云搜索服务 css-j9九游会登录

云服务在iam预置了常用授权项，称为系统身份策略。如果iam系统身份策略无法满足授权要求，管理员可以根据各j9九游会登录的服务支持的授权项，创建iam自定义身份策略来进行精细的访问控制，iam自定义身份策略是对系统身份策略的扩展和补充。

除iam服务外，organizations服务中的服务控制策略（service control policy，以下简称scp）也可以使用这些授权项元素设置访问控制策略。

scp不直接进行授权，只划定权限边界。将scp绑定到组织单元或者成员账号时，并没有直接对组织单元或成员账号授予操作权限，而是规定了成员账号或组织单元包含的成员账号的授权范围。iam身份策略授予权限的有效性受scp限制，只有在scp允许范围内的权限才能生效。

iam服务与organizations服务在使用这些元素进行访问控制时，存在着一些区别，详情请参见：iam服务与organizations服务权限访问控制的区别。

本章节介绍iam服务身份策略授权场景中自定义身份策略和组织服务中scp使用的元素，这些元素包含了操作（action）、资源（resource）和条件（condition）。

如何使用这些元素编辑iam自定义身份策略，请参考创建自定义身份策略。
如何使用这些元素编辑scp自定义策略，请参考创建scp。

操作（action）

操作（action）即为身份策略中支持的授权项。

“访问级别”列描述如何对操作进行分类（list、read和write等）。此分类可帮助您了解在身份策略中相应操作对应的访问级别。
“资源类型”列指每个操作是否支持资源级权限。
- 资源类型支持通配符号*表示所有。如果此列没有值（-），则必须在身份策略语句的resource元素中指定所有资源类型（“*”）。
- 如果该列包含资源类型，则必须在具有该操作的语句中指定该资源的urn。
- 资源类型列中必需资源在表中用星号（*）标识，表示使用此操作必须指定该资源类型。
关于css定义的资源类型的详细信息请参见资源类型（resource）。
“条件键”列包括了可以在身份策略语句的condition元素中支持指定的键值。
- 如果该授权项资源类型列存在值，则表示条件键仅对列举的资源类型生效。
- 如果该授权项资源类型列没有值（-），则表示条件键对整个授权项生效。
- 如果此列条件键没有值（-），表示此操作不支持指定条件键。
关于css定义的条件键的详细信息请参见条件（condition）。
“别名”列包括了可以在身份策略中配置的策略授权项。通过这些授权项，可以控制支持策略授权的api访问。详细信息请参见身份策略兼容性说明。

您可以在身份策略语句的action元素中指定以下css的相关操作。

表1 css支持的授权项
授权项	描述	访问级别	资源类型（*为必须）	条件键	别名
css:vpcendpoint:updatewhitelist	授予权限更新已存在的终端节点白名单。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:updatebackuppolicy	授予权限日志备份修改或删除。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:setsnapshotpolicy	授予权限操作备份策略。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:getsnapshotpolicy	授予权限查询备份策略。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:restore	授予权限恢复快照。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:create	授予权限创建快照。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:publicipaddress:associates	授予权限开启或关闭公网访问。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:publicipaddress:setaccesscontrol	授予权限对白名单列表进行操作。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:get	授予权限查询资源标签。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:publicipaddress:modifybandwidth	授予权限修改带宽大小。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:vpcendpoint:enableordisable	授予权限创建或删除vpcep。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:getbasicconfigurations	授予权限日志基础配置查询。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:list	授予权限查看快照列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:list	授予权限查看日志。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:setsnapshotcontiguration	授予权限设置快照基础配置。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listflavors	授予权限查询规格id列表。	list	-	-	css:cluster:showflavor
css:cluster:listdisktype	授予权限列举可用磁盘类型。	list	-	-	-
css:tag:list	授予权限查询项目标签。	list	cluster *	-	-
css:vpcendpoint:manageconnection	授予权限操作终端节点的连接。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:listjob	授予权限查询作业列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:downloadcert	授予权限获取证书内容。	read	-	-	-
css:cluster:get	授予权限查询集群详情。	read	cluster *	g:enterpriseprojectid g:resourcetag/	css:cluster:getinstance
css:snapshot:enableatomaticsnapsot	授予权限设置快照自动备份的基础配置。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:delete	授予权限删除指定快照。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:ikthesaurus:get	授予权限查看自定义词库配置。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:restart	授予权限重启elasticsearch集群。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:modifysecuritygroup	授予权限修改集群安全组。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:configurations:list	授予权限查询获取参数配置的任务操作列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:delete	授予权限删除集群。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:modifyspecifications	授予权限修改集群规格。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:list	授予权限列举集群信息。	list	cluster *	-	css:cluster:getinstances
css:cluster:scaleout	授予权限扩容集群。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:ikthesaurus:load	授予权限加载自定义词库。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:configurations:modify	授予权限更新参数配置。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:configurations:get	授予权限列举参数配置列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:ikthesaurus:delete	授予权限删除词库。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:expand	授予权限扩容实例的数量和存储容量。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:snapshot:disablesnapshotfuction	授予权限关闭集群快照功能。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:upgradecluster	授予权限升级集群或节点替换。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:vpcendpoint:listconnection	授予权限查询vpcep的连接。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:scalein	授予权限对集群缩容。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:setbasicconfigurations	授予权限日志基础配置设置。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:addordelete	授予权限批量添加删除资源标签。	tagging	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:addordelete	授予权限批量添加删除资源标签。	tagging	-	g:requesttag/ g:tagkeys	-
css:publickibana:close	授予权限关闭公网访问。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:edit	授予权限修改集群标签。	tagging	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:edit	授予权限修改集群标签。	tagging	-	g:requesttag/ g:tagkeys	-
css:cluster:create	授予权限创建集群。	write	cluster *	-	-
css:cluster:create	授予权限创建集群。	write	-	g:enterpriseprojectid g:requesttag/ g:tagkeys	-
css:cluster:toperiod	授予权限对集群转包周期。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:modifyname	授予权限修改集群名称。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:log:backup	授予权限对日志备份。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:closelogsetting	授予权限关闭日志功能。	write	cluster *	g:enterpriseprojectid g:resourcetag/	css:log:enableordisablelogfunction
css:cluster:openlogsetting	授予权限开启日志功能。	write	cluster *	g:enterpriseprojectid g:resourcetag/	css:log:enableordisablelogfunction
css:cluster:modifypassword	授予权限修改集群密码。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:publicipaddress:disassociates	授予权限解绑公网。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:publickibana:open	授予权限绑定公网。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:delete	授予权限删除标签。	tagging	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:tag:delete	授予权限删除标签。	tagging	-	g:tagkeys	-
css:cluster:shrinknodes	授予权限指定节点缩容。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:changemode	授予权限修改安全模式。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:addindependencenodes	授予权限添加独立master,client。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:rollingreboot	授予权限滚动重启elasticsearch集群。	write	cluster *	g:enterpriseprojectid g:resourcetag/	css:cluster:rollingrestart
css:logstash:listactions	授予权限查询操作记录。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:uploadcerts	授予权限上传证书。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:deletecerts	授予权限删除证书。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listcerts	授予权限查询证书列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	css:cluster:getcertslist
css:cluster:getcertsdetail	授予权限查询证书详情。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:deleteconftemplate	授予权限删除自定义模板。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:listconfigtemplate	授予权限查询模板列表。	list	-	-	css:logstash:configlisttemplate
css:logstash:confstop	授予权限停止或热停止pipeline迁移数据。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:checkconnection	授予权限连通性测试。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:confdelete	授予权限删除配置文件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:confstart	授予权限启动或热启动pipeline迁移数据。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:getconfdetail	授予权限用于查询配置文件内容。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:azmigrate	授予权限进行可用区切换。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:confupdate	授予权限更新配置文件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:listpipelines	授予权限查询pipeline列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:retryaction	授予权限重试该任务或终止该任务的影响。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:listconfs	授予权限查询配置文件列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:configfavorites	授予权限添加到自定义模板。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listupgradecluster	授予权限获取升级镜像id及升级详情。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:submitconf	授予权限创建配置文件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:list	授予权限查询集群插件列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:getoperationrecords	授予权限查询插件的操作记录。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:delete	授予权限删除插件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:installoruninstall	授予权限安装或卸载插件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:upload	授予权限上传插件。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:plugin:getdefault	授予权限查询默认插件。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:getagencies	授予权限获取代理。	read	-	-	-
css:cluster:modifyroute	授予权限修改集群路由。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:getroutes	授予权限获取集群路由。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:logstash:actionlist	授予权限查询集群任务列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:createuserinfo	授予权限查询创建用户信息。	write	cluster *	-	-
css:vpcendpoint:modifyconnections	授予权限修改连接大小。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:queryneeddeleteinstances	授予权限查询需要删除的节点。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:querykey	授予权限获得密钥。	read	-	-	-
css:cluster:querykeys	授予权限获得密钥列表。	list	-	-	-
css:cluster:getpubliczonepice	授予权限获取带宽价格。	read	cluster *	-	-
css:datastore:get	授予权限获取数据引擎。	read	cluster *	-	-
css:datastore:list	授予权限获取数据引擎列表。	list	cluster *	-	-
css:cluster:getdiskusage	授予权限获取集群存储容量状态。	read	cluster *	-	-
css:snapshot:showdetail	授予权限获得快照详情。	read	cluster *	-	-
css:cluster:getavailablebuckets	授予权限获取可用obs桶。	list	-	-	-
css:cluster:checkcssname	授予权限检查集群名称。	write	cluster *	-	-
css:snapshot:deleteallfailedtask	授予权限删除所有的失败任务。	write	-	-	-
css:snapshot:deletesinglefailedtask	授予权限删除指定失败任务。	write	-	-	-
css:snapshot:getallfailedtask	授予权限查看备份失败任务。	list	-	-	-
css::createserviceagency	授予权限创建委托。	write	-	-	-
css:cluster:createaiops	授予权限创建检测任务。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listaiops	授予权限获取检测任务列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:deleteaiops	授予权限删除检测任务。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listsmntopics	授予权限获取smn主题列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listelbs	授予权限下获取当前集群可用的负载均衡器列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:elbswitch	授予权限打开或关闭负载均衡功能。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:createelblistener	授予权限为当前集群创建监听器。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:updateelblistener	授予权限修改当前集群的监听器。	write	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:getelbdetail	授予权限查询当前集群使用的负载均衡器信息。	read	cluster *	g:enterpriseprojectid g:resourcetag/	-
css:cluster:listelbcerts	授予权限获取负载均衡器证书列表。	list	cluster *	g:enterpriseprojectid g:resourcetag/	-

css的api通常对应着一个或多个授权项。表2展示了api与授权项的关系，以及该api需要依赖的授权项。

表2 api与授权项的关系
api	对应的授权项	依赖的授权项
post /v1.0/{project_id}/clusters	css:cluster:create	ecs:cloudserverflavors:get evs:types:get vpc:vpcs:list vpc:securitygroups:list vpc:securitygroups:get vpc:subnets:list vpc:subnets:get vpc:ports:create vpc:ports:update vpc:ports:delete vpc:ports:get css:cluster:getagencies iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject iam:agencies:pass
post /v2.0/{project_id}/clusters	css:cluster:create	ecs:cloudserverflavors:get evs:types:get vpc:vpcs:list vpc:securitygroups:list vpc:securitygroups:get vpc:subnets:list vpc:subnets:get vpc:ports:create vpc:ports:update vpc:ports:delete vpc:ports:get css:cluster:getagencies iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject iam:agencies:pass
post /v1.0/{project_id}/clusters/{cluster_id}/sg/change	css:cluster:modifysecuritygroup	vpc:securitygroups:list vpc:ports:update
get /v1.0/{project_id}/clusters	css:cluster:list	-
get /v1.0/{project_id}/clusters/{cluster_id}	css:cluster:get	-
delete /v1.0/{project_id}/clusters/{cluster_id}	css:cluster:delete	-
post /v1.0/{project_id}/cluster/{cluster_id}/period	css:cluster:toperiod	-
post /v1.0/{project_id}/clusters/{cluster_id}/changename	css:cluster:modifyname	-
post /v1.0/{project_id}/clusters/{cluster_id}/password/reset	css:cluster:modifypassword	-
post /v1.0/{project_id}/clusters/{cluster_id}/restart	css:cluster:restart	-
post /v2.0/{project_id}/clusters/{cluster_id}/restart	css:cluster:restart	-
post /v1.0/{project_id}/clusters/{cluster_id}/extend	css:cluster:scaleout	ecs:cloudserverflavors:get evs:types:get vpc:vpcs:list vpc:subnets:list vpc:subnets:get vpc:ports:create vpc:ports:update vpc:ports:delete vpc:ports:get
post /v1.0/{project_id}/clusters/{cluster_id}/role_extend	css:cluster:expand	ecs:cloudserverflavors:get evs:types:get vpc:vpcs:list vpc:subnets:list vpc:subnets:get vpc:ports:create vpc:ports:update vpc:ports:delete vpc:ports:get
post /v1.0/{project_id}/clusters/{cluster_id}/flavor	css:cluster:modifyspecifications	ecs:cloudserverflavors:get
get /v1.0/{project_id}/es-flavors	css:cluster:listflavors	ecs:cloudserverflavors:get
get /v1.0/{project_id}/{resource_type}/tags	css:tag:list	-
get /v1.0/{project_id}/{resource_type}/{cluster_id}/tags	css:tag:get	-
post /v1.0/{project_id}/{resource_type}/{cluster_id}/tags	css:tag:edit	-
delete /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key}	css:tag:delete	-
post /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action	css:tag:addordelete	-
post /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor	css:cluster:modifyspecifications	ecs:cloudserverflavors:get
post /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink	css:cluster:scalein	iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject
get /v1.0/{project_id}/cer/download	css:cluster:downloadcert	-
put /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace	css:cluster:upgradecluster	iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject
post /v1.0/{project_id}/clusters/{cluster_id}/node/offline	css:cluster:shrinknodes	iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject
post /v1.0/{project_id}/clusters/{cluster_id}/mode/change	css:cluster:changemode	-
post /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent	css:cluster:addindependencenodes	ecs:cloudserverflavors:get evs:types:get vpc:vpcs:list vpc:subnets:list vpc:subnets:get vpc:ports:create vpc:ports:update vpc:ports:delete vpc:ports:get
post /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/image/upgrade	css:cluster:upgradecluster	-
post /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/azmigrate	css:cluster:azmigrate	iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject
get /v1.0/{project_id}/clusters/{cluster_id}/upgrade/detail	css:cluster:listupgradecluster	-
get /v1.0/{project_id}/clusters/{cluster_id}/target/{upgrade_type}/images	css:cluster:listupgradecluster	-
put /v1.0/{project_id}/clusters/{cluster_id}/upgrade/{action_id}/retry	css:cluster:retryaction	-
post /v1.0/{project_id}/clusters/{cluster_id}/thesaurus	css:ikthesaurus:load	obs:bucket:listallmybuckets obs:bucket:getbucketlocation obs:bucket:getbucketstoragepolicy obs:object:getobject
get /v1.0/{project_id}/clusters/{cluster_id}/thesaurus	css:ikthesaurus:get	-
delete /v1.0/{project_id}/clusters/{cluster_id}/thesaurus	css:ikthesaurus:delete	-
post /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open	css:publickibana:open	-
put /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close	css:publickibana:close	-
post /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth	css:publicipaddress:modifybandwidth	-
post /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update	css:publicipaddress:setaccesscontrol	-
put /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close	css:publicipaddress:setaccesscontrol	-
post /v1.0/{project_id}/clusters/{cluster_id}/logs/open	css:cluster:openlogsetting	iam:agencies:pass obs:bucket:listallmybuckets obs:bucket:getbucketlocation obs:bucket:getbucketstoragepolicy iam:agencies:listagencies
put /v1.0/{project_id}/clusters/{cluster_id}/logs/close	css:cluster:closelogsetting	-
get /v1.0/{project_id}/clusters/{cluster_id}/logs/records	css:log:listjob	-
get /v1.0/{project_id}/clusters/{cluster_id}/logs/settings	css:log:getbasicconfigurations	-
post /v1.0/{project_id}/clusters/{cluster_id}/logs/settings	css:log:setbasicconfigurations	obs:bucket:listallmybuckets obs:bucket:getbucketlocation obs:bucket:getbucketstoragepolicy iam:agencies:listagencies iam:agencies:pass
post /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update	css:log:updatebackuppolicy	-
put /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close	css:log:updatebackuppolicy	-
post /v1.0/{project_id}/clusters/{cluster_id}/logs/collect	css:log:backup	-
post /v1.0/{project_id}/clusters/{cluster_id}/logs/search	css:log:list	-
post /v1.0/{project_id}/clusters/{cluster_id}/public/open	css:publicipaddress:associates	-
put /v1.0/{project_id}/clusters/{cluster_id}/public/close	css:publicipaddress:disassociates	-
post /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth	css:publicipaddress:modifybandwidth	-
post /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update	css:publicipaddress:setaccesscontrol	-
put /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close	css:publicipaddress:setaccesscontrol	-
post /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting	css:snapshot:enableatomaticsnapsot	obs:bucket:createbucket obs:bucket:headbucket iam:agencies:listagencies iam:agencies:createagency iam:permissions:grantroletoagency
post /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting	css:snapshot:setsnapshotcontiguration	obs:bucket:listallmybuckets obs:bucket:getbucketlocation obs:bucket:getbucketstoragepolicy iam:agencies:listagencies iam:agencies:pass
post /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot	css:snapshot:create	iam:agencies:pass
post /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore	css:snapshot:restore	-
delete /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}	css:snapshot:delete	-
post /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy	css:snapshot:setsnapshotpolicy	-
get /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy	css:snapshot:getsnapshotpolicy	-
get /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots	css:snapshot:list	-
delete /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots	css:snapshot:disablesnapshotfuction	-
post /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open	css:vpcendpoint:enableordisable	vpcep:endpoints:create vpcep:endpoints:list vpcep:endpoints:get vpcep:endpoints:delete vpcep:endpoints:update
put /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close	css:vpcendpoint:enableordisable	vpcep::listquotas vpcep:endpoints:create vpcep:endpoints:list vpcep:endpoints:get vpcep:endpoints:delete vpcep:endpoints:update
get /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections	css:vpcendpoint:listconnection	vpcep:endpoints:get
post /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections	css:vpcendpoint:manageconnection	-
post /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions	css:vpcendpoint:updatewhitelist	-
post /v1.0/{project_id}/clusters/{cluster_id}/ymls/update	css:configurations:modify	-
get /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists	css:configurations:list	-
get /v1.0/{project_id}/clusters/{cluster_id}/ymls/template	css:configurations:get	-
post /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open	css:snapshot:setsnapshotpolicy	-
put /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close	css:snapshot:setsnapshotpolicy	-
post /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart	css:cluster:rollingreboot	-
get /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listactions	css:logstash:listactions	-
delete /v1.0/{project_id}/lgsconf/deletetemplate	css:logstash:deleteconftemplate	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/stop	css:logstash:confstop	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-stop	css:logstash:confstop	-
post /v1.0/{project_id}/clusters/{cluster_id}/checkconnection	css:logstash:checkconnection	-
delete /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/delete	css:logstash:confdelete	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/start	css:logstash:confstart	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-start	css:logstash:confstart	-
get /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/confdetail	css:logstash:getconfdetail	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/update	css:logstash:confupdate	-
get /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listpipelines	css:logstash:listpipelines	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/submit	css:logstash:submitconf	-
post /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/favorite	css:logstash:configfavorites	-
get /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listconfs	css:logstash:listconfs	-
get /v1.0/{project_id}/lgsconf/template	css:logstash:listconfigtemplate	-
post /v1.0/{project_id}/clusters/{cluster_id}/certs/upload	css:cluster:uploadcerts	-
delete /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id}/delete	css:cluster:deletecerts	-
get /v1.0/{project_id}/clusters/{cluster_id}/certs	css:cluster:listcerts	-
get /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id}	css:cluster:getcertsdetail	-
post /v1.0/{project_id}/clusters/{cluster_id}/route	css:cluster:modifyroute	-
get /v1.0/{project_id}/clusters/{cluster_id}/route	css:cluster:getroutes	-
post /v1.0/{project_id}/clusters/{cluster_id}/ai-ops	css:cluster:createaiops	-
get /v1.0/{project_id}/clusters/{cluster_id}/ai-ops	css:cluster:listaiops	-
delete /v1.0/{project_id}/clusters/{cluster_id}/ai-ops/{aiops_id}	css:cluster:deleteaiops	-
get /v1.0/{project_id}/domains/{domain_id}/ai-ops/smn-topics	css:cluster:listsmntopics	css:cluster:getagencies iam:agencies:list iam:agencies:listagencies iam:agencies:listattachedpolicies iam:agencies:pass
get /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers	css:cluster:listelbs	elb:loadbalancers:list
post /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers/es-switch	css:cluster:elbswitch	elb:loadbalancers:list iam:agencies:listagencies iam:permissions:listrolesforagency iam:permissions:listrolesforagencyonproject iam:agencies:pass
post /v1.0/{project_id}/clusters/{cluster_id}/es-listeners	css:cluster:createelblistener	-
get /v1.0/{project_id}/clusters/{cluster_id}/es-listeners	css:cluster:getelbdetail	-
get /v1.0/{project_id}/clusters/{cluster_id}/elb/certificates	css:cluster:listelbcerts	-
put /v1.0/{project_id}/clusters/{cluster_id}/es-listeners/{listener_id}	css:cluster:updateelblistener	-

资源类型（resource）

资源类型（resource）表示身份策略所作用的资源。如表3中的某些操作指定了可以在该操作指定的资源类型，则必须在具有该操作的身份策略语句中指定该资源的urn，身份策略仅作用于此资源；如未指定，resource默认为“*”，则身份策略将应用到所有资源。您也可以在身份策略中设置条件，从而指定资源类型。

css定义了以下可以在自定义身份策略的resource元素中使用的资源类型。

表3 css支持的资源类型
资源类型	urn
cluster	css:::cluster:

条件（condition）

条件键概述

条件（condition）是身份策略生效的特定条件，包括条件键和运算符。

条件键表示身份策略语句的condition元素中的键值。根据适用范围，分为全局级条件键和服务级条件键。
- 全局级条件键（前缀为g:）适用于所有操作，在鉴权过程中，云服务不需要提供用户身份信息，系统将自动获取并鉴权。详情请参见：全局条件键。
- 服务级条件键（前缀通常为服务缩写，如css:）仅适用于对应服务的操作，详情请参见表4。
- 单值/多值表示api调用时请求中与条件关联的值数。单值条件键在api调用时的请求中最多包含一个值，多值条件键在api调用时请求可以包含多个值。例如：g:sourcevpce是单值条件键，表示仅允许通过某个vpc终端节点发起请求访问某资源，一个请求最多包含一个vpc终端节点id值。g:tagkeys是多值条件键，表示请求中携带的所有标签的key组成的列表，当用户在调用api请求时传入标签可以传入多个值。
运算符与条件键、条件值一起构成完整的条件判断语句，当请求信息满足该条件时，身份策略才能生效。支持的运算符请参见：运算符。

css支持的服务级条件键

css定义了以下可以在身份策略的condition元素中使用的条件键，您可以使用这些条件键进一步细化身份策略语句应用的条件。

表4 css支持的服务级条件键
服务级条件键	类型	单值/多值	说明
css:associatepublicip	boolean	单值	是否允许实例开启公网访问。

条件键示例

css:associatepublicip

示例：禁止创建带eip的css集群

{
  "version": "5.0",
  "statement": [
    {
      "effect": "deny",
      "action": [
        "css:cluster:create"
      ],
      "condition": {
        "bool": {
          "css:associatepublicip": [
            "true"
          ]
        }
      }
    }
  ]
}

示例：禁止给css集群绑定eip

{
  "version": "5.0",
  "statement": [
    {
      "effect": "deny",
      "action": [
        "css:publicipaddress:associates",
        "css:publickibana:open"
      ]
    }
  ]
}

父主题：

下一篇：数据治理中心 dataarts studio

意见反馈

文档内容是否对您有帮助？

提交成功！非常感谢您的反馈，我们会继续努力做到更好！您可在查看反馈及问题处理状态。

系统繁忙，请稍后重试

在使用文档中是否遇到以下问题

内容与产品页面不一致

内容不易理解

缺失示例代码

步骤不可操作

搜不到想要的内容

缺少最佳实践

意见反馈（选填）

0/500

请至少选择一项反馈信息并填写问题反馈

字符长度不能超过500

如您有其它疑问，您也可以通过华为云社区问答频道来与我们联系探讨