MaxCompute has a powerful security system to protect data in projects. Before using MaxCompute, you should learn some basic concepts about privileges:
- A privilege includes three elements: subject (user account or role), object (table, resource, or function), and operation (depending on the specific object type). For details, see https://www.alibabacloud.com/help/doc-detail/27935.htm
- There are two authorization methods: ACL (based on the object and grant statement) and policy (based on the policy file).
- To authorize a package of another project, see https://www.alibabacloud.com/help/doc-detail/34602.htm
- You can use column labels to implement access control for different columns in a table. See https://www.alibabacloud.com/help/doc-detail/34604.htm
MaxCompute Studio is a big data integrated development environment (IDE) tool that is provided by the Alibaba Cloud MaxCompute platform and installed on the developer’s client. MaxCompute Studio provides the following functions to help you better understand and use MaxCompute permissions:
You can use the statement “show grants” to show the permissions of a project. Privilege-related statements are integrated in the Studio Editor. Users can call the live template using a shortcut (Ctrl + J for Windows, and Command + J for Mac):
In addition, MaxCompute Studio also provides graphical display of user privileges. As shown in the following figure, click “Show privileges” on the toolbar. On the displayed “Show user privileges in this MaxCompute project” dialog box, click the “search” button, and the privileges of the user in the project are displayed below:
The “json” tab shows all privileges, and the “table” tab shows the privileges of the user on the table. When you hover the mouse over the “table” tab, the privilege description is displayed:
Privilege Exception Diagnosis
If a task reports an authentication exception due to a lack of privileges, you can use Studio’s privilege exception diagnosis to quickly find a solution. As shown in the following figure, click the “Privilege exception diagnosis” button on the toolbar. On the displayed “Permission exception diagnosis” dialog box, enter the complete authentication exception information in the upper text box and click “OK”. Possible solutions are then displayed in the lower text box:
Writing Privilege Statements
MaxCompute provides a series of privilege statements, which have been integrated in the MaxCompute SQL Editor. Users can execute these statements in Studio to manage privileges. Specifically, use the shortcut key (Windows: Ctrl + J, Mac: Command + J) to call the live template, and then search:
In addition, smart code prompts are also supported when writing an authorization statement:
Generating Authorization Statements
In addition to manually written authorization statements, Studio also supports graphical authorization. Click “Show privileges” on the toolbar. On the displayed “Show user privileges” dialog box, click the “grant privilege” tab and select the authorization object. The SQL panel below displays the corresponding authorization statement as you make your selection. Click “execute grant command”, and wait for the backend to complete.
Privileges in Studio
- When the user adds a MaxCompute project, Studio will try to list all objects in the project to the local machine, which means that the user must have the “list” privilege for the project.
- To display table details, the user must have the “describe” privilege for the table. To display custom functions, the user must have the “read” privilege for the functions. The user also needs privileges for any table or function used in writing SQL statements in the Editor.
- To run an SQL statement in the Editor, the user must have the “select” privilege for the table involved. The user also needs the “CreateInstance” privilege for the project to submit the SQL task.
- To release a developed UDF, the user needs the “write” privilege for the function.
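The privileges listed above can be collected into a single role so that a Studio user receives only what the IDE needs. The following ACL statements are an added example, not taken from the original page; the project, table, function, role, and account names are placeholders, and the privilege-to-action mapping follows the list above.

```sql
-- Added example: a least-privilege role for a Studio developer.
-- All names below (studio_dev, my_project, sales_orders, my_udf,
-- ALIYUN$dev_user@example.com) are constructed placeholders.

-- Run as the project owner or a user allowed to manage authorization.
CREATE ROLE studio_dev;

-- Studio lists project objects when the project is added ("list"),
-- and submitting an SQL task needs "CreateInstance" on the project.
GRANT List, CreateInstance ON PROJECT my_project TO ROLE studio_dev;

-- Table details need "describe"; running a query on the table needs "select".
-- Grant per table instead of project-wide so unrelated tables stay out of reach.
GRANT Describe, Select ON TABLE sales_orders TO ROLE studio_dev;

-- Displaying a custom function needs "read"; releasing a developed UDF needs "write".
GRANT Read, Write ON FUNCTION my_udf TO ROLE studio_dev;

-- Add the account to the project (skip if it is already a member),
-- then assign the role.
ADD USER ALIYUN$dev_user@example.com;
GRANT studio_dev TO ALIYUN$dev_user@example.com;

-- Verify the result; the same information appears in Studio's
-- "Show privileges" dialog.
SHOW GRANTS FOR ALIYUN$dev_user@example.com;
```

Granting through a role rather than directly to the user keeps the ACL auditable: revoking the role removes every privilege above in one statement.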