Out-of-the-Box MaxCompute Data Security Solution

Prevent Data from Being Downloaded Locally

Prevent Data Leakage or Local Downloads

set ProjectProtection=true 
--Sets ProjectProtection to allow data import and prohibit data export.
--The default value of ProjectProtection is false.

Data Export Method with Data Protection Enabled

SET ProjectProtection=true WITH EXCEPTION <policyFile>
--<policyFile> contains a policy document; the one below allows Alice to read table_test only from tasks of type DT or SQL.
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "ALIYUN$Alice@aliyun.com",
    "Action": ["odps:Select"],
    "Resource": "acs:odps:*:projects/alipay/tables/table_test",
    "Condition": {
      "StringEquals": {
        "odps:TaskType": ["DT", "SQL"]
      }
    }
  }]
}

show grants [for <username>] [on type <objectType>]
--Displays granted permissions, optionally for one user or one object type.

list trustedprojects;
--Displays all trusted projects.
add trustedproject <projectname>;
--Adds a trusted project.
remove trustedproject <projectname>;
--Removes a trusted project.

IP Whitelist Control

  1. After an IP whitelist is configured for a project, only IP addresses (console or SDK outbound IP addresses) in the whitelist can be used to access the project.
  2. An IP whitelist takes effect five minutes after the configuration is completed.
  3. Add the IP address of your PC to the whitelist to avoid blocking your PC from accessing your project.
setproject odps.security.ip.whitelist=101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144;

The whitelist accepts three kinds of entries, separated by commas:

  1. IP address: for example, 101.132.236.134
  2. Subnet mask: for example, 100.116.0.0/16
  3. Network segment: for example, 101.132.236.134-101.132.236.144
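Because a mistyped whitelist locks the project administrator out for at least the five-minute propagation window, it pays to parse and check the value before running setproject. The following is an added example written for this article, not MaxCompute code: it parses the three entry forms listed above with Python's standard ipaddress module and reports which of your own outbound addresses would be blocked. The sample value is the one from the setproject command; the addresses in the usage call are constructed.

```python
import ipaddress

# Constructed sample: the value from the setproject command above.
WHITELIST = "101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144"


def parse_whitelist(value):
    """Parse odps.security.ip.whitelist into a list of inclusive (low, high) IPv4 pairs.

    Accepts the three entry forms the text lists: a single address, a subnet in
    CIDR notation, and a start-end network segment. Malformed entries raise
    ValueError so a typo is caught before the setting is applied.
    """
    ranges = []
    for raw in value.split(","):
        item = raw.strip().replace("\u2013", "-")  # tolerate an en dash pasted from a document
        if not item:
            continue
        if "-" in item:
            start_text, end_text = item.split("-", 1)
            start = ipaddress.IPv4Address(start_text.strip())
            end = ipaddress.IPv4Address(end_text.strip())
            if end < start:
                raise ValueError(f"segment end precedes start: {item}")
            ranges.append((start, end))
        elif "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            ranges.append((net.network_address, net.broadcast_address))
        else:
            addr = ipaddress.IPv4Address(item)
            ranges.append((addr, addr))
    return ranges


def is_allowed(source_ip, ranges):
    """True if source_ip falls inside any whitelisted range."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(low <= ip <= high for low, high in ranges)


def lockout_risk(value, my_ips):
    """Return the addresses in my_ips that the whitelist would block.

    Run this with the outbound addresses of your own console/SDK hosts before
    applying the setting; a non-empty result means you would lock yourself out.
    """
    ranges = parse_whitelist(value)
    return [ip for ip in my_ips if not is_allowed(ip, ranges)]


if __name__ == "__main__":
    # Constructed addresses: one inside the whitelist, one outside it.
    print(lockout_risk(WHITELIST, ["101.132.236.134", "203.0.113.5"]))
```

Remember that the address to check is the outbound address seen by MaxCompute (a NAT gateway or proxy address), not the host's private address.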

Refined Management

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "ALIYUN$alice@aliyun.com",
    "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
    "Resource": "acs:odps:*:projects/prj1",
    "Condition": {
      "DateLessThan": {
        "acs:CurrentTime": "2013-11-11T23:59:59Z"
      },
      "IpAddress": {
        "acs:SourceIp": "10.32.180.0/23"
      }
    }
  },
  {
    "Effect": "Deny",
    "Principal": "ALIYUN$alice@aliyun.com",
    "Action": "odps:Drop",
    "Resource": "acs:odps:*:projects/prj1/tables/*"
  }]
}
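To see how the two policy documents on this page (the ProjectProtection exception policy and the refined-management policy just above) decide a request, here is an added example, written for this article rather than taken from MaxCompute: a small evaluator for Allow/Deny statements with the StringEquals, DateLessThan and IpAddress conditions the documents use. It assumes the usual semantics of such policies, which are default deny and an explicit Deny overriding any Allow, and that "*" is the only wildcard in Action and Resource; the region names and request attributes in the usage call are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed copies of the two policy documents shown on this page.
EXCEPTION_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "ALIYUN$Alice@aliyun.com",
        "Action": ["odps:Select"],
        "Resource": "acs:odps:*:projects/alipay/tables/table_test",
        "Condition": {"StringEquals": {"odps:TaskType": ["DT", "SQL"]}},
    }],
}

REFINED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "ALIYUN$alice@aliyun.com",
        "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
        "Resource": "acs:odps:*:projects/prj1",
        "Condition": {
            "DateLessThan": {"acs:CurrentTime": "2013-11-11T23:59:59Z"},
            "IpAddress": {"acs:SourceIp": "10.32.180.0/23"},
        },
    }, {
        "Effect": "Deny",
        "Principal": "ALIYUN$alice@aliyun.com",
        "Action": "odps:Drop",
        "Resource": "acs:odps:*:projects/prj1/tables/*",
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """Match with '*' as the only wildcard, e.g. acs:odps:*:projects/prj1/tables/*."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _parse_time(text):
    """Parse an ISO 8601 timestamp such as 2013-11-11T23:59:59Z into aware UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def _condition_holds(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        return False  # a condition key absent from the request never matches
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected))
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_matches(stmt, principal, action, resource, context):
    if principal not in _as_list(stmt["Principal"]):
        return False
    if not any(_glob(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    # Every operator/key pair in the Condition block must hold.
    return all(
        _condition_holds(op, key, expected, context)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def evaluate(policy, principal, action, resource, context=None):
    """Return True if the request is allowed (assumed: default deny, Deny wins over Allow)."""
    context = context or {}
    effects = {
        stmt["Effect"]
        for stmt in policy["Statement"]
        if _statement_matches(stmt, principal, action, resource, context)
    }
    if "Deny" in effects:
        return False
    return "Allow" in effects


if __name__ == "__main__":
    # Constructed request: alice creating a table in prj1 from the permitted subnet, before the deadline.
    ctx = {"acs:CurrentTime": "2013-11-01T08:00:00Z", "acs:SourceIp": "10.32.181.7"}
    print(evaluate(REFINED_POLICY, "ALIYUN$alice@aliyun.com", "odps:CreateTable",
                   "acs:odps:cn-shanghai:projects/prj1", ctx))
```

Two behaviours worth noting: a request that carries no odps:TaskType does not satisfy the exception policy, so a download attempt that arrives through some other task type is refused rather than waved through, and the Deny on odps:Drop applies even though the Allow statement never mentions Drop, which is what makes the Deny a safe guard against a later, broader Allow.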

Data Security Guard (Data Masking)

Fine-Grained Permission Control

Column-Based Access Control

set LabelSecurity=true; 
--Enables LabelSecurity.
set label 2 to table user_profile(mobile, user_addr, birthday);
--Sets the sensitivity levels of the mobile, user_addr, and birthday columns of the user_profile table to 2.
set label 3 to table user_profile(id_card, credit_card);
--Sets the sensitivity levels of the id_card and credit_card columns of the user_profile table to 3.
GRANT LABEL 2 ON TABLE user_profile TO USER alice WITH EXP 7;
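The label commands above define a sensitivity level per column and a time-limited level per user. The following added example, written for this article and not part of MaxCompute, models that check: it takes the column labels from the two set label commands, records a GRANT LABEL ... WITH EXP grant, and reports which columns of a SELECT would exceed the user's level. It assumes that a user may read a column only when their unexpired label on the table is at least the column's label, that columns with no label are level 0, and that a query touching any over-level column is rejected as a whole; the dates are constructed.

```python
from datetime import date, timedelta

# Constructed from the two "set label" commands above.
COLUMN_LABELS = {"mobile": 2, "user_addr": 2, "birthday": 2, "id_card": 3, "credit_card": 3}

# Constructed "today" so the example is reproducible.
TODAY = date(2024, 1, 1)


def expires_on(today, exp_days):
    """Assumed reading of WITH EXP <n>: the grant is valid through today + n days."""
    return today + timedelta(days=exp_days)


def grant_label(grants, user, table, label, exp_days, today):
    """Record GRANT LABEL <label> ON TABLE <table> TO USER <user> WITH EXP <exp_days>."""
    grants[(user, table)] = (label, expires_on(today, exp_days))


def effective_label(grants, user, table, today):
    """Label the user currently holds on the table; 0 if none was granted or it expired."""
    label, expires = grants.get((user, table), (0, today))
    return label if today < expires else 0


def check_select(grants, user, table, columns, column_labels, today):
    """Return (allowed, blocked): blocked lists the columns whose sensitivity
    exceeds the user's effective label. Unlabeled columns are level 0 (assumed)."""
    level = effective_label(grants, user, table, today)
    blocked = [c for c in columns if column_labels.get(c, 0) > level]
    return (not blocked, blocked)


if __name__ == "__main__":
    grants = {}
    grant_label(grants, "alice", "user_profile", 2, 7, TODAY)
    # Level-2 columns are readable, id_card (level 3) is not.
    print(check_select(grants, "alice", "user_profile", ["mobile", "id_card"], COLUMN_LABELS, TODAY))
    # After the seven days the grant lapses and even level-2 columns are blocked.
    print(check_select(grants, "alice", "user_profile", ["mobile"], COLUMN_LABELS, expires_on(TODAY, 7)))
```

The expiry is the part that is easy to overlook in a review: a grant that was correct when issued silently stops working, so re-check effective labels rather than the original GRANT statements when a user reports a sudden permission error.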

User-Defined Role Management Based on Role Policies

  1. Grant access permissions to one group of objects, such as all functions or tables with names starting with taobao, at one time.
  2. Authorization based on conditions includes time-based access, access using specified IP addresses, and SQL-based access to a specified table (access through other tasks will be denied).
get policy --Reads the policy of the project.
put policy <policyFile> --Configures (overwrites) a project policy.
get policy on role <roleName> --Reads the policy for a project role.
put policy <policyFile> on role <roleName> --Configures (overwrites) a policy for the project role.
  1. Click New, enter a role name, and select accounts (sub-account users) to be added to the role.
  2. Role authorization can be table or project based.
  3. For table-based role authorization, select target tables and select actions that can be performed for each table.

JDBC 2.4 (Enhanced Data Security)

Procedure of using JDBC to enhance data security:

  1. Download JDBC 2.4 (recommended).
  2. Set the JDBC URL. The tunnel endpoint is given by the tunnelEndpoint parameter, for example:
     jdbc:odps:http://service.cn.maxcompute.aliyun-inc.com/api?tunnelEndpoint=http://dt.cn-shanghai.maxcompute.aliyun-inc.com
     For the regions where MaxCompute is available and the corresponding tunnel endpoints, visit https://help.aliyun.com/document_detail/34951.html.
  3. Enable project protection without exception (see chapter 1, “Prevent Data from Being Downloaded Locally”):
     SET ProjectProtection=true
  4. Set an upper limit on the number of data entries returned:
     setproject READ_TABLE_MAX_ROW=1000
  5. Query data using JDBC. A maximum of 1,000 data entries can be returned.

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com
