API Gateway (APIG)

Updated: 2021/06/18 GMT+08:00

Permission Policies and Authorization Items

If you need fine-grained permission management for the API Gateway resources you own, you can use Identity and Access Management (IAM). If your Huawei Cloud account already meets your requirements and you do not need separate IAM users, you can skip this section; doing so does not affect your use of any other API Gateway function.

A policy is a JSON-format description of a set of permissions. By default, a newly created IAM user has no permissions. You must add the user to a user group and grant a policy to that group; the users in the group then obtain the permissions the policy defines. This process is called authorization. Once authorized, a user can operate on cloud services within the limits of the policy. For the policy syntax and examples, see the Permissions Management section.

The account itself is permitted to call every API. When an IAM user under the account sends an API request, that user must hold the permission required for the API, otherwise the request fails. The permission each API requires corresponds to the API's authorization item: only a user who has been granted a policy containing that authorization item can call the API successfully. For example, to call the API that creates an API, the IAM user must be granted a policy that contains the "apig:apis:create" authorization item.
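As an added illustration (not code from the page or from Huawei Cloud), the following Python maps a management API call to the authorization item Table 1 lists for it and then evaluates a custom policy, reproducing the "apig:apis:create" case above. The route list is a small subset of Table 1; the policy JSON shape (Version 1.1, Statement entries with Effect and Action) and the deny-overrides evaluation order are assumptions, so check them against the Permissions Management section.

```python
import re
from fnmatch import fnmatchcase

# Subset of Table 1: (HTTP method, path template, required authorization item).
ROUTE_ACTIONS = [
    ("POST",   "/v1/{project_id}/instances/{instance_id}/apis", "apig:apis:create"),
    ("GET",    "/v1/{project_id}/instances/{instance_id}/apis", "apig:apis:list"),
    ("GET",    "/v1/{project_id}/instances/{instance_id}/apis/{api_id}", "apig:apis:get"),
    ("DELETE", "/v1/{project_id}/instances/{instance_id}/apis/{api_id}", "apig:apis:delete"),
    ("PUT",    "/v1/{project_id}/instances/{instance_id}/apis/publish?action=online", "apig:apis:publish"),
]

def _compile(template):
    # Each {placeholder} matches exactly one path segment; the rest is literal.
    parts = re.split(r"\{\w+\}", template)
    return re.compile("^" + "[^/?]+".join(re.escape(p) for p in parts) + "$")

_ROUTES = [(m, _compile(t), a) for m, t, a in ROUTE_ACTIONS]

def required_action(method, path):
    """Authorization item an IAM user needs for this call, or None if the route is unmapped."""
    for m, rx, action in _ROUTES:
        if m == method.upper() and rx.match(path):
            return action
    return None

def action_allowed(policy, action):
    """Assumed IAM semantics: an explicit Deny wins; otherwise an explicit Allow is required."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatchcase(action, pattern) for pattern in actions):  # supports apig:apis:*
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def authorize(policy, method, path):
    """Resolve the request's authorization item and evaluate the policy; unmapped routes fail closed."""
    action = required_action(method, path)
    return (action is not None and action_allowed(policy, action), action)

# Constructed custom policies (assumed IAM JSON shape; see the Permissions Management section).
READ_ONLY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["apig:apis:get", "apig:apis:list"]}]}
OPS_NO_DELETE = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["apig:apis:*"]},
    {"Effect": "Deny", "Action": ["apig:apis:delete"]}]}
```

With the read-only policy, authorize(READ_ONLY, "POST", "/v1/p1/instances/i1/apis") returns (False, "apig:apis:create"): the call is rejected because the policy lacks that authorization item, exactly the situation the paragraph describes.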

Supported Authorization Items

The operations that fine-grained policies support correspond one-to-one with APIs. The columns of the authorization item list are:

  • Permission: the capability that an authorization item in a custom policy defines.
  • Authorization item: an Action supported in custom policies. Writing the authorization item into the Action field of a custom policy grants the corresponding permission.
  • Authorization scope: the scope in which a custom policy can be granted, either IAM projects or enterprise projects. If an authorization item supports both, a custom policy containing it can be granted to user groups in both IAM and Enterprise Management and takes effect in both. If it supports only IAM projects, the policy takes effect only when granted in IAM; a grant made in Enterprise Management has no effect. For the difference between IAM projects and enterprise projects, see Differences Between IAM and Enterprise Management.
  • Corresponding API: the API that the custom policy actually governs.

The authorization items for API Gateway management and control operations are listed in the table below. A user must hold the corresponding permission before calling any of these APIs; for how to obtain permissions, see the Identity and Access Management (IAM) help documentation.

Table 1 API Gateway permission details

(The original table also carries IAM Project and Enterprise Project scope columns; their values are not present in this copy of the page.)

| Permission | Authorization item | Corresponding API |
|---|---|---|
| Create a dedicated API gateway instance | apig:instances:create | POST /v1/{project_id}/instances |
| Delete a dedicated API gateway instance | apig:instances:delete | DELETE /v1/{project_id}/instances/{instance_id} |
| Update a dedicated API gateway instance | apig:instances:update | PUT /v1/{project_id}/instances/{instance_id} |
| | | PUT,DELETE /v1/{project_id}/instances/{instance_id}/eip |
| | | POST,PUT,DELETE /v1/{project_id}/instances/{instance_id}/nat-eip |
| Query a dedicated API gateway instance | apig:instances:get | GET /v1/{project_id}/instances/{instance_id} |
| List dedicated API gateway instances | apig:instances:list | GET /v1/{project_id}/instances |
| Create an API group | apig:groups:create | POST /v1/{project_id}/instances/{instance_id}/api-groups |
| Delete an API group | apig:groups:delete | DELETE /v1/{project_id}/instances/{instance_id}/api-groups/{group_id} |
| Update an API group | apig:groups:update | PUT /v1/{project_id}/instances/{instance_id}/api-groups/{group_id} |
| Query an API group | apig:groups:get | GET /v1/{project_id}/instances/{instance_id}/api-groups/{group_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/resources/outline/groups |
| List API groups | apig:groups:list | GET /v1/{project_id}/instances/{instance_id}/api-groups |
| Create a group domain name | apig:domains:create | POST /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/domains |
| Delete a group domain name | apig:domains:delete | DELETE /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id} |
| Bind a certificate to a group domain name | apig:domains:bindCertificate | POST /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate |
| Unbind a certificate from a group domain name | apig:domains:unbindCertificate | POST /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{cert_id} |
| Query the certificate bound to a group domain name | apig:domains:getCertificate | GET /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{cert_id} |
| Create an environment variable | apig:variables:create | POST /v1/{project_id}/instances/{instance_id}/env-variables |
| Delete an environment variable | apig:variables:delete | DELETE /v1/{project_id}/instances/{instance_id}/env-variables/{variable_id} |
| Query an environment variable | apig:variables:get | GET /v1/{project_id}/instances/{instance_id}/env-variables/{variable_id} |
| List environment variables | apig:variables:list | GET /v1/{project_id}/instances/{instance_id}/env-variables |
| Create an API | apig:apis:create | POST /v1/{project_id}/instances/{instance_id}/apis |
| Delete an API | apig:apis:delete | DELETE /v1/{project_id}/instances/{instance_id}/apis/{api_id} |
| | | PUT /v1/{project_id}/instances/{instance_id}/apis |
| Update an API | apig:apis:update | PUT /v1/{project_id}/instances/{instance_id}/apis/{api_id} |
| Publish an API | apig:apis:publish | POST,PUT /v1/{project_id}/instances/{instance_id}/apis/publish/{api_id} |
| | | PUT /v1/{project_id}/instances/{instance_id}/apis/publish?action=online |
| Take an API offline | apig:apis:offline | DELETE /v1/{project_id}/instances/{instance_id}/apis/publish/{api_id} |
| | | PUT /v1/{project_id}/instances/{instance_id}/apis/publish?action=offline |
| | | DELETE /v1/{project_id}/instances/{instance_id}/apis/versions/{version_id} |
| Debug an API | apig:apis:debug | POST /v1/{project_id}/instances/{instance_id}/apis/debug/{api_id} |
| Import APIs | apig:apis:import | POST /v1/{project_id}/instances/{instance_id}/openapi |
| | | PUT /v1/{project_id}/instances/{instance_id}/openapi |
| Export APIs | apig:apis:export | POST /v1/{project_id}/instances/{instance_id}/openapi/apis |
| | | GET /v1/{project_id}/instances/{instance_id}/openapi; /v1/{project_id}/instances/{instance_id}/openapi/{api_id} |
| Authorize an API (grant app access) | apig:apis:grantAppAccess | POST /v1/{project_id}/instances/{instance_id}/app-auths |
| Cancel API authorization (revoke app access) | apig:apis:relieveAppAccess | DELETE /v1/{project_id}/instances/{instance_id}/app-auths |
| Bind a signature key to an API | apig:apis:bindSigns | POST /v1/{project_id}/instances/{instance_id}/app-auths |
| Unbind a signature key from an API | apig:apis:unbindSigns | DELETE /v1/{project_id}/instances/{instance_id}/app-auths |
| Bind an access control policy to an API | apig:apis:bindAcls | POST /v1/{project_id}/instances/{instance_id}/acl-bindings |
| Unbind an access control policy from an API | apig:apis:unbindAcls | DELETE /v1/{project_id}/instances/{instance_id}/acl-bindings |
| | | PUT /v1/{project_id}/instances/{instance_id}/acl-bindings |
| Bind a request throttling policy to an API | apig:apis:bindThrottles | POST /v1/{project_id}/instances/{instance_id}/throttle-bindings |
| Unbind a request throttling policy from an API | apig:apis:unbindThrottles | DELETE /v1/{project_id}/instances/{instance_id}/throttle-bindings |
| | | PUT /v1/{project_id}/instances/{instance_id}/throttle-bindings |
| Query an API | apig:apis:get | GET /v1/{project_id}/instances/{instance_id}/apis/{api_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/apis/publish/{api_id}; /v1/{project_id}/instances/{instance_id}/apis/runtime/{api_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/statistics/api/latest?api_id={api_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/apis/versions/{version_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/resources/outline/apis |
| List APIs | apig:apis:list | GET /v1/{project_id}/instances/{instance_id}/apis |
| List apps bound to an API | apig:apis:listBindedApps | GET /v1/{project_id}/instances/{instance_id}/app-auths/binded-apps |
| List signature keys bound to an API | apig:apis:listBindedSigns | GET /v1/{project_id}/instances/{instance_id}/sign-bindings/binded-signs |
| List access control policies bound to an API | apig:apis:listBindedAcls | GET /v1/{project_id}/instances/{instance_id}/acl-bindings/binded-acls |
| List request throttling policies bound to an API | apig:apis:listBindedTrottles | GET /v1/{project_id}/instances/{instance_id}/throttle-bindings/binded-throttles |
| Create an environment | apig:envs:create | POST /v1/{project_id}/instances/{instance_id}/envs |
| Delete an environment | apig:envs:delete | DELETE /v1/{project_id}/instances/{instance_id}/envs/{env_id} |
| Update an environment | apig:envs:update | PUT /v1/{project_id}/instances/{instance_id}/envs/{env_id} |
| List environments | apig:envs:list | GET /v1/{project_id}/instances/{instance_id}/envs |
| Create an app | apig:apps:create | POST /v1/{project_id}/instances/{instance_id}/apps |
| Delete an app | apig:apps:delete | DELETE /v1/{project_id}/instances/{instance_id}/apps/{app_id} |
| Update an app | apig:apps:update | PUT /v1/{project_id}/instances/{instance_id}/apps/{app_id}; /v1/{project_id}/instances/{instance_id}/apps/secret/{app_id} |
| Query an app | apig:apps:get | GET /v1/{project_id}/instances/{instance_id}/apps/{app_id} |
| | | GET /v1/{project_id}/instances/{instance_id}/resources/outline/apps |
| List apps | apig:apps:list | GET /v1/{project_id}/instances/{instance_id}/apps |
| List APIs bound to an app | apig:apps:listBindedApis | GET /v1/{project_id}/instances/{instance_id}/app-auths/binded-apis |
| List APIs not bound to an app | apig:apps:listUnbindedApis | GET /v1/{project_id}/instances/{instance_id}/app-auths/unbinded-apis |
| Create a signature key | apig:signs:create | POST /v1/{project_id}/instances/{instance_id}/signs |
| Delete a signature key | apig:signs:delete | DELETE /v1/{project_id}/instances/{instance_id}/signs/{sign_id} |
| Update a signature key | apig:signs:update | PUT /v1/{project_id}/instances/{instance_id}/signs/{sign_id} |
| List signature keys | apig:signs:list | GET /v1/{project_id}/instances/{instance_id}/signs |
| List APIs bound to a signature key | apig:signs:listBindedApis | GET /v1/{project_id}/instances/{instance_id}/sign-bindings/binded-apis |
| List APIs not bound to a signature key | apig:signs:listUnbindedApis | GET /v1/{project_id}/instances/{instance_id}/sign-bindings/unbinded-apis |
| Create an access control policy | apig:acls:create | POST /v1/{project_id}/instances/{instance_id}/acls |
| Delete an access control policy | apig:acls:delete | DELETE /v1/{project_id}/instances/{instance_id}/acls/{acl_id} |
| | | PUT /v1/{project_id}/instances/{instance_id}/acls |
| Update an access control policy | apig:acls:update | PUT /v1/{project_id}/instances/{instance_id}/acls/{acl_id} |
| Query an access control policy | apig:acls:get | GET /v1/{project_id}/instances/{instance_id}/acls/{acl_id} |
| List access control policies | apig:acls:list | GET /v1/{project_id}/instances/{instance_id}/acls |
| List APIs bound to an access control policy | apig:acls:listBindedApis | GET /v1/{project_id}/instances/{instance_id}/acl-bindings/binded-apis |
| List APIs not bound to an access control policy | apig:acls:listUnbindedApis | GET /v1/{project_id}/instances/{instance_id}/acl-bindings/unbinded-apis |
| Create a request throttling policy | apig:throttles:create | POST /v1/{project_id}/instances/{instance_id}/throttles |
| Delete a request throttling policy | apig:throttles:delete | DELETE /v1/{project_id}/instances/{instance_id}/throttles/{throttle_id} |
| | | PUT /v1/{project_id}/instances/{instance_id}/throttles |
| Update a request throttling policy | apig:throttles:update | PUT /v1/{project_id}/instances/{instance_id}/throttles/{throttle_id} |
| Query a request throttling policy | apig:throttles:get | GET /v1/{project_id}/instances/{instance_id}/throttles/{throttle_id} |
| List request throttling policies | apig:throttles:list | GET /v1/{project_id}/instances/{instance_id}/throttles |
| List APIs bound to a request throttling policy | apig:throttles:listBindedApis | GET /v1/{project_id}/instances/{instance_id}/throttle-bindings/binded-apis |
| List APIs not bound to a request throttling policy | apig:throttles:listUnbindedApis | GET /v1/{project_id}/instances/{instance_id}/throttle-bindings/unbinded-apis |
| Create a special request throttling configuration | apig:specialThrottles:create | POST /v1/{project_id}/instances/{instance_id}/throttle-specials |
| Delete a special request throttling configuration | apig:specialThrottles:delete | DELETE /v1/{project_id}/instances/{instance_id}/throttle-specials/{throttle_id} |
| Update a special request throttling configuration | apig:specialThrottles:update | PUT /v1/{project_id}/instances/{instance_id}/throttle-specials/{throttle_id} |
| Query a special request throttling configuration | apig:specialThrottles:get | GET /v1/{project_id}/instances/{instance_id}/throttle-specials/{throttle_id} |
| Create a load balance (VPC) channel | apig:vpcChannels:create | POST /v1/{project_id}/instances/{instance_id}/vpc-channels |
| Delete a load balance (VPC) channel | apig:vpcChannels:delete | DELETE /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id} |
| Update a load balance (VPC) channel | apig:vpcChannels:update | PUT /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id} |
| Add a backend instance | apig:vpcChannels:addInstance | POST /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id}/members |
| Delete a backend instance | apig:vpcChannels:deleteInstance | POST /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id}/members/{member_id} |
| Query a load balance (VPC) channel | apig:vpcs:get | GET /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id}; /v1/{project_id}/instances/{instance_id}/vpc-channels/{vpc_id}/members |
| List load balance (VPC) channels | apig:vpcs:list | GET /v1/{project_id}/instances/{instance_id}/vpc-channels |
| Create a custom authorizer | apig:authorizers:create | POST /v1/{project_id}/instances/{instance_id}/authorizers |
| Delete a custom authorizer | apig:authorizers:delete | DELETE /v1/{project_id}/instances/{instance_id}/authorizers/{authorizer_id} |
| Update a custom authorizer | apig:authorizers:update | PUT /v1/{project_id}/instances/{instance_id}/authorizers/{authorizer_id} |
| Query a custom authorizer | apig:authorizers:get | GET /v1/{project_id}/instances/{instance_id}/authorizers/{authorizer_id} |
| List custom authorizers | apig:authorizers:list | GET /v1/{project_id}/instances/{instance_id}/authorizers |
| List tags | apig:tags:list | GET /v1/{project_id}/instances/{instance_id}/tags |
| Create a gateway response | apig:gatewayResponses:create | POST /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses |
| Update a gateway response | apig:gatewayResponses:update | PUT /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id}; /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id}/{response_type} |
| | | DELETE /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id}/{response_type} |
| Delete a gateway response | apig:gatewayResponses:delete | DELETE /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id} |
| Query a gateway response | apig:gatewayResponses:get | GET /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id}; /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id}/{response_type} |
| List gateway responses | apig:gatewayResponses:list | GET /v1/{project_id}/instances/{instance_id}/api-groups/{group_id}/gateway-responses |
| List instance features | apig:features:list | GET /v1/{project_id}/instances/{instance_id}/features |
| Create an instance feature | apig:features:create | POST /v1/{project_id}/instances/{instance_id}/features |
