Troubleshooting MaxCompute and DataWorks Permission Problems

Alibaba Cloud MaxCompute and DataWorks are two independent products, and their permission systems have similarities as well as differences. Before troubleshooting permission problems, you must first understand the permission system of each product.

MaxCompute and DataWorks Permission Systems

MaxCompute

MaxCompute has its own security systems, including ACL and policy authorization systems. For more information, visit https://www.alibabacloud.com/help/doc-detail/27924.htm

DataWorks

DataWorks is an upper-layer cloud warehouse development tool for MaxCompute. It has its own permission model and supports the MaxCompute underlying data authorization system. For more information, visit https://www.alibabacloud.com/help/doc-detail/92594.htm.

Viewing Roles on MaxCompute

Run “list roles” on the MaxCompute console to view the MaxCompute role system. Items that start with “role_” are roles that are encapsulated by DataWorks based on MaxCompute. The roles are described as follows:

Role name                 Corresponding product and permission
admin                     Default MaxCompute admin role
role_project_admin        DataWorks project administrator
role_project_deploy       DataWorks deployer role
role_project_dev          DataWorks developer role
role_project_guest        DataWorks guest role
role_project_pe           DataWorks O&M role
role_project_scheduler    DataWorks scheduler account
role_project_security     DataWorks security administrator

The admin role is the default admin role of MaxCompute. This role can access all objects in the project and can manage and authorize users or roles. Unlike the project owner, the admin role cannot assign the admin permissions to any user, specify the security configurations of the project, or change the authentication model of the project. The permissions of the admin role cannot be modified. Generally, if nothing has been modified, the only account that is assigned the admin role is the project owner.

odps@ clouder_bi>describe role admin;
[users]
ALIYUN$***@aliyun-test.com
Authorization Type: Admin

The MaxCompute project owner can assign the admin role to other sub-accounts, allowing them to perform permission model management for MaxCompute.

You can run “describe role” to view the permissions and user list of a role that starts with “role_”. Using role_project_dev as an example:

odps@ clouder_bi>describe role role_project_dev;

[users]
RAM$yangyi.pt@aliyun-test.com:yangyitest
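
The following Python sketch is an added example, not part of the original article: it parses saved “describe role” output in the layout shown above, maps each principal to its roles, and lists who holds the admin role besides the project owner. The sample text, account names, and function names are constructed for illustration.

```python
import re

# Constructed sample: `describe role` output per role, laid out like the
# console transcripts above. Account names are made up for this example.
SAMPLE = {
    "admin": "[users]\nALIYUN$owner@example.com\n"
             "RAM$owner@example.com:ops_sub\nAuthorization Type: Admin\n",
    "role_project_dev": "[users]\nRAM$owner@example.com:dev_sub\n"
                        "RAM$owner@example.com:ops_sub\n",
}

# ALIYUN$<account> is a primary account; RAM$<primary>:<sub> is a sub-account.
PRINCIPAL = re.compile(r"^(ALIYUN|RAM)\$([^:\s]+)(?::(\S+))?$")


def parse_describe_role(text):
    """Return (users, authorization_types) parsed from one role's output."""
    section, users, auth_types = None, [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # e.g. "users"
        elif line.lower().startswith("authorization type:"):
            auth_types.add(line.split(":", 1)[1].strip())
        elif section == "users":
            m = PRINCIPAL.match(line)
            if m:                                 # skips blanks and unknown lines
                kind, primary, sub = m.groups()
                users.append({"raw": line, "kind": kind,
                              "primary": primary, "sub": sub})
    return users, auth_types


def audit_roles(outputs, project_owner):
    """Map each principal to its roles; flag Admin holders other than the owner."""
    membership, findings = {}, []
    for role, text in outputs.items():
        users, auth_types = parse_describe_role(text)
        for u in users:
            membership.setdefault(u["raw"], []).append(role)
            if "Admin" in auth_types and u["raw"] != project_owner:
                findings.append((role, u["raw"]))
    return membership, findings


if __name__ == "__main__":
    membership, findings = audit_roles(SAMPLE, "ALIYUN$owner@example.com")
    for role, who in findings:
        print(f"review: {who} holds {role} (Authorization Type: Admin)")
    for who, roles in membership.items():
        print(f"{who}: {', '.join(roles)}")
```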

Troubleshooting Permission-related Problems

After learning the permission systems of the two products, you can troubleshoot permission-related problems in the following way:

Viewing the permissions granted to the current user or a specified user

By running the commands below, you can see the roles and permissions of the user.

show grants; --View permissions of the current user.
show grants for <username>; --View access permissions of a specified user. Only the project owner and admin are authorized to perform this operation.
show grants for RAM$Primary account:Sub-account;

Viewing the authorization list of a specified object

Generally, this displays the list of users who are authorized to access the current table.

show acl for <objectName> [on type <objectType>];--View the list of authorized users and roles of a specified object
Supported object types: project, table, job, volume, instance, resource, function, package, topology, matrix, xflow, offline model, and stream job

Checking whether the ACL is effective

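Permission verification often fails even if OK is returned after authorization. In that case, view the project's security configuration to check whether ACL authorization is in effect.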

show SecurityConfiguration;--View the security configuration of the project

In addition to the command line, you can check whether the ACL switch is enabled on the DataWorks > Project Management > MaxCompute Config page.

Querying the policy configuration of the current project

There are two common types of policy authorization: project-level and role-level.

get policy;--Obtain the project-level policy configuration
get policy on role <rolename>;--Obtain the policy configuration of the specified role

Reference: https://www.alibabacloud.com/blog/troubleshooting-maxcompute-and-dataworks-permission-problems_594465?spm=a2c41.12560576.0.0
