MaxCompute: Manage projects

Last Updated: Oct 29, 2024

A project is the basic unit for performing user isolation and access control in MaxCompute. After you activate MaxCompute, you must create projects to use MaxCompute. This topic describes how to create and manage a MaxCompute project in the MaxCompute console.

Prerequisites

  • MaxCompute is activated for your Alibaba Cloud account or a RAM user within the Alibaba Cloud account.

  • The RAM user is authorized to access MaxCompute. By default, you can create, configure, and delete a project or change the status of a project only by using your Alibaba Cloud account. If you want to manage a MaxCompute project as a RAM user, you must obtain the credentials of the RAM user and attach the AliyunMaxComputeFullAccess policy or a custom policy to the RAM user.

    For more information about how to create a RAM user or obtain information about a RAM user, see Prepare a RAM user.

Permissions

  • Alibaba Cloud account: all permissions that are required for project management, including the query and operation permissions on all resources in a project.

  • RAM user:

    • To view a project in the project list as a RAM user, you must make sure that the RAM user is added to the project.

    • To create, delete, or modify the default quota of a project, or to freeze or restore a project as a RAM user, you must attach the related policies to the RAM user in the Resource Access Management (RAM) console. For more information, see RAM permissions.

    • To configure parameters and manage role permissions and packages on the project configuration page as a RAM user, the RAM user must be assigned the built-in role Admin or Super_Administrator or granted the required project management permissions. For more information about project management permissions, see the "Permissions on project management" section in MaxCompute permissions.

Precautions

Before you create a MaxCompute project, take note of the following items:

  • After you use an Alibaba Cloud account to create a MaxCompute project, you have the operation permissions on all the objects in the project. Only authorized users can access the project.

  • For a MaxCompute project that is created by a RAM user, both the RAM user and the Alibaba Cloud account to which the RAM user belongs have the operation permissions on all the objects in the project. Other users can access the project only after the users are granted the related permissions.

  • For a MaxCompute project that is created by a RAM user, MaxCompute assigns the RAM user the Super_Administrator role of the project by default. This facilitates project management.

Create a project

Projects that are created in the MaxCompute console can be used by various clients. DataWorks provides a unified end-to-end big data development and governance platform and is integrated with MaxCompute. You cannot associate a DataWorks workspace in standard mode with an existing MaxCompute project. We recommend that you create and use a MaxCompute project in the DataWorks console. For more information, see Create a workspace.

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. On the Projects page, click Create Project.

  4. In the Create Project dialog box, configure the parameters as prompted.

    The following table describes the parameters that you must take note of.

    Parameter

    Description

    Project Name

    The name must be 3 to 28 characters in length and can contain letters, digits, and underscores (_). The name must start with a letter and must be globally unique.

    Billing Method

    The billing method of computing resources, which is also the billing method of the default quota group.

    Default Quota

    Quota groups are used to allocate computing resources.

    If you do not specify a quota group for your project, the jobs initiated by your project consume the computing resources in the default quota group. For more information about how to use computing resources, see Use quota groups for computing resources.

    Max Resources Consumed by An SQL Statement

    The upper limit for the resources that can be consumed by an SQL job.

    Formula: Amount of scanned data (GB) × Complexity. This parameter is optional. If you select Pay-as-you-go for Billing Method, we recommend that you configure this parameter to prevent a single SQL job from consuming excessive resources. We also recommend that you configure real-time consumption control to monitor resources consumed by computing jobs. This helps you prevent high resource consumption. For more information, see Consumption control.

    Data Type Edition

    The data type edition of MaxCompute. Valid values: MaxCompute V1.0 Data Type Edition (Suitable for Early MaxCompute Projects), MaxCompute V2.0 Data Type Edition (Recommended), and Hive-Compatible Data Type Edition (Suitable for MaxCompute Projects Migrated from Hadoop).

    Select a data type edition based on your business requirements. For more information about the differences among the three data type editions, see Data type editions.

    Encrypt

    Specifies whether to enable the data encryption feature for the MaxCompute project that you create. For more information about data encryption, see Storage encryption.

    If you select Yes, you must specify the following items:

    • Key: the type of the key that is used in the MaxCompute project. You can select MaxCompute Default Key or Bring Your Own Key (BYOK). If you select MaxCompute Default Key, the key that MaxCompute automatically creates for the project is used.

    • Algorithm: The encryption algorithm that is supported by the key. Valid values: AES256, AESCTR, and RC4.

  5. Click OK.

    After the MaxCompute project is created, you can view this project on the Projects page.

    You can perform the following operations on the created project:

    • Manage and configure project properties. For more information, see Configure a project.

    • Manage permissions on the data in your project. You can assign roles to RAM users of your Alibaba Cloud account and manage permissions based on the roles. For more information, see Role management.

    • Prepare the development environment for your MaxCompute project and install the required tools to develop data in your project. For more information, see Select a connection tool.

    • Delete your MaxCompute project. For more information, see Delete a project.
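
Storage encryption can be configured only when a project is created, so it is worth checking the planned parameters before you click OK. The following Python check is an added example, not part of the original page or of any MaxCompute tool: it applies the rules from the parameter table to a request dictionary whose key names are hypothetical. The RC4 warning is an assumption of this example; the page lists RC4 only as a valid value.

```python
import re

# Rules taken from the parameter table above; the dict keys are hypothetical names.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,27}")  # assumes ASCII letters
KEY_TYPES = {"MaxCompute Default Key", "Bring Your Own Key (BYOK)"}
ALGORITHMS = {"AES256", "AESCTR", "RC4"}


def preflight(req):
    """Check a planned Create Project request; return (errors, warnings) as code lists."""
    errors, warnings = [], []

    # Global uniqueness cannot be checked offline; only the syntax is checked.
    if not NAME_RE.fullmatch(req.get("project_name", "")):
        errors.append("bad-name")

    # The page recommends a per-SQL resource cap when billing is pay-as-you-go.
    if req.get("billing_method") == "Pay-as-you-go" and not req.get("max_sql_resources"):
        warnings.append("no-sql-cap")

    if not req.get("encrypt"):
        # Storage encryption can be configured only at creation time.
        warnings.append("unencrypted-at-creation")
    else:
        if req.get("key") not in KEY_TYPES:
            errors.append("bad-key-type")
        algorithm = req.get("algorithm")
        if algorithm not in ALGORITHMS:
            errors.append("bad-algorithm")
        elif algorithm == "RC4":
            # RC4 has known keystream biases and is prohibited in TLS (RFC 7465).
            warnings.append("weak-algorithm-rc4")
    return errors, warnings


# Constructed sample requests.
GOOD = {"project_name": "sec_audit_01", "billing_method": "Pay-as-you-go",
        "max_sql_resources": 1500, "encrypt": True,
        "key": "MaxCompute Default Key", "algorithm": "AES256"}
WEAK = {"project_name": "1_bad", "billing_method": "Pay-as-you-go",
        "encrypt": True, "key": "MaxCompute Default Key", "algorithm": "RC4"}

if __name__ == "__main__":
    for label, req in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, preflight(req))
```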

Configure a project

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. On the Projects page, find the desired project and click Manage in the Actions column.

  4. Configure parameters.

    1. On the Project Settings page, click the Parameter Configuration tab.

    2. On the Parameter Configuration tab, configure parameters. The following table describes the parameters.

      Note
      • Check whether the related permissions are granted before you configure parameters in the Basic Information section. For more information about permissions, see RAM permissions. To configure parameters in the Basic Properties section, you must be assigned the Super_Administrator role of your project.

      • To configure parameters in the Permission Properties and IP Address Whitelist sections, you must be assigned the Super_Administrator or Admin role of the project or granted custom management permissions. For more information about the management permissions, see MaxCompute permissions.

      Section

      Parameter

      Description

      Basic Information

      Default Quota

      The default quota group for your project. You can change the default quota group based on your business requirements.

      Total storage

      The storage space that is occupied by your project, which is the logical storage space after your project data is collected and compressed.

      Data Transmission Service

      The resource group of the data transmission service that is bound to your project.

      If you select default from the drop-down list, the shared resource group of the data transmission service is used. You cannot use the subscription-based resource group of the data transmission service. The default resource group is automatically used by the data transmission service of your project, regardless of whether you turn on Enable As Default Data Transmission Service.

      Enable As Default Data Transmission Service

      Specifies whether to use the resource group that is bound to your project for your data transmission task.

      • If you turn on this switch, the data transmission task uses the resource group that is bound to your project.

      • If you turn off this switch, the data transmission task uses the shared resource group of the data transmission service.

      Super Administrator

      Members

      The members of the Super_Administrator role of a project. You can view or edit the role members in the Super Administrator section. The settings are the same as the members of the Super_Administrator role displayed on the Role Permissions tab. However, this parameter supports RAM permission verification. After a RAM user is granted the UpdateUsersToSuperAdmin permission, you can set the Super_Administrator role members of the project as the RAM user. For more information, see RAM permissions.

      Basic Properties

      Full Table Scan for Partitioned Table

      Specifies whether to allow a full table scan for your project. This parameter is equivalent to the odps.sql.allow.fullscan property for an SQL statement. A full table scan occupies a large amount of resources and reduces data processing efficiency. Therefore, we recommend that you do not enable this feature.

      Backup Data Retention Period

      The number of days for which the backup data of your project is retained. This parameter is equivalent to the odps.timemachine.retention.days property for an SQL statement. During the retention period, you can restore the data that is in use to any backed-up version.

      Valid values: 0 to 30. Default value: 1. The value 0 indicates that the backup feature is disabled.

      Data Type Edition

      Valid values: MaxCompute V1.0 Data Type Edition (Suitable for Early MaxCompute Projects), MaxCompute V2.0 Data Type Edition (Recommended), and Hive-Compatible Data Type Edition (Suitable for MaxCompute Projects Migrated from Hadoop).

      For more information about the differences among the three data type editions, see Data type editions.

      DECIMAL in MaxCompute V2.0

      Specifies whether to enable the DECIMAL type of the MaxCompute V2.0 data type edition. This parameter is equivalent to the odps.sql.decimal.odps2 property for an SQL statement.

      Limit on Resources Consumed by Single SQL Statement

      The upper limit for the resources that can be consumed by an SQL job. This parameter is equivalent to the odps.sql.metering.value.max parameter for an SQL statement. For more information, see Consumption control.

      Formula: Amount of scanned data (GB) × Complexity.

      Storage Encryption Status

      You can configure this parameter only when you create a project. After you configure this parameter, you can only view the parameter configuration but cannot edit the configuration.

      Configure Lifecycle

      Specifies whether to configure a lifecycle for tables in your project. This parameter is equivalent to the odps.table.lifecycle parameter for an SQL statement. Valid values:

      • optional: The lifecycle clause is optional in a table creation statement. If you do not configure a lifecycle for a table, the table does not expire.

      • mandatory: The lifecycle clause is required in a table creation statement.

      • inherit: If you do not configure a lifecycle for a table when you create the table, the value of odps.table.lifecycle.value for an SQL statement is used by default. The value of odps.table.lifecycle.value is specified in the unit of days. Valid values: 1 to 37231. Default value: 37231.

      Time Zone

      The time zone that is used by your project. This parameter is equivalent to the odps.sql.timezone parameter for an SQL statement.

      Permission Properties

      ACL-based Access Control

      Specifies whether to enable ACL-based access control. This parameter is equivalent to the CheckPermissionUsingACL parameter for an SQL statement. By default, ACL-based access control is enabled.

      Policy-based Access Control

      Specifies whether to enable policy-based access control. This parameter is equivalent to the CheckPermissionUsingACL parameter for an SQL statement. By default, policy-based access control is enabled.

      Perform Operations on Objects by Object Creator

      Specifies whether to allow object creators to access the objects. This parameter is equivalent to the ObjectCreatorHasAccessPermission property for an SQL statement. The default value is Allow, which indicates that object creators are allowed to access the objects.

      Grant Permissions on Objects by Object Creator

      Specifies whether to allow object creators to grant permissions on the objects. This parameter is equivalent to the ObjectCreatorHasGrantPermission property for an SQL statement. The default value is Allow, which indicates that object creators are allowed to grant permissions on the objects.

      Label-based Access Control

      Specifies whether to enable label-based access control. This parameter is equivalent to the LabelSecurity parameter for an SQL statement. By default, label-based access control is not enabled.

      Project Data Protection

      Specifies whether to enable project data protection. This parameter is equivalent to the ProjectProtection parameter for an SQL statement and is used to allow or prohibit data outflow.

      If you enable project data protection, you can specify Exception Trusted Project. For more information about project data protection, see Project data protection.

      Download Permission

      Specifies whether to enable download control. This parameter is equivalent to the odps.security.enabledownloadprivilege parameter for an SQL statement.

      IP Address Whitelist

      Cloud product interconnection Network IP Addresses

      The whitelist of IP addresses that are authorized to access a project over the cloud product interconnection network.

      Note

      If you configure an IP address whitelist only for the cloud product interconnection network, only the IP addresses or CIDR blocks in the IP address whitelist are allowed to access MaxCompute over the cloud product interconnection network. Access requests over a virtual private cloud (VPC) are denied.

      VPC IP Addresses

      The whitelist of IP addresses that are authorized to access a project over a VPC.

      Note

      If you configure an IP address whitelist only for a VPC, only the IP addresses or CIDR blocks in the IP address whitelist are allowed to access MaxCompute over the VPC. Access requests over the cloud product interconnection network are denied.

      MaxCompute Internet

      MaxCompute Internet Address

      You can add or delete the public IP address or endpoint and port number that you want to access. For more information, see Access over the Internet.

  5. Manage roles.

    On the Role Permissions tab, you can manage roles for a project. For example, you can add and delete a role, change role information, and assign a role to a user.

    Note

    By default, only the Alibaba Cloud account has the permissions to manage roles for a project. If you want to manage roles as a RAM user, you must assign administrator roles of your project to the RAM user.

    1. On the Project Settings page, click the Role Permissions tab.

    2. On the Role Permissions tab, click Create Project-level Role.

    3. In the Create Role dialog box, create a role and grant permissions to the role as prompted.

      You can create an administrator role or a resource role. You can set Authorization Method to ACL or Policy. For more information about the permissions of various objects, see MaxCompute permissions.

      • ACL: You can use ACL-based access control to grant permissions on multiple objects in your project to a resource role at a time.

        Note

        After you submit an authorization request, do not close the progress bar or page until the authorization succeeds. Otherwise, the authorization is interrupted.

      • Policy: You can use policy-based access control in scenarios where ACL-based access control cannot meet your requirements for managing the permissions of administrator roles or resource roles. For example, if you want to grant permissions on a group of resources, such as all tables or tables whose names start with specific characters, or if you want to grant permissions by using policies that have specific restrictions, you can use policy-based access control. You can use a wildcard (*) to specify tables whose names start with specific characters.

        Examples of policy documents

        • Grant all management permissions to an administrator role.

          {
              "Statement":[
                  {
                      "Action":[
                          "odps:*"
                      ],
                      "Effect":"Allow",
                      "Resource":[
                          "acs:odps:*:projects/project_name/authorization/*"
                      ]
                  }
              ],
              "Version":"1"
          }

        • Grant the query permissions on all tables whose names start with tmp in a project to a resource role.

          {
              "Statement":[
                  {
                      "Effect":"Allow",
                      "Action":[
                          "odps:Describe",
                          "odps:Select"
                      ],
                      "Resource":[
                          "acs:odps:*:projects/project_name/tables/tmp_*",
                          "acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"
                      ]
                  }
              ],
              "Version":"1"
          }

    4. Click OK.

    Other operations on roles:

    • View information about roles

      On the Role Permissions tab, view all roles in the project, including the built-in Super_Administrator and Admin roles. Click Edit Role in the Actions column of a role. In the dialog box that appears, you can view permissions granted to the role.

      Note

      If you set Authorization Method to Policy when you create the role, the policy document is displayed in the Edit Role dialog box. If you set Authorization Method to ACL when you create the role, and the role permissions involve many tables, resources, and functions, the role permissions cannot be fully displayed. In this case, you can search for an object and check whether permissions on this object are granted to the role. You can also execute the describe role <role_name>; statement to view the permissions of a role.

    • Edit role permissions

      Click Edit Role in the Actions column of a role. If you set Authorization Method to ACL when you create the role, you can add or remove an action on an object to or from the role, and grant or revoke permissions on an object to or from the role. If the desired object is not displayed, you can execute statements. For more information, see Perform access control based on project-level roles.

      Note
      • If a MaxCompute project is associated with a DataWorks workspace, DataWorks initializes roles for the MaxCompute project. These roles have fixed permissions that comply with the business logic of DataWorks. We recommend that you do not update these roles. For more information about the roles initialized by DataWorks, see Appendix: Mappings between DataWorks built-in workspace-level roles and MaxCompute roles.

      • If ACLs are used to grant permissions on a large number of objects to the role, the Edit Role dialog box may fail to open because of a timeout. If the timeout occurs, you can only run commands to view and edit the ACL-based permissions of the role.

    • View users to which a role is assigned

      Click Manage Members in the Actions column of a role. In the Manage Members dialog box, you can view the users to which this role is assigned, assign the role to a user, or revoke the role permissions from a user.

    • Delete a role

      Click Delete in the Actions column of a role to delete the existing role in the MaxCompute project. This operation is equivalent to the execution of the drop role <role_name>; statement. For more information, see Role planning.

    • Enable or disable tenant-level roles

      On the Role Permissions tab, select Tenant from the Role Level drop-down list. Click Enable or Disable in the Actions column of a role to enable or disable this role.

      Note

      If a role is granted permissions on an object in the project, the role can take effect only after you enable the object.

  6. Configure packages.

    If you want to allow users or roles to access resources across MaxCompute projects, we recommend that you use packages. Packages are suitable for cross-project access to tables, resources, and functions, but not computing resources. You can also use packages for permission management without the need to assign permissions to users or roles. A package involves resource providers and resource visitors. The following section describes the process of cross-project resource access by using packages.

    1. The resource provider shares resources with a package.

      1. On the Package tab, click Create Package.

      2. In the Create Package dialog box, configure Package Name and specify tables, resources, and functions that you want to share.

      3. Click OK.

      4. Find the package that you created and click Specify Project in the Actions column.

      5. In the Specify Project dialog box, enter the names of the projects that can use this package in the Project Name field.

      6. Click Confirm.

    2. The resource visitor accesses resources.

      1. On the Package tab, click Install Package.

      2. In the Install Package dialog box, enter the name of the package that you want to access.

      3. Click OK.

      4. (Optional) Grant permissions on the package to a role and assign the role to a user. For more information, see Manage roles.

  7. View project members.

    To grant a user access to MaxCompute project data, you need to add the user to the project and assign the appropriate permissions. On the Project Settings page, click the Project Member tab. On the Project Member tab, you can view the permissions for all users within the project.
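
The two policy documents shown under Manage roles can be reviewed offline before they are attached to a role. The following Python sketch is an added example, not Alibaba Cloud code: it assumes that `*` matches any run of characters and evaluates only Allow statements, as in the page's examples. The sample table names, the `authorization/example` resource in the demo, and all function names are constructed.

```python
import json
import re

# The two policy documents from this page ("project_name" is the page's placeholder).
ADMIN_POLICY = json.loads("""{"Statement": [{"Action": ["odps:*"], "Effect": "Allow",
  "Resource": ["acs:odps:*:projects/project_name/authorization/*"]}], "Version": "1"}""")
TMP_READ_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Action": ["odps:Describe", "odps:Select"],
  "Resource": ["acs:odps:*:projects/project_name/tables/tmp_*",
               "acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"]}],
  "Version": "1"}""")

# Constructed table names, used to see what the tmp_* grant really covers.
SAMPLE_TABLES = ["tmp_stage_1", "tmp_payroll_export", "orders", "xtmp_a"]


def wildcard_match(pattern, value):
    """Assumption: '*' stands for any run of characters; nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def allows(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(wildcard_match(a, action) for a in stmt.get("Action", []))
                and any(wildcard_match(r, resource) for r in stmt.get("Resource", []))):
            return True
    return False


def table_resource(project, table):
    """Build a table resource string in the form used by the page's examples."""
    return f"acs:odps:*:projects/{project}/tables/{table}"


def readable_tables(policy, project, tables):
    """List the tables on which the policy grants odps:Select."""
    return [t for t in tables
            if allows(policy, "odps:Select", table_resource(project, t))]


def review(policy):
    """Report Allow grants that are wider than a single named action or object."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt.get("Action", []):
            if "*" in action:
                findings.append((index, "wildcard-action", action))
        for resource in stmt.get("Resource", []):
            # Skip the region field ("acs:odps:*:") and inspect the object path only.
            path = resource.split(":", 3)[-1]
            if "*" in path:
                findings.append((index, "wildcard-resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("tmp_read", TMP_READ_POLICY)):
        for finding in review(policy):
            print(name, finding)
    print("Select allowed on:",
          readable_tables(TMP_READ_POLICY, "project_name", SAMPLE_TABLES))
    print("admin policy on authorization/example:",
          allows(ADMIN_POLICY, "odps:Select",
                 "acs:odps:*:projects/project_name/authorization/example"))
```

In this run `tmp_payroll_export` is readable: a prefix grant follows the table name, not the sensitivity of the data, so it is only as tight as the project's naming discipline.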

Change project status

MaxCompute allows you to perform the following operations on a project:

  • Freeze: If you click Freeze in the Actions column of a project, the project is stopped, services are suspended, and jobs that belong to the project cannot be run. Data in the project is inaccessible but is still retained. As a result, storage fees are incurred. After a project is frozen, the project status changes to Stopped.

  • Restore: After you click Restore in the Actions column of a project that is stopped or to be deleted, the project status changes to Normal.

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. On the Projects page, find the desired project and click Freeze or Restore in the Actions column.

  4. In the Confirm message, click OK.

Delete a project

When you delete a project, you can delete the project immediately. In this case, the project is completely deleted and cannot be restored.

Note

If you immediately delete a project, the project data is cleared at the same time. The data clearance time varies based on the amount of data in the project. If you immediately create a project that has the same name as the project that you delete, an error is reported. You need to change the name of the project that you want to create and try again later.

If you delete a MaxCompute project, the following situations occur:

  • If you immediately delete a project, data in all tables in the project is immediately deleted and cannot be restored.

  • All tasks submitted to the MaxCompute project fail because the project does not exist.

  • If the MaxCompute project is associated with a DataWorks workspace, the DataWorks workspace cannot be used and cannot be restored after the MaxCompute project is deleted. We recommend that you log on to the DataWorks console to disassociate the project from the DataWorks workspace before you delete the MaxCompute project.

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. On the Projects page, find the desired project and click Delete in the Actions column.

  4. In the Delete Project dialog box, select a deletion method, select the check box for confirmation, and then click OK.

Manage project tags

You can add tags to MaxCompute projects and remove tags from MaxCompute projects. For more information about how to use a tag and the limits on using a tag, see Tag overview.

  1. Log on to the MaxCompute console. In the top navigation bar, select a region.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. Add a tag.

    • Add a tag for a project.

      1. Move the pointer over the Edit icon in the Tag column of the project and select Edit.

      2. In the Configure Tags dialog box, specify Tag Key and Tag Value.

      3. Click OK. In the Configure Tags successfully message, click Close.

    • Add tags for multiple projects at a time.

      1. Select the projects to which you want to add tags and click Batch Add Tag in the lower part of the page.

      2. In the Configure Tags dialog box, specify Tag Key and Tag Value.

      3. Click OK. In the Configure Tags successfully message, click Close.

  4. Filter projects by tag.

    After you add tags to projects, you can select a tag key or a tag value from the tag filter drop-down list to filter projects.

  5. Optional. Remove tags.

    • Remove a tag from a project.

      1. Move the pointer over the Edit icon in the Tag column of the project and click Edit.

      2. In the Configure Tags dialog box, click the Delete icon next to the desired tag.

      3. Click OK. In the Configure Tags successfully message, click Close.

    • Remove tags from multiple projects at a time.

      1. Select the projects from which you want to remove tags and click Batch Remove Tag in the lower part of the page.

      2. In the Delete Tags for Multiple Resources dialog box, select the tags that you want to remove.

      3. Click Unbind x tags. In the Configure Tags successfully message, click Close.