GRANT

ACL-based access control

• Prerequisites

  Before you use ACL-based access control, ensure you have the following information:

  • The name of the account or role to which you want to grant permissions. The account or role must be added to the MaxCompute project. The format for an Alibaba Cloud account is ALIYUN$<Alibaba Cloud account>, and the format for a RAM user is RAM$<Alibaba Cloud account to which the RAM user belongs>:<RAM user name>.

    You can run the list users; or list roles; command on the MaxCompute client to obtain account or role information.

    To add a new user or role, see User planning and management or Role planning.

  • The object type, object name, and the actions to grant.

    For more information about object types and supported actions, see MaxCompute permissions.

• Limitations

  The following limits apply to ACL-based access control:

  • ACL-based access control lets you grant permissions only on existing objects and to existing subjects. This helps prevent security risks that arise from deleting and then re-creating an object with the same name.

  • ACL-based access control does not support permission delegation through the [with grant option] clause. For example, if User A grants User B access to an object, User B cannot grant that permission to User C.

  • ACL authorization uses a whitelist (Allow) model and does not support a blacklist (Deny) model.

• Usage notes

  Note the following when using ACL-based access control:

  • If an object is deleted, MaxCompute automatically revokes all ACL permissions associated with that object.

  • When a user is removed from a project, the permissions granted to that user are retained. If the user is added back to the project, their previous access permissions are reactivated. To permanently clear a user's permissions, see Permanently clear the permissions of a deleted user.

• Syntax

  The syntax for ACL-based access control commands is as follows:

  • Grant ACL permissions

    grant <actions> on <object_type> <object_name> 
    [(<column_list>)] to <subject_type> <subject_name> 
    [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

  • Column-level access control

    grant <actions> on table <table_name> (<column_list>) to <subject_type> <subject_name>;
    revoke <actions> on table <table_name> (<column_list>) from <subject_type> <subject_name>;

    The following table describes the parameters.

    Parameter		Required	Description
    actions		Yes	Specifies the action to grant. You can specify one or more actions in a single statement. If you specify multiple actions, separate them with commas (,). For a list of supported actions, see MaxCompute permissions.
    object_type		Yes	Specifies the type of the object on which permissions are granted. You can specify only one object type per statement. For a list of supported object types, see MaxCompute permissions.
    object_name		Yes	Specifies the name of the object on which permissions are granted. You can obtain the name in one of the following ways: Project name: Log on to the MaxCompute console, switch the region in the upper-left corner, and then go to the Projects tab to view the specific MaxCompute project name. Table name: Run the show tables; command on the MaxCompute client to obtain table or view names. Resource name: Run the list resources; command on the MaxCompute client to obtain resource names. Function name: Run the list functions; command on the MaxCompute client to obtain function names. Instance name: Run the show instances; command on the MaxCompute client to obtain instance IDs. You can use the wildcard character (*) for the object name. For example, table taobao* matches all tables whose names start with taobao. Note You can use the wildcard character (*) only when you grant permissions to a ROLE. The wildcard character is not supported for a USER.
    column_list		No	This parameter is required only when object_type is Table and you need to configure column-level access control. You can specify one or more column names, separated by commas (,). Note This parameter lets you control the Describe, Select, Alter, Update, Drop, ShowHistory, and ALL permissions on specific columns of a table. If columns in a table are configured with sensitivity levels, you can use label-based access control to manage access to sensitive data based on sensitivity levels.
    privilegeproperties	conditions	No	Controls permissions based on conditions such as the request source and access method. The format is "<var_name> <Operation> constant" and "<var_name> <Operation> constant" and .... For a list of supported var_name and Operation values, see Conditions.
    	days	No	Specifies the expiration period for the permissions, in days. If you do not specify this parameter, the permissions do not expire. If you specify this parameter, MaxCompute automatically revokes the permissions when they expire.
    subject_type		Yes	Specifies the type of the authorized subject. Valid values: USER: an Alibaba Cloud account or a RAM user ROLE: a role
    subject_name		Yes	Specifies the name of the authorized user or role. You can specify only one user or role per statement. You can run the list users; or list roles; command on the MaxCompute client to obtain the user account or role name.

• Conditions

  The following table lists the supported var_name and Operation values for conditions.

  var_name	Type	Operation	Description
  acs:UserAgent	STRING	StringEquals: = StringNotEquals: <> StringLike: like StringNotLike: not like	The User-Agent of the client that sends the request.
  acs:Referer	STRING		The HTTP referer of the request.
  acs:SourceIp	IP Address	IpAddress: in (...) NotIpAddress: not in (...)	The source IP address of the client that sends the request.
  acs:SecureTransport	BOOLEAN	True False	Indicates if the request uses a secure channel, such as HTTPS.
  acs:CurrentTime	DATEANDTIME	DateEquals: = DateNotEquals: <> DateLessThan: < DateLessThanEquals: <= DateGreaterThan: > DateGreaterThanEquals: >=	The time the web server received the request, in ISO 8601 format, such as 2012-11-11T23:59:59Z.

• Examples

  Assume that the Alibaba Cloud account Bob@aliyun.com is the project owner of test_project_a, and Allen, Alice, and Tom are RAM users under Bob@aliyun.com. The following examples show how to run authorization commands on the MaxCompute client:

  • Example 1: grant permissions to a user

    Create a table named sale_detail in the test_project_a project and grant the Describe (read metadata) and Select (read data) permissions on the table to the user Allen. Sample commands:

    --Switch to the test_project_a project.
    use test_project_a; 
    --Create a partitioned table named sale_detail.
    create table if not exists sale_detail
    (
    shop_name     string,
    customer_id   string,
    total_price   double
    )
    partitioned by (sale_date string, region string);
    --Add the RAM user Allen as a project member.
    add user RAM$Bob@aliyun.com:Allen;
    --Grant permissions to Allen.
    grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
    --View the permissions granted to Allen.
    show grants for RAM$Bob@aliyun.com:Allen; 
    --The following result is returned.
    Authorization Type: ACL
    [user/RAM$Bob@aliyun.com:Allen]
    A       projects/test_project_a/tables/sale_detail: Describe | Select

  • Example 2: grant column-level permissions to a user

    Based on the sale_detail table created in Example 1, grant Alice all permissions on the shop_name and customer_id columns. Sample commands:

    --Switch to the test_project_a project.
    use test_project_a; 
    --Add the RAM user Alice as a project member.
    add user RAM$Bob@aliyun.com:Alice;
    --Grant column-level permissions to Alice.
    grant All on table sale_detail (shop_name, customer_id) to USER RAM$Bob@aliyun.com:Alice;
    --View the permissions granted to Alice.
    show grants for RAM$Bob@aliyun.com:Alice; 
    --The following result is returned.
    Authorization Type: ACL
    [user/RAM$Bob@aliyun.com:Alice]
    A       projects/test_project_a/tables/sale_detail/customer_id: All
    A       projects/test_project_a/tables/sale_detail/shop_name: All

  • Example 3: grant the same permissions to multiple users by using a role

    Grant permissions to create instances, resources, functions, and tables, and to list all object types in the test_project_a project to the RAM users Alice and Tom, and the Alibaba Cloud account Lily@aliyun.com. Sample commands:

    --Switch to the test_project_a project.
    use test_project_a; 
    --Add the users Alice, Tom, and Lily@aliyun.com as project members.
    add user RAM$Bob@aliyun.com:Alice;
    add user RAM$Bob@aliyun.com:Tom;
    add user ALIYUN$Lily@aliyun.com;
    --Create a role named Worker.
    create role Worker; 
    --Assign the Worker role to the users.
    grant Worker TO RAM$Bob@aliyun.com:Alice; 
    grant Worker TO RAM$Bob@aliyun.com:Tom; 
    grant Worker TO ALIYUN$Lily@aliyun.com; 
    --Grant the CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions on the test_project_a project to the Worker role.
    grant CreateInstance, CreateResource, CreateFunction, CreateTable, List on project test_project_a TO ROLE Worker;
    --View the permissions granted to the user Lily.
    show grants for ALIYUN$Lily@aliyun.com; 
    --The following result is returned. The result indicates that the user Lily has been granted the permissions.
    [roles]
    worker
    
    Authorization Type: ACL
    [role/worker]
    A       projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List

Policy-based access control

• Prerequisites

  To use policy-based access control, you need the following information:

  • The name of the role that will receive the permissions. The role must already exist in the MaxCompute project.

    Run the list roles; command on the MaxCompute client to view existing roles.

    To add a new role, see Role planning.

  • The object type, object name, and the actions to grant.

    For more information about object types and actions, see MaxCompute permissions.

• Limitations

  Policy-based access control supports granting permissions only to existing roles.

• Notes

  Note the following when you use policy-based access control:

  • If both an allow list and a deny list are configured, the deny list takes precedence.

  • Policy-based access control allows you to grant permissions on an object that does not exist. When an object is deleted, the associated policy authorization is not removed. This can create a security risk if you later recreate an object with the same name.

  • When a user is removed from a project, the permissions granted to that user are retained. If the user is added back to the project, their previous access permissions are reactivated. To permanently clear a user's permissions, see Permanently clear the permissions of a deleted user.

• Syntax

  The policy-based access control command uses the following syntax:

  grant <actions> on <object_type> <object_name> 
  to ROLE <role_name> 
  privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>" ,"expires"="<days>"]);

• Parameters

  Parameter		Required	Description
  actions		Yes	The actions to grant. You can specify multiple actions in a single statement. If you specify multiple actions, separate them with commas (,). For a list of valid actions, see MaxCompute permissions.
  object_type		Yes	The type of object on which to grant permissions. You can specify only one object type per statement. For a list of valid object types, see MaxCompute permissions.
  object_name		Yes	The name of the object. You can obtain the names as follows: Project name: Log on to the MaxCompute console, switch the region in the upper-left corner, and then find the MaxCompute project name on the Projects tab. Table name: Run the show tables; command on the MaxCompute client to get the names of tables or views. Resource name: Run the list resources; command on the MaxCompute client to get resource names. Function name: Run the list functions; command on the MaxCompute client to get function names. Instance name: Run the show instances; command on the MaxCompute client to get instance IDs. You can use an asterisk (*) as a wildcard in an object name. For example, table taobao* indicates all tables whose names start with taobao. Note You can use a wildcard (*) only when you grant permissions to a ROLE. Wildcards are not supported when you grant permissions to a USER.
  role_name		Yes	The name of the role to receive the permissions. You can specify only one role per statement. You can run the list roles; command on the MaxCompute client to get the role name.
  privilegeproperties	policy	Yes	Must be set to true. This enables policy-based access control.
  	allow	Required for allow list policies.	Specifies the authorization mechanism. Valid values: true: Allows the specified action on the specified object. false: Denies the specified action on the specified object. This functions as a deny list.
  	conditions	No	Controls permissions based on conditions such as the request source and access method. For a list of valid parameter values, see Conditions.
  	days	No	The validity period of the permissions, in days. If this parameter is not specified, the permissions do not expire. If specified, MaxCompute automatically revokes the permissions upon expiration.

• Examples

  Assume that the Alibaba Cloud account Bob@aliyun.com is the project owner of 'test_project_a', and Allen and Tom are RAM users that belong to bob@aliyun.com. Allen has the Admin role for the 'test_project_a' project. The following examples show how to run authorization commands on the MaxCompute client:

  • Example 1: Grant permissions to a user based on a role (deny list)

    Deny the RAM user Tom permission to drop tables whose names start with tb_. Sample commands:

    --Enter the test_project_a project.
    use test_project_a; 
    --Create a role named Worker.
    create role Worker; 
    --Add the RAM user Tom as a project member.
    add user RAM$Bob@aliyun.com:Tom;
    --Assign the Worker role to the RAM user Tom.
    grant Worker TO RAM$Bob@aliyun.com:Tom; 
    --Deny the Worker role permission to drop tables whose names start with tb_ in the test_project_a project.
    grant Drop on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
    --View the permissions granted to the RAM user Tom.
    show grants for RAM$Bob@aliyun.com:Tom; 
    --The following result is returned. D indicates Deny. The permission to drop tables whose names start with tb_ is denied.
    Authorization Type: Policy
    [role/worker]
    D      projects/test_project_a/tables/tb_*: Drop

  • Example 2: Revoke a policy-based authorization (deny list)

    Based on Example 1, revoke the authorization from the user Tom.

    --Enter the test_project_a project.
    use test_project_a; 
    --Revoke the Worker role from the RAM user Tom.
    revoke Worker from RAM$Bob@aliyun.com:Tom;
    --View the permissions of the RAM user Tom. The Drop permission is no longer in the permission list.
    show grants for RAM$Bob@aliyun.com:Tom; 

  • Example 3: Grant permissions to a user based on a role (allow list)

    Allow the RAM user Tom to update data in tables whose names start with tb_. Sample commands:

    --Enter the test_project_a project.
    use test_project_a; 
    --Create a role named Worker.
    create role Worker; 
    --Add the RAM user Tom as a project member.
    add user RAM$Bob@aliyun.com:Tom;
    --Assign the Worker role to the RAM user Tom.
    grant Worker TO RAM$Bob@aliyun.com:Tom; 
    --Allow the Worker role to update data in tables whose names start with tb_ in the test_project_a project.
    grant Update on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    --View the permissions granted to the RAM user Tom.
    show grants for RAM$Bob@aliyun.com:Tom; 
    --The following result is returned. A indicates Allow. The permission to update data in tables whose names start with tb_ is granted.
    Authorization Type: Policy
    [role/worker]
    A       projects/test_project_a/tables/tb_*: Update

  • Example 4: Revoke a policy-based authorization (allow list)

    Based on Example 3, revoke the authorization from the user Tom.

    --Enter the test_project_a project.
    use test_project_a; 
    --Revoke the Worker role from the RAM user Tom.
    revoke Worker from RAM$Bob@aliyun.com:Tom;
    --View the permissions of the RAM user Tom. The Update permission is no longer in the permission list.
    show grants for RAM$Bob@aliyun.com:Tom; 

  • Example 5: Grant fine-grained permissions to a user with a built-in role

    Deny the RAM user Allen permission to drop any table in the test_project_a project. Sample commands:

    --Enter the test_project_a project.
    use test_project_a; 
    --Create a role named Worker.
    create role Worker; 
    --Assign the Worker role to the RAM user Allen.
    grant Worker TO RAM$Bob@aliyun.com:Allen; 
    --Deny the Worker role permission to drop any table in the test_project_a project.
    grant Drop on table * to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
    --View the permissions granted to the RAM user Allen.
    show grants for RAM$Bob@aliyun.com:Allen; 
    --The following result is returned. Dropping any table is denied.
    [roles]
    role_project_admin, worker
    
    Authorization Type: Policy
    [role/role_project_admin]
    A       projects/test_project_a: *
    A       projects/test_project_a/instances/*: *
    A       projects/test_project_a/jobs/*: *
    A       projects/test_project_a/offlinemodels/*: *
    A       projects/test_project_a/packages/*: *
    A       projects/test_project_a/registration/functions/*: *
    A       projects/test_project_a/resources/*: *
    A       projects/test_project_a/tables/*: *
    A       projects/test_project_a/volumes/*: *
    
    [role/worker]
    A       projects/test_project_a/tables/tb_*: Update
    D       projects/test_project_a/tables/*: Drop
    
    Authorization Type: ObjectCreator
    AG      projects/test_project_a/tables/local_test: All
    AG      projects/test_project_a/tables/mr_multiinout_out1: All
    AG      projects/test_project_a/tables/mr_multiinout_out2: All
    AG      projects/test_project_a/tables/ramtest: All
    AG      projects/test_project_a/tables/wc_in: All
    AG      projects/test_project_a/tables/wc_in1: All
    AG      projects/test_project_a/tables/wc_in2: All
    AG      projects/test_project_a/tables/wc_out: All

  • Example 6: Revoke permissions from a user with a built-in role

    Based on Example 5, revoke the authorization from the user Allen. Sample commands:

    --Enter the test_project_a project.
    use test_project_a; 
    --Revoke the Worker role from the RAM user Allen.
    revoke Worker from RAM$Bob@aliyun.com:Allen;
    --View the permissions of the RAM user Allen. The Drop permission is no longer in the permission list.
    show grants for RAM$Bob@aliyun.com:Allen; 

Grant a role to a user

When you grant a role to a user, the user gains all the permissions assigned to that role.

• Limitations

  Before you grant a role to a user, you must first grant the role the required permissions on objects in a project. For more information, see Grant permissions to a role or user.

• Syntax

  grant <role_name> to <user_name>;

• Parameters

  • role_name: Required. The name of the role to be granted.

  • user_name: Required. The Alibaba Cloud account or RAM user to receive the role. The format for an Alibaba Cloud account is ALIYUN$****@aliyun.com, and the format for a RAM user is RAM$****.

• Example

  -- Grant the player role to the Alibaba Cloud account test_user@aliyun.com.
  grant player to ALIYUN$test_user@aliyun.com;

Grant package access

Grant a user or role access to a package in the MaxCompute project where the package is installed.

An installed package is an independent object type in MaxCompute. To access resources in a package, you must have the Read permission on that package. If the requester does not have the Read permission, the project owner or a user with the Super_Administrator or Admin role can grant the permission using ACL-based access control.

• Syntax

  grant <actions> on package <project_name>.<package_name> to {USER|ROLE} <name>;

• Usage notes

  After you grant the permission, the user or role can access resources in the package only in the project where the package is installed. To manage permissions on packages in a fine-grained manner, see Package permission control.

• Parameters

  Parameter	Required	Description
  actions	Yes	The action to perform on resources in the package. This parameter must be set to Read.
  project_name	Yes	The name of the MaxCompute project where the package is installed. To find the project name, log on to the MaxCompute console, select a region in the upper-left corner, and go to the Projects tab.
  package_name	Yes	The name of the package. To view information about existing packages, run the show packages; command on the MaxCompute client.
  name	Yes	The user or role that is granted the permission. You can specify only one user or role at a time. To get the name of the user or role, run the list users; or list roles; command on the MaxCompute client.

• Example

  Assume that Bella is a RAM user who belongs to the Alibaba Cloud account Amy@aliyun.com. The following example shows how to grant Bella access to a package.

  -- Grant Bella access to the package.
  grant Read on package test_project_a.datashare to user RAM$Amy@aliyun.com:Bella;

Related commands

• CREATE PACKAGE: Creates a package.

• CREATE ROLE: Creates a role in a MaxCompute project.

• REVOKE: Revokes permissions to access a package from a user or role.