Security-related commands in MaxCompute—such as GRANT, REVOKE, and SET LABEL—control access permissions and data classification. These commands are not SQL statements and cannot run through SQLTask. Use SecurityManager.runQuery() from MaxCompute SDK for Java to run them programmatically, or use the MaxCompute client to run them from the CLI.
Security-related commands
The following command prefixes identify security-related commands in MaxCompute:
GRANT/REVOKE ...
SHOW GRANTS/ACL/PACKAGE/LABEL/ROLE/PRINCIPALS
SHOW PRIV/PRIVILEGES
LIST/ADD/REMOVE USERS/ROLES/TRUSTEDPROJECTS
DROP/CREATE ROLE
CLEAR EXPIRED GRANTS
DESC/DESCRIBE ROLE/PACKAGE
CREATE/DELETE/DROP PACKAGE
ADD ... TO PACKAGE
REMOVE ... FROM PACKAGE
ALLOW/DISALLOW PROJECT
INSTALL/UNINSTALL PACKAGE
LIST/ADD/REMOVE ACCOUNTPROVIDERS
SET LABEL ...To run these commands, use one of the following methods:
Method | When to use |
MaxCompute client | Run commands interactively from the CLI. See Security parameters. |
| Run commands programmatically from Java applications. See the MaxCompute SDK for Java documentation. |
Prerequisites
Before you begin, make sure you have:
IntelliJ IDEA installed. See Install IntelliJ IDEA.
MaxCompute Studio installed and connected to a MaxCompute project. See Install MaxCompute Studio and Manage project connections.
A MaxCompute Java module created with project dependencies configured. See Create a MaxCompute Java module.
The
odps-sdk-coredependency added to your project. TheSecurityManagerclass is included in this package: To get the latest version, search forodps-sdk-coreon search.maven.org.<dependency> <groupId>com.aliyun.odps</groupId> <artifactId>odps-sdk-core</artifactId> <version>X.X.X-public</version> </dependency>
Run a security command via the Java SDK
This example sets a data classification label on specific columns of a table using SET LABEL.
Step 1: Create the test table
Run the following command on the MaxCompute client to create a test table named test_label:
CREATE TABLE IF NOT EXISTS test_label(
key STRING,
value BIGINT
);Step 2: Write and run the Java code
Create a Java class in your MaxCompute Java module and add the following code. Replace the placeholder values before running.
import com.aliyun.odps.Odps;
import com.aliyun.odps.OdpsException;
import com.aliyun.odps.account.Account;
import com.aliyun.odps.account.AliyunAccount;
import com.aliyun.odps.security.SecurityManager;
public class test {
public static void main(String[] args) throws OdpsException {
try {
// Initialize the ODPS client
Account account = new AliyunAccount("<your_accessid>", "<your_accesskey>");
Odps odps = new Odps(account);
odps.setEndpoint("http://service-corp.odps.aliyun-inc.com/api");
odps.setDefaultProject("<your_project>");
// Run a security command: set label 2 on both columns of test_label
SecurityManager securityManager = odps.projects().get().getSecurityManager();
String result = securityManager.runQuery("SET LABEL 2 TO TABLE test_label(key, value);", false);
System.out.println(result);
} catch (OdpsException e) {
e.printStackTrace();
}
}
}Replace the following placeholders:
Placeholder | Description |
| Your Alibaba Cloud AccessKey ID |
| Your Alibaba Cloud AccessKey Secret |
| The name of your MaxCompute project |
SecurityManager.runQuery() parameters
Parameter | Type | Description |
| String | The security command to run. Must be one of the supported security-related command prefixes listed above. |
| boolean | Whether to simulate execution without applying changes. Set to |
Step 3: Verify the result
After the Java code runs successfully, verify that the label was applied by running the desc command on the MaxCompute client:
desc test_label;The output shows the label assigned to each column. If the SET LABEL command took effect, the key and value columns display label 2:
+------------------------------------------------------------------------------------+
| Owner: ... |
| Project: <your_project> |
| TableComment: |
+------------------------------------------------------------------------------------+
| ... |
+------------------------------------------------------------------------------------+
| Native Columns: |
+------------------------------------------------------------------------------------+
| Field | Type | Label | Comment |
+------------------------------------------------------------------------------------+
| key | string | 2 | |
| value | bigint | 2 | |
+------------------------------------------------------------------------------------+Usage notes
The account used to call
SecurityManager.runQuery()must have project-level permissions to run security commands, such as project owner or security administrator rights.Label values in MaxCompute represent data classification levels.
SET LABEL 2assigns classification level 2 to the specified columns, controlling which users can access the data. See Label-based access control for the full classification model.If the command fails, an
OdpsExceptionis thrown. Check the exception message for details such as insufficient permissions or invalid syntax.Use the
odps-sdk-coreversion that matches your MaxCompute project environment. Check search.maven.org for the latest public release.
What's next
MaxCompute permissions — Understand the full permission model.
Label-based access control — Learn how label values control data access.
Security parameters — Configure security settings for your project.
Cross-project resource access based on packages — Share resources securely across projects.