Basic terminology
Project: Project space, the basic unit through which MaxCompute provides users with self-service management.
Access control: Checks whether a request is trusted and legitimate.
ACL: Access control list, an expression of authorization.
Policy: A rule-based authorization expression.
Role: A collection of permissions, used to implement role-based permission management.
LabelSecurity: Label-based access control, used to implement column-level permission management.
ProjectProtection: Project space protection, used to enable data flow access control.
TrustedProject: Trusted project space, used to authorize project space data flow under access control.
ExceptionPolicy: A description of exceptions to the project space protection mechanism, used to authorize project space data flow under access control.
Package: A medium for resource sharing between project spaces.
Overall architecture of MaxCompute access control
Identity authentication: Identity authentication is required first to access MaxCompute.
Request source check (IP whitelist): Checks the IP address that submitted the access request; the IP must be in the IP whitelist before the request can access MaxCompute.
Project space status check: Often used for operations and maintenance. If MaxCompute is in arrears and the project is frozen, no requests can be passed to MaxCompute during that time.
LabelSecurity check: Access control of column-level sensitive data.
Role/Policy/ACL: Finally, the permissions of the role are checked, along with the Policy and ACL permissions.
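The check order listed above, as an added Python model that is not MaxCompute's own code: each request passes through the five stages in sequence and is rejected at the first one that fails, so a valid grant never compensates for a failed earlier check. The class and field names, the sample users and addresses, and the integer label comparison are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Project:              # hypothetical model of one project space
    whitelist: list         # CIDR ranges allowed to submit requests
    frozen: bool            # True while the project is frozen
    column_labels: dict     # column name -> sensitivity level
    user_labels: dict       # user -> highest level the user may read
    grants: set             # (user, action, table) from Role/Policy/ACL

@dataclass
class Request:
    user: str
    authenticated: bool
    source_ip: str
    action: str
    table: str
    columns: tuple = ()

def check_access(p, r):
    """Return (allowed, stage); stage names the first check that failed."""
    if not r.authenticated:
        return False, "authentication"
    ip = ipaddress.ip_address(r.source_ip)
    if not any(ip in ipaddress.ip_network(c) for c in p.whitelist):
        return False, "ip_whitelist"
    if p.frozen:
        return False, "project_status"
    # Assumption: a column is readable only when the user's level is at
    # least the column's level; unlabeled users and columns default to 0.
    level = p.user_labels.get(r.user, 0)
    if any(p.column_labels.get(c, 0) > level for c in r.columns):
        return False, "label_security"
    if (r.user, r.action, r.table) not in p.grants:
        return False, "role_policy_acl"
    return True, "allowed"

# Constructed sample data: both users hold the same table grant.
PROJECT = Project(
    whitelist=["10.0.0.0/8"], frozen=False,
    column_labels={"id": 0, "phone": 3},
    user_labels={"alice": 3, "bob": 1},
    grants={("alice", "select", "customers"), ("bob", "select", "customers")},
)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        req = Request(user, True, "10.1.2.3", "select", "customers", ("id", "phone"))
        print(user, check_access(PROJECT, req))
```

Both sample users hold the same table-level grant, yet only the one whose label level covers the `phone` column gets through, which is the column-level effect the LabelSecurity stage adds on top of Role/Policy/ACL.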
DataWorks permission management and MaxCompute permission management