table_order table for each merchant downstream and grant the permissions on that view to the merchant by using a package.

  • Procedure

    1. Create a separate view for each merchant in the ProjectA project.

      CREATE VIEW <viewname> as select * from table_order WHERE sellerid='xxxx';

      The viewname parameter specifies the name of the view.

    2. Create a package in the ProjectA project and grant the permissions on a view in the package to each merchant.

      create package <packagename>;
      add table <viewname> to package <packagename>;
      allow project <Projectname_seller> to install package <packagename>;

      The packagename parameter specifies the name of the package. The Projectname_seller parameter specifies the name of the MaxCompute project to which the merchant belongs.

    3. Install the package in the project to which the merchant belongs and grant read permissions on the view to the merchant.

      USE <Projectname_seller>;
      install package <ProjectA>.<packagename>;
      grant read on package <ProjectA>.<packagename> to user <username>;
      select * from <ProjectA>.<viewname>;

      The username parameter specifies the account used to query data from the view in the project to which the merchant belongs.