REVOKE


MaxCompute lets you use Access Control Lists (ACLs) or policies to revoke permissions from a user or role for specific operations on an object.

Prerequisites

To use ACLs or policies for access control, you need the following information:

  • The user account or role name. The specified user or role must exist in the MaxCompute project. The format for an Alibaba Cloud account is ALIYUN$<alibaba_cloud_account>, and the format for a RAM user account is RAM$<alibaba_cloud_account>:<ram_user_name>.

    You can run the list users; or list roles; command in the MaxCompute client to get user or role information.

    To add a user or role, see User planning and management or Role planning.

  • The object type and name, and the actions to revoke.

    For more information about object types and supported actions, see MaxCompute permissions.

Limitations

ACLs have the following limitations:

  • ACLs support granting permissions only on existing objects and to existing users or roles. This model prevents security risks that can occur if you delete and then re-create an object with the same name.

  • ACLs do not support granting permissions with the [with grant option] clause. For example, if user A grants user B permission to access an object, user B cannot grant the same permission to user C.

  • ACLs support only whitelisting. Blacklisting is not supported.

  • Policy-based permission control supports granting permissions only to existing roles.

Usage notes

  • Note the following when you use ACLs:

    • If you delete an object, MaxCompute automatically revokes all ACL permissions associated with that object.

    • When a user is removed from a project, their permissions are retained. If the user is added back to the project later, their previous permissions are automatically reactivated. To permanently clear a deleted user's permissions, see Permanently clear the permissions of a deleted user.

  • Note the following when you use policies:

    • Policies let you grant permissions on objects that do not yet exist. If you delete an object, its policy-based permissions are not deleted. Be aware of the security risks if you delete and then re-create an object with the same name.

    • When a user is removed from a project, their permissions are retained. If the user is added back to the project later, their previous permissions are automatically reactivated. To permanently clear a deleted user's permissions, see Permanently clear the permissions of a deleted user.

Syntax

  • Revoke ACL permissions

    revoke <actions> on <object_type> <object_name> 
    [(<column_list>)] from <subject_type> <subject_name>;
  • Revoke policy-based permissions

    revoke <actions> on <object_type> <object_name> 
    from ROLE <role_name> 
    privilegeproperties ("policy" = "true", "allow"="{true|false}");

Parameters

  • actions: Required. The actions to revoke. You can specify one or more actions. If you specify multiple actions, separate them with commas (,). For more information about supported actions, see MaxCompute permissions.

  • object_type: Required. The type of the object. You can specify only one object type in a single statement. For more information about supported object types, see MaxCompute permissions.

  • object_name: Required. The object name. You can find object names in the following ways:

    • Project name: Log on to the MaxCompute console. In the top navigation bar, select a region. You can find the MaxCompute project name on the Projects tab.

    • Table name: Run the show tables; command in the MaxCompute client to get table or view names.

    • Resource name: Run the list resources; command in the MaxCompute client to get resource names.

    • Function name: Run the list functions; command in the MaxCompute client to get function names.

    • Instance name: Run the show instances; command in the MaxCompute client to get instance IDs.

    You can use a wildcard (*) in the object name. For example, table taobao* refers to all tables whose names start with taobao.

    Note: The wildcard (*) is supported only when revoking permissions from a ROLE. It is not supported for a USER.

  • column_list: Optional. Used only when object_type is Table and you want to perform column-level access control. You can specify one or more columns. Separate multiple column names with commas (,).

    Note: This parameter controls the Describe, Select, Alter, Update, Drop, ShowHistory, and ALL permissions for the specified columns. If columns are assigned a sensitivity level, you can use label-based access control to manage permissions to access sensitive data.

  • subject_type: Required. The type of the principal. Valid values:

    • USER: An Alibaba Cloud account or a RAM user.

    • ROLE: A role.

  • subject_name: Required. The name of the user account or role from which permissions are revoked. You can specify only one user or role. You can run the list users; or list roles; command in the MaxCompute client to find user account or role names.

  • role_name: Required (policy-based syntax). The name of the role from which permissions are revoked. You can specify only one role. You can run the list roles; command in the MaxCompute client to find role names.

  • privilegeproperties: Required (policy-based syntax). Contains the following properties:

    • policy: Required. Set the value to true. This indicates that policy-based permission control is used.

    • allow: Required for whitelisting. Specifies the authorization mechanism. Valid values:

      • true: whitelist. Allows the specified action on the specified object.

      • false: blacklist. Denies the specified action on the specified object.

Execution environment

You can run the commands in this topic in the following tools:

  • MaxCompute client

    Connect to a MaxCompute project and then run the command.

  • SQL analytics

    Run the use <project_name>; command to switch to the target MaxCompute project, and then run the command.

Examples

Assume that the Alibaba Cloud account Bob@aliyun.com is the project owner of test_project_a, and Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. The following examples show how to run revoke commands in the MaxCompute client:

  • Example 1: Revoke permissions from a user

    This example revokes permissions from the users Allen and Alice. Sample commands:

    -- As Bob, enter the test_project_a project.
    use test_project_a; 
    -- Revoke permissions from Allen.
    revoke Describe, Select on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Allen;
    -- Revoke permissions from Alice.
    revoke All on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Alice;
    -- Verify the result for Allen. The permission list no longer includes the Describe or Select permissions.
    show grants for RAM$Bob@aliyun.com:Allen; 
    -- Verify the result for Alice. The permission list no longer includes the All permission.
    show grants for RAM$Bob@aliyun.com:Alice; 
  • Example 2: Revoke the same permissions from multiple users by removing a role

    This example revokes the Worker role, and with it the permissions the role carries, from the RAM users Alice and Tom and from the Alibaba Cloud account Lily@aliyun.com. Sample commands:

    -- As Bob, enter the test_project_a project.
    use test_project_a; 
    -- Revoke the Worker role from the users Alice, Tom, and Lily@aliyun.com.
    revoke Worker from RAM$Bob@aliyun.com:Alice;
    revoke Worker from RAM$Bob@aliyun.com:Tom;
    revoke Worker from ALIYUN$Lily@aliyun.com;
    -- Verify the result for Lily. The role list no longer includes the Worker role.
    show grants for ALIYUN$Lily@aliyun.com; 
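The examples above cover only the ACL form of the statement. The following walkthrough is an added example, not code from the original page, that shows why the policy form of revoke matters: a policy-based grant survives dropping and re-creating the object (as the usage notes state), so it must be revoked explicitly, and a deny entry is removed with the same statement and "allow" = "false". The project test_project_a and the RAM user Allen are taken from the examples above; the role data_reader, the column definition of sale_detail, and the use of a throw-away copy of the table are assumptions for this walkthrough.

```sql
-- Added example (not from the original page). Assumes project test_project_a and the
-- RAM user Allen from the examples above; the role data_reader and the table
-- definition are assumptions. Run as the project owner on a disposable table.
use test_project_a;

-- 1. Grant Select through a policy. Policies may target objects that do not exist yet.
create role data_reader;
grant Select on table sale_detail to ROLE data_reader
  privilegeproperties ("policy" = "true", "allow" = "true");
grant data_reader to RAM$Bob@aliyun.com:Allen;

-- 2. Drop and re-create the table. An ACL grant is removed automatically on drop;
--    the policy grant is not, so a new table with the same name inherits it.
drop table if exists sale_detail;
create table sale_detail (shop_name string, customer_id string, total_price double);
show grants for RAM$Bob@aliyun.com:Allen;
-- The policy-based Select on sale_detail is still listed through data_reader.

-- 3. Revoke the policy entry explicitly with the policy form of the statement,
--    matching the "policy" and "allow" values used in the grant.
revoke Select on table sale_detail from ROLE data_reader
  privilegeproperties ("policy" = "true", "allow" = "true");
show grants for RAM$Bob@aliyun.com:Allen;
-- Select on sale_detail is no longer listed.

-- 4. A deny (blacklist) entry is removed the same way, with "allow" = "false".
grant Select on table sale_detail to ROLE data_reader
  privilegeproperties ("policy" = "true", "allow" = "false");
revoke Select on table sale_detail from ROLE data_reader
  privilegeproperties ("policy" = "true", "allow" = "false");
```

Run the show grants check after every drop-and-recreate of an object that carries policy grants; the wildcard form of object_name makes this especially easy to miss, because a policy written for sale_* continues to match any table created later under that prefix.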

Revoke permission to access a package

You can revoke permission from a user or role to access an installed package.

  • Syntax

    revoke <actions> on package <project_name>.<package_name> from {USER|ROLE} <name>;
  • Parameters

    • actions: Required. The action to revoke. The only valid value is Read.

    • project_name: Required. The name of the MaxCompute project to which the package belongs. Log on to the MaxCompute console. In the top navigation bar, select a region. The project name is on the Projects tab.

    • package_name: Required. The name of the package. You can run the show packages; command in the MaxCompute client to list created packages.

    • name: Required. The name of the user account or role from which to revoke the permission. You can specify only one user or role. You can run the list users; or list roles; command in the MaxCompute client to find user account or role names.

  • Example

    Revoke permission to access the datashare package in test_project_a from the RAM user Bella, who belongs to the Alibaba Cloud account Amy@aliyun.com. Sample command:

    -- Revoke permission from Bella to access the datashare package.
    revoke Read on package test_project_a.datashare from user RAM$Amy@aliyun.com:Bella;

Revoke explicit Label permissions

A project owner or a user with the Admin role can revoke explicit Label permissions.

  • Syntax

    revoke Label on table <table_name> [(<column_list>)] from {USER|ROLE} <name>;
  • Usage notes

    • If you revoke a user's explicit Label permissions on a table, their explicit Label permissions on the columns of that table are also revoked.

    • Revoking explicit Label permissions does not affect the access level set for a user. For example, a user has an access level of 2 and is explicitly granted permission to access data with a sensitivity level of up to 3 in a table. After you revoke this explicit permission, the user can still access data in the table with a sensitivity level of 2 or lower.

  • Parameters

    • table_name: Required. The name of the table or view. You can run the show tables; command in the MaxCompute client to get table or view names.

    • column_list: Optional. The columns from which you want to revoke permission to access sensitive data. You can specify multiple columns. Separate multiple column names with commas (,).

    • name: Required. The name of the user or role. You can run the list users; or list roles; command in the MaxCompute client to find user account or role names.

  • Example

    Assume that the test_project_a project contains a table named sale_detail with the columns shop_name, customer_id, and total_price. Bob@aliyun.com is the project owner of test_project_a. Allen is a RAM user that belongs to Bob and has been added to the project.

    Revoke permission from Allen to access highly sensitive data. Sample commands:

    -- Revoke permission from Allen to access data with a sensitivity level up to 3 in the shop_name, customer_id, and total_price columns of the sale_detail table.
    revoke Label on table sale_detail(shop_name, customer_id, total_price) from USER RAM$Bob@aliyun.com:Allen;
    -- Verify the result for Allen.
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned. The explicit grant is revoked.
    User Label: 1
    -- Revoke permission from Allen to access sensitive data in the sale_detail table.
    revoke Label on table sale_detail from USER RAM$Bob@aliyun.com:Allen; 
    -- Verify the result for Allen.
    show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
    -- The following result is returned.
    User Label: 1

Remove a user from a role

Removes a user from a specified role.

  • Syntax

    revoke <role_name> from <user_name>;
  • Parameters

    • role_name: Required. The name of the role from which to remove the user.

    • user_name: Required. The account of the Alibaba Cloud user or RAM user to remove. The format for an Alibaba Cloud account is ALIYUN$<alibaba_cloud_account>, and the format for a RAM user is RAM$<alibaba_cloud_account>:<ram_user_name>.

  • Example

    -- Remove the Alibaba Cloud user alice@aliyun.com from the player role.
    revoke player from ALIYUN$alice@aliyun.com;

Related commands

  • CREATE PACKAGE: Creates a package.

  • CREATE ROLE: Creates a role in a MaxCompute project.

  • SET LABEL: MaxCompute supports label-based access control. You can set an access level for a user and a sensitivity level for a table or column at the project level.

  • GRANT: Grants permissions to a user or role for specific operations on an object by using Access Control Lists (ACLs).