Out-of-the-box security solutions: Introduction to Maxcompute Data security solutions

Absrtact: MaxCompute is a unified large data processing platform that supports multi-tenancy, and different users have varying requirements for data security. To meet the flexible needs of different tenants for data security, MaxCompute supports project space-level security configuration, Projectowner can tailor its own external account support and authentication model and to some extent ensure project data security.

MaxCompute is a unified large data processing platform that supports multi-tenancy, and different users have varying requirements for data security. To meet the flexible needs of different tenants for data security, MaxCompute supports project space-level security configuration, Projectowner can tailor its own external account support and authentication model and to some extent ensure project data security.

Typically, the common development pattern is maxcompute+dataworks , and the data security scenario for this scenario is as follows:

One, prohibit data download to local
Prohibit data outflow or download local
Mode ①:
The data protection mechanism is also referred to as opening the project space data protection, which can be turned on by Maxcompute console to prohibit data outflow:

Set Projectprotection=true
--Set Projectprotection rule: The data can only flow and cannot flow out.
--By default, the Projectprotection is not set and the value is false.
Mode ②:
So more developers are using DataWorks for data analysis, usually on the IDE and can download results, this can be opened in Project management > Project configuration "Can download select results in this project", specifically as follows:

In this case, the DataWorks Query results page will not be able to download the data locally via the "Download" button.

Data outflow method after turning on data protection mechanism
After your project has been set up for projectprotection, you may soon encounter the need for User1 to apply to you, and she does need to export the data from one table to your project space.

And after your review, the watch does not leak sensitive data that you care about. In order not to affect the normal business needs of User1, Maxcompute gives you two ways to export data after the projectprotection has been set up.

Mode ①:
Projectowner set up Exceptionpolicy to open exceptions to data protection for projects that have been turned on. This is done in the following way (required via Maxcompute console):

SET projectprotection=true with EXCEPTION <policyFile>
This policy differs from the policy authorization (although it is exactly the same as the policy authorization syntax), and it is only a description of the exception to the project space protection mechanism, where all access scenarios that are described in the policy can break the projectprotection rule. >>>policy Detailed Documentation

{
"Version": "1", [{
"Effect": "Allow",
"Principal": "[email protected]",
Br/> "Statement":
[{
"Effect": "Allow",
"Principal": "[email protected]",

"Resource": "acs:odps:*:p rojects/alipay/tables/table_test",
"Condition": {
"Stringequals": {
"Odps:tasktype": ["DT", "SQL"]
}
}
}]
}
Projectprotection is a control over the flow of data, not access control. It makes sense to control the flow of data only if the user has access to the data.

Alternatively, you can view a user right by show grants [for <USERNAME>] [on type <objecttype>] to see if the exception was successful.

Method ②:
Setting Trustedproject, if the current project space is protected, if the target space of the data outflow is set to the trustedproject of the current space, then the flow of data to the target project space will not be considered a violation of the projectprotection rule. Can be set by the following command (required via Maxcompute console):

List trustedprojects;
--View all trustedprojects in the current project
Add Trustedproject <projectname>;
--Add a trustedproject to the current project
Remove Trustedproject <projectname>;
--Remove a trustedproject in the current project
Second, IP White list control
Maxcompute supports the project-level IP whitelist.

Once the IP whitelist is set, only the IP in the Whitelist list (console or the export IP where the SDK is located) can access this project.
After you set up the IP whitelist, you need to wait five minutes before it takes effect.
Remember to set the white list, add your current machine IP, so as not to block themselves.
Setproject odps.security.ip.whitelist=101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144;
There are three representation formats for IP lists in the whitelist.

Simple IP: for example 101.132.236.134.
Subnet mask: 100.116.0.0/16.
Network segment: 101.132.236.134-101.132.236.144.
Specific detailed tutorials can be consulted, >>>>IP white list control.

More granular management
Of course, the Maxcompute policy mechanism can also be implemented to control a user/or role user from a specific IP address to access specific resources (tables, UDFs, resources) and so on.
Policy example:

{
"Version": "1", [{
"Effect": "Allow",
"Principal": "[email protected]",
Br/> "Statement":
[{
"Effect": "Allow",
"Principal": "[email protected]",
"Resource": "Acs:odps::p rojects/prj1 ",
"Condition": {
"DateLessThan": {
"Acs:currenttime": "2013-11-11t23:59:59z"
},
"IpAddress": {}
}
},
{
"Effect": "Deny",
"Principal": "[email protected]",
Br/> "Acs:sourceip": "10.32.180.0/23"
}
}
},
{
"Effect": "Deny",
"Principal": "[email protected]",

"Resource": "Acs:odps::p rojects/prj1/tables/* "
}]
}
Authorized users[email protected]Requests can only be submitted at the "2013-11-11t23:59:59z" point in time, only from the "10.32.180.0/23" IP segment, allowing only CreateInstance, createtable, and list operations to be performed in the project space prj1 , the deletion of any table under PRJ1 is prohibited. Refer to the policy documentation for details.

Third, data protective umbrella (data desensitization)
The data protection umbrella is a data security module of DataWorks, which can be understood by click-through, including data desensitization, security auditing and so on. Https://help.aliyun.com/document_detail/86320.html

You can display the DataWorks screen for sensitive data, as shown in:

Note: The data umbrella is a module of the DataWorks, if the data umbrella is used and the data is de-sensitized, but the tunnel download is not desensitization through the console.

Four, fine granularity of authority control
1. Column level labelsecurity access control
The labelsecurity security mechanism in the project space is turned off by default, and Projectowner can be turned on by itself.

"Application Scenario"
Scenario Description: User_profile is a table with sensitive data in a project space that contains 100 columns with 5 columns containing sensitive data: Id_card, Credit_card, Mobile, user_addr, birthday. The current DAC mechanism has authorized all users to select operations on the table. Projectowner hope that all users except admin will not be allowed access to the 5 columns of sensitive data.

Projectowner operation steps are as follows:

Set labelsecurity=true;
--Open labelsecurity mechanism
Set label 2 to table User_profile (mobile, user_addr, birthday);
--Set the sensitivity level of the specified column to 2
Set label 3 to table User_profile (Id_card, Credit_card);
--Set the sensitivity level of the specified column to 3
Alice is a member of the project space and, due to business needs, she will need access to User_profile's mobile column data for 1 weeks. The project space administrator steps as follows:

GRANT LABEL 2 on TABLE user_profile to user Alice with EXP 7;
More about Column level security Control documentation: https://help.aliyun.com/document_detail/34604.html

2. Role Policy Management Custom role
Many users will be due to the dataworks built-in data development, operations, administrators and other roles can not meet their individual needs, based on ACLs to create the role of their own business logic, such as data analysts, ETL development, based on these roles how to carry out complex authorization, such as batch grant Ods_ beginning of the table permissions , but the constraints, and the role of the Deny type, need to be refined and managed in combination with role policy.

One operation authorizes a set of objects, such as all functions, all tables that begin with "Taobao".
Authorization with restrictions, such as authorization, will only take effect for a specified period of time, the authorization will take effect when the requestor initiates a request from the specified IP address, or only allow the user to access a table using SQL (and not allowing other types of task).
Mode ①:
The policy action code is as follows:

Get policy--read policy for project space
Put policy <policyFile>--set (overwrite) policy for project space
Get policy on role <roleName>--read policy for a role in project space
Put policy <policyFile> on role <roleName>--set (overwrite) policy for a role in the project space
For more information about policy and how to do this, see the documentation: http://www.aiwanba.net/plugin/odps-doc/prddoc/odps_security/odps_sec_authorization_dac.html

Mode ②:
Done through the dataworks-project management-maxcompute configuration-custom user role.

To create a step:

"New role" click New Role, fill in the role name, tick the account that needs to be added to the role (sub account user).

"Role Authorization" includes two kinds of one is the table one is a project. Take the table as an example:

Select the tables that you want to authorize and give them the appropriate permissions to assign specific permissions to specific tables as follows.

Note: The biggest difference between the two approaches is that role policy can be used for bulk table authorization, such as Taobao_. But the DataWorks big way is to filter by table and configure permissions.

Iv. JDBC 2.4 (Data security hardening)
MaxCompute JDBC 2.4 is a challenge for data security hardening, specifically JDBC Address: https://github.com/aliyun/aliyun-odps-jdbc/releases

To use the data security hardening scenario in JDBC, follow these steps:
Download JDBC 2.4 (recommended)
Configure the JDBC URL, usually as follows to develop tunnel endpoint address, such as jdbc:odps:http://service.cn.maxcompute.aliyun-inc.com/api?tunnelendpoint= Http://dt.cn-shanghai.maxcompute.aliyun-inc.com.
The specific region corresponds to the Maxcompute endpoint and tunnel endpoint can refer to the documentation: https://help.aliyun.com/document_detail/34951.html
To open the project protection set Projectprotection=true, do not need to add exception exception, you can see the project protection mechanism chapter.
Open control returns the number of data bars: Setproject read_table_max_row=1000;
JDBC-based tools are queried, and the number of data return bars is controlled within 1000 lines.
Description: If you are using a version that is smaller than JDBC 2.4 and the project protection is turned on, the JDBC method will direct an error (no permissions).

Original link

This article is the original content of the cloud-Habitat community and cannot be reproduced without permission.

Out-of-the-box security solutions: Introduction to Maxcompute Data security solutions