Limiting Access for a DataWorks UDF to Specific Accounts

Common Solutions

  1. The “package” solution, to perform fine-grained control of permissions through package authorization.
  2. Create a new role on DataWorks (Management > MaxCompute Advanced Configuration > Custom User Role) for advanced control.
  3. The “role policy” solution, to customize the permission set of a role through a role policy.

Solution Limitations

Package Solution

The “package” solution performs fine-grained control of permissions through package authorization.
Package basics: packages are commonly used to authorize users to share data and resources across projects. After packaging, however, we can see that a user who has been given the DataWorks developer role receives all of the permissions at once; this cannot be narrowed.

  1. First, the permissions of the well-known DataWorks developer role are as follows:
     • A projects/sz_mc/packages/*: *
     • A projects/sz_mc/registration/functions/*: *
     • A projects/sz_mc/resources/*: *
     • A projects/sz_mc/tables/*: *
  2. From the perspective of permission configuration, this obviously does not meet our requirements: by default the user has all permissions on the packages, functions, resources and tables in the project.

New Role on DataWorks

Create a new role on DataWorks (Management > MaxCompute Advanced Configuration > Custom User Role) for advanced control. However, in the advanced configuration of DataWorks-MaxCompute, only a table or a project can be authorized; resources and UDFs cannot be authorized individually.

Role Policy Solution

The “role policy” solution. Through a policy, we can finely manage the specific permission granularity of specific users for specific resources, which meets our scenario requirements. However, the policy mechanism is not covered in the official documentation, so the main consideration is whether the user is familiar with policies. If not, it is likely to cause problems and reduce development efficiency.

Role Policy Solution Implementation Details

For safety, beginners are advised to verify the policy in a test project first. The following operations are performed in the MaxCompute console; for details, see the console configuration.

Step 1: Create a Default Deny UDF Role

Create a denyudfrole role, write the deny policy to a file (role_policy.json), attach it to the role, and grant the role to the account that must not see the UDF:

odps@ sz_mc>create role denyudfrole;

Contents of role_policy.json:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["odps:Read", "odps:List"],
      "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
    },
    {
      "Effect": "Deny",
      "Action": ["odps:Read", "odps:List"],
      "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
    }
  ]
}

odps@ sz_mc>put policy /Users/yangyi/Desktop/role_policy.json on role denyudfrole;
odps@ sz_mc>grant denyudfrole to RAM$yangyi.pt@aliyun-test.com:ramtest;

Step 2: Verifying Role on Console

Log in to the console to confirm the role.

Step 3: Configure a Project Policy

Write the project policy (project_policy.json) that allows the chosen account to read and use the jar and the function, then apply it to the project:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
      "Action": ["odps:Read", "odps:List", "odps:Select"],
      "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
    },
    {
      "Effect": "Allow",
      "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
      "Action": ["odps:Read", "odps:List", "odps:Select"],
      "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
    }
  ]
}

odps@ sz_mc>put policy /Users/yangyi/Desktop/project_policy.json;
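Before putting a policy on a production project it is worth checking the JSON offline: that each statement is well-formed, and that the deny in the role policy (Step 1) and the allow in the project policy (Step 3) produce the outcome you expect for a given account, action and resource. The script below is an added example, not code from the article or from Alibaba Cloud. It reuses the article's project name, principals and resource names; the evaluation rules (deny overrides allow, no matching statement reported as "NoMatch", `*` matching any characters in a resource or principal pattern) are this script's own assumptions and do not replace testing in a real MaxCompute project, where other grants such as the DataWorks developer role's ACLs also apply.

```python
import fnmatch
import json

# Constructed policy documents with the same shape as the article's Step 1
# (role policy, no Principal) and Step 3 (project policy, with Principal).
ROLE_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Deny",
     "Action": ["odps:Read", "odps:List"],
     "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"},
    {"Effect": "Deny",
     "Action": ["odps:Read", "odps:List"],
     "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"}
  ]
}
"""

PROJECT_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
     "Action": ["odps:Read", "odps:List", "odps:Select"],
     "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"},
    {"Effect": "Allow",
     "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
     "Action": ["odps:Read", "odps:List", "odps:Select"],
     "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"}
  ]
}
"""

# Role membership, mirroring the article's `grant denyudfrole to ...` command.
ROLE_MEMBERS = {"RAM$yangyi.pt@aliyun-test.com:ramtest": ["denyudfrole"]}


def validate_policy(policy, require_principal):
    """Return a list of problems found in a policy document (empty = well-formed)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"statement {i}: Action must be a non-empty list")
        if not isinstance(stmt.get("Resource"), str):
            problems.append(f"statement {i}: Resource must be a string")
        if require_principal and "Principal" not in stmt:
            problems.append(f"statement {i}: project policy statements need a Principal")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, principal, action, resource):
    """True if the statement covers this principal, action and resource.
    Assumption: `*` matches any run of characters, which is how the
    `acs:odps:*:projects/...` form covers every region."""
    if "Principal" in stmt and not any(
            fnmatch.fnmatchcase(principal, p) for p in _as_list(stmt["Principal"])):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(principal, action, resource, project_policy, role_policies, role_members):
    """Combine project and role policies. Assumption: any matching Deny wins,
    otherwise a matching Allow, otherwise 'NoMatch' (nothing in these documents decides)."""
    effects = set()
    for stmt in project_policy["Statement"]:
        if statement_matches(stmt, principal, action, resource):
            effects.add(stmt["Effect"])
    for role in role_members.get(principal, []):
        # Role policies carry no Principal: they apply to every member of the role.
        for stmt in role_policies[role]["Statement"]:
            if statement_matches(stmt, principal, action, resource):
                effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "NoMatch"


def decide(principal, action, resource):
    """Evaluate one request against the article's two policies and role grant."""
    return evaluate(principal, action, resource,
                    json.loads(PROJECT_POLICY_JSON),
                    {"denyudfrole": json.loads(ROLE_POLICY_JSON)},
                    ROLE_MEMBERS)


if __name__ == "__main__":
    jar = "acs:odps:cn-shanghai:projects/sz_mc/resources/getaddr.jar"
    for who in ROLE_MEMBERS.keys() | {"RAM$yangyi.pt@aliyun-test.com:yangyitest"}:
        print(who, "odps:Read", jar, "->", decide(who, "odps:Read", jar))
```

Run it as a script to see the decision for each of the two accounts, or import it and call `decide()` from a test before running `put policy`; a "NoMatch" result means neither document says anything about that request, so the outcome will be decided by whatever other grants the account holds.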

Summary

At this point, some readers may have a clear understanding of the security systems of DataWorks and MaxCompute, while others may still be confused. The summary is as follows:

  1. If you do not want an account to access specific resources, grant it the “Data Developer” permission in DataWorks, and then configure a “Deny Access” permission on the MaxCompute console through a role policy.
  2. If you want a specific account to access the resources, grant it the “Data Developer” permission in DataWorks, and then configure an “Allow Access” permission on the MaxCompute console through the project policy.
  3. The specific examples are detailed above; they meet our refined management requirements.

Alibaba Cloud