Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you suggestions about MaxCompute/DataWorks permissions. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

Recommendations for troubleshooting MaxCompute/DataWorks permission issues

_ _ premise: _ _ MaxCompute and DataWorks are two products, and there are both overlap and certain differences in the permission system. Before the permission issue, you need to understand the unique permission system of the two products.

MaxCompute: computing engine

The underlying computing engine of MaxCompute has its own security authority system, including ACL and Policy authorization system. You can learn more about https://help.aliyun.com/document_detail/27924.html.

Cdn.nlark.com/lark/0/2018/png/26173/1545360736789-995dc63f-bfae-4744-81e4-30c848b568e4.png ">

DataWorks: data workshop

DataWorks is a cloud repository development tool for the upper layer of MaxCompute. It not only has its own permission model, but also supports the underlying MaxCompute underlying data authorization system. For more information, please see https://help.aliyun.com/document_detail/92594.html

View roles on MaxCompute

The role system can be seen through the MaxCompute Console command list roles;. The beginning of role_ is the role and authority system encapsulated by DataWorks based on MaxCompute. The introduction is as follows:

Rolename

Corresponding product and permission name

Admin

MaxCompute underlying engine default admin role

Role_project_admin

DataWorks Project Manager

Role_project_deploy

DataWorks deployment role

Role_project_dev

DataWorks developer role

Role_project_guest

DataWorks Guest role

Role_project_pe

DataWorks operation and maintenance role

Role_project_scheduler

DataWorks production escrow account

Role_project_security

DataWorks Security Administrator

The default admin role of the _ _ admin:__MaxCompute computing engine, which can access all objects in the project space, manage users or roles, and authorize users or roles. Compared with the project space Owner, the admin role cannot assign admin permissions to users, can not set the security configuration of the project space, cannot modify the authentication model of the project space, and the permissions corresponding to the admin role can not be modified. In general, if the permission has not been modified, there is only one project owner account for the admin role user.

Odps@ clouder_bi > describe role admin; [users] ALIYUN$***@aliyun-test.comAuthorization Type: Admin

MaxCompute project owner can grant the admin role to other sub-accounts for managing the underlying permission model of MaxCompute.

Roles at the beginning of role_ can also view the permission points of their roles and the list of users in their roles through describe role. Take the developer role as an example:

Odps@ clouder_bi > describe role role_project_dev [users] RAM$yangyi.pt@aliyun-test.com:yangyitestAuthorization Type: PolicyA projects/clouder_bi: * A projects/clouder_bi/instances/*: * A projects/clouder_bi/jobs/*: * A projects/clouder_bi/offlinemodels/*: * A projects/clouder_bi/packages/*: * A projects/clouder_bi/registration/functions/*: * A projects/clouder_bi/resources/*: * A projects/clouder_bi/ Tables/*: * A projects/clouder_bi/volumes/*: * troubleshooting recommendations:

After popularizing the permission system of the two products, more users will encounter questions or problems of various permissions. You can usually troubleshoot in the following ways:

First, view the permissions that the current user or the specified user has.

Show grants;-- View the current user's own access rights show grants for;-- View the access permissions of the specified user. Only ProjectOwner and Admin can have the execute permission. Show grants for RAM$ main account: sub-account

You can see the roles and related permission points that the user has.

View the authorization list of the specified object, and generally get the table to the person.

Show acl for [on type];-- View the objecTtype supported by the user and role authorization list on the specified object: PROJECT, TABLE, JOB, VOLUME, INSTANCE, RESOURCE, FUNCTION,PACKAGE,TOPOLOGY,MATRIX,XFLOW,OFFLINEMODEL,STREAMJOB

Check whether ACL is in effect (often returns OK after authorization, but permission verification still fails)

Show SecurityConfiguration;-- views the security configuration of the project space

In addition to using the command line, you can also confirm whether it is turned on through the ACL switch in _ + + DataWorks > Project Management > MaxCompute Advanced configuration + + _.

Query authorized by Policy

There are generally two types of policy authorization, one at the project level and the other at the role level.

Get policy;-- gets the project-level policy configuration; get policy on role;-- gets the specified role policy settings.

The above is what the editor shares with you about the MaxCompute/DataWorks permission problem. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.