MaxCompute外部表权限配置和使用

本文为您介绍在同账号及跨账号场景下如何访问OSS中的数据。

场景描述

本文以A、B、C三个阿里云账号为例,分别说明同账号跨账号访问OSS数据的场景。

image

注意事项

  • 配置权限时,请在只读环境中进行测试,避免因错误授权而导致数据写入错误。

  • 自定义Role时需注意授权范围,避免非预期权限的泄露。

数据概览

本文使用到的各项示例数据如下:

配置项

账号A

账号B

账号C

账号ID

124

146

139

MaxCompute

项目名称

mc_policy_config_a

mc_policy_config_b

mc_policy_config_c

地域

华东1(杭州)

OSS数据路径

oss-mc-test/test-oss-a

不涉及

不涉及

默认Role名称

(具备访问OSS的权限)

AliyunODPSDefaultRole

不涉及

不涉及

自定义Role名称

(具备访问OSS的权限)

role-a-to-a、role-a-to-b

不涉及

不涉及

RamUser名称

mc_user_a

mc_user_b

mc_user_c

RamRole名称

ramrole-user-A

ramrole-user-B

ramrole-user-C

权限策略名称

OdpsPolicy_A

OdpsPolicy_B

不涉及

同账号内访问:AMaxCompute外表访问AOSS数据

由账号A创建一个角色或者使用默认角色,创建外部表来访问AOSS数据。

访问OSSRole准备(自定义或默认Role)

默认:AliyunODPSDefaultRole

MaxComputeOSSOwner为同一个账号时,完成OSSSTS模式授权方式一的操作后,会默认生成一个AliyunODPSDefaultRole用于访问OSS。

说明

默认创建的AliyunODPSDefaultRole权限较多,仅供参考,您需要根据MaxCompute外表或外部数据源可访问的外部数据权限,在RAM控制台中配置合理的权限策略和信任策略。

自定义Role

若您需要通过自建的Role访问OSS,请使用A主账号新建自定义角色并授权。操作步骤请参见创建自定义Role。本文配置示例如下:

操作

参数

示例

创建RAM角色

信任主体类型

选择云服务

信任主体名称

选择云原生大数据计算服务 MaxCompute

角色名称

role-a-to-a。

修改RAM角色信任策略

信任策略

信任策略示例如下,表示允许MaxCompute服务扮演该角色。

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

添加权限策略

权限策略

权限策略,名称为OdpsPolicy_A

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts",
        "oss:GetBucketInfo",
        "oss:PostDataLakeStorageFileOperation",
        "oss:PostDataLakeStorageAdminOperation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*/.dlsdata",
        "acs:oss:*:*:*/.dlsdata*"
      ]
    },
    {
      "Action": [
        "ots:ListTable",
        "ots:DescribeTable",
        "ots:GetRow",
        "ots:PutRow",
        "ots:UpdateRow",
        "ots:DeleteRow",
        "ots:GetRange",
        "ots:BatchGetRow",
        "ots:BatchWriteRow",
        "ots:ComputeSplitPointsBySize"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeRegions",
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeVpcs",
        "pvtz:DescribeZoneRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction",
        "dlf:BatchGetPartitions",
        "dlf:ListDatabases",
        "dlf:CreateLock",
        "dlf:UpdateFunction",
        "dlf:BatchUpdateTables",
        "dlf:DeleteTableVersion",
        "dlf:UpdatePartitionColumnStatistics",
        "dlf:ListPartitions",
        "dlf:DeletePartitionColumnStatistics",
        "dlf:BatchUpdatePartitions",
        "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions",
        "dlf:ListFunctions",
        "dlf:DeleteTable",
        "dlf:GetTableVersion",
        "dlf:AbortLock",
        "dlf:GetTable",
        "dlf:BatchDeleteTables",
        "dlf:RenameTable",
        "dlf:RefreshLock",
        "dlf:DeletePartition",
        "dlf:UnLock",
        "dlf:GetLock",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:BatchCreatePartitions",
        "dlf:ListPartitionNames",
        "dlf:RenamePartition",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:UpdateTableColumnStatistics",
        "dlf:ListTableNames",
        "dlf:UpdateDatabase",
        "dlf:GetTableColumnStatistics",
        "dlf:ListFunctionNames",
        "dlf:ListPartitionsByFilter",
        "dlf:GetPartitionColumnStatistics",
        "dlf:CreatePartition",
        "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics",
        "dlf:ListTableVersions",
        "dlf:BatchDeletePartitions",
        "dlf:ListCatalogs",
        "dlf:UpdateTable",
        "dlf:ListTables",
        "dlf:DeleteDatabase",
        "dlf:BatchGetTables",
        "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "pai:AssumeUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "odps:ActOnBehalfOfAnotherUser",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

A主账号访问A的数据

A主账号通过默认角色AliyunODPSDefaultRole或自定义角色role-a-to-a创建外部表,访问OSS数据。

  1. 使用A主账号登录MaxCompute客户端,创建OSS外部表

    通过AliyunODPSDefaultRole创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS mc_oss_csv_external_defaultrole_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler'
    -- 如果使用默认角色并且访问同主账号的OSS数据,系统会按如下内容自动生成
    -- WITH serdeproperties (
    --   'odps.properties.rolearn'='acs:ram::124:role/aliyunodpsdefaultrole'
    -- )
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';

    通过自定义Role创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS mc_oss_csv_external_test_ramrole_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-a'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';
  2. A主账号查询外部表数据。

    通过AliyunODPSDefaultRole查询数据

    SELECT * FROM external_defaultrole_a;

    返回结果如下:

    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | vehicleid | recordid | patientid | calls | locationlatitute | locationlongtitue |  recordtime    | direction |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | 1         | 1        | 51        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:00 | S         |
    | 1         | 2        | 13        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE        |
    | 1         | 3        | 48        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE        |
    | 1         | 4        | 30        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:03 | W         |
    | 1         | 5        | 47        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:04 | S         |
    | 1         | 6        | 9         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:05 | S         |
    | 1         | 7        | 53        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:06 | N         |
    | 1         | 8        | 63        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW        |
    | 1         | 9        | 4         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE        |
    | 1         | 10       | 31        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:09 | N         |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+

    通过自定义Role查询数据

    SELECT * FROM external_ramrole_a;

    返回结果如下:

    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | vehicleid | recordid | patientid | calls | locationlatitute | locationlongtitue |  recordtime    | direction |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | 1         | 1        | 51        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:00 | S         |
    | 1         | 2        | 13        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE        |
    | 1         | 3        | 48        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE        |
    | 1         | 4        | 30        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:03 | W         |
    | 1         | 5        | 47        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:04 | S         |
    | 1         | 6        | 9         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:05 | S         |
    | 1         | 7        | 53        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:06 | N         |
    | 1         | 8        | 63        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW        |
    | 1         | 9        | 4         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE        |
    | 1         | 10       | 31        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:09 | N         |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+

ARamUser访问A的数据

ARamUser通过默认角色AliyunODPSDefaultRole或自定义角色 role-a-to-a创建外部表,访问OSS数据。

  1. 使用A主账号创建RamUser,并为MaxCompute项目授权。本文配置示例如下:

    参数

    示例

    RAM用户

    mc_user_a

    MaxCompute项目

    mc_policy_config_a

  2. 使用ARamUser登录MaxCompute客户端,创建OSS外部表。

    通过AliyunODPSDefaultRole创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS external_defaultrole_ramuser_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    -- 如果使用默认角色并且访问同主账号的OSS数据,系统会按如下内容自动生成
    -- WITH serdeproperties (
    --   'odps.properties.rolearn'='acs:ram::124:role/aliyunodpsdefaultrole'
    -- ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a/';

    通过自定义Role创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS external_ramrole_ramuser_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-a'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a/';
  3. 查询外部表数据。

    使用ARamUser登录MaxCompute客户端,查询外部表数据。

    通过AliyunODPSDefaultRole查询数据

    SELECT * FROM external_defaultrole_ramuser_a;

    返回结果如下:

    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | vehicleid | recordid | patientid | calls | locationlatitute | locationlongtitue | recordtime     | direction |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | 1         | 1        | 51        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:00 | S         |
    | 1         | 2        | 13        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE        |
    | 1         | 3        | 48        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE        |
    | 1         | 4        | 30        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:03 | W         |
    | 1         | 5        | 47        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:04 | S         |
    | 1         | 6        | 9         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:05 | S         |
    | 1         | 7        | 53        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:06 | N         |
    | 1         | 8        | 63        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW        |
    | 1         | 9        | 4         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE        |
    | 1         | 10       | 31        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:09 | N         |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+

    通过自定义Role查询数据

    SELECT * FROM external_ramrole_ramuser_a;

    返回结果如下:

    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | vehicleid | recordid | patientid | calls | locationlatitute | locationlongtitue | recordtime     | direction |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+
    | 1         | 1        | 51        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:00 | S         |
    | 1         | 2        | 13        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE        |
    | 1         | 3        | 48        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE        |
    | 1         | 4        | 30        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:03 | W         |
    | 1         | 5        | 47        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:04 | S         |
    | 1         | 6        | 9         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:05 | S         |
    | 1         | 7        | 53        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:06 | N         |
    | 1         | 8        | 63        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW        |
    | 1         | 9        | 4         | 1     | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE        |
    | 1         | 10       | 31        | 1     | 46.81006         | -92.08174         | 9/14/2014 0:09 | N         |
    +-----------+----------+-----------+-------+------------------+-------------------+----------------+-----------+

ARamRole访问A的数据

ARamRole作为访问者,通过默认角色AliyunODPSDefaultRole或者自定义角色创建外部表,访问OSS数据。

  1. 使用A主账号创建RamRole,并登录。具体操作请参见创建并登录RamRole。本文配置示例如下:

    参数

    示例

    RAM角色

    ramrole-user-A

    MaxCompute项目

    mc_policy_config_a

  2. 使用ARamRole创建OSS外部表。

    通过AliyunODPSDefaultRole创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS external_defaultrole_ramrole_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    -- 如果使用默认角色并且访问同主账号的OSS数据,系统会按如下内容自动生成
    -- WITH serdeproperties (
    --   'odps.properties.rolearn'='acs:ram::124:role/aliyunodpsdefaultrole'
    -- ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';

    通过自定义Role创建外部表

    CREATE EXTERNAL TABLE IF NOT EXISTS external_role_ramrole_a
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-a'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';
  3. 读取OSS外部表。

    通过AliyunODPSDefaultRole查询数据

    SELECT * FROM external_defaultrole_ramrole_a;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

    通过自定义Role查询数据

    SELECT * FROM external_role_ramrole_a;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

跨账号访问:BMaxCompute外表访问AOSS数据

需要由A账号创建一个角色,授权给B账号,允许B账号访问AOSS数据;B使用A创建的角色创建外部表,以及访问OSS数据。

访问OSSRole准备(只能自定义Role)

使用A账号创建可信实体为阿里云服务的RAM角色,并将新建的权限策略授权给RAM角色。具体操作请参见创建自定义Role。本文配置示例如下:

操作

参数

示例

创建RAM角色

信任主体类型

选择云服务

信任主体名称

选择云原生大数据计算服务 MaxCompute

角色名称

role-a-to-b。

修改RAM角色信任策略

信任策略

信任策略示例如下,表示允许B账号的MaxCompute服务扮演该角色。其中146B账号的账号ID。

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "146@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

添加权限策略

权限策略

权限策略,名称为OdpsPolicy_B

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts",
        "oss:GetBucketInfo",
        "oss:PostDataLakeStorageFileOperation",
        "oss:PostDataLakeStorageAdminOperation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*/.dlsdata",
        "acs:oss:*:*:*/.dlsdata*"
      ]
    },
    {
      "Action": [
        "ots:ListTable",
        "ots:DescribeTable",
        "ots:GetRow",
        "ots:PutRow",
        "ots:UpdateRow",
        "ots:DeleteRow",
        "ots:GetRange",
        "ots:BatchGetRow",
        "ots:BatchWriteRow",
        "ots:ComputeSplitPointsBySize"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeRegions",
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeVpcs",
        "pvtz:DescribeZoneRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction",
        "dlf:BatchGetPartitions",
        "dlf:ListDatabases",
        "dlf:CreateLock",
        "dlf:UpdateFunction",
        "dlf:BatchUpdateTables",
        "dlf:DeleteTableVersion",
        "dlf:UpdatePartitionColumnStatistics",
        "dlf:ListPartitions",
        "dlf:DeletePartitionColumnStatistics",
        "dlf:BatchUpdatePartitions",
        "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions",
        "dlf:ListFunctions",
        "dlf:DeleteTable",
        "dlf:GetTableVersion",
        "dlf:AbortLock",
        "dlf:GetTable",
        "dlf:BatchDeleteTables",
        "dlf:RenameTable",
        "dlf:RefreshLock",
        "dlf:DeletePartition",
        "dlf:UnLock",
        "dlf:GetLock",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:BatchCreatePartitions",
        "dlf:ListPartitionNames",
        "dlf:RenamePartition",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:UpdateTableColumnStatistics",
        "dlf:ListTableNames",
        "dlf:UpdateDatabase",
        "dlf:GetTableColumnStatistics",
        "dlf:ListFunctionNames",
        "dlf:ListPartitionsByFilter",
        "dlf:GetPartitionColumnStatistics",
        "dlf:CreatePartition",
        "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics",
        "dlf:ListTableVersions",
        "dlf:BatchDeletePartitions",
        "dlf:ListCatalogs",
        "dlf:UpdateTable",
        "dlf:ListTables",
        "dlf:DeleteDatabase",
        "dlf:BatchGetTables",
        "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "pai:AssumeUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "odps:ActOnBehalfOfAnotherUser",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

B主账号访问A的数据

B主账号通过自定义Role role-a-to-b创建外部表,访问AOSS数据。

  1. 使用B主账号登录MaxCompute客户端,通过自定义Role role-a-to-b创建OSS外部表。

    CREATE EXTERNAL TABLE IF NOT EXISTS external_ramrole_b
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-b'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';
  2. B主账号通过自定义Role role-a-to-b查询外部表数据。

    SELECT * FROM external_ramrole_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

BRamUser访问A的数据

BRamUser通过访问OSSRole准备(只能自定义Role)中的自定义角色 role-a-to-b创建外部表,访问AOSS数据。

  1. 使用B主账号创建RamUser,并为MaxCompute项目授权。本文配置示例如下:

    参数

    示例

    RAM用户(RamUser)

    mc_user_b

    MaxCompute项目

    mc_policy_config_b

  2. 使用BRamUser登录MaxCompute客户端,通过自定义Role role-a-to-b创建OSS外部表。

    CREATE EXTERNAL TABLE IF NOT EXISTS external_ramrole_ramuser_b
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-b'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';
  3. 通过自定义Role查询外部表数据。

    使用BRamUser登录MaxCompute客户端,查询外部表数据。

    SELECT * FROM external_ramrole_ramuser_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

BRamRole访问A的数据

BRamRole通过访问OSSRole准备(只能自定义Role)中的自定义角色 role-a-to-b创建外部表,访问AOSS数据。

  1. 使用B主账号创建RamRole,并登录。具体操作请参见创建并登录RamRole。本文配置示例如下:

    参数

    示例

    RAM角色(RamRole)

    ramrole-user-B

    MaxCompute项目

    mc_policy_config_b

  2. 使用BRamRole创建OSS外部表。

    CREATE EXTERNAL TABLE IF NOT EXISTS external_role_ramrole_b
    (
      vehicleId INT,
      recordId INT,
      patientId INT,
      calls INT,
      locationLatitute DOUBLE,
      locationLongtitue DOUBLE,
      recordTime STRING,
      direction STRING
    )
    STORED BY 'com.aliyun.odps.CsvStorageHandler' 
    WITH serdeproperties (
      'odps.properties.rolearn'='acs:ram::124:role/role-a-to-b'
    ) 
    LOCATION 'oss://oss-cn-hangzhou-internal.aliyuncs.com/oss-mc-test/test-oss-a';
  3. 读取OSS外部表。

    SELECT * FROM external_role_ramrole_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

跨账号访问:C通过BMaxCompute外表访问AOSS数据

C主账号通过B的外表访问AOSS数据

说明

大致流程如下:

  1. B创建Package,将表external_ramrole_b共享给CProject进行读取。更多操作请参见基于Package跨项目访问资源

  2. C主账号通过查询B账号在操作中创建的外部表external_ramrole_b,访问AOSS数据。

  1. 使用B主账号登录MaxCompute客户端,创建Package,并添加外部表external_ramrole_b

    -- 创建package
    CREATE PACKAGE test_ramrole;
    
    -- 将B账号创建的external_ramrole_b外部表添加进package
    ADD TABLE external_ramrole_b TO PACKAGE test_ramrole;
  2. 使用B主账号登录MaxCompute客户端,执行如下命令,允许C主账号的Project下载安装Package。

    ALLOW PROJECT mc_policy_config_c TO INSTALL PACKAGE test_ramrole;
  3. 使用C主账号登录MaxCompute客户端,安装下载B账号创建的Package。

    INSTALL PACKAGE mc_policy_config_b.test_ramrole;
  4. 使用C主账号读取Package中的外部表。

    说明

    如果C账号已经开启Schema开关,需要使用三层语法进行读取。

    SELECT * FROM mc_policy_config_b.default.external_ramrole_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

CRamUser通过B的外表访问A的数据

  1. 使用C主账号登录RAM控制台准备RAM用户,并创建访问密钥AccessKey。此步骤中,您无需为RamUser授权。

  2. 使用C主账号登录MaxCompute客户端,为CRamUser授予访问Package的权限。本文配置示例如下:

    参数

    示例

    RAM用户(RamUser)

    mc_user_c

    MaxCompute项目

    mc_policy_config_c

    -- C主账号将CRamUser添加为项目成员
    ADD USER RAM$mc_user_c;
    
    -- C主账号给CRamUser授予项目的CreateInstance权限
    GRANT CreateInstance ON PROJECT mc_policy_config_c TO USER RAM$C_testcloud_com:mc_user_c;
    
    -- C主账号给CRamUser授予访问Package的权限
    GRANT Read ON PACKAGE mc_policy_config_b.test_ramrole TO USER RAM$C_testcloud_com:mc_user_c;
  3. 使用CRamUser登录MaxCompute客户端,读取Package中的外部表。

    说明

    如果C账号已经开启Schema开关,需要使用三层语法进行读取。

    SELECT * FROM mc_policy_config_b.default.external_ramrole_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

CRamRole通过B的外表访问A的数据

  1. 使用C主账号创建RamRole并授权,具体操作请参见创建并登录RamRole。本文配置示例如下:

    参数

    示例

    RAM角色(RamRole)

    ramrole-user-C

    MaxCompute项目

    mc_policy_config_c

  2. C主账号为CRamRole授予访问Package的权限。

    说明

    下述语句中,xxx_testcloud_com为使用whoami;命令获取的账号名称account_name

    -- C主账号给CRamRole授予访问Package的权限
    GRANT Read ON PACKAGE mc_policy_config_b.test_ramrole TO USER `RAM$xxx_testcloud_com:role/ramrole-user-C`;
  3. 使用C创建的RamRole登录MaxCompute客户端,读取Package中的外部表。登录方式请参见登录RamRole

    SELECT * FROM mc_policy_config_b.default.external_ramrole_b;

    返回结果如下:

    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | vehicleid  | recordid   | patientid  | calls      | locationlatitute | locationlongtitue | recordtime     | direction  |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+
    | 1          | 1          | 51         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:00 | S          |
    | 1          | 2          | 13         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:01 | NE         |
    | 1          | 3          | 48         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:02 | NE         |
    | 1          | 4          | 30         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:03 | W          |
    | 1          | 5          | 47         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:04 | S          |
    | 1          | 6          | 9          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:05 | S          |
    | 1          | 7          | 53         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:06 | N          |
    | 1          | 8          | 63         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:07 | SW         |
    | 1          | 9          | 4          | 1          | 46.81006         | -92.08174         | 9/14/2014 0:08 | NE         |
    | 1          | 10         | 31         | 1          | 46.81006         | -92.08174         | 9/14/2014 0:09 | N          |
    +------------+------------+------------+------------+------------------+-------------------+----------------+------------+

常见问题

使用自定义Role时,报错You are not authorized to do this action. You should be authorized by RAM

  • 问题原因

    自定义角色的信任策略只信任了当前阿里云账号,并没有允许其他阿里云服务去访问OSS,所以没有权限。

  • 解决措施

    将自定义角色的信任策略中Principal参数改为Service,表示允许MaxCompute服务去扮演该角色,示例如下:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "odps.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

附录

创建自定义Role

若您需要通过自建的Role访问OSS,则需要使用主账号新建自定义角色并授权。步骤如下:

  1. 创建RAM角色。

    登录RAM控制台,在左侧导航栏选择身份管理 > 角色,在角色页面单击创建角色创建普通服务角色。参数配置如下:

    参数名

    描述

    信任主体类型

    选择云服务

    信任主体名称

    选择云原生大数据计算服务 MaxCompute

    角色名称

    自定义。

  2. 修改RAM角色信任策略。

    1. 身份管理 > 角色页面单击新创建的角色名称,进入角色详情页面。

    2. 信任策略页签单击编辑信任策略,进入脚本编辑页签,修改RAM角色的信任策略

      您也可以在可视化编辑页签选择需要的信任策略。

      重要

      请勿将信任策略的可信实体配置为阿里云账号,会导致MaxCompute服务无权限访问OSS,而出现报错。具体报错请参见常见问题

      示例如下:表示允许MaxCompute服务扮演该角色。

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    3. 单击确定

  3. 添加权限策略。

    1. RAM控制台权限管理 > 权限策略页面,单击创建权限策略,选择需要的权限。详情请参见创建自定义权限策略

      说明

      您可在可视化编辑页签选择服务和对应的权限点,也可在脚本编辑页签输入所需的权限点。

      本文以脚本编辑方式为例,策略内容如下:用于MaxCompute服务默认角色的授权策略,包括OSS、OTS、DLF的部分访问权限。

      权限策略示例

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "oss:ListBuckets",
              "oss:GetObject",
              "oss:ListObjects",
              "oss:PutObject",
              "oss:DeleteObject",
              "oss:AbortMultipartUpload",
              "oss:ListParts",
              "oss:GetBucketInfo",
              "oss:PostDataLakeStorageFileOperation",
              "oss:PostDataLakeStorageAdminOperation"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
              "acs:oss:*:*:*/.dlsdata",
              "acs:oss:*:*:*/.dlsdata*"
            ]
          },
          {
            "Action": [
              "ots:ListTable",
              "ots:DescribeTable",
              "ots:GetRow",
              "ots:PutRow",
              "ots:UpdateRow",
              "ots:DeleteRow",
              "ots:GetRange",
              "ots:BatchGetRow",
              "ots:BatchWriteRow",
              "ots:ComputeSplitPointsBySize"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "pvtz:DescribeRegions",
              "pvtz:DescribeZones",
              "pvtz:DescribeZoneInfo",
              "pvtz:DescribeVpcs",
              "pvtz:DescribeZoneRecords"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "dlf:CreateFunction",
              "dlf:BatchGetPartitions",
              "dlf:ListDatabases",
              "dlf:CreateLock",
              "dlf:UpdateFunction",
              "dlf:BatchUpdateTables",
              "dlf:DeleteTableVersion",
              "dlf:UpdatePartitionColumnStatistics",
              "dlf:ListPartitions",
              "dlf:DeletePartitionColumnStatistics",
              "dlf:BatchUpdatePartitions",
              "dlf:GetPartition",
              "dlf:BatchDeleteTableVersions",
              "dlf:ListFunctions",
              "dlf:DeleteTable",
              "dlf:GetTableVersion",
              "dlf:AbortLock",
              "dlf:GetTable",
              "dlf:BatchDeleteTables",
              "dlf:RenameTable",
              "dlf:RefreshLock",
              "dlf:DeletePartition",
              "dlf:UnLock",
              "dlf:GetLock",
              "dlf:GetDatabase",
              "dlf:GetFunction",
              "dlf:BatchCreatePartitions",
              "dlf:ListPartitionNames",
              "dlf:RenamePartition",
              "dlf:CreateTable",
              "dlf:BatchCreateTables",
              "dlf:UpdateTableColumnStatistics",
              "dlf:ListTableNames",
              "dlf:UpdateDatabase",
              "dlf:GetTableColumnStatistics",
              "dlf:ListFunctionNames",
              "dlf:ListPartitionsByFilter",
              "dlf:GetPartitionColumnStatistics",
              "dlf:CreatePartition",
              "dlf:CreateDatabase",
              "dlf:DeleteTableColumnStatistics",
              "dlf:ListTableVersions",
              "dlf:BatchDeletePartitions",
              "dlf:ListCatalogs",
              "dlf:UpdateTable",
              "dlf:ListTables",
              "dlf:DeleteDatabase",
              "dlf:BatchGetTables",
              "dlf:DeleteFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "pai:AssumeUser",
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "odps:ActOnBehalfOfAnotherUser",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
    2. 单击确定

    3. 创建权限策略对话框中输入策略名称,并单击确定

  4. 将新建的权限策略授权给新建的RAM角色。操作详情请参见RAM角色授权

    1. RAM控制台身份管理 > 角色页面,单击新创建的角色,进入角色详情页面。

    2. 权限管理页签单击新增授权,选择新建的权限策略,并单击确认新增授权

创建RamUser

  1. 使用主账号登录RAM控制台创建RAM用户,并创建访问密钥AccessKey。此步骤中,您无需为RamUser授权。

  2. 添加用户,并为MaxCompute项目授权。

    使用主账号登录MaxCompute客户端,执行以下操作:

    说明

    下述语句中,ramuser_name参数为您实际创建的RAM用户名称,project_name参数为实际的MaxCompute项目名称。

    1. 通过ADD USER将已创建的RamUser添加至MaxCompute项目,命令示例如下:

      ADD USER RAM$<ramuser_name>;
      说明

      您可执行LIST USERS;命令查询账号ARamUser。

    2. ARamUser授予项目的CreateTableCreateInstance权限。更多授权方法请参见为用户授予项目的操作权限

      GRANT CreateTable,CreateInstance ON PROJECT <project_name> TO USER RAM$<ramuser_name>;

创建并登录RamRole

  1. 主账号创建RamRole,作为访问者身份访问OSS。

    使用主账号登录RAM控制台创建可信实体为阿里云账号的RAM角色,该角色将作为访问者。image

    说明
    • 创建好RAM角色后,该角色信任策略的可信实体默认为阿里云账号,您无需修改信任策略。

    • 此处不涉及权限问题,您无需为该角色添加权限策略。

  2. 1中创建的RamRole添加为Project成员。

    使用主账号登录MaxCompute客户端,添加RamRoleProject成员,并授予RamRole关于ProjectCreateTableCreateInstance权限,更多授权操作请参见为用户授予对象的操作权限

    1. 执行whoami;命令获取账号名称account_name。例如:执行结果中Name字段值为ALIYUN$xxx_testcloud_com,则账号名称account_namexxx_testcloud_com

    2. 执行如下命令将RamRole添加为成员,并授权。

      -- 需要先打开ram支持
      ADD accountprovider ram;
      
      -- 添加ramroleproject中,先不赋予任何权限,此处的引号必须有且不能更改为单引号。
      ADD USER `RAM$<account_name>:role/<ramrole_name>`;
      
      -- 授予projectCreateTable权限
      GRANT CreateTable ON project <project_name> TO USER `RAM$<account_name>:role/<ramrole_name>`;
      
      -- 授予projectCreateInstance权限
      GRANT CreateInstance ON project <project_name> TO USER `RAM$<account_name>:role/<ramrole_name>`;

      参数说明如下:

      参数名

      描述

      account_name

      上文中获取的账号名称account_name

      ramrole_name

      创建好的RAM角色名称。

      project_name

      MaxCompute项目名称。

  3. 使用主账号,为已创建的RamUser授予AliyunSTSAssumeRoleAccess权限,便于后续调用AssumeRole API。

    1. 登录RAM控制台,进入身份管理 > 用户页面

    2. 单击创建好的RamUser用户名称,在用户详情页面单击权限管理页签。

    3. 个人权限页签单击新增授权,在弹出的新增授权面板中勾选AliyunSTSAssumeRoleAccess权限策略。

    4. 单击确认新增授权

  4. 使用主账号创建的RamRole登录MaxCompute客户端。

    1. 使用RamUser登录阿里云官网,调用AssumeRole API,获取扮演角色的临时身份凭证。

      image

    2. 通过终端命令行(如Windows系统的CMD)进入MaxCompute客户端的bin目录,使用临时身份凭证登录MaxCompute客户端,命令如下。

      其中AccessKeyIdAccessKeySecretSecurityToken为上文获取的临时身份凭证信息。

      odpscmd  --account-provider sts  --access-id <AccessKeyId> --access-key <AccessKeySecret> --sts-token  <SecurityToken>