Updated: 2026-01-13 GMT+08:00

Cloud Firewall (CFW)

Cloud services come with commonly used permissions preset in IAM, called system identity policies. If the system identity policies do not meet your authorization requirements, an administrator can create IAM custom identity policies for fine-grained access control, based on the actions each cloud service supports. Custom identity policies extend and supplement the system identity policies.

Besides IAM, service control policies (SCPs) in the Organizations service can also use these action elements to define access control policies.

An SCP does not grant permissions; it only draws a permission boundary. Attaching an SCP to an organizational unit (OU) or a member account does not give that OU or account any operation permissions. It defines the maximum scope of permissions that the member account, or the member accounts under the OU, can be granted. Permissions granted by IAM identity policies are constrained by the SCP: only permissions that fall within the scope the SCP allows take effect. In practice this means a request needs both an identity policy that grants the action and an SCP that permits it; an allow in only one of the two is not enough.

IAM and Organizations differ in some respects when they use these elements for access control. For details, see: Differences in access control between IAM and Organizations.

This section describes the elements used in custom identity policies (IAM identity-policy authorization) and in SCPs (Organizations): actions (action), resources (resource), and conditions (condition).
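The boundary relationship described above, as an added example (not Huawei Cloud code): a small Python model in which an identity policy grants, an SCP only bounds, and a request is allowed only when both agree. The Effect/Action/Resource statement layout, the "any explicit Deny wins" ordering, the treatment of "no SCP attached" as an unrestricted boundary, and the fw-prod-* instance naming are assumptions; the action names and the cfw:::instance: URN prefix come from Table 1 and Table 3 below.

```python
"""SCP-as-boundary model: identity policy grants, SCP bounds, both must agree.

Added example, not Huawei Cloud code. The statement layout (Effect/Action/
Resource) and the evaluation order are assumptions about the policy language;
this page only names the action, resource and condition elements.
"""
from fnmatch import fnmatchcase


def _stmts(policies):
    return [s for p in policies for s in p["Statement"]]


def _decision(statements, action, resource):
    """'deny' if any matching statement denies, else 'allow' if any matching
    statement allows, else 'none' (nothing in this policy set mentions it)."""
    result = "none"
    for st in statements:
        if any(fnmatchcase(action, a) for a in st["Action"]) and \
           any(fnmatchcase(resource, r) for r in st["Resource"]):
            if st["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def evaluate(identity_policies, scps, action, resource):
    """Return (allowed, reason) for one request.

    The SCP boundary is checked first: a request outside it can never be
    allowed, whatever the identity policy says. An empty SCP list is treated
    as an unrestricted boundary (assumption: no SCP attached)."""
    boundary = "allow" if not scps else _decision(_stmts(scps), action, resource)
    if boundary == "deny":
        return False, "explicit Deny in SCP"
    if boundary == "none":
        return False, "outside SCP boundary"
    ident = _decision(_stmts(identity_policies), action, resource)
    if ident == "deny":
        return False, "explicit Deny in identity policy"
    if ident == "none":
        return False, "no identity policy grants it (an SCP alone grants nothing)"
    return True, "granted by identity policy, inside SCP boundary"


# Constructed sample policies. Resource URNs use the cfw:::instance: and
# cfw:::acl: prefixes from Table 3; the "fw-prod-*" suffix is a made-up
# naming convention standing in for real instance IDs.
IDENTITY_POLICIES = [{
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cfw:acl:*", "cfw:instance:deleteinstance"],
         "Resource": ["cfw:::instance:fw-prod-*", "cfw:::acl:*"]},
    ]
}]

SCPS = [{
    "Statement": [
        # Boundary for the OU: rule management plus read-only instance access.
        {"Effect": "Allow",
         "Action": ["cfw:acl:*", "cfw:instance:list*", "cfw:instance:get*"],
         "Resource": ["*"]},
        # Nobody in the OU may delete firewalls, whatever IAM grants them.
        {"Effect": "Deny",
         "Action": ["cfw:instance:deleteinstance"],
         "Resource": ["*"]},
    ]
}]

if __name__ == "__main__":
    for action, res in [
        ("cfw:acl:createaclrule", "cfw:::instance:fw-prod-1"),   # allowed
        ("cfw:acl:createaclrule", "cfw:::instance:fw-dev-1"),    # identity scope
        ("cfw:instance:deleteinstance", "cfw:::instance:fw-prod-1"),  # SCP deny
        ("cfw:instance:listinstance", "cfw:::instance:fw-prod-1"),    # SCP only
    ]:
        print(action, res, evaluate(IDENTITY_POLICIES, SCPS, action, res))
```

The fourth case is the one that surprises people: the SCP allows cfw:instance:list*, but no identity policy grants it, so the request fails. The SCP never adds permissions; it only removes them.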

Actions (action)

An action is an authorization item that identity policies support.

  • The "Access level" column classifies the action (list, read, write, tagging, and so on). The classification tells you what level of access a given action in an identity policy confers.
  • The "Resource type" column indicates whether each action supports resource-level permissions.
    • Resource types support the wildcard *, meaning all resources. If this column has no value (-), the resource element of the policy statement must specify all resources ("*").
    • If this column contains a resource type, a statement that includes the action must specify the URN of that resource.
    • Required resource types are marked with an asterisk (*): that resource type must be specified whenever the action is used.

    For details about the resource types CFW defines, see Resource types (resource).

  • The "Condition key" column lists the keys that can be specified in the condition element of a policy statement.
    • If the Resource type column for the action has a value, the condition key applies only to the listed resource types.
    • If the Resource type column for the action has no value (-), the condition key applies to the whole action.
    • If the Condition key column has no value (-), the action does not support condition keys.

    For details about the condition keys CFW defines, see Conditions (condition).

  • The "Alias" column lists the corresponding actions that can be configured in policy-based (non-identity) policies; they control access to the APIs that support policy-based authorization. For details, see Identity policy compatibility notes.

You can specify the following CFW actions in the action element of an identity policy statement.

Table 1 Actions supported by CFW

Where an action has several resource-type rows, the continuation rows leave the action, description, access level and alias cells blank; they belong to the action above them.

| Action | Description | Access level | Resource type (* = required) | Condition key | Alias |
|---|---|---|---|---|---|
| cfw:acl:createaclrule | Grants permission to create an ACL rule. | write | instance * | - | cfw:acl:create |
| cfw:acl:deleteaclrule | Grants permission to delete an ACL rule. | write | acl * | - | cfw:acl:delete |
| | | | instance * | - | |
| cfw:acl:deletehitcount | Grants permission to clear the hit count of ACL rules. | write | acl * | - | cfw:acl:list |
| | | | instance * | - | |
| cfw:instance:listdomainparseservers | Grants permission to list domain name resolution servers. | list | instance * | - | cfw:domain:get |
| cfw:instance:getdomainparseresult | Grants permission to resolve a domain name. | read | instance * | - | cfw:domain:get |
| cfw:acl:getexportstatus | Grants permission to query the export status of ACL rules. | read | instance * | - | cfw:acl:list |
| cfw:acl:getimportstatus | Grants permission to query the import status of ACL rules. | read | instance * | - | cfw:acl:list |
| cfw:acl:getimporttemplate | Grants permission to obtain the ACL rule import template. | read | instance * | - | cfw:acl:list |
| cfw:acl:listaclrules | Grants permission to list ACL rules. | list | instance * | - | cfw:acl:list |
| cfw:acl:listacltags | Grants permission to list ACL rule tags. | list | instance * | - | cfw:acl:list |
| cfw:acl:updateaclrule | Grants permission to update an ACL rule. | write | acl * | - | cfw:acl:put |
| | | | instance * | - | |
| cfw:acl:updateaclruleaction | Grants permission to update the action of an ACL rule. | write | acl * | - | cfw:acl:put |
| | | | instance * | - | |
| cfw:instance:updatedomainparseserver | Grants permission to update domain name resolution servers. | write | instance * | - | cfw:acl:put |
| cfw:acl:setpriority | Grants permission to set the priority of an ACL rule. | write | acl * | - | - |
| | | | instance * | - | |
| cfw:blackwhitelist:create | Grants permission to create a blacklist or whitelist entry. | write | instance * | - | cfw:blackwhite:create |
| cfw:blackwhitelist:delete | Grants permission to delete a blacklist or whitelist entry. | write | blackwhitelist * | - | cfw:blackwhite:delete |
| | | | instance * | - | |
| cfw:blackwhitelist:list | Grants permission to list blacklist and whitelist entries. | list | instance * | - | cfw:blackwhite:list |
| cfw:blackwhitelist:update | Grants permission to update a blacklist or whitelist entry. | write | blackwhitelist * | - | cfw:blackwhite:put |
| | | | instance * | - | |
| cfw:domaingroup:update | Grants permission to update a domain group. | write | domaingroup * | - | cfw:ipgroup:put |
| | | | instance * | - | |
| cfw:domaingroup:create | Grants permission to create a domain group. | write | instance * | - | cfw:ipgroup:create |
| cfw:domaingroup:delete | Grants permission to delete a domain group. | write | domaingroup * | - | cfw:ipgroup:delete |
| | | | instance * | - | |
| cfw:domaingroup:list | Grants permission to list domain groups. | list | instance * | - | cfw:ipgroup:list |
| cfw:eip:count | Grants permission to query the number of EIPs. | read | instance * | - | cfw:eipstatistics:get |
| cfw:eip:list | Grants permission to list EIPs. | list | instance * | g:resourcetag/ | - |
| cfw:eip:updateprotectstatus | Grants permission to change the protection status of an EIP. | write | eip * | - | cfw:eip:operate |
| | | | - | g:enterpriseprojectid | |
| cfw:instance:checknamerepeat | Grants permission to check whether a firewall name is already in use. | read | - | - | cfw:instance:list |
| cfw:instance:listadvanceipsrules | Grants permission to list the advanced IPS rules of a firewall. | list | instance * | - | cfw:ipsmode:get |
| cfw:instance:listuseder | Grants permission to list the enterprise routers (ERs) in use. | list | - | - | cfw:instance:list |
| cfw:instance:listusedinspectionvpc | Grants permission to list the inspection VPCs in use. | list | - | - | cfw:instance:list |
| cfw:instance:addlogconfig | Grants permission to add a log configuration to a firewall. | write | instance * | - | cfw:instance:create |
| | | | - | cfw:loggroupid | |
| cfw:instance:updatecustomrule | Grants permission to update a user-defined IPS rule. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updatecustomruleaction | Grants permission to update the action of a user-defined IPS rule. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updatelogconfig | Grants permission to update the LTS log configuration of a firewall. | write | instance * | - | cfw:instance:upgrade |
| | | | - | cfw:loggroupid | |
| cfw:instance:createinstance | Grants permission to create a firewall. | write | instance * | - | cfw:instance:create |
| cfw:instance:deletepostpaidinstance | Grants permission to delete a pay-per-use firewall. | write | instance * | - | - |
| cfw:instance:createcapturetask | Grants permission to create a packet capture task. | write | instance * | - | cfw:capturetask:create |
| cfw:instance:createcustomrule | Grants permission to create a user-defined IPS rule. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:createtags | Grants permission to add tags to a firewall. | tagging | instance * | - | cfw:instance:upgrade |
| cfw:instance:deleteinstance | Grants permission to delete a firewall instance. | write | instance * | - | cfw:instance:delete |
| cfw:instance:deletecapturetask | Grants permission to delete a packet capture task. | write | instance * | - | cfw:capturetask:delete |
| cfw:instance:deletecustomrule | Grants permission to delete a user-defined IPS rule. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:deletelogsearchhistory | Grants permission to delete the log search history. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:deletetags | Grants permission to delete tags from a firewall. | tagging | instance * | - | cfw:instance:upgrade |
| | | | - | g:tagkeys | |
| cfw:instance:exportlog | Grants permission to export logs. | read | instance * | - | cfw:accesscontrollog:list |
| cfw:instance:listinstancebytags | Grants permission to query firewall instances by tag. | list | instance * | - | cfw:instance:list |
| | | | - | g:tagkeys | |
| cfw:instance:getbaseversion | Grants permission to query the basic edition of a firewall. | read | instance * | - | cfw:baseversion:get |
| cfw:instance:getcapturetaskresult | Grants permission to query the result of a packet capture task. | read | instance * | - | cfw:capturetask:getresult |
| cfw:instance:getcustomrule | Grants permission to query the details of a user-defined IPS rule. | read | instance * | - | cfw:ipsmode:get |
| cfw:instance:getdomainparseserverstatus | Grants permission to query the status of the domain name servers. | read | instance * | - | cfw:domain:get |
| cfw:instance:getipsmode | Grants permission to query the IPS protection mode. | read | instance * | - | cfw:ipsmode:get |
| cfw:instance:getipsstatus | Grants permission to query the IPS status. | read | instance * | - | cfw:ipsstatus:get |
| cfw:instance:getlogconfig | Grants permission to query the LTS log configuration. | read | instance * | - | cfw:attacklog:list |
| cfw:instance:getmaxcapturepacketnum | Grants permission to query the maximum number of packets a user may capture. | read | - | - | cfw:capturetask:list |
| cfw:instance:getpolicystatistics | Grants permission to query protection policy statistics. | read | instance * | - | cfw:policystatistics:get |
| cfw:instance:listprojecttags | Grants permission to list project tags. | list | - | - | cfw:instance:list |
| cfw:instance:getregiondb | Grants permission to query the geolocation database. | read | instance * | - | cfw:acl:list |
| cfw:instance:listinstancetags | Grants permission to list the tags of a firewall instance. | list | instance * | - | cfw:instance:list |
| cfw:instance:listinstance | Grants permission to list firewalls. | list | instance * | - | cfw:instance:list |
| cfw:instance:getinstance | Grants permission to query firewall details. | read | instance * | - | cfw:instance:list |
| cfw:instance:listaccesscontrollog | Grants permission to list access control logs. | list | instance * | - | cfw:accesscontrollog:list |
| cfw:instance:listattacklog | Grants permission to list attack logs. | list | instance * | - | cfw:attacklog:list |
| cfw:instance:listcapturetask | Grants permission to list packet capture tasks. | list | instance * | - | cfw:capturetask:list |
| cfw:instance:listcustomrule | Grants permission to list user-defined IPS rules. | list | instance * | - | cfw:ipsmode:get |
| cfw:instance:getew | Grants permission to query the east-west firewall. | read | instance * | - | cfw:instance:list |
| cfw:instance:listflowlog | Grants permission to list traffic logs. | list | instance * | - | cfw:flowlog:list |
| cfw:instance:listipsrule | Grants permission to list IPS rules. | list | instance * | - | cfw:ipsmode:get |
| cfw:instance:listprotectedvpc | Grants permission to list the VPCs protected by a firewall. | list | instance * | - | cfw:instance:list |
| cfw:instance:updateipsmode | Grants permission to update the IPS protection mode. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updateadvanceipsrule | Grants permission to update advanced IPS rules. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updateipsruleaction | Grants permission to update the mode of IPS rules. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updateipsstatus | Grants permission to update the IPS status. | write | instance * | - | cfw:ipsmode:operate |
| cfw:instance:updateewprotectedstatus | Grants permission to update the protection status of the east-west firewall. | write | instance * | - | cfw:instance:create |
| cfw:instance:savetags | Grants permission to replace the tags of a firewall. | tagging | instance * | - | cfw:instance:upgrade |
| cfw:instance:startbaseversion | Grants permission to enable the basic edition of a firewall. | write | instance * | - | cfw:baseversion:start |
| cfw:instance:stopbaseversion | Grants permission to disable the basic edition of a firewall. | write | instance * | - | cfw:baseversion:stop |
| cfw:instance:stopcapturetask | Grants permission to stop a packet capture task. | write | instance * | - | cfw:capturetask:stop |
| cfw:instance:updatealarmconfig | Grants permission to update the alarm configuration. | write | instance * | - | cfw:instance:create |
| cfw:instance:getalarmconfig | Grants permission to query the alarm configuration. | read | instance * | - | cfw:instance:list |
| cfw:instance:upgradeinstance | Grants permission to upgrade a firewall. | write | instance * | - | cfw:instance:upgrade |
| cfw:instance:updatename | Grants permission to rename a firewall. | write | instance * | - | cfw:instance:upgrade |
| cfw:instance:getaccesscontrollogstatistics | Grants permission to query access control log statistics. | read | instance * | - | cfw:accesscontrollogreport:get |
| cfw:instance:getattacklogstatistics | Grants permission to query attack log statistics. | read | instance * | - | cfw:attacklogreport:get |
| cfw:instance:getlogsearchhistory | Grants permission to query the log search history. | read | instance * | - | cfw:attacklogreport:get |
| cfw:instance:getenginelogstatistics | Grants permission to query engine log statistics. | read | instance * | - | cfw:attacklogreport:get |
| cfw:instance:getflowlogstatistics | Grants permission to query traffic log statistics. | read | instance * | - | cfw:flowlogreport:get |
| cfw:instance:getiplogstatistics | Grants permission to query IP log statistics. | read | instance * | - | cfw:attacklogreport:get |
| cfw:ipgroup:updateipgroupmember | Grants permission to update the members of an address group. | write | ipgroup * | - | cfw:ipmember:put |
| | | | instance * | - | |
| cfw:ipgroup:createipgroup | Grants permission to create an address group. | write | instance * | - | cfw:ipgroup:create |
| cfw:ipgroup:createipgroupmember | Grants permission to add members to an address group. | write | ipgroup * | - | cfw:ipmember:create |
| | | | instance * | - | |
| cfw:ipgroup:deleteipgroup | Grants permission to delete an address group. | write | ipgroup * | - | cfw:ipgroup:delete |
| | | | instance * | - | |
| cfw:ipgroup:deleteipgroupmember | Grants permission to delete members from an address group. | write | ipgroup * | - | cfw:ipmember:delete |
| | | | instance * | - | |
| cfw:ipgroup:getipgroup | Grants permission to query an address group. | read | ipgroup * | - | cfw:ipgroup:get |
| | | | instance * | - | |
| cfw:ipgroup:listipgroups | Grants permission to list address groups. | list | instance * | - | cfw:ipgroup:list |
| cfw:ipgroup:listipgroupmember | Grants permission to list the members of an address group. | list | ipgroup * | - | cfw:ipmember:list |
| | | | instance * | - | |
| cfw:ipgroup:updateipgroup | Grants permission to update an address group. | write | ipgroup * | - | cfw:ipgroup:put |
| | | | instance * | - | |
| cfw:servicegroup:updateservicegroupmember | Grants permission to modify the members of a service group. | write | servicegroup * | - | cfw:servicemember:put |
| | | | instance * | - | |
| cfw:servicegroup:create | Grants permission to create a service group. | write | instance * | - | - |
| cfw:servicegroup:createservicegroupmember | Grants permission to add members to a service group. | write | servicegroup * | - | cfw:servicemember:create |
| | | | instance * | - | |
| cfw:servicegroup:delete | Grants permission to delete a service group. | write | servicegroup * | - | - |
| | | | instance * | - | |
| cfw:servicegroup:deleteservicegroupmember | Grants permission to delete members from a service group. | write | servicegroup * | - | cfw:servicemember:delete |
| | | | instance * | - | |
| cfw:servicegroup:get | Grants permission to query a service group. | read | servicegroup * | - | - |
| | | | instance * | - | |
| cfw:servicegroup:list | Grants permission to list service groups. | list | instance * | - | - |
| cfw:servicegroup:listservicegroupmember | Grants permission to list the members of a service group. | list | servicegroup * | - | cfw:servicemember:list |
| | | | instance * | - | |
| cfw:servicegroup:update | Grants permission to update a service group. | write | servicegroup * | - | cfw:servicegroup:put |
| | | | instance * | - | |
| cfw:instance:enablemultiaccount | Grants permission to enable multi-account management. | write | instance * | - | - |
| cfw:instance:listaccounts | Grants permission to list managed accounts. | list | instance * | - | - |
| cfw:instance:listorganizationtree | Grants permission to view the organization tree. | list | instance * | - | - |
| cfw:instance:addaccount | Grants permission to add an account. | write | instance * | - | - |
| cfw:instance:deleteaccount | Grants permission to remove an account. | write | instance * | - | - |
| cfw:instance:getprotectedvpc | Grants permission to view the details of a protected VPC. | read | instance * | - | - |
| cfw:instance:deleteprotectedvpc | Grants permission to remove a protected VPC. | write | instance * | - | - |
| cfw:instance:addprotectedvpc | Grants permission to add a protected VPC. | write | instance * | - | - |
| cfw:instance:updateprotectedvpc | Grants permission to update a protected VPC. | write | instance * | - | - |
| cfw:instance:updateantivirusstatus | Grants permission to update the antivirus status. | write | instance * | - | - |
| cfw:instance:getantivirusstatus | Grants permission to view the antivirus status. | read | instance * | - | - |
| cfw:instance:updateantivirusrule | Grants permission to update antivirus rules. | write | instance * | - | - |
| cfw:instance:getantivirusrule | Grants permission to view antivirus rules. | read | instance * | - | - |
| cfw:instance:listreportprofile | Grants permission to list weekly report templates. | list | instance * | - | - |
| cfw:instance:createreportprofile | Grants permission to create a weekly report template. | write | instance * | - | - |
| cfw:instance:updatereportprofile | Grants permission to update a weekly report template. | write | instance * | - | - |
| cfw:instance:getreportprofile | Grants permission to view a weekly report template. | read | instance * | - | - |
| cfw:instance:deletereportprofile | Grants permission to delete a weekly report template. | write | instance * | - | - |
| cfw:instance:importcertificate | Grants permission to import a TLS certificate. | write | instance * | - | - |
| cfw:instance:getcertificate | Grants permission to obtain TLS certificate information. | read | instance * | - | - |
| cfw:instance:deletecertificate | Grants permission to delete a TLS certificate. | write | instance * | - | - |
| cfw:instance:importipblacklist | Grants permission to import an IP blacklist. | write | instance * | - | - |
| cfw:instance:deleteipblacklist | Grants permission to delete an IP blacklist. | write | instance * | - | - |
| cfw:instance:listipblacklist | Grants permission to list IP blacklist entries. | list | instance * | - | - |
| cfw:instance:exportipblacklist | Grants permission to export an IP blacklist. | read | instance * | - | - |
| cfw:instance:enableipblacklist | Grants permission to enable or disable the IP blacklist feature. | write | instance * | - | - |
| cfw:instance:getipblacklistswitch | Grants permission to query whether the IP blacklist feature is enabled. | read | instance * | - | - |

Two things to keep in mind when reading this table. First, an alias is often shared by several fine-grained actions (cfw:ipsmode:operate covers creating, updating and deleting user-defined IPS rules as well as changing the IPS mode and status; cfw:acl:list covers the rule list, the import and export status, the geolocation database and clearing hit counts), so a legacy policy built on aliases can be considerably broader than the one identity-policy action you had in mind. Second, cfw:instance:exportlog has access level read even though it exports log data; treat it as data egress when you scope read-only roles.

A CFW API usually corresponds to one or more actions. Table 2 shows which action each API maps to, together with the actions of other services the API additionally depends on. The dependent actions belong to ER, VPC, NAT, EIP, ECS, RMS and Organizations; a policy that grants only cfw:* actions is therefore not sufficient for the APIs that list them.

Table 2 Mapping between APIs and actions

| API | Action | Dependent actions |
|---|---|---|
| GET /v1/{project_id}/cfw/logs/flow | cfw:instance:listflowlog | - |
| GET /v1/{project_id}/cfw/logs/access-control | cfw:instance:listaccesscontrollog | - |
| GET /v1/{project_id}/cfw/logs/attack | cfw:instance:listattacklog | - |
| GET /v1/{project_id}/logs/count | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-detail | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-statistic | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-trend | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/attack-statistic | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/total-attack | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/access-top | cfw:instance:getaccesscontrollogstatistics | - |
| GET /v1/{project_id}/cfw/logs/trend-attack | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/traffic-trend | cfw:instance:getenginelogstatistics | - |
| GET /v1/{project_id}/cfw/logs/configuration | cfw:instance:getlogconfig | - |
| POST /v1/{project_id}/cfw/logs/configuration | cfw:instance:addlogconfig | - |
| PUT /v1/{project_id}/cfw/logs/configuration | cfw:instance:updatelogconfig | - |
| POST /v1/{project_id}/cfw/{fw_instance_id}/logs/export | cfw:instance:exportlog | - |
| GET /v1/{project_id}/cfw/logs/search-history | cfw:instance:getlogsearchhistory | - |
| DELETE /v1/{project_id}/cfw/logs/search-history | cfw:instance:deletelogsearchhistory | - |
| POST /v1/{project_id}/acl-rule | cfw:acl:createaclrule | - |
| PUT /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:updateaclrule | - |
| PUT /v1/{project_id}/acl-rule/action | cfw:acl:updateaclruleaction | - |
| DELETE /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:deleteaclrule | - |
| DELETE /v1/{project_id}/acl-rule | cfw:acl:deleteaclrule | - |
| GET /v1/{project_id}/acl-rules | cfw:acl:listaclrules | - |
| PUT /v1/{project_id}/acl-rule/order/{acl_rule_id} | cfw:acl:setpriority | - |
| GET /v2/{project_id}/cfw-acl/tags | cfw:acl:listacltags | - |
| POST /v1/{project_id}/acl-rule/import | cfw:acl:createaclrule | - |
| POST /v1/{project_id}/acl-rule/export | cfw:acl:listaclrules | - |
| GET /v1/{project_id}/acl-rule/import-template | cfw:acl:getimporttemplate | - |
| GET /v1/{project_id}/acl-rule/import-status | cfw:acl:getimportstatus | - |
| GET /v1/{project_id}/acl-rule/export-status | cfw:acl:getexportstatus | - |
| GET /v1/{project_id}/acl-rule/import-result | cfw:acl:getimportstatus | - |
| GET /v1/{project_id}/acl-rule/export-result | cfw:acl:getexportstatus | - |
| DELETE /v1/{project_id}/acl-rule/count | cfw:acl:deletehitcount | - |
| POST /v1/{project_id}/acl-rule/count | cfw:acl:listaclrules | - |
| POST /v1/{project_id}/black-white-lists | cfw:blackwhitelist:create | - |
| POST /v1/{project_id}/black-white-list | cfw:blackwhitelist:create | - |
| PUT /v1/{project_id}/black-white-list/{list_id} | cfw:blackwhitelist:update | - |
| DELETE /v1/{project_id}/black-white-list/{list_id} | cfw:blackwhitelist:delete | - |
| DELETE /v1/{project_id}/black-white-list | cfw:blackwhitelist:delete | - |
| GET /v1/{project_id}/black-white-lists | cfw:blackwhitelist:list | - |
| GET /v1/{project_id}/firewall/exist | cfw:instance:getinstance | - |
| POST /v1/{project_id}/firewall/east-west | cfw:instance:createinstance | er:instances:list, er:instances:listvpcattachments, er:attachments:create, vpc:vpcs:list, vpc:subnets:get, vpc:subnets:create, vpc:routetables:list, vpc:routetables:update, vpc:quotas:list, nat:natgateways:list |
| POST /v2/{project_id}/firewall | cfw:instance:createinstance | - |
| DELETE /v2/{project_id}/firewall/{resource_id} | cfw:instance:deleteinstance | - |
| PUT /v1/{project_id}/firewall/name | cfw:instance:updatename | - |
| POST /v1/{project_id}/firewalls/list | cfw:instance:listinstance | er:instances:listvpcattachments, nat:natgateways:list, vpc:vpcs:list |
| GET /v3/{project_id}/jobs/{job_id} | cfw:instance:listinstance | - |
| GET /v2/{project_id}/cfw/{fw_instance_id}/quota | cfw:instance:listinstance | - |
| GET /v1/{project_id}/eip/protection-status/{fw_instance_id} | cfw:instance:getinstance | - |
| GET /v1/{project_id}/firewall/east-west | cfw:instance:getew | - |
| POST /v1/{project_id}/firewall/east-west/protect | cfw:instance:updateewprotectedstatus | - |
| GET /v1/{project_id}/vpcs/protection | cfw:instance:listprotectedvpc | - |
| GET /v1/{project_id}/firewall/east-west/protected-vpc/{vpc_id} | cfw:instance:getprotectedvpc | - |
| DELETE /v1/{project_id}/firewall/east-west/protected-vpc/{vpc_id} | cfw:instance:deleteprotectedvpc | - |
| POST /v1/{project_id}/firewall/east-west/protected-vpc | cfw:instance:addprotectedvpc | - |
| PUT /v1/{project_id}/firewall/east-west/protected-vpc | cfw:instance:updateprotectedvpc | - |
| POST /v1/{project_id}/service-set | cfw:servicegroup:create | - |
| PUT /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:update | - |
| GET /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:get | - |
| DELETE /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:delete | - |
| GET /v1/{project_id}/service-sets | cfw:servicegroup:list | - |
| POST /v1/{project_id}/service-items | cfw:servicegroup:createservicegroupmember | - |
| GET /v1/{project_id}/service-items | cfw:servicegroup:listservicegroupmember | - |
| DELETE /v1/{project_id}/service-items | cfw:servicegroup:deleteservicegroupmember | - |
| DELETE /v1/{project_id}/service-items/{item_id} | cfw:servicegroup:deleteservicegroupmember | - |
| GET /v1/{project_id}/eip-count/{object_id} | cfw:eip:count | - |
| POST /v1/{project_id}/eip/protect | cfw:eip:updateprotectstatus | organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list |
| POST /v1/{project_id}/eip/auto-protect-status/switch | cfw:eip:updateprotectstatus | - |
| GET /v1/{project_id}/eips/protect | cfw:eip:list | ecs:cloudservers:listserversdetails, nat:natgateways:list, eip:publicips:list, rms:resources:list, organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list, organizations:roots:list, organizations:ous:list, organizations:accounts:list |
| GET /v1/{project_id}/eip/auto-protect-status/{object_id} | cfw:eip:list | - |
| GET /v1/{project_id}/eip/alarm-whitelist/{fw_instance_id} | cfw:instance:getalarmconfig | - |
| PUT /v1/{project_id}/address-items/{item_id} | cfw:ipgroup:updateipgroupmember | - |
| DELETE /v1/{project_id}/address-items/{item_id} | cfw:ipgroup:deleteipgroupmember | - |
| DELETE /v1/{project_id}/address-items | cfw:ipgroup:deleteipgroupmember | - |
| GET /v1/{project_id}/address-items | cfw:ipgroup:listipgroupmember | - |
| POST /v1/{project_id}/address-items | cfw:ipgroup:createipgroupmember | - |
| POST /v1/{project_id}/address-set | cfw:ipgroup:createipgroup | - |
| GET /v1/{project_id}/address-sets | cfw:ipgroup:listipgroups | - |
| GET /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:getipgroup | - |
| PUT /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:updateipgroup | - |
| DELETE /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:deleteipgroup | - |
| POST /v1/{project_id}/address-sets/batch-delete | cfw:ipgroup:deleteipgroup | - |
| GET /v1/{project_id}/ips-rule | cfw:instance:listipsrule | - |
| GET /v1/{project_id}/ips-rule/detail | cfw:instance:listipsrule | - |
| POST /v1/{project_id}/ips-rule/mode | cfw:instance:updateipsruleaction | - |
| GET /v1/{project_id}/regions | cfw:instance:getregiondb | - |
| GET /v1/{project_id}/advanced-ips-rules | cfw:instance:listadvanceipsrules | - |
| POST /v1/{project_id}/advanced-ips-rule | cfw:instance:updateadvanceipsrule | - |
| POST /v1/{project_id}/ips/switch | cfw:instance:updateipsstatus | - |
| GET /v1/{project_id}/ips/switch | cfw:instance:getipsstatus | - |
| GET /v1/{project_id}/ips/custom-rule | cfw:instance:listcustomrule | - |
| PUT /v1/{project_id}/ips/custom-rule/{ips_cfw_id} | cfw:instance:updatecustomrule | - |
| POST /v1/{project_id}/ips/custom-rule/action | cfw:instance:updatecustomruleaction | - |
| POST /v1/{project_id}/ips/custom-rule/batch-delete | cfw:instance:deletecustomrule | - |
| POST /v1/{project_id}/ips/custom-rule | cfw:instance:createcustomrule | - |
| GET /v1/{project_id}/ips/custom-rule/{ips_cfw_id} | cfw:instance:getcustomrule | - |
| GET /v1/{project_id}/ips/protect | cfw:instance:getipsmode | - |
| POST /v1/{project_id}/ips/protect | cfw:instance:updateipsmode | - |
| GET /v1/{project_id}/cfw/alarm/config | cfw:instance:getalarmconfig | - |
| PUT /v1/{project_id}/cfw/alarm/config | cfw:instance:updatealarmconfig | - |
| GET /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags | cfw:instance:listinstancetags | - |
| POST /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/create | cfw:instance:createtags | - |
| DELETE /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/delete | cfw:instance:deletetags | - |
| PUT /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/save | cfw:instance:savetags | - |
| GET /v2/{project_id}/cfw-cfw/tags | cfw:instance:listprojecttags | - |
| GET /v1/{project_id}/capture-task | cfw:instance:listcapturetask | - |
| POST /v1/{project_id}/capture-task | cfw:instance:createcapturetask | - |
| POST /v1/{project_id}/capture-task/stop | cfw:instance:stopcapturetask | - |
| POST /v1/{project_id}/capture-task/batch-delete | cfw:instance:deletecapturetask | - |
| GET /v1/{project_id}/capture-task/capture-result | cfw:instance:getcapturetaskresult | - |
| GET /v1/{project_id}/dns/servers | cfw:instance:listdomainparseservers | - |
| PUT /v1/{project_id}/dns/servers | cfw:instance:updatedomainparseserver | - |
| GET /v1/{project_id}/domain/parse/{domain_name} | cfw:instance:listdomainparseservers | - |
| POST /v1/{project_id}/domain-set | cfw:domaingroup:create | - |
| PUT /v1/{project_id}/domain-set/{set_id} | cfw:domaingroup:update | - |
| DELETE /v1/{project_id}/domain-set/{set_id} | cfw:domaingroup:delete | - |
| POST /v1/{project_id}/domain-sets/batch-delete | cfw:domaingroup:delete | - |
| GET /v1/{project_id}/domain-sets | cfw:domaingroup:list | - |
| GET /v1/{project_id}/domain-set/{domain_set_id} | cfw:domaingroup:list | - |
| POST /v1/{project_id}/domain-set/domains/{set_id} | cfw:domaingroup:create | - |
| DELETE /v1/{project_id}/domain-set/domains/{set_id} | cfw:domaingroup:delete | - |
| GET /v1/{project_id}/domain-set/domains/{domain_set_id} | cfw:domaingroup:list | - |
| POST /v1/{project_id}/system/multi-account/enable | cfw:instance:enablemultiaccount | organizations:trustedservices:list, organizations:organizations:get, organizations:trustedservices:enable |
| GET /v1/{project_id}/system/multi-account/accounts | cfw:instance:listaccounts | organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list |
| POST /v1/{project_id}/system/multi-account/accounts | cfw:instance:addaccount | organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list, organizations:roots:list |
| GET /v1/{project_id}/system/multi-account/organization-tree | cfw:instance:listorganizationtree | organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list, organizations:roots:list, organizations:ous:list, organizations:accounts:list |
| POST /v1/{project_id}/system/multi-account/batch-delete | cfw:instance:deleteaccount | organizations:trustedservices:list, organizations:organizations:get, organizations:delegatedadministrators:list |
| GET /v1/{project_id}/anti-virus/switch | cfw:instance:getantivirusstatus | - |
| PUT /v1/{project_id}/anti-virus/switch | cfw:instance:updateantivirusstatus | - |
| GET /v1/{project_id}/anti-virus/rule | cfw:instance:getantivirusrule | - |
| PUT /v1/{project_id}/anti-virus/rule | cfw:instance:updateantivirusrule | - |
| PUT /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:updatereportprofile | - |
| GET /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:getreportprofile | - |
| DELETE /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:deletereportprofile | - |
| POST /v1/{project_id}/report-profile | cfw:instance:createreportprofile | - |
| GET /v1/{project_id}/report-profile | cfw:instance:listreportprofile | - |
| POST /v1/{project_id}/ptf/ip-blacklist/import | cfw:instance:importipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/retry | cfw:instance:importipblacklist | - |
| GET /v1/{project_id}/ptf/ip-blacklist | cfw:instance:listipblacklist | - |
| DELETE /v1/{project_id}/ptf/ip-blacklist | cfw:instance:deleteipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/export | cfw:instance:exportipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/switch | cfw:instance:enableipblacklist | - |
| GET /v1/{project_id}/ptf/ip-blacklist/switch | cfw:instance:getipblacklistswitch | - |

Note that several APIs share one action: POST /v1/{project_id}/acl-rule/import is authorized by cfw:acl:createaclrule, and the ACL export and hit-count APIs by cfw:acl:listaclrules. Granting an action can therefore open more endpoints than its name suggests; check the API column, not only the action name, when you scope a policy.
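The dependency column matters in practice: a caller whose policy grants only cfw:* is still refused on POST /v1/{project_id}/firewalls/list, because that API also needs ER, NAT and VPC actions. The following added Python helper (not Huawei Cloud code) embeds a few rows copied from Table 2, computes the full action set for a list of API calls, reports which required actions an existing policy leaves uncovered, and emits a policy split into a CFW statement and a cross-service statement. The Version "5.0" / Effect / Action / Resource layout is an assumption about the identity-policy format, and the fw-prod-1 instance URN suffix is made up.

```python
"""Dependency closure over Table 2 rows: which actions a caller really needs.

Added example, not Huawei Cloud code. API_TABLE embeds a handful of rows from
Table 2 (API -> its own action, dependent actions); extend it with the rows
you need. The policy layout emitted by build_policy is an assumption.
"""
from fnmatch import fnmatchcase

API_TABLE = {
    "POST /v1/{project_id}/firewall/east-west": ("cfw:instance:createinstance", [
        "er:instances:list", "er:instances:listvpcattachments", "er:attachments:create",
        "vpc:vpcs:list", "vpc:subnets:get", "vpc:subnets:create",
        "vpc:routetables:list", "vpc:routetables:update", "vpc:quotas:list",
        "nat:natgateways:list"]),
    "POST /v1/{project_id}/firewalls/list": ("cfw:instance:listinstance", [
        "er:instances:listvpcattachments", "nat:natgateways:list", "vpc:vpcs:list"]),
    "POST /v1/{project_id}/eip/protect": ("cfw:eip:updateprotectstatus", [
        "organizations:trustedservices:list", "organizations:organizations:get",
        "organizations:delegatedadministrators:list"]),
    "POST /v1/{project_id}/acl-rule": ("cfw:acl:createaclrule", []),
    "GET /v1/{project_id}/acl-rules": ("cfw:acl:listaclrules", []),
}


def required_actions(apis):
    """All actions needed for the given API calls: each API's own action plus
    the cross-service actions it depends on. Unknown APIs raise KeyError so a
    typo in a path is not silently treated as 'needs nothing'."""
    needed = set()
    for api in apis:
        own, deps = API_TABLE[api]
        needed.add(own)
        needed.update(deps)
    return sorted(needed)


def missing_actions(apis, granted_patterns):
    """Gap analysis for a 403: which required actions does the current policy
    (a list of action patterns, wildcards allowed) not cover?"""
    return [a for a in required_actions(apis)
            if not any(fnmatchcase(a, p) for p in granted_patterns)]


def build_policy(apis, cfw_resource="*"):
    """One statement for CFW actions scoped to cfw_resource and one for the
    dependent actions of other services. Table 1 marks most CFW actions as
    requiring an instance resource, so pass the instance URN instead of '*'
    when you have it; the dependencies stay on '*' here because this page
    does not list their resource types."""
    actions = required_actions(apis)
    cfw = [a for a in actions if a.startswith("cfw:")]
    other = [a for a in actions if not a.startswith("cfw:")]
    statements = [{"Effect": "Allow", "Action": cfw, "Resource": [cfw_resource]}]
    if other:
        statements.append({"Effect": "Allow", "Action": other, "Resource": ["*"]})
    return {"Version": "5.0", "Statement": statements}  # "5.0" is an assumption


if __name__ == "__main__":
    import json
    calls = ["POST /v1/{project_id}/firewalls/list", "POST /v1/{project_id}/acl-rule"]
    print("uncovered with cfw:* only:", missing_actions(calls, ["cfw:*"]))
    print(json.dumps(build_policy(calls, "cfw:::instance:fw-prod-1"), indent=2))
```

Run it with the list of APIs a workload actually calls; the first line of output is the set of actions you would otherwise discover one 403 at a time.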

Resource types (resource)

A resource type (resource) denotes the resources an identity policy applies to. If an action in Table 1 specifies a resource type, a statement that contains the action must specify the URN of that resource, and the policy then applies only to that resource. If no resource is specified, resource defaults to "*" and the policy applies to all resources. You can also narrow the resources a policy applies to by setting conditions in the policy.

CFW defines the following resource types, which can be used in the resource element of a custom identity policy.

Table 3 Resource types supported by CFW

| Resource type | URN |
|---|---|
| blackwhitelist | cfw:::blackwhitelist: |
| acl | cfw:::acl: |
| instance | cfw:::instance: |
| servicegroup | cfw:::servicegroup: |
| domaingroup | cfw:::domaingroup: |
| ipgroup | cfw:::ipgroup: |
| eip | cfw:::eip: |

Conditions (condition)

Overview of condition keys

A condition (condition) is the specific circumstance under which an identity policy takes effect. It consists of condition keys and operators.

  • A condition key is the key in the condition element of a policy statement. By scope, condition keys are either global or service-level.
    • Global condition keys (prefix g:) apply to all actions. During authorization the cloud service does not need to supply identity information about the user; the system obtains it automatically and evaluates it. For details, see: Global condition keys.
    • Service-level condition keys (prefix usually the service abbreviation, such as cfw:) apply only to the actions of that service. For details, see Table 4.
    • Single-valued/multi-valued indicates how many values associated with the condition a request can carry. A single-valued condition key has at most one value in an API request; a multi-valued condition key can have several. For example, g:sourcevpce is single-valued: it restricts access to requests made through a particular VPC endpoint, and a request carries at most one VPC endpoint ID. g:tagkeys is multi-valued: it is the list of all tag keys carried in the request, and a request that passes tags can pass several.
  • An operator, together with a condition key and a condition value, forms a complete condition expression. The policy takes effect only when the request satisfies the condition. For the supported operators, see: Operators.

Service-level condition keys supported by CFW

CFW defines the following condition keys, which can be used in the condition element of a custom identity policy to further narrow the circumstances under which a statement applies.

Table 4 Service-level condition keys supported by CFW

| Service-level condition key | Type | Single-valued/multi-valued | Description |
|---|---|---|---|
| cfw:loggroupid | string | single-valued | Filters access by the LTS log group ID specified in the request parameters. |

Table 1 shows where this key is usable: it is listed for cfw:instance:addlogconfig and cfw:instance:updatelogconfig, with no resource type in that row, so it applies to the whole action. That lets you confine a firewall's log configuration to a specific log group instead of any group the caller can name.
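As an added example (not Huawei Cloud code), the following Python models the single-valued/multi-valued distinction above against Table 4's cfw:loggroupid and the global g:tagkeys: a statement that pins cfw:instance:addlogconfig and cfw:instance:updatelogconfig to one LTS log group, and a tag-governance statement that allows cfw:instance:createtags only when every tag key in the request is from an approved set. The operator names StringEquals and ForAllValues:StringEquals, the set of keys classified as single- or multi-valued, and the log group and tag key values are assumptions; the page itself defers operators to a separate page.

```python
"""Condition-key matching with single- and multi-valued keys.

Added example, not Huawei Cloud code. Taken from the page: cfw:loggroupid,
g:enterpriseprojectid and g:sourcevpce carry at most one value per request,
g:tagkeys carries the list of all tag keys in the request. Assumed: the
operator names and the Condition block layout.
"""
from fnmatch import fnmatchcase

SINGLE_VALUED = {"cfw:loggroupid", "g:enterpriseprojectid", "g:sourcevpce"}
MULTI_VALUED = {"g:tagkeys"}


def _values(v):
    return [v] if isinstance(v, str) else list(v)


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    condition: {"StringEquals": {key: value-or-list},
                "ForAllValues:StringEquals": {key: [values]}}
    context:   {key: str} for single-valued keys, {key: [str, ...]} for
               multi-valued ones. All clauses must hold (logical AND)."""
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            allowed = set(_values(allowed))
            if operator == "StringEquals":
                if key in MULTI_VALUED:
                    raise ValueError(f"{key} is multi-valued; use a ForAllValues operator")
                value = context.get(key)
                # A single-valued key that is absent from the request fails the clause.
                if not isinstance(value, str) or value not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                if key in SINGLE_VALUED:
                    raise ValueError(f"{key} is single-valued; use StringEquals")
                request_values = set(_values(context.get(key, [])))
                # Every value the request carries must be in the allowed set.
                # Edge case: an empty request set satisfies ForAllValues.
                if not request_values <= allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def statement_applies(statement, action, context):
    """True when the statement's Action pattern matches and its Condition holds."""
    if not any(fnmatchcase(action, p) for p in statement["Action"]):
        return False
    return condition_holds(statement.get("Condition", {}), context)


# Constructed statements; the log group ID and tag keys are made up.
PIN_LOG_GROUP = {
    "Effect": "Allow",
    "Action": ["cfw:instance:addlogconfig", "cfw:instance:updatelogconfig"],
    "Resource": ["*"],
    "Condition": {"StringEquals": {"cfw:loggroupid": "lg-constructed-1"}},
}

TAG_GOVERNANCE = {
    "Effect": "Allow",
    "Action": ["cfw:instance:createtags"],
    "Resource": ["*"],
    "Condition": {"ForAllValues:StringEquals": {"g:tagkeys": ["env", "owner"]}},
}

if __name__ == "__main__":
    print(statement_applies(PIN_LOG_GROUP, "cfw:instance:addlogconfig",
                            {"cfw:loggroupid": "lg-constructed-1"}))   # True
    print(statement_applies(PIN_LOG_GROUP, "cfw:instance:addlogconfig",
                            {"cfw:loggroupid": "lg-other"}))           # False
    print(statement_applies(TAG_GOVERNANCE, "cfw:instance:createtags",
                            {"g:tagkeys": ["env", "cost-center"]}))    # False
```

The ForAllValues branch is where policies most often go wrong: because an empty set trivially satisfies "all values are allowed", a request that carries no tags at all passes the tag-governance statement. If your intent is "tags are mandatory", pair the ForAllValues clause with a separate check that the key is present.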
