Updated: 2026-02-02 GMT+08:00

Role and Policy Authorization Reference

This section lists the policy authorization items (IAM actions) that ASM supports when you authorize users with policies.

Supported Authorization Items

Policies come in two kinds: system policies and custom policies. If the system policies do not meet your authorization requirements, an administrator can create custom policies and attach them to user groups for fine-grained access control. The operations a policy can allow or deny correspond one-to-one to API calls. The columns of the authorization item list are:

  • Permission: the operation that is allowed or denied.
  • API: the API that the custom policy actually governs.
  • Action: the Action string supported in custom policies. Write it in the Action list of a custom policy to grant the corresponding permission.
  • Dependent actions: some actions depend on other actions. The dependent actions must be written into the policy as well; otherwise the permission does not take effect. (The table below carries no dependency column, so none of the listed ASM actions declares a dependency here.)

    "√" means supported; "×" means not yet supported.

    The custom policy authorization items supported by Application Service Mesh (ASM) are as follows:

    Table 1 Mesh

    | Permission | API | Action | IAM Project | Enterprise Project |
    |---|---|---|---|---|
    | Create mesh | POST /v1/{project_id}/meshes | asm:mesh:create | | |
    | Delete mesh | DELETE /v1/{project_id}/meshes/{id} | asm:mesh:delete | | |
    | List meshes | GET /v1/{project_id}/meshes | asm:mesh:get | | |
    | Query mesh details | GET /v1/{project_id}/meshes/{id} | asm:mesh:list | | |
    | Upgrade mesh | POST /v1/{project_id}/mesh-upgrade; GET /v1/{project_id}/mesh-upgrade/{id}; PUT /v1/{project_id}/mesh-upgrade/{id}; DELETE /v1/{project_id}/mesh-upgrade/{id} | asm:mesh:upgrade | | |
    | Query mesh upgrade job | GET /v1/{project_id}/mesh-job/{id} | asm:mesh:getUpgradeJob | | |
    | Update mesh | PUT /v2/projects/:project_id/meshes/:mesh_id | asm:mesh:update | | |
    | Get candidate clusters | GET /v3/projects/:project_id/clusters-to-be-added | asm:mesh:getAvailableClusters | | × |
    | List mesh services | GET /v3/meshes/:mesh_id/namespaces/:namespace/services | asm:mesh:listServices | | |
    | Query mesh service | GET /v3/meshes/:mesh_id/namespaces/:namespace/services/:service | asm:mesh:getService | | |
    | Validate mesh service | POST /v2/meshes/:mesh_id/namespaces/:namespace/services/validate | asm:mesh:getService | | |
    | One-click fix of mesh service | POST /v2/meshes/:mesh_id/namespaces/:namespace/services/format | asm:mesh:updateService | | |
    | Query mesh service access authorization | GET /v3/meshes/:mesh_id/authorizations | asm:mesh:getServiceGovernance | | |
    | Create mesh service access authorization | POST /v3/meshes/:mesh_id/authorizations | asm:mesh:updateServiceGovernance | | |
    | Delete mesh service access authorization | DELETE /v3/meshes/:mesh_id/authorizations | asm:mesh:updateServiceGovernance | | |
    | Update namespace injection configuration | PUT /v2/meshes/:mesh_id/injection | asm:mesh:updateNamespace | | |
    | Get namespace injection configuration | GET /v2/meshes/:mesh_id/injection | asm:mesh:getNamespace | | |
    | Get namespaces | GET /v2/meshes/:mesh_id/namespaces | asm:mesh:listNamespaces | | |
    | Get grayscale release traffic policy | GET /v2/meshes/:mesh_id/namespaces/:namespace/services/:service/virtualroutes | asm:mesh:getRelease | | |
    | Update grayscale release traffic policy | PUT /v2/meshes/:mesh_id/namespaces/:namespace/services/:service/virtualroutes | asm:mesh:updateRelease | | |
    | Create grayscale release task | POST /v2/meshes/:mesh_id/namespaces/:namespace/releases | asm:mesh:createRelease | | |
    | Get grayscale release task details | GET /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:getRelease | | |
    | List grayscale release tasks | GET /v2/meshes/:mesh_id/releases | asm:mesh:listReleases | | |
    | Update grayscale release task | PUT /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:updateRelease | | |
    | Delete grayscale release task | DELETE /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:deleteRelease | | |
    | Create gateway | POST /v2/meshes/:mesh_id/gateways | asm:mesh:createGateway | | |
    | List gateways | GET /v3/meshes/:mesh_id/gateways | asm:mesh:listGateways | | |
    | Delete gateway | POST /v2/meshes/:mesh_id/gateways/:gateway | asm:mesh:deleteGateway | | |
    | Add gateway route | POST /v3/meshes/:mesh_id/gateways/:gateway/addroute | asm:mesh:createGatewayRoute | | |
    | List gateway routes | POST /v2/meshes/:mesh_id/gateways/:gateway/routes | asm:mesh:listGatewayRoutes | | |
    | Remove gateway route | POST /v3/meshes/:mesh_id/gateways/:gateway/removeroute | asm:mesh:deleteGatewayRoute | | |
    | Create one-click experience (workshop) | POST /v2/meshes/:mesh_id/workshops | asm:mesh:createWorkshop | | |
    | Delete one-click experience (workshop) | DELETE /v2/meshes/:mesh_id/workshops/:workshop | asm:mesh:deleteWorkshop | | |
    | List one-click experiences (workshops) | GET /v2/meshes/:mesh_id/workshops | asm:mesh:listWorkshops | | |
    | Forward Istio query request | GET /apis/*.istio.io/* | asm:mesh:getServiceGovernance | | |
    | Forward Istio create request | POST /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | | |
    | Forward Istio delete request | DELETE /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | | |
    | Forward Istio update request | PUT /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | | |
    | List resource instances by tag | POST /v2/:project_id/:resourcetype/resource-instances/filter | asm:mesh:listResourcesByTag | | × |
    | Count resource instances by tag | POST /v2/:project_id/:resourcetype/resource-instances/count | asm:mesh:listResourcesByTag | | × |
    | Batch create resource tags | POST /v2/:project_id/:resourcetype/:resourceid/tags/create | asm:mesh:tagResource | | |
    | Batch delete resource tags | DELETE /v2/:project_id/:resourcetype/:resourceid/tags/delete | asm:mesh:unTagResource | | |
    | Query resource tags | GET /v2/:project_id/:resourcetype/:resourceid/tags | asm:mesh:listTagsForResource | | |
    | Query project tags | GET /v2/:project_id/:resourcetype/tags | asm:mesh:listTags | | × |
    | View service topology | GET /api/namespaces/:namespace/services/:service/graph; GET /api/graph | asm:mesh:getTopology | | |

    Notes on reading the table:

  • Only the × marks in the last two columns survived extraction of this page. They are placed in the Enterprise Project column as an inference: all four are project-level queries not scoped to a single mesh instance, which is where enterprise-project support is usually absent. A blank cell means the mark was lost, not that the operation is supported or unsupported; confirm in the IAM console before relying on it.
  • The page maps "List meshes" (GET /v1/{project_id}/meshes) to asm:mesh:get and "Query mesh details" (GET /v1/{project_id}/meshes/{id}) to asm:mesh:list, the reverse of what the names suggest. The rows are reproduced as the page gives them; when writing a read-only policy, grant both actions rather than guessing which one a given call needs.
  • The four "Forward Istio ... request" rows are the broadest items in the table: asm:mesh:updateServiceGovernance covers every POST, PUT and DELETE on any *.istio.io API group (VirtualService, DestinationRule, AuthorizationPolicy, PeerAuthentication, and so on), and asm:mesh:getServiceGovernance every GET. A principal holding updateServiceGovernance can therefore change traffic routing and mesh authorization policy for the whole mesh, even if it has no other mesh actions; treat it as a privileged write action, not a per-service one.
  • Several write operations use POST rather than the verb the name suggests ("Delete gateway", "List gateway routes"). Request filters or audit rules keyed on the HTTP method alone will misclassify them; key on path and action instead.
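To put the mapping above to work in a policy review, here is an added Python example (not Huawei's code and not part of this page) that resolves ASM REST calls to the actions in Table 1 and evaluates whether a custom policy grants them. Assumptions, all labelled in the code: the route table is a hand-copied subset of Table 1, kept exactly as the page writes it (including its mapping of GET /v1/{project_id}/meshes to asm:mesh:get and GET .../meshes/{id} to asm:mesh:list); the policy document shape (Version "1.1", Statement entries with Effect and Action) follows the IAM custom policy format; Deny is assumed to override Allow and a trailing `*` in an Action entry is assumed to be a prefix wildcard; the sample calls and the read-only policy are constructed for the example.

```python
"""Resolve ASM API calls to IAM actions (Table 1) and check a custom policy against them.

Added example, not Huawei's own code. ROUTE_TABLE is a hand-copied subset of the
page's Table 1; policy semantics (Deny overrides Allow, trailing '*' wildcard in
Action entries, "Version": "1.1") are assumptions about the IAM policy format.
"""
import json
import re

# Hand-copied subset of Table 1: (HTTP method, path template, IAM action).
# Placeholder styles ({id} and :mesh_id) are kept exactly as the page writes them.
ROUTE_TABLE = [
    ("POST",   "/v1/{project_id}/meshes",                            "asm:mesh:create"),
    ("DELETE", "/v1/{project_id}/meshes/{id}",                       "asm:mesh:delete"),
    ("GET",    "/v1/{project_id}/meshes",                            "asm:mesh:get"),   # as mapped on the page
    ("GET",    "/v1/{project_id}/meshes/{id}",                       "asm:mesh:list"),  # as mapped on the page
    ("PUT",    "/v2/projects/:project_id/meshes/:mesh_id",           "asm:mesh:update"),
    ("GET",    "/v3/meshes/:mesh_id/namespaces/:namespace/services", "asm:mesh:listServices"),
    ("GET",    "/v3/meshes/:mesh_id/authorizations",                 "asm:mesh:getServiceGovernance"),
    ("POST",   "/v3/meshes/:mesh_id/authorizations",                 "asm:mesh:updateServiceGovernance"),
    ("DELETE", "/v3/meshes/:mesh_id/authorizations",                 "asm:mesh:updateServiceGovernance"),
    ("GET",    "/apis/*.istio.io/*",                                 "asm:mesh:getServiceGovernance"),
    ("POST",   "/apis/*.istio.io/*",                                 "asm:mesh:updateServiceGovernance"),
    ("DELETE", "/apis/*.istio.io/*",                                 "asm:mesh:updateServiceGovernance"),
]


def _template_to_regex(template):
    """Compile a path template into an anchored regex.

    {name} and :name placeholders match exactly one path segment; a literal '*'
    (used only by the Istio passthrough rows) matches any run of characters.
    """
    pieces = []
    for part in re.split(r"(\{[^}]+\}|:[A-Za-z_]+|\*)", template):
        if not part:
            continue
        if part == "*":
            pieces.append(".*")
        elif part[0] in "{:":
            pieces.append("[^/]+")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$")


_COMPILED = [(m, _template_to_regex(t), a) for m, t, a in ROUTE_TABLE]


def action_for(method, path):
    """Return the IAM action Table 1 maps to this call, or None if the call is not in the subset."""
    for m, rx, action in _COMPILED:
        if m == method.upper() and rx.match(path):
            return action
    return None


def _action_matches(pattern, action):
    """Action matching as assumed for IAM policies: exact, or prefix when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def policy_allows(policy, action):
    """Evaluate one action against a custom policy. Assumed: an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def actions_not_allowed(policy, calls):
    """Sorted list of actions that the policy does not grant for the given (method, path) calls."""
    blocked = set()
    for method, path in calls:
        action = action_for(method, path)
        if action is None:
            raise ValueError(f"{method} {path} is not in ROUTE_TABLE")
        if not policy_allows(policy, action):
            blocked.add(action)
    return sorted(blocked)


# Constructed read-only policy: inspect meshes, services and Istio resources, never mutate them.
# The explicit Deny keeps a later broad Allow (e.g. "asm:mesh:*") from silently re-granting
# mesh-wide governance writes, which the Istio passthrough rows make unusually powerful.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["asm:mesh:get", "asm:mesh:list",
                                   "asm:mesh:listServices", "asm:mesh:getServiceGovernance"]},
    {"Effect": "Deny",  "Action": ["asm:mesh:updateServiceGovernance", "asm:mesh:delete"]}
  ]
}
""")

# Constructed sample calls an operator's session might make.
SAMPLE_CALLS = [
    ("GET", "/v1/0a1b2c/meshes"),
    ("GET", "/apis/networking.istio.io/v1beta1/namespaces/default/virtualservices"),
    ("DELETE", "/v3/meshes/mesh-1/authorizations"),
]

if __name__ == "__main__":
    print(actions_not_allowed(READ_ONLY_POLICY, SAMPLE_CALLS))
```

Running the module reports only asm:mesh:updateServiceGovernance as blocked for the sample session: the two reads succeed and the DELETE on the mesh authorizations is refused by the Deny statement. Extend ROUTE_TABLE with the remaining rows of Table 1 to audit a full API access log against the policies actually attached to a user group.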
