Cloud Firewall (CFW)
Cloud services come with commonly used permissions preset in IAM, called system identity policies. If the IAM system identity policies do not meet your authorization requirements, an administrator can create IAM custom identity policies, based on the actions each cloud service supports, to implement fine-grained access control. Custom identity policies extend and supplement system identity policies.
Besides IAM, the service control policies (SCPs) of the Organizations service can also use these authorization elements to define access control policies.
An SCP does not grant permissions directly; it only defines a permission boundary. Attaching an SCP to an organizational unit (OU) or a member account does not grant that OU or account any operation permissions; it defines the authorization scope of the member account, or of the member accounts contained in the OU. The permissions granted by IAM identity policies are constrained by SCPs: only permissions within the scope an SCP allows take effect.
IAM and Organizations differ in how they use these elements for access control. For details, see: Differences between IAM and Organizations in permission-based access control.
This section describes the elements used in custom identity policies (IAM identity policy authorization) and in SCPs (Organizations): actions (action), resources (resource), and conditions (condition).
Actions (action)
An action is an authorization item supported in identity policies.
- The "Access Level" column describes how the action is classified (list, read, write, and so on). This classification helps you understand the access level that an action corresponds to in an identity policy.
- The "Resource Type" column indicates whether each action supports resource-level permissions.
  - The wildcard * in a resource type means all resources. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the identity policy statement.
  - If this column contains a resource type, you must specify the URN of that resource in any statement that uses this action.
  - Required resource types are marked with an asterisk (*) in the table, meaning that the resource type must be specified when using this action.
  For details about the resource types defined by CFW, see Resource Types (resource).
- The "Condition Key" column lists the keys that can be specified in the Condition element of an identity policy statement.
  - If the Resource Type column of the action has a value, the condition key applies only to the listed resource types.
  - If the Resource Type column of the action has no value (-), the condition key applies to the whole action.
  - If the Condition Key column has no value (-), the action does not support specifying condition keys.
  For details about the condition keys defined by CFW, see Conditions (condition).
- The "Alias" column lists the policy actions that can be configured in identity policies. These actions control access to the APIs that support policy-based authorization. For details, see Identity Policy Compatibility Notes.
You can specify the following CFW actions in the Action element of an identity policy statement.
| Action | Description | Access Level | Resource Type (* = required) | Condition Key | Alias |
|---|---|---|---|---|---|
| cfw:acl:createaclrule | Grants permission to create ACL rules. | write | instance * | | cfw:acl:create |
| cfw:acl:deleteaclrule | Grants permission to delete ACL rules. | write | acl *<br>instance * | - | cfw:acl:delete |
| cfw:acl:deletehitcount | Grants permission to delete the hit count of ACL rules. | write | acl *<br>instance * | - | cfw:acl:list |
| cfw:instance:listdomainparseservers | Grants permission to query the list of domain name resolution servers. | list | instance * | | cfw:domain:get |
| cfw:instance:getdomainparseresult | Grants permission to resolve domain names. | read | instance * | | cfw:domain:get |
| cfw:acl:getexportstatus | Grants permission to query the export status of ACL rules. | read | instance * | | cfw:acl:list |
| cfw:acl:getimportstatus | Grants permission to query the import status of ACL rules. | read | instance * | | cfw:acl:list |
| cfw:acl:getimporttemplate | Grants permission to obtain the ACL rule import template. | read | instance * | | cfw:acl:list |
| cfw:acl:listaclrules | Grants permission to query the ACL rule list. | list | instance * | | cfw:acl:list |
| cfw:acl:listacltags | Grants permission to query the ACL rule tag list. | list | instance * | | cfw:acl:list |
| cfw:acl:updateaclrule | Grants permission to update ACL rules. | write | acl *<br>instance * | - | cfw:acl:put |
| cfw:acl:updateaclruleaction | Grants permission to update the action of ACL rules. | write | acl *<br>instance * | - | cfw:acl:put |
| cfw:instance:updatedomainparseserver | Grants permission to update domain name resolution servers. | write | instance * | | cfw:acl:put |
| cfw:acl:setpriority | Grants permission to set the priority of ACL rules. | write | acl *<br>instance * | - | - |
| cfw:blackwhitelist:create | Grants permission to create blacklists and whitelists. | write | instance * | | cfw:blackwhite:create |
| cfw:blackwhitelist:delete | Grants permission to delete blacklists and whitelists. | write | blackwhitelist *<br>instance * | - | cfw:blackwhite:delete |
| cfw:blackwhitelist:list | Grants permission to list blacklists and whitelists. | list | instance * | | cfw:blackwhite:list |
| cfw:blackwhitelist:update | Grants permission to update blacklists and whitelists. | write | blackwhitelist *<br>instance * | - | cfw:blackwhite:put |
| cfw:domaingroup:update | Grants permission to update domain name groups. | write | domaingroup *<br>instance * | - | cfw:ipgroup:put |
| cfw:domaingroup:create | Grants permission to create domain name groups. | write | instance * | | cfw:ipgroup:create |
| cfw:domaingroup:delete | Grants permission to delete domain name groups. | write | domaingroup *<br>instance * | - | cfw:ipgroup:delete |
| cfw:domaingroup:list | Grants permission to list domain name groups. | list | instance * | | cfw:ipgroup:list |
| cfw:eip:count | Grants permission to query the number of EIPs. | read | instance * | | cfw:eipstatistics:get |
| cfw:eip:list | Grants permission to list EIPs. | list | instance * | | - |
| cfw:eip:updateprotectstatus | Grants permission to change the protection status of EIPs. | write | eip *<br>- | - | cfw:eip:operate |
| cfw:instance:checknamerepeat | Grants permission to check whether a cloud firewall name is already in use. | read | - | - | cfw:instance:list |
| cfw:instance:listadvanceipsrules | Grants permission to query the advanced IPS rule list of a cloud firewall. | list | instance * | | cfw:ipsmode:get |
| cfw:instance:listuseder | Grants permission to query the list of ERs in use. | list | - | - | cfw:instance:list |
| cfw:instance:listusedinspectionvpc | Grants permission to query the list of inspection VPCs in use. | list | - | - | cfw:instance:list |
| cfw:instance:addlogconfig | Grants permission to add log configuration for a cloud firewall. | write | instance *<br>- | | cfw:instance:create |
| cfw:instance:updatecustomrule | Grants permission to update user-defined IPS rules of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updatecustomruleaction | Grants permission to update the action of user-defined IPS rules of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updatelogconfig | Grants permission to update the LTS log configuration of a cloud firewall. | write | instance *<br>- | | cfw:instance:upgrade |
| cfw:instance:createinstance | Grants permission to create a cloud firewall. | write | instance *<br>- | - | cfw:instance:create |
| cfw:instance:deletepostpaidinstance | Grants permission to delete a pay-per-use cloud firewall. | write | instance * | | - |
| cfw:instance:createcapturetask | Grants permission to create packet capture tasks for a cloud firewall. | write | instance * | | cfw:capturetask:create |
| cfw:instance:createcustomrule | Grants permission to create custom IPS rules for a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:createtags | Grants permission to create tags for a cloud firewall. | tagging | instance *<br>- | | cfw:instance:upgrade |
| cfw:instance:deleteinstance | Grants permission to delete a cloud firewall instance. | write | instance * | | cfw:instance:delete |
| cfw:instance:deletecapturetask | Grants permission to delete packet capture tasks of a cloud firewall. | write | instance * | | cfw:capturetask:delete |
| cfw:instance:deletecustomrule | Grants permission to delete user-defined IPS rules of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:deletelogsearchhistory | Grants permission to delete the log search history of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:deletetags | Grants permission to delete tags of a cloud firewall. | tagging | instance *<br>- | | cfw:instance:upgrade |
| cfw:instance:exportlog | Grants permission to export logs. | read | instance * | | cfw:accesscontrollog:list |
| cfw:instance:listinstancebytags | Grants permission to query cloud firewall instances by tag. | list | instance *<br>- | | cfw:instance:list |
| cfw:instance:getbaseversion | Grants permission to query the basic edition of a cloud firewall. | read | instance * | | cfw:baseversion:get |
| cfw:instance:getcapturetaskresult | Grants permission to query packet capture task results of a cloud firewall. | read | instance * | | cfw:capturetask:getresult |
| cfw:instance:getcustomrule | Grants permission to query details of custom IPS rules of a cloud firewall. | read | instance * | | cfw:ipsmode:get |
| cfw:instance:getdomainparseserverstatus | Grants permission to query the domain name server status of a cloud firewall. | read | instance * | | cfw:domain:get |
| cfw:instance:getipsmode | Grants permission to query the IPS protection mode of a cloud firewall. | read | instance * | | cfw:ipsmode:get |
| cfw:instance:getipsstatus | Grants permission to query the IPS status of a cloud firewall. | read | instance * | | cfw:ipsstatus:get |
| cfw:instance:getlogconfig | Grants permission to query the LTS log configuration of a cloud firewall. | read | instance * | | cfw:attacklog:list |
| cfw:instance:getmaxcapturepacketnum | Grants permission to query the maximum number of captured packets for a cloud firewall user. | read | - | - | cfw:capturetask:list |
| cfw:instance:getpolicystatistics | Grants permission to query protection policy statistics of a cloud firewall. | read | instance * | | cfw:policystatistics:get |
| cfw:instance:listprojecttags | Grants permission to query the project tag list of cloud firewalls. | list | - | - | cfw:instance:list |
| cfw:instance:getregiondb | Grants permission to query the geographic location database of a cloud firewall. | read | instance * | | cfw:acl:list |
| cfw:instance:listinstancetags | Grants permission to query the tag list of a cloud firewall instance. | list | instance * | | cfw:instance:list |
| cfw:instance:listinstance | Grants permission to query the cloud firewall list. | list | instance * | - | cfw:instance:list |
| cfw:instance:getinstance | Grants permission to query cloud firewall details. | read | instance * | | cfw:instance:list |
| cfw:instance:listaccesscontrollog | Grants permission to query the access control log list of a cloud firewall. | list | instance * | | cfw:accesscontrollog:list |
| cfw:instance:listattacklog | Grants permission to query the attack log list of a cloud firewall. | list | instance * | | cfw:attacklog:list |
| cfw:instance:listcapturetask | Grants permission to query the packet capture task list of a cloud firewall. | list | instance * | | cfw:capturetask:list |
| cfw:instance:listcustomrule | Grants permission to query the user-defined IPS rule list of a cloud firewall. | list | instance * | | cfw:ipsmode:get |
| cfw:instance:getew | Grants permission to query the east-west firewall of a cloud firewall. | read | instance * | | cfw:instance:list |
| cfw:instance:listflowlog | Grants permission to display the traffic log list of a cloud firewall. | list | instance * | | cfw:flowlog:list |
| cfw:instance:listipsrule | Grants permission to display the IPS rule list of a cloud firewall. | list | instance * | | cfw:ipsmode:get |
| cfw:instance:listprotectedvpc | Grants permission to query the list of VPCs protected by a cloud firewall. | list | instance * | | cfw:instance:list |
| cfw:instance:updateipsmode | Grants permission to update the IPS protection mode of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updateadvanceipsrule | Grants permission to update advanced IPS rules of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updateipsruleaction | Grants permission to update the IPS rule mode of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updateipsstatus | Grants permission to update the IPS status of a cloud firewall. | write | instance * | | cfw:ipsmode:operate |
| cfw:instance:updateewprotectedstatus | Grants permission to update the protection status of the east-west firewall of a cloud firewall. | write | instance * | | cfw:instance:create |
| cfw:instance:savetags | Grants permission to replace tags of a cloud firewall. | tagging | instance *<br>- | | cfw:instance:upgrade |
| cfw:instance:startbaseversion | Grants permission to enable the basic edition of a cloud firewall. | write | instance * | | cfw:baseversion:start |
| cfw:instance:stopbaseversion | Grants permission to disable the basic edition of a cloud firewall. | write | instance * | | cfw:baseversion:stop |
| cfw:instance:stopcapturetask | Grants permission to stop packet capture tasks of a cloud firewall. | write | instance * | | cfw:capturetask:stop |
| cfw:instance:updatealarmconfig | Grants permission to update the alarm configuration of a cloud firewall. | write | instance * | | cfw:instance:create |
| cfw:instance:getalarmconfig | Grants permission to query the alarm configuration of a cloud firewall. | read | instance * | | cfw:instance:list |
| cfw:instance:upgradeinstance | Grants permission to upgrade a cloud firewall. | write | instance * | | cfw:instance:upgrade |
| cfw:instance:updatename | Grants permission to update the name of a cloud firewall. | write | instance * | | cfw:instance:upgrade |
| cfw:instance:getaccesscontrollogstatistics | Grants permission to query access control log statistics of a cloud firewall. | read | instance * | | cfw:accesscontrollogreport:get |
| cfw:instance:getattacklogstatistics | Grants permission to query attack log statistics of a cloud firewall. | read | instance * | | cfw:attacklogreport:get |
| cfw:instance:getlogsearchhistory | Grants permission to query the log search history of a cloud firewall. | read | instance * | | cfw:attacklogreport:get |
| cfw:instance:getenginelogstatistics | Grants permission to query engine log statistics of a cloud firewall. | read | instance * | | cfw:attacklogreport:get |
| cfw:instance:getflowlogstatistics | Grants permission to query traffic log statistics of a cloud firewall. | read | instance * | | cfw:flowlogreport:get |
| cfw:instance:getiplogstatistics | Grants permission to query IP log statistics of a cloud firewall. | read | instance * | | cfw:attacklogreport:get |
| cfw:ipgroup:updateipgroupmember | Grants permission to update address group members of a cloud firewall. | write | ipgroup *<br>instance * | - | cfw:ipmember:put |
| cfw:ipgroup:createipgroup | Grants permission to modify address group members of a cloud firewall. | write | instance * | | cfw:ipgroup:create |
| cfw:ipgroup:createipgroupmember | Grants permission to create address group members for a cloud firewall. | write | ipgroup *<br>instance * | - | cfw:ipmember:create |
| cfw:ipgroup:deleteipgroup | Grants permission to delete address groups of a cloud firewall. | write | ipgroup *<br>instance * | - | cfw:ipgroup:delete |
| cfw:ipgroup:deleteipgroupmember | Grants permission to delete address group members of a cloud firewall. | write | ipgroup *<br>instance * | - | cfw:ipmember:delete |
| cfw:ipgroup:getipgroup | Grants permission to query address groups of a cloud firewall. | read | ipgroup *<br>instance * | - | cfw:ipgroup:get |
| cfw:ipgroup:listipgroups | Grants permission to query the address group list of a cloud firewall. | list | instance * | | cfw:ipgroup:list |
| cfw:ipgroup:listipgroupmember | Grants permission to query the address group member list of a cloud firewall. | list | ipgroup *<br>instance * | - | cfw:ipmember:list |
| cfw:ipgroup:updateipgroup | Grants permission to update address groups of a cloud firewall. | write | ipgroup *<br>instance * | - | cfw:ipgroup:put |
| cfw:servicegroup:updateservicegroupmember | Grants permission to modify service group members of a cloud firewall. | write | servicegroup *<br>instance * | - | cfw:servicemember:put |
| cfw:servicegroup:create | Grants permission to create service group members of a cloud firewall. | write | instance * | | - |
| cfw:servicegroup:createservicegroupmember | Grants permission to create service group members for a cloud firewall. | write | servicegroup *<br>instance * | - | cfw:servicemember:create |
| cfw:servicegroup:delete | Grants permission to delete service groups of a cloud firewall. | write | servicegroup *<br>instance * | - | - |
| cfw:servicegroup:deleteservicegroupmember | Grants permission to delete service group members of a cloud firewall. | write | servicegroup *<br>instance * | - | cfw:servicemember:delete |
| cfw:servicegroup:get | Grants permission to query service groups of a cloud firewall. | read | servicegroup *<br>instance * | - | - |
| cfw:servicegroup:list | Grants permission to query the service group list of a cloud firewall. | list | instance * | | - |
| cfw:servicegroup:listservicegroupmember | Grants permission to query the service group list of a cloud firewall. | list | servicegroup *<br>instance * | - | cfw:servicemember:list |
| cfw:servicegroup:update | Grants permission to update service groups of a cloud firewall. | write | servicegroup *<br>instance * | - | cfw:servicegroup:put |
| cfw:instance:enablemultiaccount | Grants permission to enable multi-account management for a cloud firewall. | write | instance * | | - |
| cfw:instance:listaccounts | Grants permission to view the multi-account list. | list | instance * | | - |
| cfw:instance:listorganizationtree | Grants permission to view the organization tree. | list | instance * | | - |
| cfw:instance:addaccount | Grants permission to add accounts. | write | instance * | | - |
| cfw:instance:deleteaccount | Grants permission to delete accounts. | write | instance * | | - |
| cfw:instance:getprotectedvpc | Grants permission to view details of a VPC protected by the firewall. | read | instance * | | - |
| cfw:instance:deleteprotectedvpc | Grants permission to remove a VPC protected by the firewall. | write | instance * | | - |
| cfw:instance:addprotectedvpc | Grants permission to add a VPC to be protected by the firewall. | write | instance * | | - |
| cfw:instance:updateprotectedvpc | Grants permission to update a VPC protected by the firewall. | write | instance * | | - |
| cfw:instance:updateantivirusstatus | Grants permission to update the antivirus status of a cloud firewall. | write | instance * | | - |
| cfw:instance:getantivirusstatus | Grants permission to view the antivirus status of a cloud firewall. | read | instance * | | - |
| cfw:instance:updateantivirusrule | Grants permission to update antivirus rules of a cloud firewall. | write | instance * | | - |
| cfw:instance:getantivirusrule | Grants permission to view antivirus rules of a cloud firewall. | read | instance * | | - |
| cfw:instance:listreportprofile | Grants permission to view the list of weekly report templates of the firewall. | list | instance * | | - |
| cfw:instance:createreportprofile | Grants permission to create weekly report templates for the firewall. | write | instance * | | - |
| cfw:instance:updatereportprofile | Grants permission to update weekly report templates of the firewall. | write | instance * | | - |
| cfw:instance:getreportprofile | Grants permission to view weekly report templates of the firewall. | read | instance * | | - |
| cfw:instance:deletereportprofile | Grants permission to delete weekly report templates of the firewall. | write | instance * | | - |
| cfw:instance:importcertificate | Grants permission to import TLS certificates. | write | instance * | | - |
| cfw:instance:getcertificate | Grants permission to obtain TLS certificate information. | read | instance * | | - |
| cfw:instance:deletecertificate | Grants permission to delete TLS certificates. | write | instance * | | - |
| cfw:instance:importipblacklist | Grants permission to import IP blacklists. | write | instance * | | - |
| cfw:instance:deleteipblacklist | Grants permission to delete IP blacklists. | write | instance * | | - |
| cfw:instance:listipblacklist | Grants permission to obtain the IP blacklist list. | list | instance * | | - |
| cfw:instance:exportipblacklist | Grants permission to export IP blacklists. | read | instance * | | - |
| cfw:instance:enableipblacklist | Grants permission to enable or disable the IP blacklist function. | write | instance * | | - |
| cfw:instance:getipblacklistswitch | Grants permission to obtain the switch status of the IP blacklist function. | read | instance * | | - |
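The column rules above (a required resource type must be named by URN, an action with no resource type needs Resource "*", and only listed condition keys may be used) can be applied mechanically when reviewing a custom policy. The following is an added example, not tooling from this page or from Huawei Cloud: it validates one identity policy statement against an excerpt of the action table. The policy layout (Effect, Action, Resource, Condition with lists), the URN layout cfw:<region>:<account-id>:<resource-type>:<resource-id> (the URN column on this page is truncated), and all function names are assumptions of this example; the action rows, the rule that global g: keys apply to every action, and the key cfw:loggroupid come from the page.

```python
import fnmatch

# Excerpt copied from the action table on this page:
# action -> (access level, resource types marked * in the table, condition keys).
# A "-" (no value) on the page becomes an empty tuple here.
ACTION_TABLE = {
    "cfw:acl:listaclrules": ("list", ("instance",), ()),
    "cfw:acl:deleteaclrule": ("write", ("acl", "instance"), ()),
    "cfw:acl:setpriority": ("write", ("acl", "instance"), ()),
    "cfw:instance:checknamerepeat": ("read", (), ()),
    "cfw:instance:listprojecttags": ("list", (), ()),
    "cfw:instance:getlogconfig": ("read", ("instance",), ()),
    "cfw:instance:updatelogconfig": ("write", ("instance",), ()),
}

# Assumed URN layout (the page's URN column is truncated):
# cfw:<region>:<account-id>:<resource-type>:<resource-id>
URN_FIELDS = 5


def expand_actions(pattern):
    """Resolve an Action entry, which may use * wildcards, to table rows."""
    return sorted(a for a in ACTION_TABLE if fnmatch.fnmatchcase(a, pattern))


def urn_resource_type(urn):
    """Return the resource-type field of a cfw URN, or None if it is not one."""
    parts = urn.split(":")
    if len(parts) != URN_FIELDS or parts[0] != "cfw":
        return None
    return parts[3]


def validate_statement(stmt):
    """Apply the column rules of the action table to one policy statement.

    Action and Resource are given as lists. Returns a list of findings; an
    empty list means the statement is consistent with the table. Global
    condition keys (g:) are accepted for every action, service-level keys
    only where the table lists them for that action.
    """
    findings = []
    resources = stmt.get("Resource", ["*"])
    condition = stmt.get("Condition", {})
    for pattern in stmt.get("Action", []):
        matched = expand_actions(pattern)
        if not matched:
            findings.append(f"{pattern}: matches no CFW action in the table")
            continue
        for action in matched:
            _level, rtypes, ckeys = ACTION_TABLE[action]
            for res in resources:
                if res == "*":
                    continue  # "*" is always acceptable
                rtype = urn_resource_type(res)
                if rtype is None:
                    findings.append(f"{action}: {res!r} is not a cfw URN")
                elif not rtypes:
                    findings.append(
                        f'{action}: has no resource type, so Resource must be "*"')
                elif rtype not in rtypes:
                    findings.append(
                        f"{action}: resource type {rtype!r} is not one of {rtypes}")
            for _operator, pairs in condition.items():
                for key in pairs:
                    if not key.startswith("g:") and key not in ckeys:
                        findings.append(
                            f"{action}: condition key {key!r} is not supported")
    return findings


def access_levels(stmt):
    """Access levels (list/read/write/...) reached by a statement's actions."""
    levels = set()
    for pattern in stmt.get("Action", []):
        for action in expand_actions(pattern):
            levels.add(ACTION_TABLE[action][0])
    return sorted(levels)


if __name__ == "__main__":
    # Constructed statement: a wildcard over the acl actions, scoped to one
    # instance URN. access_levels shows it reaches "write", not only "list".
    stmt = {"Effect": "Allow", "Action": ["cfw:acl:*"],
            "Resource": ["cfw:cn-north-4:0123456789:instance:fw-example"]}
    print(access_levels(stmt), validate_statement(stmt))
```

Running the validator before attaching a policy catches the two mistakes this table is designed to prevent: naming a URN for an action that takes none, and naming a condition key the action does not evaluate, which silently never matches.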
A CFW API usually corresponds to one or more actions. Table 2 shows the relationship between APIs and actions, together with the actions each API depends on.
| API | Action | Dependent Actions |
|---|---|---|
| GET /v1/{project_id}/cfw/logs/flow | cfw:instance:listflowlog | - |
| GET /v1/{project_id}/cfw/logs/access-control | cfw:instance:listaccesscontrollog | - |
| GET /v1/{project_id}/cfw/logs/attack | cfw:instance:listattacklog | - |
| GET /v1/{project_id}/logs/count | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-detail | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-statistic | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/flow-trend | cfw:instance:getflowlogstatistics | - |
| GET /v1/{project_id}/cfw/logs/attack-statistic | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/total-attack | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/access-top | cfw:instance:getaccesscontrollogstatistics | - |
| GET /v1/{project_id}/cfw/logs/trend-attack | cfw:instance:getattacklogstatistics | - |
| GET /v1/{project_id}/cfw/logs/traffic-trend | cfw:instance:getenginelogstatistics | - |
| GET /v1/{project_id}/cfw/logs/configuration | cfw:instance:getlogconfig | - |
| POST /v1/{project_id}/cfw/logs/configuration | cfw:instance:addlogconfig | - |
| PUT /v1/{project_id}/cfw/logs/configuration | cfw:instance:updatelogconfig | - |
| POST /v1/{project_id}/cfw/{fw_instance_id}/logs/export | cfw:instance:exportlog | - |
| GET /v1/{project_id}/cfw/logs/search-history | cfw:instance:getlogsearchhistory | - |
| DELETE /v1/{project_id}/cfw/logs/search-history | cfw:instance:deletelogsearchhistory | - |
| POST /v1/{project_id}/acl-rule | cfw:acl:createaclrule | - |
| PUT /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:updateaclrule | - |
| PUT /v1/{project_id}/acl-rule/action | cfw:acl:updateaclruleaction | - |
| DELETE /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:deleteaclrule | - |
| GET /v1/{project_id}/acl-rules | cfw:acl:listaclrules | - |
| PUT /v1/{project_id}/acl-rule/order/{acl_rule_id} | cfw:acl:setpriority | - |
| GET /v2/{project_id}/cfw-acl/tags | cfw:acl:listacltags | - |
| POST /v1/{project_id}/acl-rule/import | cfw:acl:createaclrule | - |
| POST /v1/{project_id}/acl-rule/export | cfw:acl:listaclrules | - |
| GET /v1/{project_id}/acl-rule/import-template | cfw:acl:getimporttemplate | - |
| GET /v1/{project_id}/acl-rule/import-status | cfw:acl:getimportstatus | - |
| GET /v1/{project_id}/acl-rule/export-status | cfw:acl:getexportstatus | - |
| GET /v1/{project_id}/acl-rule/import-result | cfw:acl:getimportstatus | - |
| GET /v1/{project_id}/acl-rule/export-result | cfw:acl:getexportstatus | - |
| DELETE /v1/{project_id}/acl-rule/count | cfw:acl:deletehitcount | - |
| POST /v1/{project_id}/acl-rule/count | cfw:acl:listaclrules | - |
| POST /v1/{project_id}/black-white-lists | cfw:blackwhitelist:create | - |
| PUT /v1/{project_id}/black-white-list/{list_id} | cfw:blackwhitelist:update | - |
| DELETE /v1/{project_id}/black-white-list/{list_id} | cfw:blackwhitelist:delete | - |
| DELETE /v1/{project_id}/black-white-list | cfw:blackwhitelist:delete | - |
| GET /v1/{project_id}/black-white-lists | cfw:blackwhitelist:list | - |
| GET /v1/{project_id}/firewall/exist | cfw:instance:getinstance | - |
| POST /v1/{project_id}/firewall/east-west | cfw:instance:createinstance | |
| DELETE /v2/{project_id}/firewall/{resource_id} | cfw:instance:deleteinstance | - |
| PUT /v1/{project_id}/firewall/name | cfw:instance:updatename | - |
| POST /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/create | cfw:instance:createtags | - |
| DELETE /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/delete | cfw:instance:deletetags | - |
| POST /v1/{project_id}/firewalls/list | cfw:instance:listinstance | - |
| GET /v1/{project_id}/eip/protection-status/{fw_instance_id} | cfw:instance:getinstance | - |
| GET /v1/{project_id}/firewall/east-west | cfw:instance:getew | - |
| GET /v1/{project_id}/vpcs/protection | cfw:instance:listprotectedvpc | - |
| GET /v1/{project_id}/firewall/east-west/protected-vpc/{vpc_id} | cfw:instance:getprotectedvpc | - |
| DELETE /v1/{project_id}/firewall/east-west/protected-vpc/{vpc_id} | cfw:instance:deleteprotectedvpc | - |
| POST /v1/{project_id}/firewall/east-west/protected-vpc | cfw:instance:addprotectedvpc | - |
| PUT /v1/{project_id}/firewall/east-west/protected-vpc | cfw:instance:updateprotectedvpc | - |
| GET /v2/{project_id}/cfw/{fw_instance_id}/quota | cfw:instance:listinstance | - |
| POST /v1/{project_id}/service-set | cfw:servicegroup:create | - |
| PUT /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:update | - |
| GET /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:get | - |
| DELETE /v1/{project_id}/service-sets/{set_id} | cfw:servicegroup:delete | - |
| POST /v1/{project_id}/service-items | cfw:servicegroup:createservicegroupmember | - |
| GET /v1/{project_id}/service-items | cfw:servicegroup:listservicegroupmember | - |
| DELETE /v1/{project_id}/service-items | cfw:servicegroup:deleteservicegroupmember | - |
| GET /v1/{project_id}/service-sets | cfw:servicegroup:list | - |
| GET /v1/{project_id}/eip-count/{object_id} | cfw:eip:count | - |
| POST /v1/{project_id}/eip/protect | cfw:eip:updateprotectstatus | - |
| GET /v1/{project_id}/eips/protect | cfw:eip:list | - |
| PUT /v1/{project_id}/address-items/{item_id} | cfw:ipgroup:updateipgroupmember | - |
| DELETE /v1/{project_id}/address-items/{item_id} | cfw:ipgroup:deleteipgroupmember | - |
| GET /v1/{project_id}/address-items | cfw:ipgroup:listipgroupmember | - |
| POST /v1/{project_id}/address-items | cfw:ipgroup:createipgroupmember | - |
| POST /v1/{project_id}/address-set | cfw:ipgroup:createipgroup | - |
| GET /v1/{project_id}/address-sets | cfw:ipgroup:listipgroups | - |
| GET /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:getipgroup | - |
| PUT /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:updateipgroup | - |
| POST /v1/{project_id}/address-sets/batch-delete | cfw:ipgroup:deleteipgroup | - |
| DELETE /v1/{project_id}/address-sets/{set_id} | cfw:ipgroup:deleteipgroup | - |
| DELETE /v1/{project_id}/address-items | cfw:ipgroup:deleteipgroupmember | - |
| GET /v1/{project_id}/ips-rule | cfw:instance:listipsrule | - |
| POST /v1/{project_id}/ips-rule/mode | cfw:instance:updateipsruleaction | - |
| GET /v1/{project_id}/regions | cfw:instance:getregiondb | - |
| GET /v1/{project_id}/advanced-ips-rules | cfw:instance:listadvanceipsrules | - |
| POST /v1/{project_id}/advanced-ips-rule | cfw:instance:updateadvanceipsrule | - |
| POST /v1/{project_id}/ips/switch | cfw:instance:updateipsstatus | - |
| GET /v1/{project_id}/ips/switch | cfw:instance:getipsstatus | - |
| GET /v1/{project_id}/ips/custom-rule | cfw:instance:listcustomrule | - |
| PUT /v1/{project_id}/ips/custom-rule/{ips_cfw_id} | cfw:instance:updatecustomrule | - |
| POST /v1/{project_id}/ips/custom-rule/action | cfw:instance:updatecustomruleaction | - |
| POST /v1/{project_id}/ips/custom-rule/batch-delete | cfw:instance:deletecustomrule | - |
| POST /v1/{project_id}/ips/custom-rule | cfw:instance:createcustomrule | - |
| GET /v1/{project_id}/ips/custom-rule/{ips_cfw_id} | cfw:instance:getcustomrule | - |
| GET /v1/{project_id}/ips/protect | cfw:instance:getipsmode | - |
| POST /v1/{project_id}/ips/protect | cfw:instance:updateipsmode | - |
| GET /v1/{project_id}/cfw/alarm/config | cfw:instance:getalarmconfig | - |
| PUT /v1/{project_id}/cfw/alarm/config | cfw:instance:updatealarmconfig | - |
| GET /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags | cfw:instance:listinstancetags | - |
| PUT /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/save | cfw:instance:savetags | - |
| GET /v2/{project_id}/cfw-cfw/tags | cfw:instance:listprojecttags | - |
| GET /v1/{project_id}/capture-task | cfw:instance:listcapturetask | - |
| POST /v1/{project_id}/capture-task | cfw:instance:createcapturetask | - |
| POST /v1/{project_id}/capture-task/stop | cfw:instance:stopcapturetask | - |
| POST /v1/{project_id}/capture-task/batch-delete | cfw:instance:deletecapturetask | - |
| GET /v1/{project_id}/capture-task/capture-result | cfw:instance:getcapturetaskresult | - |
| GET /v1/{project_id}/dns/servers | cfw:instance:listdomainparseservers | - |
| PUT /v1/{project_id}/dns/servers | cfw:instance:updatedomainparseserver | - |
| POST /v1/{project_id}/domain-set | cfw:domaingroup:create | - |
| PUT /v1/{project_id}/domain-set/{set_id} | cfw:domaingroup:update | - |
| DELETE /v1/{project_id}/domain-set/{set_id} | cfw:domaingroup:delete | - |
| POST /v1/{project_id}/domain-sets/batch-delete | cfw:domaingroup:delete | - |
| GET /v1/{project_id}/domain-sets | cfw:domaingroup:list | - |
| GET /v1/{project_id}/domain-set/{domain_set_id} | cfw:domaingroup:list | - |
| POST /v1/{project_id}/system/multi-account/enable | cfw:instance:enablemultiaccount | |
| GET /v1/{project_id}/system/multi-account/accounts | cfw:instance:listaccounts | |
| POST /v1/{project_id}/system/multi-account/accounts | cfw:instance:addaccount | |
| GET /v1/{project_id}/system/multi-account/organization-tree | cfw:instance:listorganizationtree | |
| POST /v1/{project_id}/system/multi-account/batch-delete | cfw:instance:deleteaccount | |
| GET /v1/{project_id}/anti-virus/switch | cfw:instance:getantivirusstatus | - |
| PUT /v1/{project_id}/anti-virus/switch | cfw:instance:updateantivirusstatus | - |
| GET /v1/{project_id}/anti-virus/rule | cfw:instance:getantivirusrule | - |
| PUT /v1/{project_id}/anti-virus/rule | cfw:instance:updateantivirusrule | - |
| PUT /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:updatereportprofile | - |
| GET /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:getreportprofile | - |
| DELETE /v1/{project_id}/report-profile/{report_profile_id} | cfw:instance:deletereportprofile | - |
| POST /v1/{project_id}/report-profile | cfw:instance:createreportprofile | - |
| GET /v1/{project_id}/report-profile | cfw:instance:listreportprofile | - |
| POST /v1/{project_id}/ptf/ip-blacklist/import | cfw:instance:importipblacklist | - |
| GET /v1/{project_id}/ptf/ip-blacklist | cfw:instance:listipblacklist | - |
| DELETE /v1/{project_id}/ptf/ip-blacklist | cfw:instance:deleteipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/export | cfw:instance:exportipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/retry | cfw:instance:importipblacklist | - |
| POST /v1/{project_id}/ptf/ip-blacklist/switch | cfw:instance:enableipblacklist | - |
| GET /v1/{project_id}/ptf/ip-blacklist/switch | cfw:instance:getipblacklistswitch | - |
| DELETE /v1/{project_id}/domain-set/domains/{set_id} | cfw:domaingroup:delete | - |
| DELETE /v1/{project_id}/service-items/{item_id} | cfw:servicegroup:deleteservicegroupmember | - |
| POST /v1/{project_id}/black-white-list | cfw:blackwhitelist:create | - |
| DELETE /v1/{project_id}/acl-rule | cfw:acl:deleteaclrule | - |
| GET /v1/{project_id}/domain/parse/{domain_name} | cfw:instance:listdomainparseservers | - |
| POST /v1/{project_id}/firewall/east-west/protect | cfw:instance:updateewprotectedstatus | - |
| POST /v1/{project_id}/domain-set/domains/{set_id} | cfw:domaingroup:create | - |
| GET /v1/{project_id}/domain-set/domains/{domain_set_id} | cfw:domaingroup:list | - |
| POST /v2/{project_id}/firewall | cfw:instance:createinstance | - |
| GET /v3/{project_id}/jobs/{job_id} | cfw:instance:listinstance | - |
| GET /v1/{project_id}/eip/alarm-whitelist/{fw_instance_id} | cfw:instance:getalarmconfig | - |
| GET /v1/{project_id}/ips-rule/detail | cfw:instance:listipsrule | - |
| POST /v1/{project_id}/eip/auto-protect-status/switch | cfw:eip:updateprotectstatus | - |
| GET /v1/{project_id}/eip/auto-protect-status/{object_id} | cfw:eip:list | - |
Resource Types (resource)
A resource type (resource) indicates the resource that an identity policy applies to. If an action in Table 3 specifies a resource type, you must specify the URN of that resource in any identity policy statement that uses the action, and the policy then applies only to that resource. If no resource is specified, Resource defaults to "*" and the policy applies to all resources. You can also set conditions in the identity policy to narrow the resources it applies to.
CFW defines the following resource types that can be used in the Resource element of custom identity policies.
| Resource Type | URN |
|---|---|
| blackwhitelist | cfw: |
| acl | cfw: |
| instance | cfw: |
| servicegroup | cfw: |
| domaingroup | cfw: |
| ipgroup | cfw: |
| eip | cfw: |
Conditions (condition)
Condition Key Overview
A condition (condition) is the specific condition under which an identity policy takes effect; it consists of condition keys and operators.
- A condition key is a key in the Condition element of an identity policy statement. By scope, condition keys are divided into global condition keys and service-level condition keys.
  - Global condition keys (prefixed with g:) apply to all actions. During authentication the cloud service does not need to supply the user identity information; the system obtains it automatically and performs the check. For details, see: Global Condition Keys.
  - Service-level condition keys (usually prefixed with the service abbreviation, such as cfw:) apply only to the actions of the corresponding service. For details, see Table 4.
- Single-valued/multi-valued indicates how many values associated with the condition a request may carry when the API is called. A single-valued condition key carries at most one value in the request; a multi-valued condition key may carry several. For example, g:sourcevpce is a single-valued condition key: it restricts access to a resource to requests made through a specific VPC endpoint, and a request carries at most one VPC endpoint ID. g:tagkeys is a multi-valued condition key: it is the list of keys of all tags carried in the request, and a caller passing tags to the API can pass several values.
- An operator, together with a condition key and a condition value, forms a complete condition statement. The identity policy takes effect only when the request information satisfies that condition. For the supported operators, see: Operators.
Service-Level Condition Keys Supported by CFW
CFW defines the following condition keys that can be used in the Condition element of custom identity policies. You can use them to further refine the conditions under which identity policy statements apply.
| Service-Level Condition Key | Type | Single-/Multi-valued | Description |
|---|---|---|---|
| cfw:loggroupid | string | Single-valued | Filters access by the LTS log group ID specified in the request parameters. |
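The evaluation rules stated on this page, namely that an SCP only bounds and never grants (see the SCP paragraph at the top), that an identity policy must still allow the action, that a single-valued key such as cfw:loggroupid carries at most one request value while a multi-valued key such as g:tagkeys carries a list, and that a condition must hold before a statement applies, fit into one small evaluator. The following is an added example, not Huawei Cloud's authorization engine: the operator names StringEquals and ForAnyValue:StringEquals, the Version "5.0" policy layout, the rule that an explicit Deny wins, the rule that every SCP in effect must allow the action, the sample policies and the URN are assumptions of this example; the action names and condition keys follow the page.

```python
import fnmatch


def _as_list(value):
    """Policy elements may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """Action and Resource entries may carry * wildcards (e.g. cfw:instance:get*)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Check a Condition block against the request context.

    Assumed operators: StringEquals for single-valued keys (at most one
    request value, which must be in the policy's list) and
    ForAnyValue:StringEquals for multi-valued keys (at least one request
    value must be in the policy's list).
    """
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or isinstance(actual, list) or actual not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(v in wanted for v in _as_list(actual or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _decision(statements, action, resource, context):
    """'Deny' if a matching statement denies, 'Allow' if one allows, else None."""
    result = None
    for stmt in statements:
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation (assumed)
        result = "Allow"
    return result


def is_allowed(action, resource, context, identity_policies, scps=()):
    """True only if the identity policies grant the action AND every SCP in
    effect permits it. An SCP with no matching Allow is outside the boundary,
    so it cannot make an action permitted on its own."""
    for scp in scps:
        if _decision(scp["Statement"], action, resource, context) != "Allow":
            return False
    statements = [s for p in identity_policies for s in p["Statement"]]
    return _decision(statements, action, resource, context) == "Allow"


# Constructed sample policies (not from the page): log-config access scoped
# to one LTS log group, tag listing that requires an "env" tag key in the
# request, and a deny on instance deletion.
IDENTITY_POLICIES = [{
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cfw:instance:getlogconfig", "cfw:instance:updatelogconfig"],
         "Resource": ["*"],
         "Condition": {"StringEquals": {"cfw:loggroupid": ["lg-prod"]}}},
        {"Effect": "Allow",
         "Action": "cfw:instance:listinstancetags",
         "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"g:tagkeys": ["env"]}}},
        {"Effect": "Deny", "Action": "cfw:instance:deleteinstance", "Resource": "*"},
    ],
}]

# Constructed SCP: the boundary contains only read and list operations.
SCPS = [{
    "Version": "5.0",
    "Statement": [{"Effect": "Allow",
                   "Action": ["cfw:instance:get*", "cfw:instance:list*"],
                   "Resource": "*"}],
}]

FW = "cfw:cn-north-4:0123456789:instance:fw-example"  # constructed URN

if __name__ == "__main__":
    ctx = {"cfw:loggroupid": "lg-prod", "g:tagkeys": ["env", "owner"]}
    for act in ("cfw:instance:getlogconfig", "cfw:instance:updatelogconfig",
                "cfw:instance:listinstancetags", "cfw:instance:listinstance"):
        print(act, "->", is_allowed(act, FW, ctx, IDENTITY_POLICIES, SCPS))
```

The two cases worth noting when reading the output: cfw:instance:updatelogconfig is granted by the identity policy but falls outside the SCP, so it is refused, and cfw:instance:listinstance is inside the SCP but granted by no identity policy, so it is refused as well. Only the intersection of the two is effective.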