Cloud Application Engine (CAE)
Cloud services preset commonly used actions in IAM; these are called system identity policies. If the IAM system identity policies do not meet your authorization requirements, an administrator can create IAM custom identity policies based on the actions each cloud service supports, for fine-grained access control. Custom identity policies extend and complement the system identity policies.
Besides IAM, service control policies (SCPs) in the Organizations service can also use these action elements to set access control policies.
An SCP does not grant permissions directly; it only sets a permission boundary. Attaching an SCP to an organizational unit (OU) or member account does not grant that OU or account any operation permissions; it defines the range of permissions that the member account, or the member accounts in the OU, can be granted. Permissions granted by IAM identity policies are limited by SCPs: only permissions within the range allowed by the SCP take effect.
IAM and Organizations differ in how they use these elements for access control. For details, see: Differences Between IAM and Organizations in Permission Access Control.
This section describes the elements used by custom identity policies in IAM identity-policy authorization and by SCPs in Organizations. These elements are actions (Action), resources (Resource), and conditions (Condition).
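As an added example (not code from the CAE documentation or from the service itself): a small Python evaluator that models the identity-policy/SCP interaction described above, checks a custom identity policy against the action table on this page, and shows which APIs from the API table become callable. The document layout (Version, Statement, Effect, Action, Resource), the "5.0" version string and the deny-overrides evaluation rule are assumptions modelled on common IAM conventions; the action names, access levels and API paths are copied from the tables on this page, and the two policies are constructed for the example.

```python
"""Evaluate a CAE custom identity policy inside an Organizations SCP boundary.

Added example; this is not code from the CAE documentation or from Huawei Cloud.
The policy document shape (Version, Statement, Effect, Action, Resource) and the
deny-overrides evaluation rule are assumptions modelled on common IAM conventions.
Action names, access levels and API-to-action pairs are copied from this page.
"""
from fnmatch import fnmatchcase

# Subset of the Action table (action -> access level), taken from this page.
CAE_ACTIONS = {
    "cae:environment:listenvironments": "list",
    "cae:environment:createenvironment": "write",
    "cae:environment:deleteenvironment": "write",
    "cae:environment:getenvironment": "read",
    "cae:application:listapplications": "list",
    "cae:component:listcomponents": "list",
    "cae:component:getcomponent": "read",
    "cae:component:operatecomponent": "write",
    "cae:component:createinstancewebshell": "write",
    "cae::listdewsecrets": "list",
    "cae::getdewsecret": "read",
}

# Subset of the API table ((method, path) -> required action), taken from this page.
CAE_API_ACTIONS = {
    ("POST", "/v1/{project_id}/cae/environments"): "cae:environment:createenvironment",
    ("POST", "/v1/{project_id}/cae/environments/{environment_id}/wakeup"): "cae:environment:createenvironment",
    ("POST", "/v1/{project_id}/cae/jobs/{job_id}"): "cae:environment:createenvironment",
    ("GET", "/v1/{project_id}/cae/applications/{application_id}"): "cae:application:listapplications",
    ("POST", "/v1/{project_id}/cae/remote-console/{instance_id}"): "cae:component:createinstancewebshell",
}

LEVEL_RANK = {"list": 0, "read": 1, "write": 2}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Policy strings may use '*' as a wildcard (e.g. cae:environment:*)."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource="*"):
    """Return 'allow' or 'deny': an explicit Deny wins, then any matching Allow,
    otherwise the request is implicitly denied (assumed deny-overrides rule)."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def effective(identity_policy, scp, action, resource="*"):
    """An identity-policy grant takes effect only if the SCP boundary also allows it."""
    return (evaluate(identity_policy, action, resource) == "allow"
            and evaluate(scp, action, resource) == "allow")


def lint_policy(policy, max_level="read"):
    """Flag Allow actions that are not in the CAE action table (a misspelled action
    grants nothing, silently) and actions whose access level exceeds max_level."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            matched = [a for a in CAE_ACTIONS if fnmatchcase(a, pattern)]
            if not matched:
                findings.append(f"unknown action {pattern!r}")
            for a in matched:
                if LEVEL_RANK[CAE_ACTIONS[a]] > LEVEL_RANK[max_level]:
                    findings.append(f"{pattern!r} grants {CAE_ACTIONS[a]}-level {a}")
    return findings


def apis_permitted(identity_policy, scp):
    """Which of the sampled APIs a principal could call under both documents."""
    return sorted(f"{m} {p}" for (m, p), act in CAE_API_ACTIONS.items()
                  if effective(identity_policy, scp, act))


# Constructed "read-only" identity policy: the wildcard quietly includes write
# actions, and one action name is misspelled.
READ_ONLY_POLICY = {
    "Version": "5.0",  # assumed version string for identity policies
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cae:environment:*", "cae:application:listapplications",
                   "cae:component:listcomponents", "cae:component:getcomponnet"],
        "Resource": ["*"],
    }],
}

# Constructed SCP: CAE is allowed, but web-shell sessions and secret reads never are.
ORG_SCP = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["cae:*"], "Resource": ["*"]},
        {"Effect": "Deny",
         "Action": ["cae:component:createinstancewebshell", "cae::listdewsecrets", "cae::getdewsecret"],
         "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(READ_ONLY_POLICY):
        print("finding:", finding)
    print("callable under identity policy AND SCP:", apis_permitted(READ_ONLY_POLICY, ORG_SCP))
```

Two things worth noticing when you run it: `cae:environment:*` in a policy meant to be read-only also lets the principal call the environment create, wakeup and job endpoints, because the API table maps all three to `cae:environment:createenvironment`; and the SCP's Deny removes web-shell access even from a principal whose identity policy allows `cae:*`, which is exactly the boundary behaviour described above.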
Action
An action is an authorization item supported in identity policies.
- The "Access level" column describes how the action is classified (list, read, write, and so on). This classification helps you understand the access level that each action in an identity policy corresponds to.
- The "Resource type" column indicates whether each action supports resource-level permissions.
  - The wildcard * in a resource type means all resources. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the identity-policy statement.
  - If this column contains a resource type, you must specify the URN of that resource in any statement that uses the action.
  - Required resource types are marked with an asterisk (*) in the table, meaning that the resource type must be specified to use the action.
  For details about the resource types defined by CAE, see Resource.
- The "Condition key" column lists the keys that can be specified in the Condition element of an identity-policy statement.
  - If the resource type column for the action has a value, the condition keys apply only to the listed resource types.
  - If the resource type column for the action has no value (-), the condition keys apply to the whole action.
  - If the condition key column has no value (-), the action does not support condition keys.
  For details about the condition keys defined by CAE, see Condition.
- The "Alias" column lists the policy actions that can be configured in identity policies. These actions control access to APIs that support policy-based authorization. For details, see Identity Policy Compatibility.
You can specify the following CAE actions in the Action element of an identity-policy statement.
| Action | Description | Access level | Resource type (* = required) | Condition key | Alias |
|---|---|---|---|---|---|
| cae:environment:listenvironments | Grants permission to list all environments. | list | environment * | - | - |
| cae:environment:createenvironment | Grants permission to create an environment. | write | environment * | - | - |
| cae:environment:deleteenvironment | Grants permission to delete an environment. | write | environment * | - | - |
| cae:environment:getenvironment | Grants permission to query an environment. | read | environment * | - | - |
| cae:environment:listcloudvolumes | Grants permission to list all cloud storage volumes. | list | environment * | - | - |
| cae:environment:createcloudvolume | Grants permission to authorize cloud storage. | write | environment * | - | - |
| cae:environment:deletecloudvolume | Grants permission to unbind cloud storage. | write | environment * | - | - |
| cae:environment:listdomains | Grants permission to list all domain names. | list | environment * | - | - |
| cae:environment:createdomain | Grants permission to create a domain name. | write | environment * | - | - |
| cae:environment:deletedomain | Grants permission to delete a domain name. | write | environment * | - | - |
| cae:environment:listcertificates | Grants permission to list all certificates. | list | environment * | - | - |
| cae:environment:createcertificate | Grants permission to create a certificate. | write | environment * | - | - |
| cae:environment:deletecertificate | Grants permission to delete a certificate. | write | environment * | - | - |
| cae:environment:updatecertificate | Grants permission to update a certificate. | write | environment * | - | - |
| cae:environment:listtimerrules | Grants permission to list all scheduled start/stop rules. | list | environment * | - | - |
| cae:environment:createtimerrule | Grants permission to create a scheduled start/stop rule. | write | environment * | - | - |
| cae:environment:deletetimerrule | Grants permission to delete a scheduled start/stop rule. | write | environment * | - | - |
| cae:environment:updatetimerrule | Grants permission to update a scheduled start/stop rule. | write | environment * | - | - |
| cae:environment:gettimerrule | Grants permission to query a scheduled start/stop rule. | read | environment * | - | - |
| cae:environment:listeips | Grants permission to view all EIPs (mutual access between the environment and the public network). | list | environment * | - | - |
| cae:environment:updateeip | Grants permission to update an EIP (mutual access between the environment and the public network). | write | environment * | - | - |
| cae:environment:listvpcegresses | Grants permission to view all VPC egress rules (environment access to a VPC). | list | environment * | - | - |
| cae:environment:createvpcegress | Grants permission to create a VPC egress rule (environment access to a VPC). | write | environment * | - | - |
| cae:environment:deletevpcegress | Grants permission to delete a VPC egress rule (environment access to a VPC). | write | environment * | - | - |
| cae:environment:listvpcingresses | Grants permission to view all VPC ingress rules (VPC access to the environment). | list | environment * | - | - |
| cae:environment:createvpcingress | Grants permission to create a VPC ingress rule (VPC access to the environment). | write | environment * | - | - |
| cae:environment:deletevpcingress | Grants permission to delete a VPC ingress rule (VPC access to the environment). | write | environment * | - | - |
| cae:environment:createmonitorsystem | Grants permission to create a monitoring system. | write | environment * | - | - |
| cae:environment:updatemonitorsystem | Grants permission to update a monitoring system. | write | environment * | - | - |
| cae:environment:getmonitorsystem | Grants permission to query a monitoring system. | read | environment * | - | - |
| cae:environment:listingressconfigs | Grants permission to view all ingress configurations. | list | environment * | - | - |
| cae:environment:createingressconfig | Grants permission to create an ingress configuration. | write | environment * | - | - |
| cae:environment:deleteingressconfig | Grants permission to delete an ingress configuration. | write | environment * | - | - |
| cae:environment:updateingressconfig | Grants permission to update an ingress configuration. | write | environment * | - | - |
| cae:environment:getegressconfig | Grants permission to query the egress configuration. | read | environment * | - | - |
| cae:environment:updateegressconfig | Grants permission to update the egress configuration. | write | environment * | - | - |
| cae:environment:geturlmonitorconfig | Grants permission to query the URL monitoring configuration. | read | environment * | - | - |
| cae:environment:updateurlmonitorconfig | Grants permission to update the URL monitoring configuration. | write | environment * | - | - |
| cae:application:listapplications | Grants permission to list all applications. | list | application * | - | - |
| cae:application:createapplication | Grants permission to create an application. | write | application * | - | - |
| cae:application:deleteapplication | Grants permission to delete an application. | write | application * | - | - |
| cae:component:listcomponents | Grants permission to list all components. | list | component * | - | - |
| cae:component:createcomponent | Grants permission to create a component. | write | component * | - | - |
| cae:component:deletecomponent | Grants permission to delete a component. | write | component * | - | - |
| cae:component:updatecomponent | Grants permission to update a component. | write | component * | - | - |
| cae:component:getcomponent | Grants permission to query a component. | read | component * | - | - |
| cae:component:createwithconfigcomponent | Grants permission to create a component, apply its configuration, and deploy it. | write | component * | - | - |
| cae:component:operatecomponent | Grants permission to operate on a component (deploy, scale, upgrade, rollback, start, stop, restart, configure). | write | component * | - | - |
| cae:component:deploycomponent | Grants permission to deploy a component (元戎共享版). | write | component * | - | - |
| cae:component:scalecomponent | Grants permission to change the number of component instances (元戎共享版). | write | component * | - | - |
| cae:component:upgradecomponent | Grants permission to upgrade a component (元戎共享版). | write | component * | - | - |
| cae:component:rollbackcomponent | Grants permission to roll back a component (元戎共享版). | write | component * | - | - |
| cae:component:startcomponent | Grants permission to start a component (元戎共享版). | write | component * | - | - |
| cae:component:stopcomponent | Grants permission to stop a component (元戎共享版). | write | component * | - | - |
| cae:component:restartcomponent | Grants permission to restart a component (元戎共享版). | write | component * | - | - |
| cae:component:labelcomponent | Grants permission to label a component (元戎共享版). | write | component * | - | - |
| cae:component:configurecomponent | Grants permission to apply a component configuration (元戎共享版). | write | component * | - | - |
| cae:component:listconfigurations | Grants permission to list all configurations of a component. | list | component * | - | - |
| cae:component:createconfiguration | Grants permission to create (update) a component configuration. | write | component * | - | - |
| cae:component:deleteconfiguration | Grants permission to delete (cancel) a component configuration. | write | component * | - | - |
| cae:component:getconfiguration | Grants permission to query a component configuration. | read | component * | - | - |
| cae:component:createinstancewebshell | Grants permission to create a remote login (web shell) session. | write | component * | - | - |
| cae:component:listconfigitems | Grants permission to list all configuration items (元戎共享版). | list | component * | - | - |
| cae:component:createconfigitem | Grants permission to create a configuration item (元戎共享版). | write | component * | - | - |
| cae:component:deleteconfigitem | Grants permission to delete a configuration item (元戎共享版). | write | component * | - | - |
| cae::listnoticerules | Grants permission to list all event notification rules. | list | - | - | - |
| cae::createnoticerule | Grants permission to create an event notification rule. | write | - | - | - |
| cae::deletenoticerule | Grants permission to delete an event notification rule. | write | - | - | - |
| cae::updatenoticerule | Grants permission to update an event notification rule. | write | - | - | - |
| cae::getnoticerule | Grants permission to query an event notification rule. | read | - | - | - |
| cae::listdewsecrets | Grants permission to list all secrets. | list | - | - | - |
| cae::createdewsecret | Grants permission to create a secret. | write | - | - | - |
| cae::deletedewsecret | Grants permission to delete a secret. | write | - | - | - |
| cae::updatedewsecret | Grants permission to update a secret. | write | - | - | - |
| cae::getdewsecret | Grants permission to query a secret. | read | - | - | - |
| cae::listimagesecrets | Grants permission to list all image access secrets (元戎共享版). | list | - | - | - |
| cae::createimagesecret | Grants permission to create an image access secret (元戎共享版). | write | - | - | - |
| cae::deleteimagesecret | Grants permission to delete an image access secret (元戎共享版). | write | - | - | - |
| cae::listcomponentspecificationwhitelists | Grants permission to list all component specification whitelists (元戎共享版). | list | - | - | - |
| cae::createcomponentspecificationwhitelist | Grants permission to create a component specification whitelist (元戎共享版). | write | - | - | - |
| cae::updatecomponentspecificationwhitelist | Grants permission to update a component specification whitelist. | write | - | - | - |
| cae::deletecomponentspecificationwhitelist | Grants permission to delete a component specification whitelist (元戎共享版). | write | - | - | - |
| cae::listmaintenanceconfigs | Grants permission to list all O&M configurations (元戎共享版). | list | - | - | - |
| cae::createmaintenanceconfig | Grants permission to create an O&M configuration (元戎共享版). | write | - | - | - |
| cae::deletemaintenanceconfig | Grants permission to delete an O&M configuration (元戎共享版). | write | - | - | - |
| cae::buypackage | Grants permission to purchase a package. | write | - | - | - |
A CAE API usually corresponds to one or more actions. Table 2 shows the relationship between APIs and actions, and the actions that each API depends on. The mapping is many-to-one in places, so granting an action permits every API mapped to it: for example, POST /v1/{project_id}/cae/environments/{environment_id}/wakeup and POST /v1/{project_id}/cae/jobs/{job_id} both require cae:environment:createenvironment, GET /v1/{project_id}/cae/applications/{application_id} requires cae:application:listapplications rather than a dedicated get action, and deleting a single instance requires cae:component:deletecomponent.
| API | Corresponding action | Dependent actions |
|---|---|---|
| GET /v1/{project_id}/cae/environments | cae:environment:listenvironments | - |
| POST /v1/{project_id}/cae/environments | cae:environment:createenvironment | - |
| DELETE /v1/{project_id}/cae/environments/{environment_id} | cae:environment:deleteenvironment | - |
| POST /v1/{project_id}/cae/environments/{environment_id}/wakeup | cae:environment:createenvironment | - |
| GET /v1/{project_id}/cae/collections | cae:environment:getenvironment | - |
| GET /v1/{project_id}/cae/applications/comb | cae:environment:getenvironment | - |
| GET /v1/{project_id}/cae/volumes | cae:environment:listcloudvolumes | - |
| POST /v1/{project_id}/cae/volumes | cae:environment:createcloudvolume | - |
| DELETE /v1/{project_id}/cae/volumes/{id} | cae:environment:deletecloudvolume | - |
| GET /v1/{project_id}/cae/domains | cae:environment:listdomains | - |
| POST /v1/{project_id}/cae/domains | cae:environment:createdomain | - |
| DELETE /v1/{project_id}/cae/domains/{domain_id} | cae:environment:deletedomain | - |
| GET /v1/{project_id}/cae/certificates | cae:environment:listcertificates | - |
| POST /v1/{project_id}/cae/certificates | cae:environment:createcertificate | - |
| PUT /v1/{project_id}/cae/certificates/{certificate_id} | cae:environment:updatecertificate | - |
| DELETE /v1/{project_id}/cae/certificates/{certificate_id} | cae:environment:deletecertificate | - |
| GET /v1/{project_id}/cae/timer-rules | cae:environment:listtimerrules | - |
| POST /v1/{project_id}/cae/timer-rules | cae:environment:createtimerrule | - |
| DELETE /v1/{project_id}/cae/timer-rules/{timer_rule_id} | cae:environment:deletetimerrule | - |
| PUT /v1/{project_id}/cae/timer-rules/{timer_rule_id} | cae:environment:updatetimerrule | - |
| GET /v1/{project_id}/cae/timer-rules/{timer_rule_id}/execution-results | cae:environment:gettimerrule | - |
| GET /v1/{project_id}/cae/eips | cae:environment:listeips | - |
| PUT /v1/{project_id}/cae/eips | cae:environment:updateeip | - |
| GET /v1/{project_id}/cae/vpc-egress | cae:environment:listvpcegresses | - |
| POST /v1/{project_id}/cae/vpc-egress | cae:environment:createvpcegress | - |
| DELETE /v1/{project_id}/cae/vpc-egress/{vpc_egress_id} | cae:environment:deletevpcegress | - |
| GET /v1/{project_id}/cae/vpc-ingress | cae:environment:listvpcingresses | - |
| POST /v1/{project_id}/cae/vpc-ingress | cae:environment:createvpcingress | - |
| DELETE /v1/{project_id}/cae/vpc-ingress/{vpc_ingress_id} | cae:environment:deletevpcingress | - |
| GET /v1/{project_id}/cae/monitor-system | cae:environment:getmonitorsystem | - |
| POST /v1/{project_id}/cae/monitor-system | cae:environment:createmonitorsystem | - |
| PUT /v1/{project_id}/cae/monitor-system/{monitor_system_id} | cae:environment:updatemonitorsystem | - |
| GET /v1/{project_id}/cae/applications | cae:application:listapplications | - |
| POST /v1/{project_id}/cae/applications | cae:application:createapplication | - |
| DELETE /v1/{project_id}/cae/applications/{application_id} | cae:application:deleteapplication | - |
| GET /v1/{project_id}/cae/applications/{application_id} | cae:application:listapplications | - |
| POST /v1/{project_id}/cae/applications/{application_id}/components | cae:component:createcomponent | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components | cae:component:listcomponents | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:getcomponent | - |
| PUT /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:updatecomponent | - |
| DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:deletecomponent | - |
| POST /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/action | cae:component:operatecomponent | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:listconfigurations | - |
| POST /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:createconfiguration | - |
| DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:deleteconfiguration | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configuration-history-time | cae:component:getconfiguration | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configuration-history | cae:component:getconfiguration | - |
| GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/instances | cae:component:getcomponent | - |
| DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/instances/{instance_name} | cae:component:deletecomponent | - |
| POST /v1/{project_id}/cae/remote-console/{instance_id} | cae:component:createinstancewebshell | - |
| GET /v1/{project_id}/cae/jobs/{job_id} | cae:environment:getenvironment | - |
| POST /v1/{project_id}/cae/jobs/{job_id} | cae:environment:createenvironment | - |
| POST /v1/{project_id}/cae/notice-rules | cae::createnoticerule | - |
| GET /v1/{project_id}/cae/notice-rules | cae::listnoticerules | - |
| PUT /v1/{project_id}/cae/notice-rules/{rule_id} | cae::updatenoticerule | - |
| GET /v1/{project_id}/cae/notice-rules/{rule_id} | cae::getnoticerule | - |
| DELETE /v1/{project_id}/cae/notice-rules/{rule_id} | cae::deletenoticerule | - |
| POST /v1/{project_id}/cae/dew-secrets | cae::createdewsecret | - |
| GET /v1/{project_id}/cae/dew-secrets | cae::listdewsecrets | - |
| PUT /v1/{project_id}/cae/dew-secrets/{secret_id} | cae::updatedewsecret | - |
| DELETE /v1/{project_id}/cae/dew-secrets/{secret_id} | cae::deletedewsecret | - |
| GET /v1/{project_id}/cae/dew-secrets/{secret_id}/effective-components | cae::getdewsecret | - |
| GET /v1/{project_id}/cae/demo | cae:component:getcomponent | - |
| POST /v1/{project_id}/cae/demo/install | cae:component:createcomponent | - |
| POST /v1/{project_id}/cae/orders | cae::buypackage | - |
Resource
The resource type (Resource) indicates the resources that an identity policy applies to. If an action in Table 3 specifies a resource type, you must specify the URN of that resource in any identity-policy statement that uses the action, and the policy then applies only to that resource. If no resource is specified, Resource defaults to "*" and the identity policy applies to all resources. You can also set conditions in an identity policy to restrict the resource type.
CAE defines the following resource types that can be used in the Resource element of custom identity policies.
| Resource type | URN |
|---|---|
| component | cae: |
| environment | cae: |
| application | cae: |
Condition
CAE does not support service-level condition keys in the Condition element of identity policies. CAE can use the global condition keys that apply to all services; see Global Condition Keys.