Run security-related commands using the Java SDK

更新时间:
复制 MD 格式

Security-related commands in MaxCompute—such as GRANT, REVOKE, and SET LABEL—control access permissions and data classification. These commands are not SQL statements and cannot run through SQLTask. Use SecurityManager.runQuery() from MaxCompute SDK for Java to run them programmatically, or use the MaxCompute client to run them from the CLI.

Security-related commands

The following command prefixes identify security-related commands in MaxCompute:

GRANT/REVOKE ...
SHOW  GRANTS/ACL/PACKAGE/LABEL/ROLE/PRINCIPALS
SHOW  PRIV/PRIVILEGES
LIST/ADD/REMOVE  USERS/ROLES/TRUSTEDPROJECTS
DROP/CREATE  ROLE
CLEAR EXPIRED  GRANTS
DESC/DESCRIBE  ROLE/PACKAGE
CREATE/DELETE/DROP  PACKAGE
ADD ... TO  PACKAGE
REMOVE ... FROM  PACKAGE
ALLOW/DISALLOW  PROJECT
INSTALL/UNINSTALL  PACKAGE
LIST/ADD/REMOVE  ACCOUNTPROVIDERS
SET LABEL  ...

To run these commands, use one of the following methods:

Method

When to use

MaxCompute client

Run commands interactively from the CLI. See Security parameters.

SecurityManager.runQuery()

Run commands programmatically from Java applications. See the MaxCompute SDK for Java documentation.

Prerequisites

Before you begin, make sure you have:

  • IntelliJ IDEA installed. See Install IntelliJ IDEA.

  • MaxCompute Studio installed and connected to a MaxCompute project. See Install MaxCompute Studio and Manage project connections.

  • A MaxCompute Java module created with project dependencies configured. See Create a MaxCompute Java module.

  • The odps-sdk-core dependency added to your project. The SecurityManager class is included in this package: To get the latest version, search for odps-sdk-core on search.maven.org.

      <dependency>
        <groupId>com.aliyun.odps</groupId>
        <artifactId>odps-sdk-core</artifactId>
        <version>X.X.X-public</version>
      </dependency>

Run a security command via the Java SDK

This example sets a data classification label on specific columns of a table using SET LABEL.

Step 1: Create the test table

Run the following command on the MaxCompute client to create a test table named test_label:

CREATE TABLE IF NOT EXISTS test_label(
  key   STRING,
  value BIGINT
);

Step 2: Write and run the Java code

Create a Java class in your MaxCompute Java module and add the following code. Replace the placeholder values before running.

import com.aliyun.odps.Odps;
import com.aliyun.odps.OdpsException;
import com.aliyun.odps.account.Account;
import com.aliyun.odps.account.AliyunAccount;
import com.aliyun.odps.security.SecurityManager;

public class test {
  public static void main(String[] args) throws OdpsException {
    try {
      // Initialize the ODPS client
      Account account = new AliyunAccount("<your_accessid>", "<your_accesskey>");
      Odps odps = new Odps(account);
      odps.setEndpoint("http://service-corp.odps.aliyun-inc.com/api");
      odps.setDefaultProject("<your_project>");

      // Run a security command: set label 2 on both columns of test_label
      SecurityManager securityManager = odps.projects().get().getSecurityManager();
      String result = securityManager.runQuery("SET LABEL 2 TO TABLE test_label(key, value);", false);
      System.out.println(result);
    } catch (OdpsException e) {
      e.printStackTrace();
    }
  }
}

Replace the following placeholders:

Placeholder

Description

<your_accessid>

Your Alibaba Cloud AccessKey ID

<your_accesskey>

Your Alibaba Cloud AccessKey Secret

<your_project>

The name of your MaxCompute project

SecurityManager.runQuery() parameters

Parameter

Type

Description

query

String

The security command to run. Must be one of the supported security-related command prefixes listed above.

isDryRun

boolean

Whether to simulate execution without applying changes. Set to false to execute the command; set to true to validate syntax only.

Step 3: Verify the result

After the Java code runs successfully, verify that the label was applied by running the desc command on the MaxCompute client:

desc test_label;

The output shows the label assigned to each column. If the SET LABEL command took effect, the key and value columns display label 2:

+------------------------------------------------------------------------------------+
| Owner: ...                                                                         |
| Project: <your_project>                                                            |
| TableComment:                                                                      |
+------------------------------------------------------------------------------------+
| ...                                                                                |
+------------------------------------------------------------------------------------+
| Native Columns:                                                                    |
+------------------------------------------------------------------------------------+
| Field           | Type    | Label | Comment                                        |
+------------------------------------------------------------------------------------+
| key             | string  | 2     |                                                |
| value           | bigint  | 2     |                                                |
+------------------------------------------------------------------------------------+

Usage notes

  • The account used to call SecurityManager.runQuery() must have project-level permissions to run security commands, such as project owner or security administrator rights.

  • Label values in MaxCompute represent data classification levels. SET LABEL 2 assigns classification level 2 to the specified columns, controlling which users can access the data. See Label-based access control for the full classification model.

  • If the command fails, an OdpsException is thrown. Check the exception message for details such as insufficient permissions or invalid syntax.

  • Use the odps-sdk-core version that matches your MaxCompute project environment. Check search.maven.org for the latest public release.

What's next