Regular authorization

Add the sub-account:
    add user RAM$zx037:cd-maxcompute;

Create a role:
    create role cd_development;

Grant privileges on the project slb_http_logs to the role cd_development:
    grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT slb_http_logs TO ROLE cd_development;

Grant table privileges to the role cd_development:
    grant Describe, Select, Alter, Update ON TABLE slb_http_log TO ROLE cd_development;

Bind the role to the sub-account:
    grant cd_development to RAM$zx037:cd-maxcompute;

Unbind the role from the sub-account:
    revoke cd_development from RAM$zx037:cd-maxcompute;


Authorization for all tables in a project (with the Drop privilege removed)

    [root@ops-server ~]# cat /tmp/cd_development.json
    {
        "Statement": [
            {
                "Action": ["odps:Read", "odps:CreateInstance", "odps:CreateTable", "odps:List"],
                "Effect": "Allow",
                "Resource": ["acs:odps:*:projects/zx037_stage"]
            },
            {
                "Action": ["odps:Select", "odps:Describe", "odps:Alter", "odps:Update"],
                "Effect": "Allow",
                "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]
            },
            {
                "Action": ["odps:Drop"],
                "Effect": "Deny",
                "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]
            }
        ],
        "Version": "1"
    }

View the policy attached to the role:
    get policy on role cd_development;

Upload the local policy file to the role:
    put policy /tmp/cd_development.json on role cd_development;

Bind the role to the sub-account:
    grant cd_development to RAM$zx037:cd-maxcompute;

View the sub-account's privileges:
    show grants for RAM$zx037:cd-maxcompute;
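To see why the explicit Deny on odps:Drop matters, here is an added example (not from the original page or from MaxCompute itself) that evaluates the policy above under a simplified model: glob-style wildcard matching and deny-overrides-allow. The function names, the extra odps:* statement and the sample table resource are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The policy from this page, embedded so the example runs offline.
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Effect": "Allow",
  "Action": ["odps:Read", "odps:CreateInstance", "odps:CreateTable", "odps:List"],
  "Resource": ["acs:odps:*:projects/zx037_stage"]},
 {"Effect": "Allow",
  "Action": ["odps:Select", "odps:Describe", "odps:Alter", "odps:Update"],
  "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]},
 {"Effect": "Deny",
  "Action": ["odps:Drop"],
  "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]}]}
""")

def evaluate(policy, action, resource):
    """Return "Deny", "Allow" or "NoMatch" (no statement applies)."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision

def with_broad_allow(policy):
    """Constructed variant: same policy plus an Allow of every action on tables."""
    extra = {"Effect": "Allow", "Action": ["odps:*"],
             "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]}
    return {**policy, "Statement": policy["Statement"] + [extra]}

# Constructed sample resource: one table inside the project.
TABLE = "acs:odps:*:projects/zx037_stage/tables/slb_http_log"

if __name__ == "__main__":
    broad = with_broad_allow(POLICY)
    for act in ("odps:Select", "odps:Drop", "odps:CreateTable"):
        print(act, evaluate(POLICY, act, TABLE), evaluate(broad, act, TABLE))
```

Even when a later statement allows every action on the tables, odps:Drop still evaluates to Deny, which is the behaviour the "Drop privilege removed" policy relies on.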

References:
https://yq.aliyun.com/articles/71902
https://help.aliyun.com/document_detail/27935.html?spm=a2c4g.11186623.6.860.759ecfe6r4suEm
https://blog.csdn.net/yunqiinsight/article/details/82461136