DataWorks provides workspaces in basic mode and in standard mode. This topic describes the characteristics of permission management for data in MaxCompute compute engine instances associated with workspaces in different modes. This topic also describes the differences between the data access behaviors in MaxCompute compute engine instances in the development and production environments.
Prerequisites
Usage notes
Item | Description | References |
---|---|---|
Characteristics of permission management for MaxCompute compute engine instances associated with workspaces in different modes | If you associate a MaxCompute compute engine with workspaces in different modes as a compute engine instance, the environments in which the MaxCompute compute engine instance is used vary based on the workspace mode. Therefore, data access behaviors, required access permissions, and data security levels in workspaces in different modes vary. | Differences on permission management for MaxCompute compute engine instances associated with workspaces in different modes |
Data access behaviors in MaxCompute compute engine instances associated with workspaces in different modes | Workspaces in different modes have different numbers of MaxCompute compute engine instances and provide different environments. Therefore, resources that are accessed in different environments by default and the methods that can be used to access the resources vary. | Differences on data access behaviors in MaxCompute compute engine instances associated with workspaces in different modes |
Naming formats of tables in MaxCompute compute engine instances associated with workspaces in different modes | Naming formats of tables in MaxCompute compute engine instances associated with workspaces in different modes must be distinguished to prevent misoperations in the production environment. | Naming formats of tables in MaxCompute compute engine instances associated with workspaces in different modes |
Differences on permission management for MaxCompute compute engine instances associated with workspaces in different modes
In different workspace modes, the environments in which a MaxCompute compute engine instance is used are different. MaxCompute compute engine instances associated with workspaces in different modes have different permission management characteristics, and workspaces in different modes have different benefits and risks. The following table describes the details.
Item | Basic mode | Standard mode |
---|---|---|
Permissions | In a workspace in basic mode, the Development role of the workspace is mapped to the
Role_Project_Dev role of the associated MaxCompute compute engine instance.
|
In a workspace in standard mode, the Development role of the DataWorks workspace is
mapped to the Role_Project_Dev role of the associated MaxCompute compute engine instance
in the development environment.
|
Benefits |
Workspaces in basic mode are simple and easy to use. You need to only assign the Development role to development engineers to complete all data warehouse development operations. |
Workspaces in standard mode are secure and standardized.
|
Risks |
Workspaces in basic mode impose risks on stability and security.
|
The data development and production process is complex. In most cases, the process involves more than one developer. |
Differences on data access behaviors in MaxCompute compute engine instances associated with workspaces in different modes
MaxCompute allows you to access resources across projects. Users that are assigned the Development role can directly access resources in a MaxCompute compute engine instance in the production environment from DataStudio (the development environment). Workspaces in different modes have different numbers of MaxCompute compute engine instances and provide different environments. Behaviors of access to resources in MaxCompute compute engine instances in the development environment and those in the production environment are different. The following table describes the differences.Item | Workspace mode | DataStudio | Operation Center |
---|---|---|---|
Accounts or roles that can be used to perform operations | Standard mode | Current logon user | Accounts or roles that are specified to perform operations for the scheduling engine |
Basic mode | Accounts or roles that are specified to perform operations for the scheduling engine
Note In a workspace in basic mode, if an Alibaba Cloud account is specified to perform
operations for the scheduling engine, the Alibaba Cloud account is used to run nodes,
regardless of whether the Alibaba Cloud account is the current logon user that performs
operations.
|
||
Environment in which resources reside | Standard mode | projectname_dev.tablename/function/resource | projectname.tablename/function/resource |
Basic mode | projectname.tablename/function/resource | ||
Accounts used to access resources | Standard mode | Statement 1: select col1 from tablename
select col1 from projectname.tablename
Note By default, RAM users that are not specified to perform operations for the scheduling
engine do not have permissions to access the data in the production environment. If
you want to access the data as a RAM user, you must request permissions to access
tables in the production environment in Security Center for the RAM user.
|
Statement used for the access: select col1 from tablename
|
Basic mode | Statement used for the access: select col1 from tablename
Note In a workspace in basic mode, if an Alibaba Cloud account is specified to perform
operations for the scheduling engine, the Alibaba Cloud account is used to access
resources, regardless of whether the Alibaba Cloud account is the current logon user
that performs operations.
|
||
Permissions required to access resources | Standard mode | Permissions that are granted to personal accounts | Permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine |
Basic mode | Permissions granted to the accounts or roles that are specified to perform operations
for the scheduling engine
Note An Alibaba Cloud account has full permissions on its resources. For security purposes,
we recommend that you do not specify an Alibaba Cloud account to perform operations
for the scheduling engine in a workspace in basic mode.
|
Naming formats of tables in MaxCompute compute engine instances associated with workspaces in different modes
A workspace in basic mode provides only the production environment. Therefore, a MaxCompute compute engine instance that is associated with the workspace is used only in the production environment. A workspace in standard mode provides the development environment and production environment. The two environments are isolated from each other. In this case, the naming formats of tables in the MaxCompute compute engine instances that are associated with the workspace differ in the two environments. If you want to access tables in the production environment from the development environment, you must use the appropriate naming format in the production environment to prevent misoperations. The following table describes the naming formats of tables in the two environments.
Environment | Standard mode | Example |
---|---|---|
Development environment | Project name_dev.Table name | If you want to create a table named user_info in the projectA project, the table name is displayed as projectA_dev.user_info. |
Production environment | Project name.Table name | If you want to create a table named user_info in the projectA project, the table name is displayed as projectA.user_info. |