Basic operations
- Start the client: ./odpscmd
- Add a sub-account: add user RAM$zx037:cd-maxcompute;
- Create a role: create role cd_development;
- Grant privileges on project slb_http_logs to role cd_development:
- grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT slb_http_logs TO ROLE cd_development;
- Grant privileges on table slb_http_logs to role cd_development:
- grant Describe, Select, Alter, Update ON TABLE slb_http_log TO ROLE cd_development;
- Bind the role to the sub-account:
- grant cd_development to RAM$zx037:cd-maxcompute;
- Unbind the role from the sub-account:
- revoke cd_development from RAM$zx037:cd-maxcompute;
Authorizing all tables in the project (without the Drop privilege)
[root@ops-server ~]# cat /tmp/cd_development.json
{
    "Statement": [{
            "Action": ["odps:Read", "odps:CreateInstance", "odps:CreateTable", "odps:List"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/zx"]
        },
        {
            "Action": ["odps:Select", "odps:Describe", "odps:Alter", "odps:Update"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/zx/tables/*"]
        },
        {
            "Action": ["odps:Drop"],
            "Effect": "Deny",
            "Resource": ["acs:odps:*:projects/zx/tables/*"]
        }
    ],
    "Version": "1"
}
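The following pre-upload check is an added example, not part of the original notes or of MaxCompute itself. It loads a constructed copy of the policy above and evaluates requests against it, assuming a simplified model in which `*` is a wildcard, matching is case-insensitive, and an explicit Deny overrides any Allow; the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the cd_development policy for project zx (ASCII quotes).
POLICY_JSON = """
{
  "Statement": [
    {"Action": ["odps:Read", "odps:CreateInstance", "odps:CreateTable", "odps:List"],
     "Effect": "Allow", "Resource": ["acs:odps:*:projects/zx"]},
    {"Action": ["odps:Select", "odps:Describe", "odps:Alter", "odps:Update"],
     "Effect": "Allow", "Resource": ["acs:odps:*:projects/zx/tables/*"]},
    {"Action": ["odps:Drop"],
     "Effect": "Deny", "Resource": ["acs:odps:*:projects/zx/tables/*"]}
  ],
  "Version": "1"
}
"""

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def load_policy(text):
    """Parse a policy file and reject mistakes that are easy to miss by eye."""
    if "\u201c" in text or "\u201d" in text:
        raise ValueError("typographic quotes found; policy JSON needs ASCII quotes")
    policy = json.loads(text)
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {i}: Effect must be Allow or Deny")
    return policy

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' (assumed model: explicit Deny wins)."""
    effects = set()
    for stmt in policy["Statement"]:
        act_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatchcase(resource.lower(), r.lower()) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if effects else "NoMatch"

if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    table = "acs:odps:*:projects/zx/tables/slb_http_log"
    for act in ("odps:Select", "odps:Drop", "odps:Download"):
        print(act, "->", evaluate(policy, act, table))
```

The Deny statement only has an effect if the role later gains a broader Allow; with this policy alone, Drop would already be unmatched.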
Other usage
View a role's policy: get policy on role cd_development;
Upload a local policy file to a role: put policy /tmp/cd_development.txt on role cd_development;
Bind a role to a sub-account: grant cd_development to RAM$zx037:cd-maxcompute;
View a sub-account's privileges: show grants for RAM$zx037:cd-maxcompute;