
What is the method of MaxCompute data security

2025-01-18 Update. From: SLTechnology News&Howtos, Servers section.

Shulou (Shulou.com) 05/31 Report

This article explains the MaxCompute data security methods. The explanation is simple and clear and easy to follow; please work through the material on MaxCompute data security methods below.

MaxCompute is a unified, multi-tenant big data processing platform. Different tenants have different data security requirements, so MaxCompute supports security configuration at the project level to meet them flexibly: a ProjectOwner can customise the project's external account support and authentication model and thereby secure the project's data to a certain extent.

In general, the common development mode is MaxCompute + DataWorks, and the data security scheme for this scenario is as follows:

I. Prohibiting data outflow or local downloads

Method 1:

The data protection mechanism (also called project data protection) can be enabled from the MaxCompute console to prevent data from flowing out of the project:

set projectProtection=true; -- Set the ProjectProtection rule: data can only flow in, not out.
                            -- By default ProjectProtection is not set and has the value false.

Method 2:

Most developers analyse data through DataWorks, where query results are shown on screen in the IDE and can normally be downloaded. This is controlled under Project Management > Project Configuration by the option "Query results can be downloaded in this project".

With that option disabled, data cannot be downloaded locally through the "Download" button on the DataWorks query result page.

Data outflow methods after the data protection mechanism is enabled

After Project Protection is set on your project, you may soon receive a request from user1, who genuinely needs to export data from a table in your project.

After review, you find that the table does not leak any sensitive data you care about. So as not to affect user1's normal business needs, MaxCompute provides two ways to export data after ProjectProtection is set.

Method 1:

The ProjectOwner sets an ExceptionPolicy that defines exceptions for a project with data protection enabled. This is done from the MaxCompute console (the policy file is given as a placeholder here):

SET ProjectProtection=true WITH EXCEPTION <policy_file>;

This policy differs from Policy authorization (although its syntax is identical): it is merely a description of exceptions to the project protection mechanism, i.e. every access situation described in the policy is allowed to break the ProjectProtection rule. See the detailed Policy documentation.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "ALIYUN$Alice@aliyun.com",
    "Action": ["odps:Select"],
    "Resource": "acs:odps:*:projects/alipay/tables/table_test",
    "Condition": {
      "StringEquals": {
        "odps:TaskType": ["DT", "SQL"]
      }
    }
  }]
}

Project Protection controls data flow, not access. Controlling the flow of data only makes sense if users already have access to it.

In addition, you can check a user's permissions with show grants [for <user>] [on type <object_type>] to confirm that the exception was added successfully.

Method 2:

Set a TrustedProject: if the current project is protected and the target project of a data flow is configured as a TrustedProject of the current project, that data flow is not regarded as a violation of the Project Protection rule. This is done from the MaxCompute console (project names are placeholders):

list trustedprojects;                 -- View all TrustedProjects of the current project
add trustedproject <project_name>;    -- Add a TrustedProject to the current project
remove trustedproject <project_name>; -- Remove a TrustedProject from the current project

II. IP whitelist control

MaxCompute supports IP whitelisting at the Project level.

After an IP whitelist is set, only IPs in the whitelist (the console IP, or the egress IP of the machine where the SDK runs) can access the project.

After setting up the IP whitelist, you need to wait five minutes before it takes effect.

Remember to add your current machine's IP when setting up the whitelist, so that you do not lock yourself out.

setproject odps.security.ip.whitelist=101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144;

The IP list in the whitelist can use three formats:

Simple IP: For example, 101.132.236.134.

Subnet mask: 100.116.0.0/16.

Network segment: 101.132.236.134-101.132.236.144.

For details, see the IP whitelist control documentation.
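The following parser, added here as an illustration and not part of the original article or of MaxCompute itself, reads the three whitelist entry formats from the page's setproject command and checks whether a given client IP would be admitted; check_before_apply is a constructed guard against the self-lockout the page warns about.

```python
import ipaddress

def parse_whitelist(value):
    """Parse the comma-separated odps.security.ip.whitelist value into (low, high) pairs.

    Each entry uses one of the three forms the page lists:
      simple IP        101.132.236.134
      subnet mask      100.116.0.0/16
      network segment  101.132.236.134-101.132.236.144
    """
    ranges = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:                       # network segment: inclusive low-high
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"descending segment: {entry}")
            ranges.append((int(lo), int(hi)))
        elif "/" in entry:                     # subnet mask (CIDR notation)
            net = ipaddress.ip_network(entry, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        else:                                  # single address
            addr = int(ipaddress.ip_address(entry))
            ranges.append((addr, addr))
    return ranges

def parse_whitelist_command(cmd):
    """Accept the full `setproject odps.security.ip.whitelist=...;` line as typed in the console."""
    key, _, value = cmd.strip().rstrip(";").partition("=")
    if key.split() != ["setproject", "odps.security.ip.whitelist"]:
        raise ValueError("not an odps.security.ip.whitelist setproject command")
    return parse_whitelist(value)

def is_allowed(ranges, client_ip):
    """True if client_ip (console IP or the SDK host's egress IP) falls in any entry."""
    ip = int(ipaddress.ip_address(client_ip))
    return any(lo <= ip <= hi for lo, hi in ranges)

def check_before_apply(cmd, my_egress_ip):
    """Constructed guard: refuse a whitelist that would lock out the admin applying it."""
    ranges = parse_whitelist_command(cmd)
    if not is_allowed(ranges, my_egress_ip):
        raise ValueError(f"{my_egress_ip} is not whitelisted; applying this would lock you out")
    return ranges

# The page's own sample command, used as input for a constructed check.
PAGE_COMMAND = "setproject odps.security.ip.whitelist=101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144;"
```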

Finer-grained management

The MaxCompute Policy mechanism can also restrict a user, or the users of a role, to accessing specific resources (tables, UDFs, resources) only from specific IP addresses.

Sample Policy:

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "ALIYUN$alice@aliyun.com",
    "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
    "Resource": "acs:odps:*:projects/prj1",
    "Condition": {
      "DateLessThan": {
        "acs:CurrentTime": "2013-11-11T23:59:59Z"
      },
      "IpAddress": {
        "acs:SourceIp": "10.32.180.0/23"
      }
    }
  }, {
    "Effect": "Deny",
    "Principal": "ALIYUN$alice@aliyun.com",
    "Action": "odps:Drop",
    "Resource": "acs:odps:*:projects/prj1/tables/*"
  }]
}

Under this policy, the authorized user alice@aliyun.com can only submit requests from the IP segment 10.32.180.0/23 and only before 2013-11-11T23:59:59Z; only the CreateInstance, CreateTable and List operations are allowed in project prj1; and dropping any table under prj1 is denied. For details, see the Policy documentation.
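The evaluator below is an added illustration, not code from the article or from MaxCompute: it models how the policy format shown here (and the ProjectProtection exception policy earlier) is evaluated, with an explicit Deny overriding Allow, wildcard resources, and the DateLessThan, IpAddress and StringEquals conditions the two samples use. How MaxCompute itself resolves conflicts is not stated on the page; the Deny-wins rule is an assumption.

```python
import fnmatch
import ipaddress
from datetime import datetime
# The page's sample policy for alice: a time- and IP-limited Allow plus a Deny on Drop.
PAGE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": "ALIYUN$alice@aliyun.com",
     "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
     "Resource": "acs:odps:*:projects/prj1",
     "Condition": {"DateLessThan": {"acs:CurrentTime": "2013-11-11T23:59:59Z"},
                   "IpAddress": {"acs:SourceIp": "10.32.180.0/23"}}},
    {"Effect": "Deny", "Principal": "ALIYUN$alice@aliyun.com",
     "Action": "odps:Drop", "Resource": "acs:odps:*:projects/prj1/tables/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iso(ts):  # policy timestamps carry a trailing Z for UTC
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def request_ctx(current_time_iso, source_ip, task_type=None):
    """Request attributes the Condition block is checked against; task_type is "SQL"/"DT"."""
    return {"acs:CurrentTime": _iso(current_time_iso), "acs:SourceIp": source_ip,
            "odps:TaskType": task_type}

def _condition_holds(cond, ctx):
    """Evaluate the operators the page's policies use; unknown operators fail closed."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "StringEquals" and have in _as_list(want):
                continue
            if op == "IpAddress" and any(ipaddress.ip_address(have) in ipaddress.ip_network(n, strict=False)
                                         for n in _as_list(want)):
                continue
            if op == "DateLessThan" and have < _iso(want):
                continue
            return False
    return True

def evaluate(policy, principal, action, resource, ctx):
    """Assumed resolution: an explicit Deny beats Allow; with no matching Allow the default is Deny."""
    allowed = False
    for st in policy["Statement"]:
        if (principal in _as_list(st["Principal"])
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```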

III. Data Umbrella (data desensitization)

Data Umbrella is the data security module of DataWorks; it includes data desensitization, security audit and more: https://help.aliyun.com/document_detail/86320.html

Sensitive data can be displayed as ** on the DataWorks screen, as shown in the following figure.

Note: Data Umbrella is a module of DataWorks. Even when Data Umbrella is used and data desensitization is applied, data downloaded through the Tunnel from the console is still not desensitized.

IV. Fine-grained permission control

1. Column Level LabelSecurity Access Control

LabelSecurity is off by default in a project; the ProjectOwner can turn it on.

[Application Scenarios]

Scenario description: user_profile is a table in the project that contains sensitive data. It has 100 columns, of which five contain sensitive data: id_card, credit_card, mobile, user_addr and birthday. Under the current DAC mechanism all users are authorized to select the table. The ProjectOwner wants to deny all users except Admin access to those five sensitive columns.

ProjectOwner operation steps are as follows:

set LabelSecurity=true;                                         -- Enable the LabelSecurity mechanism
set label 2 to table user_profile(mobile, user_addr, birthday); -- Set the sensitivity level of the specified columns to 2
set label 3 to table user_profile(id_card, credit_card);        -- Set the sensitivity level of the specified columns to 3

Alice is a member of the project and, for business reasons, requests access to the mobile column of user_profile for one week. The project administrator runs:

GRANT LABEL 2 ON TABLE user_profile TO USER alice WITH EXP 7;

For more information, see the column-level security control documentation: https://help.aliyun.com/document_detail/34604.html
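To make the label rules concrete, here is an added, simplified model of the scenario above (not code from the article or from MaxCompute): a user may read a column only if they hold the DAC select right and, with LabelSecurity on, an unexpired label at least as high as the column's; the Admin exemption, the grant start date and the "expires after 7 days" interpretation of WITH EXP 7 are assumptions.

```python
from datetime import date, timedelta

# Constructed model of the page's scenario: five of user_profile's 100 columns are sensitive.
COLUMN_LABELS = {"mobile": 2, "user_addr": 2, "birthday": 2, "id_card": 3, "credit_card": 3}

class Project:
    """Simplified model: DAC select rights plus LabelSecurity (off by default, as on the page)."""
    def __init__(self):
        self.label_security = False
        self.select_users = set()   # DAC: who holds SELECT on user_profile at all
        self.admins = set()         # assumption: ProjectOwner/Admin are not restricted by labels
        self.labels = {}            # user -> (granted label, expiry date or None)

    def grant_label(self, user, label, granted_on, exp_days=None):
        """GRANT LABEL <label> ON TABLE user_profile TO USER <user> [WITH EXP <days>]."""
        start = date.fromisoformat(granted_on)
        self.labels[user] = (label, start + timedelta(days=exp_days) if exp_days else None)

    def effective_label(self, user, today):
        """The user's label, or 0 once a time-limited grant has expired."""
        label, expiry = self.labels.get(user, (0, None))
        return 0 if expiry is not None and date.fromisoformat(today) > expiry else label

    def can_read(self, user, column, today):
        if user not in self.select_users:
            return False            # a label grant never replaces the DAC select right
        if not self.label_security or user in self.admins:
            return True
        return self.effective_label(user, today) >= COLUMN_LABELS.get(column, 0)

    def blocked_columns(self, user, columns, today):
        """Columns of a SELECT that would be rejected for this user on the given day."""
        return [c for c in columns if not self.can_read(user, c, today)]

def page_scenario():
    """Replay the page: owner labels the columns, alice gets label 2 for one week (assumed dates)."""
    p = Project()
    p.select_users.update({"admin", "alice", "bob"})   # DAC: everyone may select the table
    p.admins.add("admin")
    p.label_security = True                            # set LabelSecurity=true
    p.grant_label("alice", 2, "2024-01-01", exp_days=7)  # GRANT LABEL 2 ... TO USER alice WITH EXP 7
    return p
```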

2. Role Policy management (custom roles)

Many users create roles that fit their own business logic on top of ACL, such as data analyst or ETL developer, because the built-in roles (data development, operations and maintenance, administrator, etc.) do not meet their specific needs. When such roles need complex authorization, for example granting permissions on all tables whose names start with ods_ in batch, with restrictions, or using Deny rules, Role Policy is needed to refine the management. Role Policy supports:

One operation authorizing a set of objects, such as all functions, or all tables whose names begin with "taobao".

Conditional authorization, such as authorization that is valid only during a specified period, only when the request comes from a specified IP address, or that allows a user to access a table only via SQL (and not via other task types).

Method 1:

The Policy commands are as follows (file and role names are placeholders):

get policy;                                   -- Read the project's Policy
put policy <policy_file>;                     -- Set (override) the project's Policy
get policy on role <role_name>;               -- Read the Policy of a role in the project
put policy <policy_file> on role <role_name>; -- Set (override) the Policy of a role in the project

For more information about Policy, see http://www.aiwanba.net/plugin/odps-doc/prddoc/odps_security/odps_sec_authorization_dac.html

Method 2:

Through DataWorks > Project Management > MaxCompute Configuration > Custom User Roles.

Create steps:

[New Role] Click New Role, fill in the role name, and tick the accounts (sub-account users) to add to the role.

[Role Authorization] has two types: table and project. Taking the table as an example:

Select the table to be authorized, and grant the corresponding operation permission, as shown below, to assign specific permissions to specific tables.

Note: The biggest difference between the two methods is that Role Policy can authorize tables in batch, for example all tables starting with taobao_, whereas the DataWorks approach requires filtering and configuring permissions table by table.

V. JDBC 2.4 (data security hardening)

MaxCompute JDBC 2.4 includes certain modifications for data security hardening. JDBC download address: https://github.com/aliyun/aliyun-odps-jdbc/releases

Specific steps to use the data security hardening scheme in JDBC:

Download JDBC 2.4 (recommended).

Configure the JDBC URL, usually specifying the Tunnel endpoint, for example jdbc:odps:http://service.cn.maxcompute.aliyun-inc.com/api?tunnelEndpoint=http://dt.cn-shanghai.maxcompute.aliyun-inc.com

The MaxCompute endpoint and Tunnel endpoint for each region are not covered here.

Enable SET ProjectProtection=true; no exception is required. For details, see the Project Protection section above.

Limit the number of returned rows: setproject READ_TABLE_MAX_ROW=1000;

Queries issued through JDBC tools will then return at most 1000 rows.

Note: If you use a JDBC version below 2.4 with project protection enabled, JDBC will report an error directly (no permission).

Thank you for reading. The above covers the MaxCompute data security methods; the specific usage still needs to be verified in practice.
