Introduction to the permission system of MaxCompute and DataIDE

Original link: http://click.aliyun.com/m/27074/
Understand the permission systems of the Big Data Development Kit (Data IDE) and the big data computing service (MaxCompute).

Product Relationship
MaxCompute is a big data computing engine independently developed by Alibaba Cloud. With MaxCompute, you can use the computing models of SQL, MapReduce, and Graph to process massive amounts of data. The product also provides machine learning functions, and is packaged as a machine learning product to provide external services. When users use MaxCompute, they can easily process massive data without caring about the underlying distributed computing details.

However, using MaxCompute directly has some inconveniences. For example, users need more convenient ways to manage development code, import and export data, set up scheduled execution of tasks and their upstream and downstream dependencies, monitor the running status of tasks and raise alarms on failures, as well as simple metadata management and the more convenient data permission settings that we discuss here. For this reason, the Big Data Development Kit (Data IDE) was born. Data IDE wraps another layer on top of MaxCompute: users do not need to operate MaxCompute directly but only work within Data IDE, which greatly simplifies the process of building a data warehouse. Sometimes we even call Data IDE the development tool of MaxCompute.

As a computing engine, MaxCompute itself has a sound set of security rules and a permission system. These permission settings are enough to ensure that a user can access only the data he is authorized to access. On this basis, Data IDE provides its own permission system, covering both authorization of modules within Data IDE and authorization on MaxCompute. By configuring permissions in Data IDE, you can easily grant the corresponding MaxCompute permissions to an account. Below we describe the permission settings of these two products.

MaxCompute permission settings
After a user is added to a MaxCompute project, the user can obtain permissions through direct ACL authorization, role-based ACL authorization, Policy authorization, and Package authorization. Of these, direct ACL authorization and role-based ACL authorization are the access control methods currently provided. Policy authorization and Package authorization are still in internal testing; the public cloud MaxCompute documentation does not yet cover them, but they may well be provided in the future.

To add a user to MaxCompute, you need to add a specific cloud account to the project before you can authorize that account. MaxCompute itself supports authorizing a main cloud account or any sub-account under the main account. However, the Big Data Development Kit described below only supports sub-accounts of the current main account.

The commands to add them are:

main account: add user [email protected];
sub-account: add user [email protected]:ram_name;

ACL authorization

Direct ACL authorization is simple: it grants permission XX to subject YY, or revokes permission XX from YY. After the user has been added, the grant and revoke statements are used to authorize or deauthorize. The syntax is

grant actions on object to subject;
revoke actions on object from subject;

As a practical example, to authorize an account to query a table and then revoke that authorization, the steps are

grant List, CreateTable, CreateInstance on project prj1 to user [email protected]; -- use grant to authorize
grant Describe, Select on table wc_in to user [email protected];
revoke Describe, Select on table wc_in from user [email protected];
revoke List, CreateTable, CreateInstance on project prj1 from user [email protected]; -- use revoke to deauthorize

Role-based ACL authorization defines a role (essentially a permission package), for example a role called developer, and grants the various permissions above to that role first. When another developer later needs the same permissions, you simply grant the developer role to him; there is no need to grant every permission again one by one. The authorization commands are

add user [email protected]; -- add the user
create role dev; -- create the role
grant List, CreateInstance on project prj1 to role dev; -- grant project permissions to the role
grant Describe, Select on table userprofile to role dev; -- grant table permissions to the role
grant dev to [email protected]; -- assign the dev role to the user

The other two methods, Policy authorization and Package authorization, are not introduced in detail here. Roughly, however:

Policy authorization is configured through a policy document in JSON format; it is more complicated to use but more powerful.

Package authorization first adds resources to a resource package and then allows the other party to install that package, which realizes cross-project authorization of resources.

Data IDE permission settings
In Data IDE, after users have been added they can be granted the roles of deployment, guest, project administrator, development, and operation and maintenance. Besides operation permissions on the corresponding Data IDE modules, the account also obtains the corresponding permissions on the underlying computing engine MaxCompute, as shown in the screenshot.
[screenshot: Data IDE role assignment]
For example, after I grant the "development" role to the sub-account chuanxue, you can see the following.
[screenshot: show grants output for the sub-account]
After the sub-account has been granted the role, besides the permissions on the related Data IDE modules, it also receives the project permissions required for development on this MaxCompute project (CreateTable, CreateInstance, List, Read, Write). It can be seen that these are implemented through ACL, while some other permissions are implemented with Policy.

In actual work, grant the sub-account user the corresponding role in project member management according to the Data IDE permissions that user actually needs. In general this authorization is sufficient. However, if some MaxCompute permissions need adjusting, you can use the MaxCompute authorization commands to adjust them.

Beyond this, Data IDE's data management module also supports permission applications for tables. After an application is approved, Describe and Select permissions on the corresponding table are granted automatically through ACL.

Typical Cases
After the description above, some practical examples may make things clearer. There was such a case. A user had been granted the development role in the project, but when querying a table was told that he did not have query permission on it. By rights, having the development role should already give query permission on all tables under the project. Judging from the error, we believed that the permission exception came from the computing engine, so we needed to check the permission settings on MaxCompute.

First go to https://workbench.data.aliyun.com/console?#/projectlist and look up the project name corresponding to the display name to get the real project name. This is a very simple but error-prone point: many development engineers did not create the project, and they mistake the display name (alias) they see for the project name, which leads them to check authorization on the wrong project.
[screenshot: project list]
For example, in our screenshot the project name is aliyun2014 but the display name is aliyun. So when there is a problem, it is the permissions under the aliyun2014 project that need checking.

Then we can create a SQL script in the Big Data Development Kit and execute whoami; to confirm that the current execution account is indeed the expected one, as shown in the screenshot: first check whether the project name matches, then check whether Name matches your expectations.
[screenshot: whoami output]

After confirming the project name and login account, use the project administrator's account to open the MaxCompute client and run show grants for xxx to view all permissions of the account (a screenshot of this show grants output appears above). This shows the actual permissions of the account on the current computing engine. If the permissions here are wrong, the corresponding permissions may have been mistakenly removed at the computing engine level, and you can restore them with the authorization commands. Of course, the more convenient method is to remove the development role on Data IDE and add it again, so that the MaxCompute permissions are re-granted when the role is added.
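The following Python script is an added example, not code from the original article or from Alibaba Cloud. It ties together the ACL grant/revoke syntax shown earlier and the troubleshooting steps of this case: it parses a show grants for xxx listing, compares the account's effective permissions against what the development role (CreateTable, CreateInstance, List, Read, Write on the project) and an approved table application (Describe, Select) should confer, and emits the grant/revoke statements that close the gap. The listing layout, the table names wc_in and userprofile and the USER_PLACEHOLDER account are constructed assumptions; the real show grants output may be laid out differently, in which case parse_show_grants() needs adjusting.

```python
"""Reconcile an account's actual MaxCompute ACL grants with the permissions it
should have, and emit the grant/revoke statements that fix the difference.

Added example: not code from the original article or from Alibaba Cloud. The
`show grants` layout parsed below is an assumed, simplified stand-in.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Grants = Dict[str, Set[str]]  # "project <p>" / "table <t>" -> set of actions

# Project permissions the article says the Data IDE "development" role confers
# on the MaxCompute project, and the table permissions an approved permission
# application grants.
DEVELOPMENT_PROJECT_ACTIONS = {"CreateTable", "CreateInstance", "List", "Read", "Write"}
TABLE_QUERY_ACTIONS = {"Describe", "Select"}

# Constructed `show grants for <user>` listing (assumed layout): a "[user/...]"
# or "[role/...]" header followed by one "A <object path>: a | b" line per
# object. Note the missing Read on the project and the extra table grant.
SAMPLE_SHOW_GRANTS = """\
[roles]
dev
Authorization Type: ACL
[user/USER_PLACEHOLDER]
A   projects/aliyun2014: CreateTable | CreateInstance | List | Write
A   projects/aliyun2014/tables/userprofile: Describe | Select
[role/dev]
A   projects/aliyun2014: List | CreateInstance
"""


def desired_grants(project: str, tables: List[str]) -> Grants:
    """Permissions one development-role account should hold."""
    wanted: Grants = {f"project {project}": set(DEVELOPMENT_PROJECT_ACTIONS)}
    for table in tables:
        wanted[f"table {table}"] = set(TABLE_QUERY_ACTIONS)
    return wanted


def _object_name(path: str) -> Optional[str]:
    """Map 'projects/p' or 'projects/p/tables/t' to the grant-statement form."""
    parts = path.strip().split("/")
    if len(parts) == 2 and parts[0] == "projects":
        return f"project {parts[1]}"
    if len(parts) == 4 and parts[0] == "projects" and parts[2] == "tables":
        return f"table {parts[3]}"
    return None  # functions, resources and other object kinds are out of scope


def parse_show_grants(text: str) -> Dict[str, Grants]:
    """Return {"user": direct grants, "role:<name>": grants via that role}."""
    sources: Dict[str, Grants] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(user|role)/([^\]]+)\]$", line)
        if header:
            current = "user" if header.group(1) == "user" else f"role:{header.group(2)}"
            sources.setdefault(current, {})
            continue
        fields = line.split(None, 1)
        if current is None or len(fields) != 2 or fields[0] != "A":
            continue  # "[roles]", "Authorization Type: ACL", role names, blanks
        path, actions = fields[1].split(":", 1)
        obj = _object_name(path)
        if obj is None:
            continue
        acts = {a.strip() for a in actions.split("|") if a.strip()}
        sources[current].setdefault(obj, set()).update(acts)
    return sources


def reconcile(desired: Grants, sources: Dict[str, Grants], user: str
              ) -> Tuple[Grants, Grants, List[str]]:
    """Return (missing, extra, statements).

    Missing permissions are granted directly to the user. Extra permissions
    are revoked only when granted directly; a surplus arriving through a role
    is reported but left alone, because it has to be fixed on the role (or by
    removing the role from the user), not by revoking from the user.
    """
    effective: Grants = {}
    for grants in sources.values():
        for obj, acts in grants.items():
            effective.setdefault(obj, set()).update(acts)
    missing: Grants = {}
    extra: Grants = {}
    stmts: List[str] = []
    for obj, acts in desired.items():
        gap = acts - effective.get(obj, set())
        if gap:
            missing[obj] = gap
            stmts.append(f"grant {', '.join(sorted(gap))} on {obj} to user {user};")
    for obj, acts in sources.get("user", {}).items():
        surplus = acts - desired.get(obj, set())
        if surplus:
            extra[obj] = surplus
            stmts.append(f"revoke {', '.join(sorted(surplus))} on {obj} from user {user};")
    for src, grants in sources.items():
        if not src.startswith("role:"):
            continue
        for obj, acts in grants.items():
            surplus = acts - desired.get(obj, set())
            if surplus:
                extra[f"{obj} (via {src})"] = surplus
    return missing, extra, stmts


if __name__ == "__main__":
    found = parse_show_grants(SAMPLE_SHOW_GRANTS)
    wanted = desired_grants("aliyun2014", ["wc_in"])
    missing, extra, stmts = reconcile(wanted, found, "USER_PLACEHOLDER")
    print("missing:", missing)
    print("extra:", extra)
    print("\n".join(stmts))
```

Running the script against the constructed listing reports that Read is missing on the project and Describe/Select are missing on wc_in, flags the direct Describe/Select grant on userprofile as surplus, and prints one grant or revoke statement per gap in exactly the syntax used earlier in the article. Grants that arrive through the dev role are counted when deciding what is missing but are never revoked from the user, since that would not remove them anyway.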

This article is the original content of Yunqi Community, and cannot be reproduced without permission. If you need to reprint, please send an email to [email protected]; if you find any content suspected of plagiarism in this community, please send an email to yqgroup@service.aliyun.com to report it and provide relevant evidence. Once verified, the community will immediately delete the allegedly infringing content.
