策略授权参考
本章节介绍密码安全中心(Data Encryption Workshop, DEW)策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
KMS策略授权项、KPS策略授权项、CSMS策略授权项、CPCS策略授权项的支持自定义策略授权项如下所示:
| 权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
| 取消计划删除密钥 | /v1.0/{project_id}/kms/cancel-key-deletion | kms:cmk:cancelKeyDeletion | √ | √ |
| 创建密钥 | /v1.0/{project_id}/kms/create-key | kms:cmk:create | √ | √ |
| 计划删除密钥 | /v1.0/{project_id}/kms/schedule-key-deletion | kms:cmk:scheduleKeyDeletion | √ | √ |
| 禁用密钥 | /v1.0/{project_id}/kms/disable-key | kms:cmk:disable | √ | √ |
| 启用密钥 | /v1.0/{project_id}/kms/enable-key | kms:cmk:enable | √ | √ |
| 修改密钥别名 | /v1.0/{project_id}/kms/update-key-alias | kms:cmk:updateKeyAlias | √ | √ |
| 修改密钥描述 | /v1.0/{project_id}/kms/update-key-description | kms:cmk:updateKeyDescription | √ | √ |
| 创建数据密钥 | /v1.0/{project_id}/kms/create-datakey | kms:cmk:createDataKey | √ | √ |
| 创建不含明文数据密钥 | /v1.0/{project_id}/kms/create-datakey-without-plaintext | kms:cmk:createDataKeyWithoutPlaintext | √ | √ |
| 创建EC数据密钥对 | /v1.0/{project_id}/kms/create-ec-datakey-pair | kms:cmk:createDataKeyPair | √ | √ |
| 创建PIN码 | /v1.0/{project_id}/kms/create-pin | 不涉及 | 不涉及 | 不涉及 |
| 创建随机数 | /v1.0/{project_id}/kms/gen-random | kms::generateRandom | √ | √ |
| 创建RSA数据密钥对 | /v1.0/{project_id}/kms/create-rsa-datakey-pair | kms:cmk:createDataKeyPair | √ | √ |
| 解密数据密钥 | /v1.0/{project_id}/kms/decrypt-datakey | kms:cmk:decryptDataKey | √ | √ |
| 加密数据密钥 | /v1.0/{project_id}/kms/encrypt-datakey | kms:cmk:encryptDataKey | √ | √ |
| 获取密钥导入参数 | /v1.0/{project_id}/kms/get-parameters-for-import | kms:cmk:getMaterial | √ | √ |
| 删除密钥材料 | /v1.0/{project_id}/kms/delete-imported-key-material | kms:cmk:deleteMaterial | √ | √ |
| 导入密钥材料 | /v1.0/{project_id}/kms/import-key-material | kms:cmk:importMaterial | √ | √ |
| 撤销授权 | /v1.0/{project_id}/kms/revoke-grant | kms:cmk:revokeGrant | √ | √ |
| 退役授权 | /v1.0/{project_id}/kms/retire-grant | kms:cmk:retireGrant | √ | √ |
| 创建授权 | /v1.0/{project_id}/kms/create-grant | kms:cmk:createGrant | √ | √ |
| 查询授权列表 | /v1.0/{project_id}/kms/list-grants | kms:cmk:listGrants | √ | √ |
| 查询可退役授权列表 | /v1.0/{project_id}/kms/list-retirable-grants | kms::listRetirableGrants | √ | √ |
| 解密数据 | /v1.0/{project_id}/kms/decrypt-data | kms:cmk:decryptData | √ | √ |
| 加密数据 | /v1.0/{project_id}/kms/encrypt-data | kms:cmk:encryptData | √ | √ |
| 签名数据 | /v1.0/{project_id}/kms/sign | kms:cmk:sign | √ | √ |
| 验证签名 | /v1.0/{project_id}/kms/verify | kms:cmk:verify | √ | √ |
| 关闭密钥轮换 | /v1.0/{project_id}/kms/disable-key-rotation | kms:cmk:disableRotation | √ | √ |
| 开启密钥轮换 | /v1.0/{project_id}/kms/enable-key-rotation | kms:cmk:enableRotation | √ | √ |
| 查询密钥轮换状态 | /v1.0/{project_id}/kms/get-key-rotation-status | kms:cmk:getRotation | √ | √ |
| 修改密钥轮换周期 | /v1.0/{project_id}/kms/update-key-rotation-interval | kms:cmk:updateRotation | √ | √ |
| 批量添加删除密钥标签 | /v1.0/{project_id}/kms/{key_id}/tags/action | kms:cmk:createTags | √ | √ |
| 添加密钥标签 | /v1.0/{project_id}/kms/{key_id}/tags | kms:cmk:createTag | √ | √ |
| 删除密钥标签 | /v1.0/{project_id}/kms/{key_id}/tags/{key} | kms:cmk:deleteTag | √ | √ |
| 查询密钥实例 | /v1.0/{project_id}/kms/{resource_instances}/action | kms:cmk:listKeysByTag | √ | √ |
| 查询项目标签 | /v1.0/{project_id}/kms/tags | kms::listAllTags | √ | √ |
| 查询密钥标签 | /v1.0/{project_id}/kms/{key_id}/tags | kms:cmk:getTags | √ | √ |
| 查询密钥信息 | /v1.0/{project_id}/kms/describe-key | kms:cmk:get | √ | √ |
| 查询密钥列表 | /v1.0/{project_id}/kms/list-keys | kms:cmk:list | √ | √ |
| 查询公钥信息 | /v1.0/{project_id}/kms/get-publickey | kms:cmk:getPublicKey | √ | √ |
| 查询实例数 | /v1.0/{project_id}/kms/user-instances | kms::getInstance | √ | × |
| 查询配额 | /v1.0/{project_id}/kms/user-quotas | kms::getQuota | √ | × |
| 查询指定版本信息 | /{version_id} | 不涉及 | 不涉及 | 不涉及 |
| 查询版本信息列表 | / | 不涉及 | 不涉及 | 不涉及 |
| 创建专属密钥库 | /v1.0/{project_id}/keystores | kms:keystore:create | √ | × |
| 删除专属密钥库 | /v1.0/{project_id}/keystores/{keystore_id} | kms:keystore:delete | √ | × |
| 禁用专属密钥库 | /v1.0/{project_id}/keystores/{keystore_id}/disable | kms:keystore:disable | √ | × |
| 启用专属密钥库 | /v1.0/{project_id}/keystores/{keystore_id}/enable | kms:keystore:enable | √ | × |
| 查询专属密钥库列表 | /v1.0/{project_id}/keystores | kms:keystore:list | √ | × |
| 获取专属密钥库 | /v1.0/{project_id}/keystores/{keystore_id} | kms:keystore:get | √ | × |
| 查询跨区域密钥所支持的区域 | /v2/{project_id}/kms/regions | 不涉及 | 不涉及 | 不涉及 |
| 复制密钥到指定区域 | /v2/{project_id}/kms/keys/{key_id}/replicate | kms:cmk:replicate | √ | √ |
| 修改密钥所属的主区域 | /v2/{project_id}/kms/keys/{key_id}/update-primary-region | kms:cmk:updatePrimaryRegion | √ | √ |
| 生成消息验证码 | /v1.0/{project_id}/kms/generate-mac | kms:cmk:generateMac | √ | √ |
| 校验消息验证码 | /v1.0/{project_id}/kms/verify-mac | kms:cmk:verifyMac | √ | √ |
| 关联密钥别名 | /v1.0/{project_id}/kms/alias/associate | kms:alias:associate | √ | × |
| 创建密钥别名 | /v1.0/{project_id}/kms/aliases | kms:alias:create | √ | × |
| 删除密钥别名 | /v1.0/{project_id}/kms/aliases | kms:alias:delete | √ | × |
| 查询密钥关联的别名 | /v1.0/{project_id}/kms/aliases | kms:alias:list | √ | × |
| 权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
| 批量导出密钥对私钥 | /v3/{project_id}/keypairs/private-key/batch-export | kps:domainKeypairs:exportpk | √ | × |
| 批量导入SSH密钥对 | /v3/{project_id}/keypairs/batch-import | kps:domainKeypairs:create | √ | × |
| 清除私钥 | /v3/{project_id}/keypairs/{keypair_name}/private-key | kps:domainKeypairs:clearpk | √ | × |
| 创建和导入SSH密钥对 | /v3/{project_id}/keypairs | kps:domainKeypairs:create | √ | × |
| 删除SSH密钥对 | /v3/{project_id}/keypairs/{keypair_name} | kps:domainKeypairs:delete | √ | × |
| 导出私钥 | /v3/{project_id}/keypairs/private-key/export | kps:domainKeypairs:exportpk | √ | × |
| 导入私钥 | /v3/{project_id}/keypairs/private-key/import | kps:domainKeypairs:importpk | √ | × |
| 查询SSH密钥对详细信息 | /v3/{project_id}/keypairs/{keypair_name} | kps:domainKeypairs:get | √ | × |
| 查询SSH密钥对列表 | /v3/{project_id}/keypairs | kps:domainKeypairs:list | √ | × |
| 更新SSH密钥对描述 | /v3/{project_id}/keypairs/{keypair_name} | kps:domainKeypairs:update | √ | × |
| 绑定SSH密钥对 | /v3/{project_id}/keypairs/associate | kps:domainKeypairs:bind | √ | × |
| 批量导入SSH密钥对 | /v3/{project_id}/keypairs/batch-import | kps:domainKeypairs:create | √ | × |
| 删除所有失败的任务 | /v3/{project_id}/failed-tasks | kps:domainKeypairs:deletefailtasks | √ | × |
| 删除失败的任务 | /v3/{project_id}/failed-tasks/{task_id} | kps:domainKeypairs:deletefailtask | √ | × |
| 解绑SSH密钥对 | /v3/{project_id}/keypairs/disassociate | kps:domainKeypairs:unbind | √ | × |
| 查询失败的任务信息 | /v3/{project_id}/failed-tasks | kps:domainKeypairs:getfailtask | √ | × |
| 查询任务信息 | /v3/{project_id}/tasks/{task_id} | kps:domainKeypairs:gettask | √ | × |
| 查询正在处理的任务信息 | /v3/{project_id}/running-tasks | kps:domainKeypairs:getrunningtask | √ | × |
| 权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
| 批量删除凭据 | /v1/{project_id}/secrets/batch-delete | csms:secret:delete | √ | × |
| 创建凭据 | /v1/{project_id}/secrets | csms:secret:create | √ | √ |
| 立即删除凭据 | /v1/{project_id}/secrets/{secret_name} | csms:secret:delete | √ | √ |
| 创建凭据的定时删除任务 | /v1/{project_id}/secrets/{secret_name}/scheduled-deleted-tasks/create | csms:secret:scheduleDeletion | √ | √ |
| 下载凭据备份 | /v1/{project_id}/secrets/{secret_name}/backup | csms:secret:get | √ | √ |
| 查询凭据列表 | /v1/{project_id}/secrets | csms:secret:list | √ | √ |
| 取消凭据的定时删除任务 | /v1/{project_id}/secrets/{secret_name}/scheduled-deleted-tasks/cancel | csms:secret:restoreSecret | √ | √ |
| 轮转凭据 | /v1/{project_id}/secrets/{secret_name}/rotate | csms:secret:rotate | √ | √ |
| 查询凭据 | /v1/{project_id}/secrets/{secret_name} | csms:secret:get | √ | √ |
| 更新凭据 | /v1/{project_id}/secrets/{secret_name} | csms:secret:update | √ | √ |
| 恢复凭据对象 | /v1/{project_id}/secrets/restore | csms:secret:create | √ | × |
| 创建凭据版本 | /v1/{project_id}/secrets/{secret_name}/versions | csms:secret:createVersion | √ | √ |
| 查询凭据的版本列表 | /v1/{project_id}/secrets/{secret_name}/versions | csms:secret:listVersion | √ | √ |
| 查询凭据的版本与凭据值 | /v1/{project_id}/secrets/{secret_name}/versions/{version_id} | csms:secret:getVersion | √ | √ |
| 更新凭据版本 | /v1/{project_id}/secrets/{secret_name}/versions/{version_id} | csms:secret:updateVersion | √ | √ |
| 创建凭据的版本状态 | /v1/{project_id}/secrets/{secret_name}/stages | csms:secret:createStage | √ | √ |
| 查询凭据的版本状态 | /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} | csms:secret:getStage | √ | √ |
| 删除凭据的版本状态 | /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} | csms:secret:deleteStage | √ | √ |
| 更新凭据的版本状态 | /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} | csms:secret:updateStage | √ | √ |
| 批量添加或删除凭据标签 | /v1/{project_id}/csms/{secret_id}/tags/action | csms:secret:batchCreateOrDeleteTags | √ | √ |
| 添加凭据标签 | /v1/{project_id}/csms/{secret_id}/tags | csms:secret:createTag | √ | √ |
| 删除凭据标签 | /v1/{project_id}/csms/{secret_id}/tags/{key} | csms:secret:deleteTag | √ | √ |
| 查询项目标签 | /v1/{project_id}/csms/tags | csms::listProjectTags | √ | × |
| 查询凭据实例 | /v1/{project_id}/csms/{resource_instances}/action | csms:secret:getSecretsByTag | √ | × |
| 查询凭据标签 | /v1/{project_id}/csms/{secret_id}/tags | csms:secret:listTags | √ | √ |
| 创建事件 | /v1/{project_id}/csms/events | csms::createEvent | √ | × |
| 立即删除事件 | /v1/{project_id}/csms/events/{event_name} | csms::deleteEvent | √ | × |
| 查询已触发的事件通知记录 | /v1/{project_id}/csms/notification-records | csms::listNotificationRecords | √ | × |
| 查询事件列表 | /v1/{project_id}/csms/events | csms::listEvents | √ | × |
| 查询事件 | /v1/{project_id}/csms/events/{event_name} | csms::getEvent | √ | × |
| 更新事件 | /v1/{project_id}/csms/events/{event_name} | csms::updateEvent | √ | × |
| 创建服务委托 | /v1/csms/agencies | 不涉及 | √ | × |
| 获取凭据轮转函数模板 | /v1/csms/function-templates | 不涉及 | √ | × |
| 查看是否有服务委托 | /v1/csms/agencies | 不涉及 | √ | × |
| 查询任务列表 | /v1/{project_id}/csms/tasks | csms::listTasks | √ | × |
| 权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
| AK/SK 换取Cpcs token | /v1/{project_id}/dew/cpcs/token/switch | cpcs::switchCpcsToken+H2:H36ByIamToken | √ | × |
| 查询密码服务的镜像 | /v1/{project_id}/dew/cpcs/images | cpcs::listImages | √ | × |
| 获取应用状态监控 | /v1/{project_id}/dew/cpcs/app/status | cpcs::getStatusApp | √ | × |
| 获取证书分布统计信息 | /v1/{project_id}/dew/cpcs/certificate/statistic | cpcs::getStatisticCertificate | √ | × |
| 获取集群监控信息 | /v1/{project_id}/dew/cpcs/cluster/status | cpcs::getStatusCluster | √ | × |
| 获取实例监控信息 | /v1/{project_id}/dew/cpcs/instance/status | cpcs::getStatusInstance | √ | × |
| 获取接口调用统计信息 | /v1/{project_id}/dew/cpcs/interface/statistic | cpcs::getStatisticInterface | √ | × |
| 查询租户的资源分布信息 | /v1/{project_id}/dew/cpcs/resource-info | cpcs::getResourceInfo | √ | × |
| 获取AK详情 | /v1/{project_id}/dew/cpcs/resource/access-key | cpcs::getResourceDetailAccessKey | √ | × |
| 获取证书详情 | /v1/{project_id}/dew/cpcs/resource/certificates | cpcs::getResourceDetailCertificate | √ | × |
| 获取资源总量统计信息 | /v1/{project_id}/dew/cpcs/resource/statistic | cpcs::getStatisticResource | √ | × |
| 获取密钥分布统计信息 | /v1/{project_id}/dew/cpcs/secret-key/statistic | cpcs::getStatisticSecretKey | √ | × |
| 获取服务监控信息 | /v1/{project_id}/dew/cpcs/service/status | cpcs::getStatusService | √ | × |
| 密码资源指标监控 | /v1/{project_id}/dew/cpcs/vm-monitor | cpcs::getVMInfo | √ | × |
| 查询应用的访问密钥列表 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys | cpcs:app:listAccessKeys | √ | × |
| 创建访问密钥 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys | cpcs:app:createAccessKey | √ | × |
| 停用应用的访问密钥 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys/disable | cpcs:app:disableAccessKey | √ | × |
| 启用应用的访问密钥 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys/enable | cpcs:app:enableAccessKey | √ | × |
| 删除应用的访问密钥 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys/{access_key_id} | cpcs:app:deleteAccessKey | √ | × |
| 下载访问密钥 | /v1/{project_id}/dew/cpcs/apps/{app_id}/access-keys/{access_key_id} | cpcs:app:downloadAccessKey | √ | × |
| 创建密码服务集群与应用绑定关系 | /v1/{project_id}/dew/cpcs/associate-apps | cpcs:cluster:associateApps | √ | × |
| 查询密码服务集群与应用的绑定关系列表 | /v1/{project_id}/dew/cpcs/associations | cpcs::listAssociations | √ | × |
| 解除密码服务集群与应用绑定关系 | /v1/{project_id}/dew/cpcs/disassociate-apps | cpcs:cluster:disassociateApps | √ | × |
| 查询应用列表 | /v1/{project_id}/dew/cpcs/apps | cpcs:app:list | √ | × |
| 创建应用 | /v1/{project_id}/dew/cpcs/apps | cpcs:app:create | √ | × |
| 删除应用 | /v1/{project_id}/dew/cpcs/apps/{app_id} | cpcs:app:delete | √ | × |
| 查询密码服务集群已授权的访问密钥列表 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/access-keys | cpcs:cluster:listClusterAccessKeys | √ | × |
| 密码服务集群授予应用访问密钥的访问权限 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/authorize-access-keys | cpcs:cluster:authorizeAccessKey | √ | × |
| 密码服务集群解除对访问密钥的授权 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/de-authorize-access-keys | cpcs:cluster:deAuthorizeAccessKey | √ | × |
| 查询可创建密码服务集群的可用区列表 | /v1/{project_id}/dew/cpcs/az | cpcs::getAvailableAz | √ | × |
| 查询密码服务集群列表 | /v1/{project_id}/dew/cpcs/cluster | cpcs:cluster:list | √ | × |
| 创建密码服务集群 | /v1/{project_id}/dew/cpcs/cluster | cpcs:cluster:create | √ | × |
| 删除密码服务集群 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id} | cpcs:cluster:delete | √ | × |
| 查询密码服务集群详情 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id} | cpcs:cluster:get | √ | × |
| 查询平台审计日志 | /v1/{project_id}/dew/cpcs/platform/audit-log | cpcs::listAuditLog | √ | × |
| 查询密码服务实例列表 | /v1/{project_id}/dew/cpcs/instances | cpcs:cluster:listInstances | √ | × |
| 停用密码服务实例的业务功能 | /v1/{project_id}/dew/cpcs/instances/{instance_id}/disable | cpcs:cluster:disableInstance | √ | × |
| 启用密码服务实例的业务功能 | /v1/{project_id}/dew/cpcs/instances/{instance_id}/enable | cpcs:cluster:enableInstance | √ | × |
| 获取密码服务管理界面URL | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/uri | cpcs:cluster:getClusterServiceUrl | √ | × |
| 查询集群模式端口列表 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/port | cpcs:cluster:listELBPort | √ | × |
| 创建集群模式端口 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/port | cpcs:cluster:createELBPort | √ | × |
| 删除集群模式端口 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/port/{id} | cpcs:cluster:deleteELBPort | √ | × |
| 检测集群模式端口是否正常 | /v1/{project_id}/dew/cpcs/cluster/{cluster_id}/port/{id} | cpcs:cluster:getELBPortStatus | √ | × |
