Policy Authorization Reference
This section describes the actions that TaurusDB supports in policy-based authorization.
Supported Actions
Policies include system-defined policies and custom policies. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and grant them to user groups for fine-grained access control. The operations a policy supports correspond to APIs. The columns of the action list are described as follows:
- Permission: allows or denies a specific operation.
- API: the API that the custom policy actually calls.
- Action: the action supported in a custom policy. Writing an action into the Action field of a custom policy grants the permission that corresponds to it.
- Dependent action: some actions depend on other actions. The dependent actions must also be written into the policy, otherwise the corresponding permission does not take effect.
- IAM Project/Enterprise Project: the authorization scope of a custom policy, which can be an IAM project or an enterprise project. If an action supports both, a custom policy containing it can be granted to user groups in either IAM or Enterprise Management and takes effect in both. If it supports only IAM projects, the policy can be granted to user groups and take effect only in IAM; a grant made in Enterprise Management has no effect. Administrators can check the action list to see whether an action supports IAM projects or enterprise projects: "√" means supported and "×" means not yet supported. For the difference between IAM projects and enterprise projects, see Differences Between IAM and Enterprise Management.
The actions that TaurusDB supports in custom policies are listed below:
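The rules above (an action grants exactly the permission it names, dependent actions must be granted together, and a policy is applied to a user group) can be checked offline before a policy is granted. The following is an added example, not code from the TaurusDB documentation or any Huawei Cloud SDK: it loads two constructed custom policies, maps a handful of API calls from the table on this page to their required actions, and reports which calls each policy would permit. It assumes (the page does not state these) that a custom policy is a JSON document of the form `{"Version": "1.1", "Statement": [{"Effect": "Allow"|"Deny", "Action": [...]}]}`, that an explicit Deny overrides any Allow, that an action matched by no statement is implicitly denied, that `*` inside an action string is a wildcard, and that when a table cell lists several actions all of them are required.

```python
"""Offline least-privilege check for a TaurusDB custom policy (added example).

Assumptions not stated on the page: policy JSON shape {"Version": "1.1",
"Statement": [{"Effect": "Allow"|"Deny", "Action": [...]}]}, Deny overrides
Allow, unmatched actions are implicitly denied, "*" is a wildcard, and every
action listed in a table cell is required for that API call.
"""
import fnmatch
import json

# (HTTP method, API path) -> required actions, copied from the table on this page.
API_ACTIONS = {
    ("GET", "/v3/{project_id}/backups"): ["gaussdb:backup:list"],
    ("POST", "/v3/{project_id}/backups/create"): ["gaussdb:backup:create"],
    ("DELETE", "/v3/{project_id}/backups/{backup_id}"): ["gaussdb:backup:delete"],
    ("POST", "/v3/{project_id}/instances/restore"): ["gaussdb:instance:restoreInPlace"],
    ("PUT", "/v3/{project_id}/instances/{instance_id}/monitor-policy"): [
        "gaussdb:instance:modify",
        "gaussdb:instance:modifyMonitorPolicy",
    ],
}

# Constructed sample policy 1: a backup operator who may list and create
# backups and is given only ONE of the two monitoring actions (the dependent
# action gaussdb:instance:modify is deliberately left out).
BACKUP_OPERATOR = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["gaussdb:backup:list", "gaussdb:backup:create",
                "gaussdb:instance:modifyMonitorPolicy"]}
  ]
}
""")

# Constructed sample policy 2: a wildcard grant with one explicit Deny carved out.
BROAD_WITH_DENY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["gaussdb:*:*"]},
    {"Effect": "Deny",  "Action": ["gaussdb:backup:delete"]}
  ]
}
""")


def _as_list(value):
    """Action may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy, action):
    """Return "Allow", "Deny" or "NoMatch" (implicit deny) for one action."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"  # assumed: an explicit Deny wins over any Allow
            decision = "Allow"
    return decision


def missing_actions(policy, method, path):
    """Required actions for the API call that the policy does not allow."""
    return [a for a in API_ACTIONS[(method, path)] if evaluate(policy, a) != "Allow"]


def is_api_allowed(policy, method, path):
    """True only when every required action (dependencies included) is allowed."""
    return not missing_actions(policy, method, path)


def wildcard_grants(policy):
    """Allow entries containing wildcards: review these first when tightening."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in _as_list(s["Action"]) if "*" in a]


if __name__ == "__main__":
    for name, pol in [("backup operator", BACKUP_OPERATOR), ("broad", BROAD_WITH_DENY)]:
        print(f"== {name} (wildcard grants: {wildcard_grants(pol)})")
        for method, path in API_ACTIONS:
            gap = missing_actions(pol, method, path)
            print(f"{method:6} {path:58} {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Running the script shows the two failure modes worth checking before a policy is granted: the backup operator cannot call the monitor-policy API because the dependent action `gaussdb:instance:modify` is missing, and the broad policy still cannot delete backups because the explicit Deny wins over the `gaussdb:*:*` grant.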
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying database engine versions | GET /v3/{project_id}/datastores/{database_name} | gaussdb:instance:list | √ | √ |
| Querying database specifications | GET /v3/{project_id}/flavors/{database_name} | gaussdb:instance:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a DB instance | POST /v3/{project_id}/instances | gaussdb:instance:create | √ | √ |
| Querying instances | GET /v3/{project_id}/instances | gaussdb:instance:list | √ | √ |
| Restarting a DB instance | POST /v3/{project_id}/instances/{instance_id}/restart | gaussdb:instance:restart | √ | √ |
| Deleting/Unsubscribing from a DB instance | DELETE /v3/{project_id}/instances/{instance_id} | gaussdb:instance:delete | √ | √ |
| Querying instance details | GET /v3/{project_id}/instances/{instance_id} | gaussdb:instance:list | √ | √ |
| Querying details of instances in batches | GET /v3/{project_id}/instances/details | gaussdb:instance:list | √ | √ |
| Creating read replicas | POST /v3/{project_id}/instances/{instance_id}/nodes/enlarge | gaussdb:instance:addNodes | √ | √ |
| Deleting/Unsubscribing from a read replica | DELETE /v3/{project_id}/instances/{instance_id}/nodes/{node_id} | gaussdb:instance:deleteNodes | √ | √ |
| Scaling up storage of a yearly/monthly instance | POST /v3/{project_id}/instances/{instance_id}/volume/extend | gaussdb:instance:modifyStorageSize | √ | √ |
| Changing an instance name | PUT /v3/{project_id}/instances/{instance_id}/name | gaussdb:instance:rename | √ | √ |
| Resetting a database password | POST /v3/{project_id}/instances/{instance_id}/password | gaussdb:instance:modifyPassword | √ | √ |
| Changing instance specifications | POST /v3/{project_id}/instances/{instance_id}/action | gaussdb:instance:modifySpec | √ | √ |
| Querying dedicated resource pools | GET /v3/{project_id}/dedicated-resources | gaussdb:instance:list | √ | √ |
| Querying dedicated resource details | GET /v3/{project_id}/dedicated-resource/{dedicated_resource_id} | gaussdb:instance:list | √ | √ |
| Configuring second-level monitoring for an instance | PUT /v3/{project_id}/instances/{instance_id}/monitor-policy | gaussdb:instance:modify gaussdb:instance:modifyMonitorPolicy | √ | √ |
| Querying second-level monitoring settings of an instance | GET /v3/{project_id}/instances/{instance_id}/monitor-policy | gaussdb:instance:list | √ | √ |
| Restarting a node | POST /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/restart | gaussdb:instance:restart | √ | √ |
| Upgrading the kernel version | POST /v3/{project_id}/instances/{instance_id}/db-upgrade | gaussdb:instance:upgrade | √ | √ |
| Enabling or disabling SSL | PUT /v3/{project_id}/instances/{instance_id}/ssl-option | gaussdb:instance:modifySSL | √ | √ |
| Binding an EIP | PUT /v3/{project_id}/instances/{instance_id}/public-ips/bind | gaussdb:instance:bindPublicIp | √ | √ |
| Unbinding an EIP | PUT /v3/{project_id}/instances/{instance_id}/public-ips/unbind | gaussdb:instance:unbindPublicIp | √ | √ |
| Manually performing a primary/standby switchover | PUT /v3/{project_id}/instances/{instance_id}/switchover | gaussdb:instance:switchover | √ | √ |
| Configuring the maintenance window | PUT /v3/{project_id}/instances/{instance_id}/ops-window | gaussdb:instance:modifyMaintenanceWindow | √ | √ |
| Changing a security group | PUT /v3/{project_id}/instances/{instance_id}/security-group | gaussdb:instance:modifySecurityGroup | √ | √ |
| Changing a private IP address | PUT /v3/{project_id}/instances/{instance_id}/internal-ip | gaussdb:instance:modifyIp | √ | √ |
| Changing the instance port | PUT /v3/{project_id}/instances/{instance_id}/port | gaussdb:instance:modifyPort | √ | √ |
| Modifying an instance remark | PUT /v3/{project_id}/instances/{instance_id}/alias | gaussdb:instance:modify | √ | √ |
| Applying for a private domain name | POST /v3/{project_id}/instances/{instance_id}/dns | gaussdb:instance:createDns | √ | √ |
| Changing a private domain name | PUT /v3/{project_id}/instances/{instance_id}/dns | gaussdb:instance:modifyDns | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Configuring a backup policy | PUT /v3/{project_id}/instances/{instance_id}/backups/policy/update | gaussdb:instance:modifyBackupPolicy | √ | √ |
| Creating a manual backup | POST /v3/{project_id}/backups/create | gaussdb:backup:create | √ | √ |
| Querying backups | GET /v3/{project_id}/backups | gaussdb:backup:list | √ | √ |
| Querying the automated backup policy | GET /v3/{project_id}/instances/{instance_id}/backups/policy | gaussdb:backup:list | √ | √ |
| Deleting a manual backup | DELETE /v3/{project_id}/backups/{backup_id} | gaussdb:backup:delete | √ | √ |
| Restoring a backup to the current or an existing instance | POST /v3/{project_id}/instances/restore | gaussdb:instance:restoreInPlace | √ | √ |
| Querying the restorable time range | GET /v3/{project_id}/instances/{instance_id}/restore-time | gaussdb:backup:list | √ | √ |
| Enabling or disabling backup encryption | POST /v3/{project_id}/instances/{instance_id}/backups/encryption | gaussdb:backup:encrypt | √ | √ |
| Querying whether backup encryption is enabled for an instance | GET /v3/{project_id}/instances/{instance_id}/backups/encryption | gaussdb:backup:list | √ | √ |
| Querying backups of a specified instance | GET /v3/{project_id}/instances/{instance_id}/backups | gaussdb:backup:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying parameter templates | GET /v3/{project_id}/configurations | gaussdb:param:list | √ | √ |
| Creating a parameter template | POST /v3/{project_id}/configurations | gaussdb:param:create | √ | √ |
| Deleting a parameter template | DELETE /v3/{project_id}/configurations/{configuration_id} | gaussdb:param:delete | √ | √ |
| Querying parameter template details | GET /v3/{project_id}/configurations/{configuration_id} | gaussdb:param:list | √ | √ |
| Modifying a parameter template | PUT /v3/{project_id}/configurations/{configuration_id} | gaussdb:param:modify | √ | √ |
| Applying a parameter template | PUT /v3/{project_id}/configurations/{configuration_id}/apply | gaussdb:param:apply | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying the instance quota of a tenant | GET /v3/{project_id}/project-quotas | gaussdb:instance:list | √ | √ |
| Querying a tenant's resource quotas by enterprise project | GET /v3/{project_id}/quotas | gaussdb:instance:list | √ | √ |
| Configuring a tenant's resource quotas by enterprise project | POST /v3/{project_id}/quotas | gaussdb:quota:modify | √ | √ |
| Modifying a tenant's resource quotas by enterprise project | PUT /v3/{project_id}/quotas | gaussdb:quota:modify | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Enabling database proxy | POST /v3/{project_id}/instances/{instance_id}/proxy | gaussdb:proxy:create | √ | √ |
| Disabling database proxy | DELETE /v3/{project_id}/instances/{instance_id}/proxy | gaussdb:proxy:delete | √ | √ |
| Querying database proxies | GET /v3/{project_id}/instances/{instance_id}/proxies | gaussdb:proxy:list | √ | √ |
| Querying database proxy specifications | GET /v3/{project_id}/instances/{instance_id}/proxy/flavors | gaussdb:proxy:list | √ | √ |
| Adding database proxy nodes | POST /v3/{project_id}/instances/{instance_id}/proxy/enlarge | gaussdb:proxy:addNodes | √ | √ |
| Changing database proxy specifications | PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/flavor | gaussdb:proxy:modifySpec | √ | √ |
| Configuring read/write splitting weights | PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/weight | gaussdb:proxy:modifyWeight | √ | √ |
| Configuring proxy transaction splitting | POST /v3/{project_id}/instances/{instance_id}/proxy/transaction-split | gaussdb:proxy:modifyTransactionSplit | √ | √ |
| Modifying proxy session consistency | PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/session-consistence | gaussdb:proxy:modifyConsistency | √ | √ |
| Changing the database proxy connection pool type | PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/connection-pool-type | gaussdb:proxy:switchConnectionPoolType | √ | √ |
| Changing the read/write splitting port | POST /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/port | gaussdb:proxy:modifyPort | √ | √ |
| Configuring the read/write splitting routing mode | PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/route-mode | gaussdb:proxy:modifyRouteMode | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Enabling or disabling full SQL | POST /v3/{project_id}/instance/{instance_id}/audit-log/switch | gaussdb:instance:modifyTraceSQLPolicy | √ | √ |
| Querying the full SQL switch status | GET /v3/{project_id}/instance/{instance_id}/audit-log/switch-status | gaussdb:instance:list | √ | √ |
| Querying slow log details | POST /v3.1/{project_id}/instances/{instance_id}/slow-logs | gaussdb:log:list | √ | √ |
| Querying error log details | POST /v3.1/{project_id}/instances/{instance_id}/error-logs | gaussdb:log:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying resource tags | GET /v3/{project_id}/instances/{instance_id}/tags | gaussdb:tag:list | √ | √ |
| Querying project tags | GET /v3/{project_id}/tags | gaussdb:tag:list | √ | √ |
| Adding or deleting tags in batches | POST /v3/{project_id}/instances/{instance_id}/tags/action | gaussdb:instance:dealTag | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a database user | POST /v3/{project_id}/instances/{instance_id}/db-users | gaussdb:user:create | √ | √ |
| Querying database users | GET /v3/{project_id}/instances/{instance_id}/db-users | gaussdb:user:list | √ | √ |
| Deleting a database user | DELETE /v3/{project_id}/instances/{instance_id}/db-users | gaussdb:user:delete | √ | √ |
| Modifying the remark of a database user | PUT /v3/{project_id}/instances/{instance_id}/db-users/comment | gaussdb:database:modify | √ | √ |
| Changing the password of a database user | PUT /v3/{project_id}/instances/{instance_id}/db-users/password | gaussdb:user:modify | √ | √ |
| Granting database permissions to a database user | POST /v3/{project_id}/instances/{instance_id}/db-users/privilege | gaussdb:user:grantPrivilege | √ | √ |
| Revoking database permissions from a database user | DELETE /v3/{project_id}/instances/{instance_id}/db-users/privilege | gaussdb:user:revokePrivilege | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying available database character sets | GET /v3/{project_id}/instances/{instance_id}/databases/charsets | gaussdb:database:list | √ | √ |
| Creating a database | POST /v3/{project_id}/instances/{instance_id}/databases | gaussdb:database:create | √ | √ |
| Querying databases | GET /v3/{project_id}/instances/{instance_id}/databases | gaussdb:database:list | √ | √ |
| Deleting a database | DELETE /v3/{project_id}/instances/{instance_id}/databases | gaussdb:database:delete | √ | √ |
| Modifying the remark of a database | PUT /v3/{project_id}/instances/{instance_id}/databases/comment | gaussdb:user:modify | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Enabling or disabling SQL throttling | POST /v3/{project_id}/instances/{instance_id}/sql-filter/switch | gaussdb:param:modify | √ | √ |
| Querying the SQL throttling switch status | GET /v3/{project_id}/instances/{instance_id}/sql-filter/switch | gaussdb:param:list | √ | √ |
| Configuring SQL throttling rules | PUT /v3/{project_id}/instances/{instance_id}/sql-filter/rules | gaussdb:param:modify | √ | √ |
| Querying SQL throttling rules | GET /v3/{project_id}/instances/{instance_id}/sql-filter/rules | gaussdb:param:list | √ | √ |
| Deleting SQL throttling rules | DELETE /v3/{project_id}/instances/{instance_id}/sql-filter/rules | gaussdb:param:modify | √ | √ |
| Querying user session threads of a node | GET /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/processes | gaussdb:instance:listProcesses | √ | √ |
| Killing user session threads of a node | DELETE /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/processes | gaussdb:instance:deleteProcesses | √ | √ |
| Querying historical SQL throttling rules | GET /v3/{project_id}/instances/{instance_id}/sql-filter/history-rules | gaussdb:param:list | √ | √ |
| Enabling autonomous throttling | PUT /v3/{project_id}/instances/{instance_id}/auto-sql-limiting | gaussdb:param:modify | √ | √ |
| Disabling autonomous throttling | DELETE /v3/{project_id}/instances/{instance_id}/auto-sql-limiting | gaussdb:param:modify | √ | √ |
| Querying autonomous throttling rules | POST /v3/{project_id}/instances/{instance_id}/auto-sql-limiting | gaussdb:param:list | √ | √ |
| Querying autonomous throttling execution records | GET /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/auto-sql-limiting/log | gaussdb:param:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying task information by task ID | GET /v3/{project_id}/jobs | gaussdb:instance:list | √ | √ |
| Querying immediate tasks | GET /v3/{project_id}/immediate-jobs | gaussdb:instance:list | √ | √ |
| Querying scheduled tasks | GET /v3/{project_id}/scheduled-jobs | gaussdb:instance:list | √ | √ |
| Canceling scheduled tasks | DELETE /v3/{project_id}/scheduled-jobs | gaussdb:instance:delete | √ | √ |
| Deleting a specified task record | DELETE /v3/{project_id}/jobs/{job_id} | gaussdb:instance:delete | √ | √ |

