How to implement a specified UDF in DataWorks that can only be accessed by a specified account

2025-04-01 Update. From: SLTechnology News&Howtos > Servers

Shulou(Shulou.com)06/01 Report--

This article shows how to implement a UDF in DataWorks that can be accessed only by a specified account. The walkthrough is concise and covers the DataWorks roles, the MaxCompute role policy and the project policy involved.

Implementing a resource that only a specified account can access in DataWorks

I have written an article about "the difference between the DataWorks and MaxCompute internal permission systems"; interested readers can look it up for the details. After reading it, some people asked how to make a specific Resource, Table or UDF in DataWorks accessible only to the users they specify. Such a UDF may implement the encryption and decryption of the data, so controlling who can use it is part of data security.

Common schemes

Package scheme: fine-grained permission control through package authorization.

Custom roles: create new roles in DataWorks (Administration > MaxCompute Advanced configuration > Custom user roles) for finer control.

Role policy scheme: customize a role's permission set through a role policy.

Scheme comparison

(1) Package scheme: fine-grained permission control through package authorization.

Packages are normally used to authorize users to share data and resources across project spaces. When you try to use a package for this purpose, you find that once a user has been given the DataWorks developer role, that user already holds all permissions in the project, so the package gives you no control.

First, the permissions of the well-known DataWorks developer role are as follows:

[Image: permission list of the DataWorks developer role; the relevant entries are reproduced below]

From the permission configuration it clearly does not meet our requirements: by default the role has full permissions on packages, functions, resources and tables in the project.

A projects/sz_mc/packages/*: *

A projects/sz_mc/registration/functions/*: *

A projects/sz_mc/resources/*: *

A projects/sz_mc/tables/*: *

Second, add the sub-account through DataWorks and assign it the developer role.

From the above it should be clear that the default package mechanism and the default DataWorks roles cannot meet our needs. For example, if I add the sub-account RAM$yangyi.pt@aliyun-test.com:ramtest and give it the developer role, it will by default have all action permissions on every object in the current project. For more information, please see the documentation.

(2) Custom roles: create new roles in DataWorks (Administration > MaxCompute Advanced configuration > Custom user roles) for finer control. However, in the DataWorks-MaxCompute advanced configuration, authorization can only be granted for a table or project, not for a resource or UDF.

(3) Role policy scheme: through a policy you can finely control the specific permissions of specific users on specific resources, which meets the needs of our scenario. However, the official documentation of the policy mechanism has not been made public, mainly out of concern that users unfamiliar with policies would run into trouble and lose development efficiency.

Role policy scheme

For safety, beginners should verify the policy in a test project first. The following operations are performed in the MaxCompute console (see the console configuration documentation for details).

① Create a role that denies access to the UDF by default

Step 1: create a role named denyudfrole:

odps@ sz_mc>create role denyudfrole;

Step 2: create the policy authorization file, as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["odps:Read", "odps:List"],
      "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
    },
    {
      "Effect": "Deny",
      "Action": ["odps:Read", "odps:List"],
      "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
    }
  ]
}

Step 3: upload the role policy, then view it:

odps@ sz_mc>put policy /Users/yangyi/Desktop/role_policy.json on role denyudfrole;

Step 4: add the user to the role denyudfrole:

odps@ sz_mc>grant denyudfrole to RAM$yangyi.pt@aliyun-test.com:ramtest;

Now verify by logging in to the MaxCompute console as the sub-account RAM$yangyi.pt@aliyun-test.com:ramtest.

1. Log in to the console and confirm the roles.

2. Run show grants to view the permissions of the currently logged-in user.

You can see that the RAM sub-account has two roles: role_project_dev, which is the default DataWorks developer role, and denyudfrole, the role we just created.

3. Verify the permissions on the self-built UDF and its dependent package.

This confirms that the sub-account, even though it holds the DataWorks developer role, has no read permission on the self-built UDF getregion. But one step remains before only a specified user can access the UDF: that requirement has to be handled together with the project policy.

Configure project policy

Step 1: write the project policy (the original had a missing comma between two actions and an unclosed statement object; corrected here):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
      "Action": ["odps:Read", "odps:List", "odps:Select"],
      "Resource": "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
    },
    {
      "Effect": "Allow",
      "Principal": "RAM$yangyi.pt@aliyun-test.com:yangyitest",
      "Action": ["odps:Read", "odps:List", "odps:Select"],
      "Resource": "acs:odps:*:projects/sz_mc/registration/functions/getregion"
    }
  ]
}

Step 2: upload the project policy, then view it:

odps@ sz_mc>put policy /Users/yangyi/Desktop/project_policy.json;

Verify: run a SQL query that calls the UDF, then view the dependent package.

At this point the requirement is met: only the specified RAM sub-account can access the specified UDF and its dependent package in the specified project.

Some readers will now have a clear picture of the DataWorks and MaxCompute security system, while others may still find it confusing. In summary:

To block access to specific resources: grant the data developer permission in DataWorks, then configure a role policy in the MaxCompute console that denies access.

To allow only a specified account to access resources: grant the data developer permission in DataWorks, then configure a project policy in the MaxCompute console that allows access for that account.

That is how to implement a UDF in DataWorks that can be accessed only by a specified account.
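The following script is an added example, not part of the original article and not an Alibaba Cloud tool. It rebuilds the two policy files from this article as Python dictionaries (so they are written out as valid JSON instead of being hand-edited), checks a policy file for the structural mistakes that `put policy` would reject, and dry-runs requests against the combined role policy and project policy. The evaluation rules are an assumed simplified model (an explicit Deny beats any Allow; otherwise an Allow applies; otherwise neither policy spoke and the ordinary role grants decide), not the authoritative MaxCompute semantics; the region in the request ARN and the broken policy text are constructed.

```python
"""Build, validate and dry-run the denyudfrole role policy and the sz_mc project policy."""
import fnmatch
import json

RAMTEST = "RAM$yangyi.pt@aliyun-test.com:ramtest"        # member of denyudfrole (as granted above)
YANGYITEST = "RAM$yangyi.pt@aliyun-test.com:yangyitest"  # principal named in the project policy
JAR = "acs:odps:*:projects/sz_mc/resources/getaddr.jar"
UDF = "acs:odps:*:projects/sz_mc/registration/functions/getregion"

ROLE_POLICY = {  # contents of role_policy.json
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": ["odps:Read", "odps:List"], "Resource": JAR},
        {"Effect": "Deny", "Action": ["odps:Read", "odps:List"], "Resource": UDF},
    ],
}

PROJECT_POLICY = {  # contents of project_policy.json
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Principal": YANGYITEST,
         "Action": ["odps:Read", "odps:List", "odps:Select"], "Resource": JAR},
        {"Effect": "Allow", "Principal": YANGYITEST,
         "Action": ["odps:Read", "odps:List", "odps:Select"], "Resource": UDF},
    ],
}

ROLE_MEMBERS = {"denyudfrole": {RAMTEST}}  # from: grant denyudfrole to RAM$...:ramtest

# Constructed: a project policy with the comma missing between two actions,
# the kind of hand-editing slip that makes 'put policy' fail.
BROKEN_POLICY_TEXT = ('{"Version": "1", "Statement": [{"Effect": "Allow", "Principal": "'
                      + YANGYITEST + '", "Action": ["odps:Read" "odps:List"], "Resource": "'
                      + UDF + '"}]}')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_policy(text, require_principal):
    """Return a list of problems found in a policy file's text (empty list means OK).

    Project policy statements need a Principal; role policy statements do not,
    because the role's membership selects who the statement applies to.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    if doc.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    required = ("Action", "Resource") + (("Principal",) if require_principal else ())
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("statement %d: Effect must be Allow or Deny" % i)
        for key in required:
            if key not in stmt:
                problems.append("statement %d: missing %s" % (i, key))
    return problems


def _statement_matches(stmt, principal, action, resource, principal_bound):
    # The '*' in the policy's Resource ARN (e.g. the region segment) is a wildcard.
    if principal_bound and principal not in _as_list(stmt.get("Principal", [])):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(principal, action, resource, role_policies=None,
             project_policy=PROJECT_POLICY, role_members=ROLE_MEMBERS):
    """Dry-run one request and return 'deny', 'allow' or 'no-match' (assumed model)."""
    if role_policies is None:
        role_policies = {"denyudfrole": ROLE_POLICY}
    effects = set()
    for role, policy in role_policies.items():  # role policy: applies to the role's members
        if principal not in role_members.get(role, ()):
            continue
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, principal, action, resource, principal_bound=False):
                effects.add(stmt["Effect"])
    for stmt in project_policy["Statement"]:  # project policy: applies to the named Principal
        if _statement_matches(stmt, principal, action, resource, principal_bound=True):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "deny"  # an explicit Deny wins over any Allow
    if "Allow" in effects:
        return "allow"
    return "no-match"  # neither policy applies; the developer role's own grants decide


def write_policy(path, policy):
    """Write a policy dictionary as the JSON file handed to 'put policy'."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    udf_arn = "acs:odps:cn-region-placeholder:projects/sz_mc/registration/functions/getregion"
    for who in (RAMTEST, YANGYITEST):
        print(who, "->", evaluate(who, "odps:Read", udf_arn))
    print("broken file:", validate_policy(BROKEN_POLICY_TEXT, require_principal=True))
```

Running it shows the effect described in the article: ramtest, a member of denyudfrole, is denied the UDF even though its developer role would otherwise grant everything, while yangyitest is allowed by the project policy; a request for a table that neither policy mentions returns no-match and falls back to the ordinary role grants. Generate the files with write_policy() and run validate_policy() before put policy to catch a missing comma or a missing Principal up front.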
