MaxCompute:FAQ about permission management

Last Updated: May 17, 2024

This topic provides answers to some frequently asked questions (FAQ) about permission management of MaxCompute.

How do I read data across projects?

You can read data across projects by using a package. A package is a mechanism that is used to share data and resources across projects. It is introduced to resolve user authorization issues when you want to share data and resources across projects. To share objects of a project, the project administrator can create a package that contains the objects and authorize the administrators of other projects to install the package. After the administrators of other projects install the package, they can authorize project members to use the package.

For more information about how to use a package and control access to the package, see Cross-project resource access based on packages and Access control for packages.

Can I change the owner of a MaxCompute project to a RAM user?

No, you cannot change the owner of a MaxCompute project to a RAM user. The project owner must be the account that creates the project. A project owner can assign the Admin role to a RAM user.

Which operations cannot be performed by the RAM users assigned the Admin role?

Compared with the project owner, the RAM users assigned the Admin role cannot perform the following operations:

  • Grant the permissions of the Admin role to other users.

  • Configure the security settings of projects.

  • Modify the authentication model of projects.

  • Modify the permissions of the Admin role.

When I try to access DataWorks as a RAM user, an error message appears, indicating that the AccessKey ID of the RAM user is not found. However, the AccessKey ID exists. What do I do?

You must bind an AccessKey pair to the RAM user. To perform this operation, go to the Personal Information page and click Modify AccessKey Information. In the dialog box that appears, configure the AccessKey ID and AccessKey Secret parameters. Then, click Save AccessKey. After you complete the configuration, try to access DataWorks again.

What do I do if I fail to grant a RAM user the permissions on tables in the production environment?

  • Problem description

    When an Alibaba Cloud account is used to grant a RAM user the permissions on tables in the production environment, the following error message appears:

    class java.lang.IllegalArgumentException: AccessId should not be empty.
  • Cause

    The AccessKey pair of the Alibaba Cloud account or the RAM user is not configured.

  • Solution

    Use the Alibaba Cloud account or the RAM user to go to the Personal Information page, and check whether the AccessKey pair is configured. If the AccessKey pair is not configured, click Modify AccessKey Information. In the dialog box that appears, configure the AccessKey ID and AccessKey Secret parameters. Then, click Save AccessKey.

How do I grant users the permissions on tables?

Only the project owner or the RAM users assigned the Super_Administrator or Admin role can grant users the permissions on tables. You can use ACL-based authorization (GRANT) to grant users the permissions on tables. Sample statement:

grant Update on table project_name to ram$bob@aliyun.com:Allen;

For more information about authorization, see MaxCompute permissions.

How do I grant permissions to a RAM user?

Only Alibaba Cloud accounts or RAM users that are assigned the Super_Administrator or Admin role can grant permissions to RAM users. For more information about authorization, see MaxCompute permissions.

What are the objects and actions in permission management?

MaxCompute authorization involves the following elements:

  • Subject: the users or roles to which you want to grant permissions.

  • Object: the objects on which permissions are granted to users or roles, such as projects, tables, functions, resources, and instances.

  • Action: the actions that the authorized users or roles can perform on objects, such as the actions to read data from, write data to, and query data from tables.

For more information, see ACL-based access control.

How do I use a RAM user to access the projects that are created by other Alibaba Cloud accounts?

For example, RAM User C (ram_user_1) of Alibaba Cloud Account A wants to access the MaxCompute project that is created by Alibaba Cloud Account B.

Log on to the MaxCompute console as Alibaba Cloud Account B, add Alibaba Cloud Account A to the project that is created by Alibaba Cloud Account B, and then assign the MaxCompute Super_Administrator role to Alibaba Cloud Account A. Then, use Alibaba Cloud Account A to log on to that project and run the add user ram$A:ram_user_1; command to add RAM User C to the project.

How do I obtain the tenant ID (tenant_id)?

Permissions on specific resources can be granted to a tenant. To obtain the tenant ID, perform the following operations:

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Tenants > Tenant Properties.

  3. On the Tenants page, obtain the tenant ID of the account.

What do I do if the error message "FAILED: Invalid account Name xxxxxx" appears during authorization?

  • Problem description

    The following error message appears during authorization:

    FAILED: Invalid account Name xxxxxx
  • Cause

    The username in the authorization statement is invalid.

  • Solution

    Check the username. You can run the list users; command to obtain the user list of the current project. When you perform authorization, copy the username that you want to use in the user list to the authorization statement instead of manually entering a username. This helps avoid spelling errors.

What do I do if the error message "FAILED: lack of account provider, principalName xxxxxx" appears when I grant permissions to a user?

  • Problem description

    The following error message appears during authorization:

    FAILED: lack of account provider, principalName xxxxxx
  • Cause

    The username in the authorization statement is invalid or the RAM account system is not supported in the current project.

  • Solution

    Log on to the MaxCompute client and run the list accountproviders; command to check whether the RAM account system is supported in the current MaxCompute project. If the command output does not contain RAM users, run the add accountprovider ram; command to enable support for the RAM account system. Then, run the list accountproviders; command again to check whether the RAM account system is supported in the MaxCompute project. If the RAM account system is supported but the error message still appears, check whether the username is valid. You can run the list users; command to obtain the user list of the current project. When you perform authorization, copy the username that you want to use in the user list to the authorization statement instead of manually entering a username. This helps avoid spelling errors.

Why does an error appear when a user who has the Select permission on a view queries data from the view? The error indicates that the view owner does not have the Select permission on the table that is referenced by the view.

  • Problem description

    View A in MaxCompute references Table B. User A has the Select permission on View A. When User A performs a query operation on View A, an error message appears, indicating that the owner (User B) of View A does not have the Select permission on Table B.

  • Cause

    A view is unavailable if the owner of the view does not have the Select permission on the table that is referenced by the view. This issue may occur in the following scenarios: (1) The Select permission on the referenced table is not granted to the new view owner at the earliest opportunity after the view owner is changed. (2) The owner of the table that is referenced by the view revokes the Select permission from the view owner. As a result, User A who has the Select permission on View A cannot query data from View A.

  • Solution

    We recommend that you run the following command to check whether the view owner has the Select permission on the table that is referenced by the view:

    show grants for <user_name>; -- Replace user_name with the username of the view owner.

    If the view owner does not have the Select permission on the table that is referenced by the view, grant the Select permission on the referenced table to the view owner.
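The permission chain described in this FAQ, as an added example that is not part of the MaxCompute documentation: a small model in which a view query requires both the querying user's Select on the view and the view owner's Select on every referenced table. All user, table and view names are constructed; show_grants mirrors the check the solution recommends.

```python
# Added example (not MaxCompute's own code): a minimal model of the view
# authorization chain. A query on a view needs the querying user's Select on
# the view AND the view owner's Select on each table the view references.
from dataclasses import dataclass, field


@dataclass
class Project:
    # grants[(principal, object_name)] -> set of actions, e.g. {"Select"}
    grants: dict = field(default_factory=dict)
    # view_name -> (owner, [referenced tables])
    views: dict = field(default_factory=dict)

    def grant(self, action, obj, principal):
        self.grants.setdefault((principal, obj), set()).add(action)

    def revoke(self, action, obj, principal):
        self.grants.get((principal, obj), set()).discard(action)

    def has(self, principal, action, obj):
        return action in self.grants.get((principal, obj), set())

    def show_grants(self, principal):
        """Model of `show grants for <user_name>;` for one principal."""
        return {obj: sorted(acts) for (p, obj), acts in self.grants.items()
                if p == principal and acts}

    def query_view(self, user, view):
        owner, tables = self.views[view]
        if not self.has(user, "Select", view):
            return f"{user} has no Select on view {view}"
        for t in tables:
            if not self.has(owner, "Select", t):
                # The FAQ's failure mode: the consumer's grant is intact, but
                # the view owner's grant on the base table is missing.
                return f"view owner {owner} has no Select on table {t}"
        return "ok"


def reproduce():
    p = Project()
    p.views["view_a"] = ("user_b", ["table_b"])   # constructed names
    p.grant("Select", "table_b", "user_b")        # owner can read base table
    p.grant("Select", "view_a", "user_a")         # consumer can read the view
    before = p.query_view("user_a", "view_a")
    p.revoke("Select", "table_b", "user_b")       # table owner revokes from view owner
    broken = p.query_view("user_a", "view_a")
    owner_grants = p.show_grants("user_b")        # the check the FAQ recommends
    p.grant("Select", "table_b", "user_b")        # the fix: re-grant to the view owner
    return before, broken, owner_grants, p.query_view("user_a", "view_a")
```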

What do I do if the error message "You have NO privilege to do the restricted operation on xxx Access Mode is AllDenied" appears when I run a job?

  • Cause

    The project to which the job you run belongs is disabled.

  • Solution

    • Check whether your account has overdue payments or whether the default computing quota of the project is a subscription quota whose subscription has expired. If your account has overdue payments or the subscription quota has expired, top up your account or renew your subscription. Your project recovers within about 2 to 30 minutes, depending on the number of orders and the number of projects involved.

    • If your account does not have overdue payments or the subscription quota is not expired, your project is manually disabled. Go to the Projects page of the MaxCompute console to restore your project.

What do I do if the error message "failed to check policy format: invalid Action value - odps:<Action>" appears when I create a custom resource role?

  • Problem description

    The policy-based access control feature is used to create a resource role named test_role and the CreatePackage permission is granted to the role. The following code shows the policy content.

    {
        "Statement": [
            {
                "Action": [
                    "odps:CreatePackage"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:odps:*:projects/test_project/authorization",
                    "acs:odps:*:projects/test_project/authorization/packages/*",
                    "acs:odps:*:projects/test_project/authorization/packages/*/*/*"
                ]
            }
        ],
        "Version": "1"
    }

    The following error message appears:

    Create role test_role error: [400] com.aliyun.odps.OdpsException: failed to check policy format: invalid Action value - odps:CreatePackage
  • Cause

    MaxCompute does not allow you to grant project management permissions to resource roles. The CreatePackage permission is a project management permission. For more information about project management permissions, see the "Permissions on project management" section in MaxCompute permissions.

  • Solution

    When you create a custom role that has project management permissions, change the role type to Admin. For more information about role planning, see Role planning.
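A pre-flight lint for resource-role policies, as an added example that is not part of the MaxCompute documentation: it parses the policy JSON and flags Action values that name project management permissions before the role is created, so the 400 error above is caught locally. PROJECT_MANAGEMENT_ACTIONS holds only the action named in this FAQ and is assumed to be extended from the "Permissions on project management" section of MaxCompute permissions; the odps:Select action and the tables/ resource path in OK_POLICY are assumed forms, not taken from this page.

```python
# Added example (not MaxCompute's own code): lint a policy-based resource-role
# definition before submitting it. Resource roles may not carry project
# management permissions, so those Action values are reported as problems.
import json

# Assumption: only the action named in the FAQ is listed; extend from the
# MaxCompute permissions documentation for real use.
PROJECT_MANAGEMENT_ACTIONS = {"odps:CreatePackage"}


def lint_resource_role_policy(policy_text):
    """Return a list of problems; an empty list means the policy passed."""
    policy = json.loads(policy_text)
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # a single action may be a bare string
            actions = [actions]
        for action in actions:
            if not action.startswith("odps:"):
                problems.append(f"statement {i}: action {action} lacks odps: prefix")
            elif action in PROJECT_MANAGEMENT_ACTIONS:
                problems.append(
                    f"statement {i}: {action} is a project management permission; "
                    "use an Admin-type role instead of a resource role")
        for res in stmt.get("Resource", []):
            if not res.startswith("acs:odps:"):
                problems.append(f"statement {i}: resource {res} lacks acs:odps: prefix")
    return problems


# Copy of the policy from the FAQ above (constructed for this example).
FAILING_POLICY = json.dumps({"Statement": [{
    "Action": ["odps:CreatePackage"], "Effect": "Allow",
    "Resource": ["acs:odps:*:projects/test_project/authorization",
                 "acs:odps:*:projects/test_project/authorization/packages/*",
                 "acs:odps:*:projects/test_project/authorization/packages/*/*/*"]}],
    "Version": "1"})

# Assumed-valid resource-role policy: an object-level action on one table.
OK_POLICY = json.dumps({"Statement": [{
    "Action": ["odps:Select"], "Effect": "Allow",
    "Resource": ["acs:odps:*:projects/test_project/tables/table_a"]}],
    "Version": "1"})
```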