ACL access control

ACL-based access control applies to the following scenarios.

Before you use ACL-based access control, ensure you have the following information:

• The grantee's account name or role name. The user or role must be added to the MaxCompute project. The account formats are as follows: An Alibaba Cloud account is in the format ALIYUN$<account_name>, a RAM user account is in the format RAM$[<account_name>:]<RAM user name> , and a RAM role is in the format RAM$<account_name>:role/<RAM role name>.

  You can run the list users; or list roles; command in the MaxCompute client to retrieve account or role names.

  To add a user or role, see User planning and management or Role planning.

• The object type, object name, and the actions to grant.

  For more information about object types and actions, see MaxCompute permissions.

The following limits apply to ACL-based access control:

• You can grant permissions only to existing users or roles on existing objects. This avoids security risks from deleting and re-creating an object with the same name.

• ACL-based access control does not support authorization with the [with grant option] clause. For example, if user A grants user B access to an object, user B cannot then grant that permission to user C.

• ACL authorization uses an allow-list model and does not support a deny-list model.

Note the following when you use ACL-based access control:

• If you delete an object, MaxCompute automatically revokes all ACL permissions associated with it.

• When a user is removed, the permissions granted to the user are retained. If the user is added to the project again, their previous permissions are restored. To completely clear the permission information of a removed user, see Permanently clear the residual permission information of a removed user.

ACL-based access control commands use the following syntax:

• Grant ACL permissions

  grant <actions> on <object_type> <object_name> 
  [(<column_list>)] to <subject_type> <subject_name> 
  [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

• Revoke ACL permissions

  revoke <actions> on <object_type> <object_name> 
  [(<column_list>)] from <subject_type> <subject_name>;

• Column-level access control

  grant <actions> on table <table_name> (<column_list>) to <subject_type> <subject_name>;
  revoke <actions> on table <table_name> (<column_list>) from <subject_type> <subject_name>;

The following table describes the parameters.

Assume that Bob@aliyun.com is the project owner of test_project_a, and Allen, Alice, and Tom are RAM users under Bob@aliyun.com. The following examples demonstrate authorization operations using the MaxCompute client.

• Example 1: Grant permissions to a user

  Create the sale_detail table in the test_project_a project, and grant user Allen the Describe (read metadata) and Select (read data) permissions on the table. The following provides sample commands.

  -- Bob switches to the test_project_a project.
  use test_project_a; 
  -- Create a partitioned table named sale_detail.
  create table if not exists sale_detail
  (
  shop_name     string,
  customer_id   string,
  total_price   double
  )
  partitioned by (sale_date string, region string);
  -- Add the user Allen as a project member.
  add user RAM$Bob@aliyun.com:Allen;
  -- Grant permissions to Allen.
  grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
  -- View the permissions granted to Allen.
  show grants for RAM$Bob@aliyun.com:Allen; 
  -- The authorization result is as follows.
  Authorization Type: ACL
  [user/RAM$Bob@aliyun.com:Allen]
  A       projects/test_project_a/tables/sale_detail: Describe | Select

• Example 2: Grant column-level permissions to a user

  Using the sale_detail table created in Example 1, grant user Alice all permissions on the shop_name and customer_id columns in the sale_detail table. The following provides sample commands.

  -- Bob switches to the test_project_a project.
  use test_project_a; 
  -- Add user Alice as a project member.
  add user RAM$Bob@aliyun.com:Alice;
  -- Grant column-level permissions to Alice.
  grant All on table sale_detail (shop_name, customer_id) to USER RAM$Bob@aliyun.com:Alice;
  -- View the permissions granted to Alice.
  show grants for RAM$Bob@aliyun.com:Alice; 
  -- The authorization result is as follows.
  Authorization Type: ACL
  [user/RAM$Bob@aliyun.com:Alice]
  A       projects/test_project_a/tables/sale_detail/customer_id: All
  A       projects/test_project_a/tables/sale_detail/shop_name: All

• Example 3: Revoke permissions from users

  Based on Example 1 and Example 2, revoke the permissions from users Allen and Alice. The following provides sample commands.

  -- Bob switches to the test_project_a project.
  use test_project_a; 
  -- Revoke the permissions from Allen.
  revoke Describe, Select on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Allen;
  -- Revoke the permissions from Alice.
  revoke All on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Alice;
  -- Check Allen's permissions after revocation. The Describe and Select permissions are removed from the permission list.
  show grants for RAM$Bob@aliyun.com:Allen; 
  -- Check Alice's permissions after revocation. The All permission is removed from the permission list.
  show grants for RAM$Bob@aliyun.com:Alice; 

• Example 4: Grant the same permissions to multiple users using a role

  Grant Alice, Tom, and another Alibaba Cloud account Lily@aliyun.com the permissions to create instances, resources, functions, and tables, and to list all object types in the test_project_a project. The following provides sample commands.

  -- Bob switches to the test_project_a project.
  use test_project_a; 
  -- Add the users Alice, Tom, and Lily@aliyun.com as project members.
  add user RAM$Bob@aliyun.com:Alice;
  add user RAM$Bob@aliyun.com:Tom;
  add user ALIYUN$Lily@aliyun.com;
  -- Create the Worker role.
  create role Worker; 
  -- Assign the Worker role to the users.
  grant Worker TO RAM$Bob@aliyun.com:Alice; 
  grant Worker TO RAM$Bob@aliyun.com:Tom; 
  grant Worker TO ALIYUN$Lily@aliyun.com; 
  -- Grant the Worker role the permissions to create instances, resources, functions, and tables, and to list all object types in the test_project_a project.
  grant CreateInstance, CreateResource, CreateFunction, CreateTable, List on project test_project_a TO ROLE Worker;
  -- View the permissions for the user Lily.
  show grants for ALIYUN$Lily@aliyun.com; 
  -- The following authorization result indicates that the user Lily has the specified permissions.
  [roles]
  worker
  
  Authorization Type: ACL
  [role/worker]
  A       projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List

• Example 5: Revoke the same role-based permissions from multiple users

  Based on Example 4, revoke the permissions from users Alice, Tom, and Lily@aliyun.com. The following provides sample commands.

  -- Bob switches to the test_project_a project.
  use test_project_a; 
  -- Revoke the Worker role from the users Alice, Tom, and Lily@aliyun.com.
  revoke Worker from RAM$Bob@aliyun.com:Alice;
  revoke Worker from RAM$Bob@aliyun.com:Tom;
  revoke Worker from ALIYUN$Lily@aliyun.com;
  -- Check Lily's permissions after revocation. The permission list no longer includes the Worker role.
  show grants for ALIYUN$Lily@aliyun.com; 

Once you understand how ACL authorization works, you can manage permissions according to your business needs:

• Project-level role authorization

• Manage user permissions using commands

• Query the permissions of a user, role, or object