MaxCompute:REVOKE

Last Updated: Jun 30, 2023

MaxCompute allows you to use the ACL-based access control method or policy-based access control method to revoke specified operation permissions on specific objects from a user or role.

Prerequisites

Before you use the ACL-based access control method or policy-based access control method, make sure that the following conditions are met:

  • Obtain the account of the user or the name of the role from which you want to revoke permissions. The user or role must already be added to your MaxCompute project. If the user is an Alibaba Cloud account, record it in the format ALIYUN$<Alibaba Cloud account>. If the user is a RAM user, record it in the format RAM$<Alibaba Cloud account to which the RAM user belongs>:<name of the RAM user>.

    You can run the list users; or list roles; command on the MaxCompute client to query the name of the user account or role.

    For more information about how to add a user or role, see User planning and management or Role planning.

  • Obtain the type and name of the object on which you want to revoke permissions, and the actions that you want to revoke or deny on the object.

    For more information about object types and actions supported for each type of object, see MaxCompute permissions.

Limits

Before you use the ACL-based or policy-based access control method, take note of the following limits:

  • You can use the ACL-based access control method to grant the permissions only on an existing object and to an existing subject. If you delete an object and then create an object with the same name, the new object does not inherit the permissions on the deleted object.

  • The ACL-based access control method does not support authorization by using the [with grant option] clause. For example, if User A authorizes User B to access an object, User B cannot authorize User C to access the same object.

  • The ACL-based access control method is implemented based only on the whitelist mechanism. You cannot use this method to deny actions on objects.

  • You can use the policy-based access control method to grant permissions only to existing roles.

Precautions

  • Before you use the ACL-based access control method, take note of the following items:

    • If you delete an object, MaxCompute revokes all permissions on the object that are granted by using the ACL-based access control method.

    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

  • Before you use the policy-based access control method, take note of the following items:

    • You can use the policy-based access control method to grant permissions on an object that does not exist. If you delete an existing object whose permissions are granted, the permission information related to the object is retained. As a result, if you create an object that has the same name as the deleted object, security risks may exist.

    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
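Both access control methods keep a removed user's grants until they are explicitly revoked, so a defender revokes first and removes the user afterwards. The following sequence is an added example and is not code from the original page. It assumes a project named test_project_a, a RAM user RAM$Bob@aliyun.com:Carol, a table sale_detail with shop_name and customer_id columns, a role named Worker, and that remove user is the command that removes a user from a project (that command is not shown on this page).

```sql
-- Added example, not from the original page. Assumed names: project test_project_a,
-- RAM user RAM$Bob@aliyun.com:Carol, table sale_detail, role Worker.
use test_project_a;

-- 1. Record what the user currently holds before anything is revoked.
show grants for RAM$Bob@aliyun.com:Carol;

-- 2. Revoke the ACL-based grants. ACL grants are bound to the existing object,
--    so revoke them while the object still exists.
revoke Describe, Select on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Carol;
revoke All on table sale_detail from USER RAM$Bob@aliyun.com:Carol;

-- 3. Revoke role membership, so that re-adding the user later does not
--    silently restore everything the role allows.
revoke Worker from RAM$Bob@aliyun.com:Carol;

-- 4. Verify that nothing remains, then remove the user.
--    (remove user is assumed here; it is not shown on this page.)
show grants for RAM$Bob@aliyun.com:Carol;
remove user RAM$Bob@aliyun.com:Carol;
```

The order matters: the second show grants is the check that the user's residual permission information is empty before the user leaves the project, which avoids the reactivation described in the precaution above.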

Syntax

  • Revoke permissions by using the ACL-based access control method

    revoke <actions> on <object_type> <object_name>
    [(<column_list>)] from <subject_type> <subject_name>;

  • Revoke permissions by using the policy-based access control method

    revoke <actions> on <object_type> <object_name>
    from ROLE <role_name>
    privilegeproperties ("policy" = "true", "allow"="{true|false}");
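The Examples section of this topic only covers the ACL-based form, so the following is an added example of the policy-based form; it is not code from the original page. It assumes a project named test_project_a, a role named data_analyst, tables named sale_detail and sale_summary, that a policy revoke names the same allow value as the grant it undoes, and that describe role lists a role's grants (a command not shown on this page). It also shows the clean-up the Precautions call for: policy-based grants survive the deletion of their object, so they are revoked before a same-named object can be created again.

```sql
-- Added example, not from the original page. Assumed names: project test_project_a,
-- role data_analyst, tables sale_detail and sale_summary.
use test_project_a;

-- Remove an allow entry that was granted with the policy-based method. The
-- wildcard is permitted here because the subject is a role.
revoke Select, Describe on table sale_* from ROLE data_analyst
privilegeproperties ("policy" = "true", "allow"="true");

-- Remove a deny entry (blacklist mechanism) that was granted with "allow"="false".
-- Assumed: the revoke names the same allow value as the grant it undoes.
revoke Drop on table sale_detail from ROLE data_analyst
privilegeproperties ("policy" = "true", "allow"="false");

-- Clean-up after dropping an object: the policy entry for sale_summary is
-- retained after the drop, so revoke it explicitly before any table of that
-- name is created again.
drop table if exists sale_summary;
revoke All on table sale_summary from ROLE data_analyst
privilegeproperties ("policy" = "true", "allow"="true");

-- Assumed verification command (not shown on this page).
describe role data_analyst;
```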

Parameters

  • actions (required): The action to revoke. You can specify one or more actions in a single statement. If you specify multiple actions, separate them with commas (,). For more information about the supported actions, see MaxCompute permissions.

  • object_type (required): The type of object on which permissions are revoked. You can specify only one type of object in a single statement. For more information about the supported object types, see MaxCompute permissions.

  • object_name (required): The name of the object on which permissions are revoked. You can obtain the name of an object by using one of the following methods:

    • Project name: To obtain the name of a project, log on to the MaxCompute console. In the top navigation bar, select the region in which the project resides. On the Project management tab, view the name of the project.

    • Table or view name: To obtain the name of a table or view, run the show tables; command on the MaxCompute client.

    • Resource name: To obtain the name of a resource, run the list resources; command on the MaxCompute client.

    • Function name: To obtain the name of a function, run the list functions; command on the MaxCompute client.

    • Instance name: To obtain the name of an instance, run the show instances; command on the MaxCompute client. Instance names are the same as instance IDs in MaxCompute.

    You can use asterisks (*) when you configure this parameter. For example, if you set this parameter to table taobao*, all tables whose names start with taobao are matched.

    Note

    You can use asterisks (*) only when the value of subject_type is ROLE.

  • column_list (optional): The names of the columns on which you want to perform access control. This parameter is required only if you set the object_type parameter to Table and you want to perform column-level access control in a table. You can specify one or more column names in a single statement. If you specify multiple column names, separate them with commas (,).

    Note

    This parameter specifies the columns on which you want to manage the Describe, Select, Alter, Update, Drop, and ShowHistory permissions and all permissions. If sensitivity levels are specified for columns in a table, you can use the label-based access control method to manage the access permissions on sensitive data in the columns. For more information about the label-based access control method, see Label-based access control.

  • subject_type (required): The type of the subject from which permissions are revoked. Valid values:

    • USER: Alibaba Cloud account or RAM user

    • ROLE: role

  • subject_name (required): The account of the user or the name of the role from which permissions are revoked. You can specify only one account or one role in a single statement. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

  • role_name (required): The name of the role from which permissions are revoked. You can specify only one role in a single statement. You can run the list roles; command on the MaxCompute client to query the name of the role.

  • privilegeproperties: Contains the following properties:

    • policy (required): Set the value to true. The value true indicates that policy-based access control is used.

    • allow (required if you want to use the whitelist mechanism): Specifies whether to allow the specified action on the specified object. Valid values:

      • true: The specified action on the specified object is allowed.

      • false: The specified action on the specified object is not allowed. This value indicates the blacklist mechanism.

Environment

You can run the commands that are described in this topic on the following platforms:

  • MaxCompute client

    Use the MaxCompute client to access MaxCompute projects and run authorization commands.

Examples

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a. Allen, Alice, and Tom are the RAM users of the Alibaba Cloud account Bob@aliyun.com. In the following examples, statements are executed on the MaxCompute client.

  • Example 1: Revoke permissions from a user

    In this example, the permissions that are granted to the RAM users Allen and Alice in Example 1 and Example 2 are revoked. Sample statements:

    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
    use test_project_a;
    -- Revoke the Describe and Select permissions on the shop_name and customer_id columns of the sale_detail table from the RAM user Allen.
    revoke Describe, Select on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Allen;
    -- Revoke all permissions on the shop_name and customer_id columns of the sale_detail table from the RAM user Alice.
    revoke All on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Alice;
    -- Query the permissions of the RAM user Allen. The result shows that Allen no longer has the Describe and Select permissions.
    show grants for RAM$Bob@aliyun.com:Allen;
    -- Query the permissions of the RAM user Alice. The result shows that Alice no longer has permissions on the table.
    show grants for RAM$Bob@aliyun.com:Alice;
  • Example 2: Revoke the same permissions that are granted by using a role from multiple users

    In this example, the same permissions that are granted to the RAM users Alice and Tom and the Alibaba Cloud account Lily@aliyun.com are revoked. Sample statements:

    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
    use test_project_a;
    -- Revoke the role Worker from the RAM users Alice and Tom and the Alibaba Cloud account Lily@aliyun.com.
    revoke Worker from RAM$Bob@aliyun.com:Alice;
    revoke Worker from RAM$Bob@aliyun.com:Tom;
    revoke Worker from ALIYUN$Lily@aliyun.com;
    -- Query the permissions of the Alibaba Cloud account Lily@aliyun.com. The result shows that Lily@aliyun.com no longer has the permissions of the role Worker.
    show grants for ALIYUN$Lily@aliyun.com;

Revoke access permissions on a package from a user or role

Revoke the access permissions on a package from a user or role in the MaxCompute project where the package is installed.

  • Syntax

    revoke <actions> on package <project_name>.<package_name> from {USER|ROLE} <name>;
  • Parameters

    • actions (required): The action on resources in a package. Set the value to Read.

    • project_name (required): The name of the MaxCompute project to which the package belongs. Log on to the MaxCompute console. In the top navigation bar, select a region. On the Project management tab, obtain the name of the MaxCompute project.

    • package_name (required): The name of the package. You can execute the show packages; statement on the MaxCompute client to obtain the information about the package that you created.

    • name (required): The name of the user account or role from which you want to revoke the access permissions on the package. You can specify only one user account or role in a single statement. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

  • Examples

    Revoke the access permissions on the specified package from Bella. Sample statement:

    -- Revoke the access permissions on the specified package from Bella.
    revoke Read on package test_project_a.datashare from user RAM$Amy@aliyun.com:Bella;

Revoke label-based permissions granted by using explicit authorization

The project owner or a user who is assigned the Admin role can revoke label-based permissions that were granted by using explicit authorization.

  • Syntax

    revoke Label on table <table_name> [(<column_list>)] from {USER|ROLE} <name>;
  • Precautions

    • If you revoke explicitly configured label-based permissions on a table, the explicitly configured label-based permissions on the columns in the table are also revoked.

    • If you revoke explicitly configured label-based permissions, the access-level labels that are configured for users or roles are not affected. For example, an explicit label-based grant allows a user whose access level is 2 to access the table data whose sensitivity level is lower than or equal to 3. If you revoke that grant, the user can access only the table data whose sensitivity level is lower than or equal to 2, as determined by the access level of the user.

  • Parameters

    • table_name (required): The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.

    • column_list (optional): This parameter is required if you want to revoke the permission to access sensitive data of a specified column in a table or view. You can specify multiple column names. Separate column names with commas (,).

    • name (required): The name of the user or role. You can run the list users; or list roles; command on the MaxCompute client to obtain the name of the user account or role.

  • Examples

    In these examples, the test_project_a project stores a table named sale_detail that contains the shop_name, customer_id, and total_price columns. Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that belongs to the Alibaba Cloud account Bob@aliyun.com and is added to the test_project_a project.

    Revoke the permissions to access data with high sensitivity levels from Allen. Sample statements:

    -- Revoke the permissions to access data whose sensitivity level is lower than or equal to 3 in the shop_name, customer_id, and total_price columns of the sale_detail table from Allen.
    revoke Label on table sale_detail(shop_name, customer_id, total_price) from USER RAM$Bob@aliyun.com:Allen;
    -- View the permissions that are granted to Allen.
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned:
    User Label: 1
    +-------------+--------------+--------------------------+
    | Column      | GrantedLabel | Expires                  |
    +-------------+--------------+--------------------------+
    | total_price | 3            | 2021-12-31T19:56:18+0800 |
    +-------------+--------------+--------------------------+
    -- Revoke the permissions to access sensitive data in the sale_detail table from Allen.
    revoke Label on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
    -- View the permissions that are granted to Allen.
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned:
    User Label: 1

Revoke a user from a role

Revokes a user from a specific role.

  • Syntax

    revoke <role_name> from <user_name>;
  • Parameters

    • role_name: required. The name of the role from which you want to revoke a user.

    • user_name: required. The name of the Alibaba Cloud account or RAM user that you want to revoke from the role. The format of an Alibaba Cloud account is ALIYUN$****@aliyun.com. The format of a RAM user is RAM$****.

  • Examples

    -- Revoke the Alibaba Cloud account alice@aliyun.com from the player role.
    revoke player from ALIYUN$alice@aliyun.com;

Related statements

  • CREATE PACKAGE: creates a package.

  • CREATE ROLE: creates a role in a MaxCompute project.

  • SET LABEL: MaxCompute provides the label-based access control method. You can use this method to configure access level labels for users or roles and sensitivity level labels for table data or column data at the project level.

  • GRANT: MaxCompute provides the ACL-based access control method. You can use this method to grant permissions on an object to a user or role to allow one or more specified actions on an object.