External data source authorization

更新时间:
复制 MD 格式

MaxCompute integrates with RAM and STS to enable secure access to external data sources. This topic describes authorization methods that use RAM and STS for different scenarios.

RAM role authorization for OSS

To allow a MaxCompute external table to directly access data in OSS, the table owner must specify a RAM role with the necessary OSS permissions in the external table definition. After the role is associated, the owner can grant users access to the external table. You can grant permissions in the following ways:

  • One-click authorization (Recommended): If MaxCompute and OSS belong to the same Alibaba Cloud account, log on to your account and click here to complete the one-click authorization.

    Note

    The default AliyunODPSDefaultRole grants broad permissions and is for reference only. You must configure access and trust policies in the RAM console to match the permissions required by your MaxCompute external table or external data source.

  • Custom authorization: You can use this method for both same-account and cross-account scenarios. Follow these steps:

    • If MaxCompute and OSS belong to the same account, set the Service in the trust policy to odps.aliyuncs.com.

    • If MaxCompute and OSS belong to different accounts, set the Service in the trust policy to <MaxCompute-owner-account-ID>@odps.aliyuncs.com. You can obtain the MaxCompute owner's account ID on the Account Overview page.

    1. Create a RAM role.

      Log on to the RAM console and create a role from the RAM roles page. For example, you can name the role oss-admin. For more information, see Create a RAM role for a trusted Alibaba Cloud account.image

    2. Modify the RAM role's trust policy.

      1. Log in to the RAM console.

      2. In the left navigation bar, select Identities > Roles.

      3. On the Roles page, click the target Role Name to go to the role details page.

      4. On the Trust Policy tab, click Edit Trust Policy, and on the Edit Trust Policy page, select the JSON Editor tab.

        Replace the existing policy with the following code:

        Same account

        {
         "Statement": [
         {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "odps.aliyuncs.com"
         ]
         }
         }
         ],
         "Version": "1"
        }

        Cross-account

        {
        "Statement": [
        {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "<MaxCompute-owner-account-ID>@odps.aliyuncs.com"
         ]
         }
        }
        ],
        "Version": "1"
        }
      5. When you are finished, click OK.

    3. Create an access policy.

      On the Policies page in the RAM console, create an access policy. For example, you can name it AliyunODPSRolePolicy.

      The following policy grants common OSS permissions. You can also customize the permissions. For more information, see Create a custom access policy.

      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
       "oss:ListBuckets",
       "oss:GetObject",
       "oss:ListObjects",
       "oss:PutObject",
       "oss:DeleteObject",
       "oss:AbortMultipartUpload",
       "oss:ListParts"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the access policy to the RAM role you just created.

      1. Log in to the RAM console.

      2. In the left navigation bar, select Identities > Roles.

      3. On the Roles page, click the target Role Name to go to the role details page.

      4. On the Manage Permissions tab, click Create Authorization. In the Create Authorization panel that appears, select the policies to grant to the role, and click OK.

        For more information, see Manage the permissions of a RAM role.

RAM role authorization for Tablestore

To allow a MaxCompute external table to directly access data in Tablestore, the table owner must specify a RAM role with the necessary Tablestore permissions in the external table definition. After the role is associated, the owner can grant users access to the external table. You can grant permissions in the following ways:

  • One-click authorization (Recommended): If MaxCompute and Tablestore belong to the same Alibaba Cloud account, log on to your account and click here to complete the one-click authorization.

  • Custom authorization: This method applies to cross-account scenarios where MaxCompute and Tablestore belong to different accounts.

    1. Create a RAM role.

      Log on to the RAM console with the Tablestore account and create a role from the RAM roles page. For example, you can name the role tablestore-access-role.

      For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Modify the RAM role's trust policy.

      If MaxCompute and Tablestore belong to different accounts, use the following settings to enable cross-account access from MaxCompute to Tablestore.

      1. Log in to the RAM console.

      2. In the left navigation bar, select Identities > Roles.

      3. On the Roles page, click the target Role Name to go to the role details page.

      4. On the Trust Policy tab, click Edit Trust Policy, and on the Edit Trust Policy page, select the JSON Editor tab.

        Configure the following policy:

        {
        "Statement": [
        {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "<MaxCompute-owner-account-ID>@odps.aliyuncs.com"
         ]
         }
        }
        ],
        "Version": "1"
        }

        The <MaxCompute-owner-account-ID> placeholder represents the ID of the Alibaba Cloud account that owns the MaxCompute project.

    3. Create an access policy.

      On the Policies page in the RAM console, create an access policy. For example, you can name it AliyunODPSRolePolicy.

      The following policy grants common Tablestore permissions. You can also customize the permissions. For more information, see Create a custom access policy.

      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
       "ots:ListTable",
       "ots:DescribeTable",
       "ots:GetRow",
       "ots:PutRow",
       "ots:UpdateRow",
       "ots:DeleteRow",
       "ots:GetRange",
       "ots:BatchGetRow",
       "ots:BatchWriteRow",
       "ots:ComputeSplitPointsBySize"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the AliyunODPSRolePolicy access policy to the RAM role you created.

      1. Log in to the RAM console.

      2. In the left navigation bar, select Identities > Roles.

      3. On the Roles page, click the target Role Name to go to the role details page.

      4. On the Manage Permissions tab, click Create Authorization. In the Create Authorization panel that appears, select the policies to grant to the role, and click OK.

        For more information, see Manage the permissions of a RAM role.

RAM role authorization for Hologres

To allow a MaxCompute external table to directly access data in Hologres, the table owner must specify a RAM role with the necessary Hologres permissions in the external table definition. After the role is associated, the owner can grant users access to this external table. Follow these steps to configure the required permissions:

  1. Create a RAM role

    Create a RAM role to obtain its Alibaba Cloud Resource Name (ARN). The ARN is required to configure STS authentication when you create the external table. Select a trusted entity type based on your business requirements. In this example, an Alibaba Cloud account is the trusted entity.

    Perform the following steps:

    1. Log in to the RAM console.

    2. In the left navigation bar, select Identities > Roles.

    3. On the Roles page, click Create Role.

  2. Modify the trust policy

    1. On the Roles page, click the target Role Name to go to the role details page.

    2. On the Trust Policy tab, click Edit Trust Policy, and on the Edit Trust Policy page, select the JSON Editor tab.

    3. Modify the trust policy as shown in the following examples.

      The content of the trust policy varies based on the trusted entity type. Replace <UID> with your Alibaba Cloud account ID. You can obtain your account ID on the User Information page.

      Alibaba Cloud account

      {
       "Statement": [
       {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
       "RAM": [
       "acs:ram::<UID>:root"
       ]
       }
       },
       {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
       "Service": [
       "<UID>@odps.aliyuncs.com"
       ]
       }
       }
       ],
       "Version": "1"
      }

      Identity provider

      {
       "Statement": [
       {
       "Action": "sts:AssumeRole",
       "Condition": {
       "StringEquals": {
       "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
       }
       },
       "Effect": "Allow",
       "Principal": {
       "Federated": [
       "acs:ram::<UID>:saml-provider/IDP"
       ]
       }
       },
       {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
       "Service": [
       "<UID>@odps.aliyuncs.com"
       ]
       }
       }
       ],
       "Version": "1"
      }
  3. Add the RAM role to a Hologres instance and grant permissions

    The RAM role requires developer permissions on the Hologres instance to access its resources.

    By default, RAM roles cannot view or manage instances in the Hologres Management Console. An Alibaba Cloud account holder must grant the necessary permissions to the role.

    To add the RAM role to a Hologres instance, follow these steps:

    Hologres console

    1. Log on to the Hologres Management Console, and in the upper-left corner, select the region.

    2. In the navigation pane on the left, click Instances.

    3. On the Instances page, click the target instance name.

    4. On the instance details page, in the navigation pane on the left, click Account Management.

    5. On the User Management page, click Add User.

    6. In the Add User dialog box that appears, configure the parameters and click OK.

      • Set Role to AliyunODPSDefaultRole.

      • Set Member Role to Regular user.

    7. On the User Management page, in the navigation pane on the left, click DB Authorization.

    8. On the Database Authorization page, click Create Database.

    9. In the Create Database dialog box, configure the required parameters, and click OK.

      Set Policies to SPM.

    10. On the DB Authorization page, click Authorize User in the Actions column for the target database.

    11. Click Grant Permissions in the top-right corner. In the Grant Permissions dialog box that appears, configure User and User Group.

      • Users Select the RAM user that you want to configure.

      • For Groups, select Developer.

    RAM console

    Attach the AliyunODPSRolePolicy access policy to the RAM role you created.

    1. Log in to the RAM console.

    2. In the left navigation bar, select Identities > Users.

    3. On the Users page, click the target User Logon Name/Display Name to go to the user details page.

    4. On the user details page, click the Manage Permissions tab.

    5. On the Manage Permissions tab, select Individual, and click Grant Permission.

    6. In the Grant Permission panel, select the policy to grant to the user, and click OK.

      For the access policy, select AliyunRAMReadOnlyAccess.

      For more information, see Grant permissions to a RAM user.

    SQL

    For information about the SQL statements for authorization, see Hologres permission model.

Note

Hologres also supports dual-signature authentication. For more information, see Hologres external tables.

RAM role authorization for DLF and OSS

When building a data lakehouse with MaxCompute, DLF, and OSS, you must first create an external data source by associating it with a RAM role that has the necessary data access permissions for both DLF and OSS. You can then use this setup to create an external schema for accessing the data. To grant other users permissions on tables in the external schema, see Grant permissions on federated external tables in an external schema. You can grant permissions in the following ways:

  • One-click authorization (Recommended): If the account that is used to create the MaxCompute project is the same as the account that is used to deploy DLF and OSS, you can click Authorize DLF and OSS to complete the authorization.

  • Custom authorization: You can use this method for both same-account and cross-account scenarios. Follow these steps:

    • If the MaxCompute project and DLF are in the same account, set the Service in the trust policy to odps.aliyuncs.com.

    • If the MaxCompute project and DLF are in different accounts, set the Service in the trust policy to <MaxCompute-project-owner-account-ID>@odps.aliyuncs.com. You can obtain the MaxCompute owner account ID on the Account Overview page.

    1. Log on to the RAM console and create a RAM role for a trusted Alibaba Cloud account.

    2. In the RAM console, modify the trust policy of the RAM role. Use the following content for the trust policy:

      Same account

      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
       "Service": [
       "odps.aliyuncs.com"
       ]
       }
      }
      ],
      "Version": "1"
      }

      Cross-account

      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
       "Service": [
       "<MaxCompute-project-owner-account-ID>@odps.aliyuncs.com" 
       ]
       }
      }
      ],
      "Version": "1"
      }
    3. In the RAM console, create a custom access policy for the newly created RAM role. For more information, see Create a custom access policy. Use the following content for the custom access policy:

      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
       "oss:ListBuckets",
       "oss:GetObject",
       "oss:ListObjects",
       "oss:PutObject",
       "oss:DeleteObject",
       "oss:AbortMultipartUpload",
       "oss:ListParts"
       ],
       "Resource": "*",
       "Effect": "Allow"
      },
      {
       "Action": [
       "dlf:CreateFunction",
      "dlf:BatchGetPartitions",
      "dlf:ListDatabases",
      "dlf:CreateLock",
      "dlf:UpdateFunction",
      "dlf:BatchUpdateTables",
      "dlf:DeleteTableVersion",
      "dlf:UpdatePartitionColumnStatistics",
      "dlf:ListPartitions",
      "dlf:DeletePartitionColumnStatistics",
      "dlf:BatchUpdatePartitions",
      "dlf:GetPartition",
      "dlf:BatchDeleteTableVersions",
      "dlf:ListFunctions",
      "dlf:DeleteTable",
      "dlf:GetTableVersion",
      "dlf:AbortLock",
      "dlf:GetTable",
      "dlf:BatchDeleteTables",
      "dlf:RenameTable",
      "dlf:RefreshLock",
      "dlf:DeletePartition",
      "dlf:UnLock",
      "dlf:GetLock",
      "dlf:GetDatabase",
      "dlf:GetFunction",
      "dlf:BatchCreatePartitions",
      "dlf:ListPartitionNames",
      "dlf:RenamePartition",
      "dlf:CreateTable",
      "dlf:BatchCreateTables",
      "dlf:UpdateTableColumnStatistics",
      "dlf:ListTableNames",
      "dlf:UpdateDatabase",
      "dlf:GetTableColumnStatistics",
      "dlf:ListFunctionNames",
      "dlf:ListPartitionsByFilter",
      "dlf:GetPartitionColumnStatistics",
      "dlf:CreatePartition",
      "dlf:CreateDatabase",
      "dlf:DeleteTableColumnStatistics",
      "dlf:ListTableVersions",
      "dlf:BatchDeletePartitions",
      "dlf:ListCatalogs",
      "dlf:UpdateTable",
      "dlf:ListTables",
      "dlf:DeleteDatabase",
      "dlf:BatchGetTables",
      "dlf:DeleteFunction"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the custom access policy to the RAM role you created. For more information, see Manage the permissions of a RAM role.

Service-linked role authorization for Hologres (identity passthrough)

When MaxCompute accesses data in Hologres through an external data source and an external project, you must use a service-linked role to grant the required data access permissions to Hologres. After the role is created, this mode uses identity passthrough for authorization, authenticating users by passing their identity to Hologres to prevent unauthorized access. To use this feature, users must be members of the MaxCompute external project and have permissions on the Hologres data source that is mapped to the external project.

  1. Log in to the RAM console.

  2. In the left navigation bar, select Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

  5. On the Create Service Linked Role page, select Select Service: aliyunserviceroleformaxcomputeidentitymgmt, and click Create Service Linked Role.

    If a message indicates that the role already exists, it means that the role has been authorized. You can ignore the message.

Service-linked role authorization for Paimon_DLF (identity passthrough)

When MaxCompute accesses data in DLF through an external data source and an external project, you must use a service-linked role to grant the required data access permissions to DLF. After the role is created, this mode uses identity passthrough for authorization. It passes the user identity to DLF for authentication to prevent unauthorized access. To use this feature, the user must be added to the MaxCompute external project and have permissions on the DLF data source that is mapped to the external project.

  1. Log in to the RAM console.

  2. In the left navigation bar, select Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

  5. On the Create Service Linked Role page, for Select Service, select AliyunServiceRoleForMaxComputeLakehouse, and click Create Service Linked Role.

    If a message indicates that the role already exists, it means that the role has been authorized. You can ignore the message.