Alibaba Cloud Big Data Practical Record 9: MaxCompute RAM Users and Authorization


Source of the problem: why can't a MaxCompute administrator access sensitive columns?

Let me ask a question first: as a MaxCompute administrator with elevated permissions, why can't I access data in columns that have been marked as sensitive?
This is one of the conundrums I've run into recently.

At first, I thought that as a MaxCompute administrator I should be able to go anywhere unimpeded, but I didn't expect that I would be unable to access the sensitive columns for so long. I spent a lot of effort and read a lot of official documents. The final conclusion was that the owner or super administrator of the MaxCompute project has to either set the user level (Label) for me or grant me administrator rights so that I can configure it myself.

Note that the above involves many concepts. I don't know whether my naming is reasonable, but it seems reasonable to me. If you are already familiar with the permission model of Alibaba Cloud's big data services, you will easily understand what I mean; if you are a novice, you may have some doubts. That's okay, let me explain in detail.

First of all, MaxCompute and a MaxCompute project are two different things, so do not confuse them!
You can think of MaxCompute as a database server and a MaxCompute project as a database; the sensitive tables and columns are then tables and table fields inside that database.

But shouldn't a database administrator be able to access all data in the database? This involves another concept: the user level, officially called the user Label. My account's level is 0 and the sensitive columns have a level higher than 0. Labels allow a higher-level user to read lower-level data, but never the reverse, so a level-0 account cannot read the sensitive columns, no matter what role it holds.

With this understanding, you should be able to see why, even as a MaxCompute administrator, you cannot read the data in sensitive columns.

The label policy is the decisive rule: even if a whitelist has been set up in the data protection umbrella, data whose label is above the user's level still cannot be accessed.

Main question: How to improve user level

So, how do you raise the user level?

From the official document below, we learn that raising the user level requires executing a command through a terminal.

Label access control: https://help.aliyun.com/zh/maxcompute/user-guide/label-based-access-control?#section-4ha-2x9-h5i

The command to modify a RAM user's level is as follows:

set Label 3 to USER [email protected]:Allen;

Here the number 3 is the target level, that is, the level you want to upgrade to; RAM indicates a RAM user; [email protected] is the email address of the main (Alibaba Cloud) account; and Allen is the RAM user name. If the adjustment is for the main account itself, change [email protected]:Allen to just [email protected].
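The label rule described above (a user may read a column only if the user's label is at least the column's label, and a whitelist does not override it) together with the two forms of the SET LABEL statement, as an added example that is not part of the original post. The user, account and column names are constructed; the error text is the one MaxCompute reports, quoted from this post.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    name: str
    label: int = 0             # new accounts start at level 0, even administrators
    whitelisted: bool = False  # whitelist in the data protection umbrella


@dataclass
class Column:
    name: str
    label: int = 0             # sensitivity label; 0 means not sensitive


def denied_columns(user: User, columns: List[Column]) -> List[str]:
    """Return one error message per column whose label is above the user's level.

    The whitelist flag is deliberately ignored: label policy wins, so a
    whitelisted level-0 user still cannot read a level-1 column.
    """
    return [
        f"The sensitive label of column '{c.name}' is {c.label}, "
        f"but your effective label from package is {user.label}."
        for c in columns
        if c.label > user.label
    ]


def can_query(user: User, columns: List[Column]) -> bool:
    return not denied_columns(user, columns)


def set_label_command(level: int, account: str, ram_user: Optional[str] = None) -> str:
    """Build the SET LABEL statement for a RAM user (RAM$account:user) or the main account."""
    if level < 0:
        raise ValueError("label level must be non-negative")
    target = f"RAM${account}:{ram_user}" if ram_user else account
    return f"SET LABEL {level} TO USER {target};"


# Constructed sample table: id is public, phone is level 1, id_card is level 2.
TABLE = [Column("id"), Column("phone", 1), Column("id_card", 2)]

if __name__ == "__main__":
    me = User("xindata")                    # level 0 despite administrator rights
    print(denied_columns(me, TABLE))        # phone and id_card are refused
    print(set_label_command(1, "123456@qq.com", "xindata"))
    me.label = 1                            # after the project admin raised the label
    print(denied_columns(me, TABLE))        # only id_card is still refused
```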

There are several places where the command can be executed (the relevant links can be found in the documentation):

  • MaxCompute client
  • Connect using SQL Analysis
  • MaxCompute Studio
  • Connect using DataWorks

Here we take the MaxCompute client as an example. Suppose my RAM account is xindata, the main account is [email protected], and the target level is 1; then the command is:

set Label 1 to USER RAM$123456@qq.com:xindata;

Open the MaxCompute console in the browser: https://maxcompute.console.aliyun.com/ , then click [Command Line] as shown in the picture below. This is ODPS CMD. The item above it is the cloud command line; you can use that as well, but you first need to switch into ODPS CMD with the command cloudshell-odpscmd -p "项目名称" (where 项目名称 is the project name). I made a mistake at first: when I clicked the cloud command line and entered the above command, I kept getting an error saying that the command does not exist, hahaha.


After clicking Command Line and selecting the corresponding project, a window opens where you can enter the command above. The result returned was that I have no privilege for this security operation:

Authorization Failed [4003], You have NO privilege to do the PROJECT SECURITY OPERATION for {acs:odps:*:projects/xxx/authorization/users}.


By searching for the error message, I found a document with a solution: https://help.aliyun.com/zh/maxcompute/user-guide/odps-0420095?#pAFKK

According to the solution document, authorization is required, and there are two authorization methods:

The table in that document describes a way to authorize users by adding a new policy action. The action I need is SetDataLabel.

So I edited the relevant permission policy. I started with "acs:odps:*:projects/xxx/authorization/users" as the Resource, but the console reported a format error, so I changed it to *:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "odps:SetDataLabel"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    }
  ]
}

But where does this policy go?

When I didn't yet know the difference between MaxCompute and a MaxCompute project, I created a new policy under Permission Policies in the RAM console for authorization. As you can imagine, this was ineffective! In fact, in the RAM console I already have management permissions for MaxCompute, so there is no need to configure it like this again.

The actual configuration location is inside the MaxCompute project. The specific path is Project Management in the MaxCompute console: select the corresponding project in the list and click Manage on the right, then click Role Permissions in the project details. If you do not have permission, an error message appears. Since I don't have permission, the page is empty (error reporting had been turned off).

Refer to: Manage user permissions through the console (new version): https://help.aliyun.com/zh/maxcompute/user-guide/manage-user-permissions-in-the-maxcompute-console


Therefore, the second path is also blocked: without administrative rights, it is impossible to configure user permissions.

The conclusion: this can only be handled by someone holding the project's admin or super_administrator role.

Derived question 1: How do you find out your own level and the level of a table?

In fact, when you use the table and there is a permission problem, an error message is reported:

The sensitive label of column ‘xxx’ is 1, but your effective label from package is 0.


If you want to query the levels directly, you can use the following commands:

# View your own label information: the first statement is for the current user, the second for a specified user
show label grants;
show label grants for RAM$123456@qq.com:xindata;
# View the table's label information (项目名.表名称 is project_name.table_name). Note: if it reports that you lack the odps:describe privilege, apply for table permission in the Security Center to obtain the describe privilege.
desc 项目名.表名称;

Derived question 2: Why does the DataWorks workspace administrator not have permission to set levels?

DataWorks is a one-stop big data development and management platform provided by Alibaba Cloud. One-stop data development and management operations such as MaxCompute job development, periodic scheduling, job operation and maintenance, and data governance can be performed on DataWorks. You can create a DataWorks workspace in the DataWorks console, and directly create and bind the MaxCompute project in the process. You can then develop MaxCompute jobs in the DataWorks workspace.
The permission models of DataWorks and MaxCompute are similar, but there are also differences. The specific differences are as follows:

Refer to the permission relationship between MaxCompute and DataWorks: https://help.aliyun.com/zh/maxcompute/user-guide/permissions?#section-u7s-ys0-vv0



It can be seen that the MaxCompute administrator role cannot be assigned through DataWorks. Even a DataWorks workspace administrator is only mapped to the Role_Project_Admin role in MaxCompute. That role carries only all permissions on the project, table, function, resource, instance and job objects under the current project, plus read permission on packages; it does not include member management.
Therefore, the DataWorks workspace administrator does not have the authority to set levels.

Derived question 3: Where do sensitive columns come from?

The first place is the project settings. In the MaxCompute project details, the project configuration includes an item "Enable Label access control". If it is enabled, you can configure sensitive columns.
The sensitive columns themselves are configured in the data protection umbrella, which can be found by opening All Products on the DataWorks homepage.


Then add rules to identify sensitive data under [Sensitive Data Identification]. Before doing this, you may need to add the categories and levels under [Data Classification and Grading].


After configuration, you can also add user groups under [User Group Management] and add a whitelist under [Data Anonymization Management], but these do not override the user level restriction: lower-level users still cannot access higher-level data.

Summary

During this exploration I discovered a problem: each Alibaba Cloud product may have its own console and its own permission management. Before configuring permissions, you need to work out which platform the permission applies to, and then look for the solution in that product's documentation and console.

Just like this time: the problem was actually a MaxCompute project-level problem, and the solution had to be found in the project. At the beginning I configured RAM user permissions, and also tried solutions in the data protection umbrella and in DataWorks user management. All of that was wasted effort and could not solve the problem in the end; it only gave me a clearer understanding of Alibaba Cloud's permission management logic.


Origin blog.csdn.net/qq_45476428/article/details/132657954