Download control lets you restrict which users and roles can download tables or instances via Tunnel commands. By default, all project members can download all tables and instances. Enabling download control lets you limit those permissions to specific subjects and objects, reducing the risk of data leaks.
How it works
The project owner or a user with the Super_Administrator role enables download control at the project level:
setproject odps.security.enabledownloadprivilege=true|false;
Once enabled, use grant Download and revoke Download commands to control which users or roles can download specific tables or instances.
Prerequisites
Before you begin, make sure you have:
- The account or role name of the subject you want to authorize. Run list users; or list roles; on the MaxCompute client to look up existing accounts and roles.
- The name of the table or instance to authorize. Run show tables;, list resources;, list functions;, or show instances; to look up object names.
- (Optional) To add a new user or role to the project, see User planning and management and Role planning.
When specifying accounts, use the following formats:
| Account type | Format |
|---|---|
| Alibaba Cloud account | ALIYUN$<account_id> |
| RAM user | RAM$<account_id>:<RAM user ID> |
| RAM role | RAM$<account_id>:role/<RAM role name> |
Limitations
- Only existing users, roles, tables, and instances can be used in download control authorization.
- When granting permissions to a user, wildcards (*) are not supported for object_name. To authorize multiple objects using a wildcard, grant the permission to a role instead.
Usage notes
- When an object (table or instance) is deleted, MaxCompute automatically revokes all download permissions on that object.
- When a user is removed from a project, their permissions are retained. If the user is added back to the project, their historical permissions are reactivated. To clear residual permissions, see Completely clear the residual permission information of a removed user.
Syntax
Grant download permissions:
grant Download on <object_type> <object_name> to <subject_type> <subject_name>;
Revoke download permissions:
revoke Download on <object_type> <object_name> from <subject_type> <subject_name>;
| Parameter | Required | Description |
|---|---|---|
| object_type | Yes | The type of object. Valid values: Table, Instance. One type per command. |
| object_name | Yes | The name of the table, view, or instance. Run show tables; to get table or view names, or show instances; to get instance names (instance names are the same as instance IDs). When authorizing a role, wildcards are supported: for example, table taobao* matches all tables whose names start with taobao. |
| subject_type | Yes | The type of subject to authorize. Valid values: USER (an Alibaba Cloud account or RAM user) or ROLE (a role). |
| subject_name | Yes | The account or role name. Run list users; or list roles; on the MaxCompute client to look up available names. |
Examples
The following examples use test_project_a as the project. The project owner is username@example.com. Allen, Tom, and Alice are RAM users belonging to the username@example.com account. Download control is enabled for test_project_a. All commands are run on the MaxCompute client.
Grant download permissions to a user
Add Allen to the project and grant Allen permission to download the sale_detail table.
-- Switch to the test_project_a project.
use test_project_a;
-- Add Allen as a project member.
add user RAM$username@example.com:Allen;
-- Grant Allen download permission on sale_detail.
grant Download on table sale_detail to USER RAM$username@example.com:Allen;
-- Verify the result.
show grants for RAM$username@example.com:Allen;
Expected output:
Authorization Type: ACL
[user/RAM$username@example.com:Allen]
A projects/test_project_a/tables/sale_detail: Download
The output confirms that Allen has the Download permission on sale_detail.
Revoke download permissions from a user
Revoke the download permission granted in the previous example from Allen.
-- Switch to the test_project_a project.
use test_project_a;
-- Revoke the download permission from Allen.
revoke Download on table sale_detail from USER RAM$username@example.com:Allen;
-- Verify the result. The output no longer shows the Download permission.
show grants for RAM$username@example.com:Allen;
Grant download permissions to multiple users using a role
Grant Alice and Tom permission to download all tables whose names start with tb_ in test_project_a. Use a role to authorize both users in a single operation.
-- Switch to the test_project_a project.
use test_project_a;
-- Add Alice and Tom as project members.
add user RAM$username@example.com:Alice;
add user RAM$username@example.com:Tom;
-- Create a role named Worker.
create role Worker;
-- Assign the Worker role to Alice and Tom.
grant Worker TO RAM$username@example.com:Alice;
grant Worker TO RAM$username@example.com:Tom;
-- Grant the Worker role download permission on all tables starting with tb_.
grant Download on table tb_* to ROLE Worker;
-- Verify the result.
describe role Worker;
Expected output:
Authorization Type: Policy
[role/worker]
A projects/test_project_a/tables/tb_*: Download
The output confirms that the Worker role has the Download permission on all tb_* tables, and both Alice and Tom inherit this permission through the role.
Revoke role-based download permissions from multiple users
Remove Alice and Tom from the Worker role to revoke the download permissions granted in the previous example.
-- Switch to the test_project_a project.
use test_project_a;
-- Remove Alice and Tom from the Worker role.
revoke Worker from RAM$username@example.com:Alice;
revoke Worker from RAM$username@example.com:Tom;
-- Verify the result. The output no longer shows the Download permission.
show grants for RAM$username@example.com:Alice;
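As an added audit helper (not code from the MaxCompute documentation or client), the following Python parses the show grants and describe role output format shown in the examples above and reports whether a subject can download a given table. It assumes the leading "A" on an entry line marks an allow entry, and it applies the page's rule that wildcards in object_name are honoured only for role grants.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the expected output shown in the examples above.
# The leading "A" is assumed here to denote an allow entry.
SAMPLE_USER_OUTPUT = """Authorization Type: ACL
[user/RAM$username@example.com:Allen]
A projects/test_project_a/tables/sale_detail: Download
"""

SAMPLE_ROLE_OUTPUT = """Authorization Type: Policy
[role/worker]
A projects/test_project_a/tables/tb_*: Download
"""

# Matches "A projects/<project>/<tables|instances>/<name>: <priv>[, <priv>...]"
ENTRY_RE = re.compile(r"^A\s+projects/([^/]+)/(tables|instances)/(\S+?):\s*(.+)$")


def parse_grants(text):
    """Return a list of (subject, project, object_type, object_name, privileges)."""
    subject = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            subject = line[1:-1]  # e.g. "user/RAM$...:Allen" or "role/worker"
            continue
        m = ENTRY_RE.match(line)
        if m and subject is not None:
            project, obj_type, obj_name, privs = m.groups()
            priv_set = {p.strip() for p in privs.split(",") if p.strip()}
            entries.append((subject, project, obj_type, obj_name, priv_set))
    return entries


def can_download(entries, project, object_type, object_name):
    """True if any parsed entry grants Download on the named object.

    Wildcard patterns (e.g. tb_*) are matched only when the subject is a role,
    because user grants do not support wildcards in object_name.
    """
    for subject, proj, otype, pattern, privs in entries:
        if proj != project or otype != object_type or "Download" not in privs:
            continue
        if subject.startswith("role/"):
            if fnmatchcase(object_name, pattern):
                return True
        elif pattern == object_name:
            return True
    return False
```

Feed it the captured output of show grants for each user and describe role for each role they hold to check a table before handing out Tunnel access.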
What's next
- To check which permissions are available for users in your project, see Permissions.
- To run download control commands, use the MaxCompute client, DataWorks console, or MaxCompute Studio.