本文为您介绍MaxCompute项目中的权限管理命令全集,包含用户管理、角色管理、用户或角色授权、权限查看等命令。
角色管理
命令
create role <role_name> [privilegeproperties("type"="admin|resource")];示例
创建一个Worker资源类角色,命令示例如下。
create role Worker;创建一个sale_admin管理类角色,命令示例如下。
create role sale_admin privilegeproperties("type"="admin");
list roles;命令
drop role <role_name>;示例
drop role Worker;
用户管理
命令
add user ALIYUN$<account_name>;示例
add user ALIYUN$odps_test_user@aliyun.com;
命令
remove user ALIYUN$<account_name>;示例
remove user ALIYUN$odps_test_user@aliyun.com;
命令
add user RAM$[<account_name>:]<RAM用户名称>;示例
add user RAM$ram_test; --等效于如下语句。 add user RAM$odps_test_user@aliyun.com:ram_test;
命令
remove user RAM$[<account_name>:]<RAM用户名称>;示例
remove user RAM$ram_test; --等效于如下语句。 remove user RAM$odps_test_user@aliyun.com:ram_test;
命令
add user `RAM$<accout_name>:role/<RAM角色名称>`;示例
add user `RAM$odps_test_user@aliyun.com:role/ram_role`;
命令
remove user `RAM$<accout_name>:role/<RAM角色名称>`;示例
remove user ALIYUN$odps_test_user@aliyun.com;
list users;
角色授权
为角色授予项目的操作权限
命令
ACL授权
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];通过ACL语法实现Policy授权
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
示例
--ACL授权。 grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker; --Policy授权。 grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
为角色授予表的操作权限
命令
ACL授权
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];通过ACL语法实现Policy授权
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
示例
--ACL授权。 grant Describe, Select on table sale_detail to ROLE Worker; --Policy授权。 grant Describe, Select on table sale_detail to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
为角色授予资源的操作权限
命令
ACL授权
grant Read|Write|Delete|All on resource <resource_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];通过ACL语法实现Policy授权
grant Read|Write|Delete|All on resource <resource_name> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
示例
--ACL授权。 grant Read, Write on resource udtf.jar to ROLE Worker; --Policy授权。 grant Read, Write on resource udtf.jar to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
为角色授予函数的操作权限
命令
grant Read|Write|Delete|Execute|All on function <function_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];示例
--ACL授权。 grant Read, Write on function udf_test to ROLE Worker; --Policy授权。 grant Read, Write on function udf_test to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
为角色授予实例的操作权限
命令
ACL授权
grant Read|Write|All on instance <instance_id> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];通过ACL语法实现Policy授权
grant Read|Write|All on instance <instance_id> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
示例
--ACL授权。 grant All on instance 202112300224**** to ROLE Worker; --Policy授权。 grant All on instance 202112300224**** to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
撤销为角色授予的项目操作权限
命令
撤销ACL授权
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from ROLE <role_name>;撤销Policy授权
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
示例
--撤销ACL授权。 revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker; --撤销Policy授权。 revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
撤销为角色授予的表操作权限
命令
撤销ACL授权
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from ROLE <role_name>;撤销Policy授权
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
示例
--撤销ACL授权。 revoke Describe, Select on table sale_detail to ROLE Worker; --撤销Policy授权。 revoke Describe, Select on table sale_detail from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
撤销为角色授予的资源操作权限
命令
撤销ACL授权
revoke Read|Write|Delete|All on resource <resource_name> from ROLE <role_name>;撤销Policy授权
revoke Read|Write|Delete|All on resource <resource_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
示例
--撤销ACL授权。 revoke Read, Write on resource udtf.jar from ROLE Worker; --撤销Policy授权。 revoke Read, Write on resource udtf.jar from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
撤销为角色授予的函数操作权限
命令
撤销ACL授权
revoke Read|Write|Delete|Execute|All on function <function_name> from ROLE <role_name>;撤销Policy授权
revoke Read|Write|Delete|Execute|All on function <function_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
示例
--撤销ACL授权。 revoke Read, Write on function udf_test from ROLE Worker; --撤销Policy授权。 revoke Read, Write on function udf_test from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
撤销为角色授予的实例操作权限
命令
revoke Read|Write|All on instance <instance_id> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");示例
--撤销ACL授权。 revoke All on instance 202112300224**** from ROLE Worker; --撤销Policy授权。 revoke All on instance 202112300224**** from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
命令
grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;示例
grant download on table sale_detail to ROLE Worker;
命令
revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;示例
revoke download on table sale_detail from ROLE Worker;
命令
grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];示例
grant Label 4 on table sale_detail to ROLE Worker;
命令
revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;示例
revoke Label on table sale_detail from ROLE Worker;
命令
grant <role_name> to <user_name>;示例
grant Worker to ALIYUN$Kate@aliyun.com; grant Worker to RAM$Bob@aliyun.com:Allen;
命令
revoke <role_name> from <user_name>;示例
revoke Worker from ALIYUN$Kate@aliyun.com; revoke Worker from RAM$Bob@aliyun.com:Allen;
用户授权
为用户授予项目的操作权限
命令
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>",示例
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user RAM$Kate@aliyun.com:Lily;
为用户授予表的操作权限
命令
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to USER <user_name> [privilegeproperties("conditions" = "<conditions>"示例
grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
为用户授予资源的操作权限
命令
grant Read|Write|Delete|All on resource <resource_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>",示例
grant Read, Write on resource udtf.jar to USER RAM$Bob@aliyun.com:Alice;
为用户授予函数的操作权限
命令
grant Read|Write|Delete|Execute|All on function <function_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>"示例
grant Read, Write on function udf_test to USER RAM$Bob@aliyun.com:Tom;
为用户授予实例的操作权限
命令
grant Read|Write|All on instance <instance_id> to USER <user_name> [privilegeproperties("conditions" = "<conditions>"示例
grant All on instance 202112300224**** to USER RAM$Bob@aliyun.com:Tom;
撤销为用户授予的项目的操作权限
命令
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from USER <user_name>;示例
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user RAM$Kate@aliyun.com:Lily;
撤销为用户授予的表的操作权限
命令
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from USER <user_name>;示例
revoke Describe, Select on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
撤销为用户授予的资源的操作权限
命令
revoke Read|Write|Delete|All on resource <resource_name> from USER <user_name>;示例
revoke Read, Write on resource udtf.jar from USER RAM$Bob@aliyun.com:Alice;
撤销为用户授予的函数的操作权限
命令
revoke Read|Write|Delete|Execute|All on function <function_name> from USER <user_name>;示例
revoke Read, Write on function udf_test from USER RAM$Bob@aliyun.com:Tom;
撤销为用户授予的实例的操作权限
命令
revoke Read|Write|All on instance <instance_id> from USER <user_name>;示例
revoke All on instance 202112300224**** from USER RAM$Bob@aliyun.com:Tom;
命令
请参见为角色授予对象的操作权限和将角色赋予用户。
示例
--为角色Worker授权。 --ACL授权。 grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker; --Policy授权。 grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true"); --将角色Worker赋予用户。 grant Worker to RAM$Bob@aliyun.com:Allen; grant Worker to RAM$Bob@aliyun.com:Alice; grant Worker to RAM$Bob@aliyun.com:Tom;
命令
示例
--为角色Worker撤销授权。 --撤销ACL授权。 revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker; --撤销Policy授权。 revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true"); --或 --收回赋予用户的角色Worker。 revoke Worker from RAM$Bob@aliyun.com:Allen;
命令
grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;示例
grant Download on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
命令
revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;示例
revoke Download on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
命令
示例
--创建角色Worker。 create role Worker; --为角色Worker授权。 grant download on table sale_detail to ROLE Worker; --将角色Worker赋予用户。 grant Worker to RAM$Bob@aliyun.com:Allen; grant Worker to RAM$Bob@aliyun.com:Alice; grant Worker to RAM$Bob@aliyun.com:Tom;
命令
示例
-为角色Worker撤销授权。 revoke download on table sale_detail from ROLE Worker; --或 --收回赋予用户的角色Worker。 revoke Worker from RAM$Bob@aliyun.com:Allen;
命令
grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];示例
grant Label 4 on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
命令
revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;示例
revoke Label on table sale_detail from ROLE Worker;
命令
示例
--创建角色Worker。 create role Worker; --为角色Worker授权。 grant Label 4 on table * to ROLE Worker; --将角色Worker赋予用户。 grant Worker to RAM$Bob@aliyun.com:Allen; grant Worker to RAM$Bob@aliyun.com:Alice; grant Worker to RAM$Bob@aliyun.com:Tom;
命令
示例
-为角色Worker撤销授权。 revoke Label on table * from ROLE Worker; --或 --收回赋予用户的角色Worker。 revoke Worker from RAM$Bob@aliyun.com:Allen;
命令
purge privs from user <user_name>;示例
purge privs from user RAM$Bob@aliyun.com:Allen;
查询权限信息
查询指定角色的权限及绑定的用户信息
查询指定角色的权限及绑定的用户信息详情请参见查询指定角色的权限及绑定的用户信息。
命令
describe role <role_name>;示例
describe role Worker;
查询用户的权限信息
show grants;命令
show grants for <user_name>;示例
show grants for ALIYUN$Bob@aliyun.com; show grants for RAM$Bob@aliyun.com:Allen;
查询对象的ACL授权信息
查询对象的ACL授权信息详情请参见查询指定对象的ACL授权信息。
命令
show acl for <object_name> [on type <object_type>];示例
show acl for test_project_a on type project;
查询Label权限信息
show label grants;命令
show label <level> grants;示例
show label 2 grants;
命令
show label grants for user <user_name>;示例
show label grants for user RAM$Bob@aliyun.com:Allen;
命令
show label <level> grants for user <user_name>;示例
show label 3 grants for user RAM$Bob@aliyun.com:Allen;
命令
show label grants on table <table_name>;示例
show label grants on table sale_detail;
命令
show label <level> grants on table <table_name>;示例
show label 4 grants on table sale_detail;
命令
show label [<label>] grants on table <table_name> for user <user_name>;示例
show label grants on table sale_detail for user RAM$Bob@aliyun.com:Allen;
命令
describe <table_name>;示例
describe sale_detail;
查询Package授权信息
命令
show acl for <project_name>.<package_name> on type package;示例
show acl for test_project_b.datashare on type package;
命令
show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package _name>");示例
show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
命令
show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");示例
show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
查看项目空间安全配置信息
项目空间数据保护
开启或关闭项目空间数据保护机制
set ProjectProtection=true|false;查看项目空间的安全配置
show SecurityConfiguration;返回结果中有
ProjectProtection=true|false,对应项目空间数据保护机制已开启或关闭。
查看已添加的可信的项目空间
list trustedprojects;LabelSecurity权限控制策略
开启或关闭LabelSecurity权限控制策略
set LabelSecurity=true|false;查看项目空间的安全配置
show SecurityConfiguration;返回结果中有
LabelSecurity=true|false,对应项目空间LabelSecurity权限控制策略已开启或关闭。
Download权限控制功能
开启或关闭Download权限控制功能
setproject odps.security.enabledownloadprivilege=true|false;查看项目空间属性
setproject;返回结果中有
odps.security.enabledownloadprivilege = true|false,对应项目空间Download权限控制功能已开启或关闭。
反馈
- 本页导读 (1)
文档反馈