Alibaba Cloud MaxCompute and DataWorks are two independent products, and their permission systems have similarities as well as differences. Before handling the permission problems, you must first understand the respective permission systems of these two products.
MaxCompute and DataWorks Permission Systems
MaxCompute has its own security systems, including ACL and policy authorization systems. For more information, visit https://www.alibabacloud.com/help/doc-detail/27924.htm.
DataWorks is an upper-layer cloud warehouse development tool for MaxCompute. It has its own permission model and supports the MaxCompute underlying data authorization system. For more information, visit https://www.alibabacloud.com/help/doc-detail/92594.htm.
Viewing Roles on MaxCompute
Run “list roles” on the MaxCompute console to view the MaxCompute role system. Items that start with “role_” are roles that are encapsulated by DataWorks based on MaxCompute. The roles are described as follows:
Role name: Corresponding product and permission
admin: Default MaxCompute admin role
role_project_admin: DataWorks project administrator
role_project_deploy: DataWorks deployer role
role_project_dev: DataWorks developer role
role_project_guest: DataWorks guest role
role_project_pe: DataWorks O&M role
role_project_scheduler: DataWorks scheduler account
role_project_security: DataWorks security administrator
The admin role is the default admin role of MaxCompute. This role can access all objects in the project and manage and authorize users or roles. Compared with the project owner, the admin role cannot assign the admin permissions to any user, specify the security configurations of the project, or change the authentication model of the project. The permissions of the admin role cannot be modified. By default, if the role assignments have not been changed, the only account that holds the admin role is the project owner.
odps@ clouder_bi>describe role admin;
Authorization Type: Admin
The MaxCompute project owner can assign the admin role to other sub-accounts, allowing them to perform permission model management for MaxCompute.
You can run “describe role” to view the permissions and user list of a role that starts with “role_”. Using the role_project_dev as an example:
odps@ clouder_bi>describe role role_project_dev;
RAM$email@example.com:yangyitest
Authorization Type: Policy
A projects/clouder_bi: *
A projects/clouder_bi/instances/*: *
A projects/clouder_bi/jobs/*: *
A projects/clouder_bi/offlinemodels/*: *
A projects/clouder_bi/packages/*: *
A projects/clouder_bi/registration/functions/*: *
A projects/clouder_bi/resources/*: *
A projects/clouder_bi/tables/*: *
A projects/clouder_bi/volumes/*: *
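When auditing many roles it helps to parse the describe role output shown above instead of reading it by eye. The following Python is an added example, not code from the page or from Alibaba Cloud: it parses the member lines, the authorization type and the policy statements, then answers "does this role allow action X on resource Y?". It assumes that a leading A means Allow and a leading D means Deny, that the resource part is a glob, and that a matching Deny overrides any Allow; the sample text (including the Deny line) is constructed.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample modelled on the `describe role role_project_dev` output above,
# with one extra (constructed) Deny statement to exercise the evaluator.
SAMPLE_DESCRIBE_ROLE = """\
RAM$email@example.com:yangyitest
Authorization Type: Policy
A projects/clouder_bi: *
A projects/clouder_bi/instances/*: *
A projects/clouder_bi/tables/*: *
D projects/clouder_bi/tables/pii_*: Drop
"""

# Policy statement line: "<A|D> <resource glob>: <comma-separated actions or *>"
POLICY_LINE = re.compile(r"^(?P<effect>[AD])\s+(?P<resource>\S+?):\s*(?P<actions>.+)$")


@dataclass
class Statement:
    effect: str          # "A" (assumed Allow) or "D" (assumed Deny)
    resource: str        # glob such as projects/clouder_bi/tables/*
    actions: frozenset   # lower-cased action names, or {"*"} for any action


def parse_describe_role(text):
    """Split describe role output into (authorization type, members, statements)."""
    auth_type, members, statements = None, [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = POLICY_LINE.match(line)
        if m:
            acts = frozenset(a.strip().lower() for a in m["actions"].split(","))
            statements.append(Statement(m["effect"], m["resource"], acts))
        elif line.startswith("Authorization Type:"):
            auth_type = line.split(":", 1)[1].strip()
        else:
            members.append(line)  # RAM$account:subaccount style member entries
    return auth_type, members, statements


def is_allowed(statements, resource, action):
    """Evaluate a (resource, action) pair; a matching Deny wins over any Allow (assumed)."""
    action, allowed = action.lower(), False
    for st in statements:
        if not fnmatch.fnmatchcase(resource, st.resource):
            continue
        if "*" not in st.actions and action not in st.actions:
            continue
        if st.effect == "D":
            return False
        allowed = True
    return allowed
```

Run `is_allowed` over the statements returned for each role and each sensitive table to spot grants that are wider than the DataWorks role name suggests.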
Troubleshooting Permission-related Problems
After learning the permission systems of the two products, you can troubleshoot permission-related problems in the following way:
Viewing the permissions granted to the current user or a specified user
By running the commands below, you can see the roles and permissions of the user.
show grants; --View permissions of the current user.
show grants for <username>; --View access permissions of a specified user. Only the project owner and admin are authorized to perform this operation.
show grants for RAM$Primary account:Sub-account;
Viewing the authorization list of a specified object
This is typically used to list the users and roles that have been granted access to a given table.
show acl for <objectName> [on type <objectType>]; --View the list of authorized users and roles of a specified object
Supported object types: project, table, job, volume, instance, resource, function, package, topology, matrix, xflow, offline model, and stream job
Checking whether the ACL is effective
A grant command may return OK while permission checks still fail, because the grant only takes effect if ACL checks are enabled in the project's security configuration.
show SecurityConfiguration; --View the security configuration of the project
In addition to the command line, you can check whether the ACL switch is enabled on the DataWorks > Project Management > MaxCompute Config page.
Querying the policy configuration of the current project
There are two common types of policy authorization: project-level and role-level.
get policy; --Obtain the project-level policy configuration
get policy on role <rolename>; --Obtain the policy configuration of the specified role