Data Lake Formation allows you to configure fine-grained permissions at five levels: data catalog, database, table, column, and function. This topic describes the permissions required for data operations and explains owner permissions.
Permission management
Permission settings
You can enable or disable permissions for a data catalog. For more information, see Permission settings.
Background information
To configure permissions, specify the following three elements.

| Element | Description |
| --- | --- |
| Principal | The user or role that is granted permissions. The user must be a RAM user or RAM role. The role must be created in the data lake with the role management feature. A principal can be specified in one of the following formats: |
| Resource | Resources managed in the data lake include: |
| Action | The available actions depend on the resource type. For example, a database supports CreateTable and List permissions, a table supports Select and Update permissions, and a column supports only the Select permission. |
Permission overview
The following table describes the permissions supported by Data Lake Formation.

| Resource | Action | Description |
| --- | --- | --- |
| data catalog | Alter | Allows a principal to modify a data catalog. For example, by running the |
| data catalog | Drop | Allows a principal to delete a data catalog. For example, by running the |
| data catalog | Grant | Allows a principal to grant permissions on a data catalog. For example, by running the |
| data catalog | Create Database | Allows a principal to create a database in a data catalog. For example, by running the |
| database | Describe | Allows a principal to view the metadata of a database or switch to a database. For example, by running commands such as |
| database | Alter | Allows a principal to modify a database. For example, by running the |
| database | Drop | Allows a principal to delete a database. For example, by running the |
| database | Create Table | Allows a principal to create a table in a database. For example, by running the |
| database | List | Allows a principal to view the list of resources in a database. For example, by running the |
| table | Describe | Allows a principal to view the metadata of a table. For example, by running the |
| table | Alter | Allows a principal to modify a table. For example, by running commands such as |
| table | Drop | Allows a principal to delete a table. For example, by running the |
| table | Select | Allows a principal to read data from a table. For example, by running the |
| table | Update | Allows a principal to update data in a table. For example, by running commands such as |
| column | Select | Allows a principal to read data from a column. For example, by running the |
| function | Describe | Allows a principal to view the metadata of a function. |
| function | Alter | Allows a principal to modify a function. |
| function | Drop | Allows a principal to delete a function. |
| function | Execute | Allows a principal to use or execute a function. |
Owner permissions
Owner
The creator of a resource is its owner. You can view the owner of a database or table in its basic information.
- If a RAM user creates a database or table in Data Lake Formation, that RAM user is the resource owner. The owner is identified by the user's principal format.
- If a Linux or LDAP user creates a resource in an E-MapReduce engine by running an SQL command, that user becomes the resource owner.
- The Databricks engine does not support resource owners.
- For integration with open-source big data systems, Data Lake Formation treats a RAM user and a Linux or LDAP user with the same username as equivalent owners. For example, an owner specified as acs:ram::<Alibaba Cloud account ID>:user/user_a is equivalent to an owner specified as user_a.
- When an Alibaba Cloud account is a resource owner, it has no equivalent Linux or LDAP user. Note that an owner specified as acs:ram::<Alibaba Cloud account ID>:root is not equivalent to an owner specified as root.
- In the Data Lake Formation console, you can view the username of a RAM user under . When you use an E-MapReduce engine, add a Linux or LDAP user with the same name as the RAM user by using user management.
Permissions
A resource owner has all permissions on that resource. For example, if the owner of a database is the RAM user user_a, user_a can perform operations such as Alter Database and Drop Database.
Owner permissions on a resource do not extend to its child resources. For example, the owner of a database has owner permissions only on the database itself, not on the tables within that database.
Verification
- When you log on to the Data Lake Formation console as a RAM user, you have owner permissions for resources owned by that RAM user or its equivalent identity.
- When you use an E-MapReduce engine to access data lake metadata resources, you are identified as a Linux or LDAP user and have owner permissions for resources owned by that user or its equivalent identity.
- The Databricks engine does not support the verification of owner permissions.
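The rules in the permission overview and the owner section above fit in a small model, written here as an added example that is not part of the Data Lake Formation documentation or product code. It encodes the actions each resource type supports, the equivalence between a RAM user and a Linux or LDAP user of the same name (and the absence of such an equivalence for the account root), the rule that an owner holds every action on the resource itself, and the rule that owner permissions do not cascade to child resources. Resource paths as tuples, the `PermissionModel` class, the sample account ID and the sample resources are all assumptions made for the example; the real service resolves these checks server-side.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Actions each resource type supports, taken from the permission overview table.
SUPPORTED_ACTIONS = {
    "catalog": {"Alter", "Drop", "Grant", "CreateDatabase"},
    "database": {"Describe", "Alter", "Drop", "CreateTable", "List"},
    "table": {"Describe", "Alter", "Drop", "Select", "Update"},
    "column": {"Select"},
    "function": {"Describe", "Alter", "Drop", "Execute"},
}

# Principal format for a RAM user: acs:ram::<account ID>:user/<name>
_RAM_USER = re.compile(r"^acs:ram::[^:]+:user/(?P<name>.+)$")


def canonical_identity(principal: str) -> str:
    """Return the identity used when comparing a principal with a resource owner.

    A RAM user acs:ram::<account>:user/NAME is equivalent to the Linux/LDAP user
    NAME. The account root (acs:ram::<account>:root) has no Linux/LDAP
    equivalent, so it is returned unchanged and never matches a plain 'root'.
    """
    match = _RAM_USER.match(principal)
    return match.group("name") if match else principal


@dataclass(frozen=True)
class Resource:
    kind: str               # catalog | database | table | column | function
    path: Tuple[str, ...]   # assumed path form, e.g. ("catalog1", "sales", "orders")
    owner: Optional[str]    # None models a resource without an owner (e.g. from Databricks)


class PermissionModel:
    """Hypothetical in-memory evaluator for the rules on this page."""

    def __init__(self) -> None:
        self._resources: Dict[Tuple[str, ...], Resource] = {}
        self._grants: Set[Tuple[str, Tuple[str, ...], str]] = set()

    def register(self, resource: Resource) -> None:
        if resource.kind not in SUPPORTED_ACTIONS:
            raise ValueError(f"unknown resource type: {resource.kind}")
        self._resources[resource.path] = resource

    def grant(self, principal: str, path: Tuple[str, ...], action: str) -> None:
        resource = self._resources[path]
        if action not in SUPPORTED_ACTIONS[resource.kind]:
            raise ValueError(f"{resource.kind} does not support {action}")
        self._grants.add((canonical_identity(principal), path, action))

    def is_owner(self, principal: str, path: Tuple[str, ...]) -> bool:
        owner = self._resources[path].owner
        return owner is not None and canonical_identity(owner) == canonical_identity(principal)

    def is_allowed(self, principal: str, path: Tuple[str, ...], action: str) -> bool:
        resource = self._resources.get(path)
        # Unknown resource, or an action the resource type does not define: deny.
        if resource is None or action not in SUPPORTED_ACTIONS[resource.kind]:
            return False
        # The owner holds every action on this resource only; parents' owners are
        # never consulted, so ownership does not cascade to child resources.
        if self.is_owner(principal, path):
            return True
        return (canonical_identity(principal), path, action) in self._grants


def build_demo_model() -> PermissionModel:
    """Constructed sample: catalog owned by the account root, database owned by
    RAM user user_a, table owned by LDAP user user_b, one explicit column grant."""
    acct = "123456789012"  # constructed placeholder account ID
    model = PermissionModel()
    model.register(Resource("catalog", ("catalog1",), f"acs:ram::{acct}:root"))
    model.register(Resource("database", ("catalog1", "sales"), f"acs:ram::{acct}:user/user_a"))
    model.register(Resource("table", ("catalog1", "sales", "orders"), "user_b"))
    model.register(Resource("column", ("catalog1", "sales", "orders", "amount"), None))
    model.grant("user_a", ("catalog1", "sales", "orders", "amount"), "Select")
    return model


if __name__ == "__main__":
    m = build_demo_model()
    # LDAP user_a is equivalent to the RAM owner of the database, so Drop is allowed.
    print("user_a Drop database:", m.is_allowed("user_a", ("catalog1", "sales"), "Drop"))
    # Ownership does not cascade: user_a owns the database but not the table in it.
    print("user_a Select table:", m.is_allowed("user_a", ("catalog1", "sales", "orders"), "Select"))
    # A plain 'root' user is not the account root that owns the catalog.
    print("root Drop catalog:", m.is_allowed("root", ("catalog1",), "Drop"))
```

Running the script prints True, False and False: the database owner can drop the database, cannot read a table in it that someone else owns, and the Linux user root gains nothing from the account root's ownership. The grant on the column is the only way user_a reaches the amount column, and the model also refuses a Drop on a column because the column type defines only Select.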
Supported compute engines
Data Lake Formation supports E-MapReduce. The following table describes the support details.

| EMR major version | EMR version | Hive | Spark | Presto | Impala |
| --- | --- | --- | --- | --- | --- |
| EMR 3.x | EMR-3.39.0 and earlier | Not supported | Not supported | Not supported | Not supported |
| EMR 3.x | EMR-3.40.0 | Supported | Supported | Supported | Not supported |
| EMR 3.x | EMR-3.41.0 to EMR-3.43.1 | Supported | Supported | Not supported | Not supported |
| EMR 3.x | EMR-3.44.0 and later (planned) | Supported | Supported | Supported | Supported |
| EMR 5.x | EMR-5.5.0 and earlier | Not supported | Not supported | Not supported | Not supported |
| EMR 5.x | EMR-5.6.0 | Supported | Supported | Supported | Not supported |
| EMR 5.x | EMR-5.7.0 to EMR-5.9.1 | Supported | Supported | Not supported | Not supported |
| EMR 5.x | EMR-5.10.0 and later (planned) | Supported | Supported | Supported | Supported |