Troubleshoot permission issues


This topic describes common permission-related error messages that block tasks and explains how to resolve them.

The following are common permission-granting scripts for a project owner:

-- Method 1: Grant a permission directly to a user
use project_xxx;  -- Switch to a project. Append _dev for a development environment.
grant CreateResource on project project_xxx to user user_xxx@aliyun.com;  -- A RAM user
-- Method 2: Grant permissions by using a role
use project_xxx;
create role worker; -- Create a role.
grant worker to user_xxx@aliyun.com; -- Assign the role to a RAM user.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT project_xxx TO ROLE worker; -- Grant permissions to the role.
-- The following scripts are examples for specific scenarios.
-- Grant volume permissions
use project_xxx;
grant CreateVolume on project project_xxx to user user_xxx@aliyun.com;
grant Read on volume volume_xxx to user user_xxx@aliyun.com;
grant Write on volume volume_xxx to user user_xxx@aliyun.com;
-- Show permissions
use project_xxx;
show grants for user_xxx@aliyun.com;

Unauthorized access to a MaxCompute volume

  • Error message

    [403] com.aliyun.odps.OdpsException: ODPS-0420095: Access Denied - Volumes is not allowed in project config.
            at com.aliyun.odps.rest.RestClient.handleErrorResponse(RestClient.java:382)
            at com.aliyun.odps.rest.RestClient.request(RestClient.java:321)
            at com.aliyun.odps.rest.RestClient.request(RestClient.java:275)
            at com.aliyun.odps.Volume.reload(Volume.java:109)
            at com.aliyun.odps.Volumes.exists(Volumes.java:117)
            at com.aliyun.odps.Volumes.exists(Volumes.java:100)
  • Solution

    • MaxCompute volumes are built on Object Storage Service (OSS). You must activate OSS before you can use them. For more information about how to activate OSS, see Activate OSS Service.

    • You must also enable the volume feature for your account. To do this, apply for volume access.

Missing Download permission for a MaxCompute table

  • Error message

    elNum":0,"smallCategorySeekJobReduce2Num":0,"topk":"500","vectorSeparator":",","workerRtMap":{}}
    2019-11-26 09:44:06.772 [main] INFO  c.a.p.p.CentauriPipelineExecutor - [] - execute RowColWorker worker start ..........
    [ODPS] getCountOfTable 建立DownloadSession失败  RequestId=20191126094406d6cf890b01803690, ErrorCode=NoPermission, ErrorMessage=Authorization Failed [4019], You have NO privilege 'odps:Download' on {acs:odps:*:projects/palgo_fpage/tables/behemoth_plt_item_img_emb_proxima}.  Context ID:fd326e9d-9ac4-47a5-a088-87ad724f519f. --->Tips: CurrentProject:palgo_fpage_dev; Pricipal:ALIYUN$bsehfglmglm0@aliyun.com; No permission 'odps:Download' on resource acs:odps:*:projects/palgo_fpage/tables/behemoth_plt_item_img_emb_proxima
    CentauriException(code=20005, msg=odps任务运行失败, detailMsg=getCountOfTable error , odps client is null. tableName : palgo_fpage.behemoth_plt_item_img_emb_proxima)
    	at com.alibaba.proxima.utils.OdpsUtil.getCountOfTable(OdpsUtil.java:125)
    	at com.alibaba.proxima.pipeline.worker.odps.RowColWorker.apply(RowColWorker.java:23)
    	at com.alibaba.proxima.pipeline.runner.OdpsPipelineRunner.run(OdpsPipelineRunner.java:40)
    	at com.alibaba.proxima.pipeline.CentauriPipelineExecutor.execute(CentauriPipelineExecutor.java:30)
    	at com.alibaba.proxima.CentauriRunner.runWithNormal(CentauriRunner.java:30)
    	at com.alibaba.proxima.CentauriRunner.main(CentauriRunner.java:208)
    2019-11-26 09:44:07.138 [main] INFO  c.a.p.p.CentauriPipelineExecutor - [] - execute CleanUpWorker worker start ..........
    Exception in thread "main" java.lang.NullPointerException
    	at com.alibaba.proxima.pipeline.worker.odps.CleanUpWorker.apply(CleanUpWorker.java:24)
    	at com.alibaba.proxima.pipeline.runner.OdpsPipelineRunner.run(OdpsPipelineRunner.java:40)
    	at com.alibaba.proxima.pipeline.CentauriPipelineExecutor.execute(CentauriPipelineExecutor.java:30)
    	at com.alibaba.proxima.CentauriRunner.runWithNormal(CentauriRunner.java:44)
    	at com.alibaba.proxima.CentauriRunner.main(CentauriRunner.java:208)
    FAILED: Run job failed.
    2019-11-26 09:44:07 INFO ===========================================================
    2019-11-26 09:44:07 INFO Exit code of the Shell command 100
    2019-11-26 09:44:07 INFO --- Invocation of Shell command completed ---
  • Solution

    Go to Data Map in the DataWorks console. Search for the MaxCompute table and apply for the Download permission. After the permission is granted, you can download the table data. For more information, see Data Map.

Missing Describe, Select, or other table permissions

  • Error message

    OK
    OK
    OK
    Running job in console.
    2022-09-22 16:46:36.310 [main] INFO  c.a.proxima.config.ConfigConvert - [1] - lead sign from resource : PROXIMA_CENTAURI_CHECK_SIGN
    ...
    ODPS-0420095: Access Denied - Authorization Failed [4019]
    You don't have the permission to access 'odps:Describe' on {acs:odps:*:projects/alinlp_kgb_algo/tables/df_sem_query_offline_embedding}
    Context ID:37a079dc-0c9b-4053-b718-06adc10e5b2
    Tips: Principal:ALIYUN$xxx@xxx.com
    ...
    FAILED
    CentauriException(code=20005) odps样本运行失败
  • Solution

    Apply for the required permissions on the table in the project.

    Scenario: Cross-project

    Solution: If the table is in a different project, contact the table owner to request the required permissions. Alternatively, search for the table in Data Map in the DataWorks console and apply for permissions there.

    Scenario: Same project

    Solution:

    • If you created the table in the current project, you automatically have the necessary permissions.

    • If another user created the table, apply for permissions as you would for a cross-project table.

    • In special cases, such as when a project is protected, contact the project owner to grant the required permissions. For example scripts, see the permission-granting scripts at the top of this topic.
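
The triage described in the two table-permission sections, as an added example (not code from the MaxCompute documentation or tooling): it extracts the denied action, resource and principal from either message format and picks the scenario by comparing CurrentProject with the resource's project. `parse_denial` and `grant_statement` are hypothetical names, the sample lines are constructed, and the emitted grant assumes the same pattern as the volume grants at the top of this topic.

```python
import re

# Covers both message shapes quoted on this page:
#   You have NO privilege 'odps:Download' on {acs:odps:*:projects/P/tables/T}
#   You don't have the permission to access 'odps:Describe' on {acs:odps:*:projects/P/tables/T}
DENIAL = re.compile(
    r"'odps:(?P<action>\w+)'\s+on\s+\{acs:odps:\*:projects/"
    r"(?P<project>[^/}\s]+)/(?P<kind>\w+)/(?P<name>[^}\s]+)\}")
PRINCIPAL = re.compile(r"Prin?cipal:([^;\s]+)")   # the Download log spells it "Pricipal"
CURRENT = re.compile(r"CurrentProject:([^;\s]+)")

# Constructed sample lines (placeholder names), modelled on the two formats above.
SAMPLE_DOWNLOAD = (
    "ErrorCode=NoPermission, ErrorMessage=Authorization Failed [4019], "
    "You have NO privilege 'odps:Download' on "
    "{acs:odps:*:projects/project_xxx/tables/table_xxx}. --->Tips: "
    "CurrentProject:project_xxx_dev; Pricipal:ALIYUN$user_xxx@aliyun.com;")
SAMPLE_DESCRIBE = (
    "ODPS-0420095: Access Denied - Authorization Failed [4019]\n"
    "You don't have the permission to access 'odps:Describe' on "
    "{acs:odps:*:projects/project_xxx/tables/table_xxx}\n"
    "Tips: Principal:ALIYUN$user_xxx@aliyun.com\n")


def parse_denial(log_text):
    """Return the first authorization failure as a dict, or None if there is none."""
    m = DENIAL.search(log_text)
    if m is None:
        return None
    info = m.groupdict()
    p, c = PRINCIPAL.search(log_text), CURRENT.search(log_text)
    info["principal"] = p.group(1) if p else None
    info["current_project"] = c.group(1) if c else None
    # Scenario: compare the resource's project with the project the job ran in.
    if info["current_project"] is None:
        info["scenario"] = "unknown"
    elif info["current_project"] == info["project"]:
        info["scenario"] = "same-project"
    else:
        info["scenario"] = "cross-project"
    return info


def grant_statement(info):
    """Single-privilege grant, run in the resource's own project (assumed syntax)."""
    if not info.get("principal"):
        raise ValueError("log text does not name a principal")
    return (f"use {info['project']}; grant {info['action']} on "
            f"{info['kind'].rstrip('s')} {info['name']} to user {info['principal']};")
```

A job that runs in `project_xxx_dev` and reads a table in `project_xxx` is classified as cross-project, so the request goes to the owner of `project_xxx` and covers only the one action named in the error.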