文档首页/ VPC终端节点 VPCEP/ API参考/ API/ 终端节点功能/ 修改终端节点策略
更新时间:2024-09-11 GMT+08:00
在线调试
CLI示例
查看PDF
分享

修改终端节点策略

功能介绍

修改终端节点策略。

调用方法

请参见如何调用API

URI

PUT /v1/{project_id}/vpc-endpoints/{vpc_endpoint_id}/policy

表1 路径参数

参数

是否必选

参数类型

描述

project_id

String

项目ID

最小长度:1

最大长度:64

vpc_endpoint_id

String

终端节点的ID。

最小长度:1

最大长度:64

请求参数

表2 请求Header参数

参数

是否必选

参数类型

描述

X-Auth-Token

String

用户Token。通过调用IAM服务获取用户Token接口获取(响应消息头中X-Subject-Token的值)。

Content-Type

String

发送的实体的MIME类型。推荐用户默认使用application/json, 如果API是对象、镜像上传等接口,媒体类型可按照流类型的不同进行确定。

缺省值:application/json
表3 请求Body参数

参数

是否必选

参数类型

描述

policy_statement

Array of PolicyStatement objects

Gateway类型终端节点策略信息,仅限OBS、SFS的终端节点服务的enable_policy值为true时支持该参数。

policy_document

Object

终端节点策略信息,仅当终端节点服务的enable_policy值为true时支持该参数,默认值为完全访问权限。(OBS、SFS的终端节点服务暂不支持该参数)

数组长度:0 - 20480
表4 PolicyStatement

参数

是否必选

参数类型

描述

Effect

String

  • Allow,允许控制访问权限

  • Deny,拒绝控制访问权限

Action

Array of strings

obs访问权限

Resource

Array of strings

obs对象

响应参数

状态码: 200

表5 响应Body参数

参数

参数类型

描述

id

String

终端节点的ID,唯一标识。

最小长度:1

最大长度:64

service_type

String

终端节点连接的终端节点服务类型。

  • gateway:由运维人员配置。用户无需创建,可直接使用。

  • interface:包括运维人员配置的云服务和用户自己创建的私有服务。 其中,运维人员配置的云服务无需创建,用户可直接使用。 您可以通过查询公共终端节点服务列表, 查看由运维人员配置的所有用户可见且可连接的终端节点服务, 并通过创建终端节点服务创建Interface类型的终端节点服务。

status

String

终端节点的连接状态。

  • pendingAcceptance:待接受

  • creating:创建中

  • accepted:已接受

  • rejected:已拒绝

  • failed:失败

  • deleting:删除中

active_status

Array of strings

账号状态。

  • frozen:冻结

  • active:解冻

endpoint_service_name

String

终端节点服务的名称。

marker_id

Integer

终端节点的报文标识。

endpoint_service_id

String

终端节点服务的ID。

最小长度:1

最大长度:64

ip

String

访问所连接的终端节点服务的IP。 仅当同时满足如下条件时,返回该参数: 当查询连接interface类型终端节点服务的终端节点时。 终端节点服务启用“连接审批”功能,且已经“接受”连接审批。 “status”可以是“accepted”或者“rejected(仅支持“接受”连接审批后再“拒绝”的情况)”。

最小长度:1

最大长度:64

vpc_id

String

终端节点所在的VPC的ID。

最小长度:1

最大长度:64

created_at

String

终端节点的创建时间。 采用UTC时间格式,格式为:YYYY-MM-DDTHH:MM:SSZ

updated_at

String

终端节点的更新时间。 采用UTC时间格式,格式为:YYYY-MM-DDTHH:MM:SSZ

project_id

String

项目ID,获取方法请参见获取项目ID。

最小长度:1

最大长度:64

tags

Array of TagList objects

标签列表,没有标签默认为空数组。

error

Array of QueryError objects

错误信息。 当终端节点状态异常,即“status”的值为“failed”时,会返回该字段。

whitelist

Array of strings

控制访问终端节点的白名单。 若未创建,则返回空列表。 创建连接Interface类型终端节点服务的终端节点时,显示此参数。

最小长度:0

最大长度:32

enable_whitelist

Boolean

是否开启网络ACL隔离。

  • true:开启网络ACL隔离

  • false:不开启网络ACL隔离 若未指定,则返回false。 创建连接Interface类型终端节点服务的终端节点时,显示此参数。

routetables

Array of strings

路由表ID列表。 若未指定,返回默认VPC下路由表ID。 创建gateway类型终端节点服务的终端节点时,显示此参数。

最小长度:0

最大长度:64

description

String

描述字段,支持中英文字母、数字等字符,不支持“<”或“>”字符。

最小长度:0

最大长度:512

policy_statement

Array of PolicyStatement objects

Gateway类型终端节点策略信息,仅限OBS、SFS的终端节点服务的enable_policy值为true时支持该参数。

数组长度:0 - 10

policy_document

Object

终端节点策略信息,仅当终端节点服务的enable_policy值为true时支持该参数,默认值为完全访问权限。(OBS、SFS的终端节点服务暂不支持该参数)

数组长度:0 - 20480

endpoint_pool_id

String

待废弃,实例相关联的集群ID

最小长度:1

最大长度:64

public_border_group

String

终端节点关联的Public Border Group信息,只有当终端节点和边缘Pool相关联时才会返回该字段
表6 TagList

参数

参数类型

描述

key

String

键。 key不能为空,长度1~128个字符(中文也可以输入128个字符)。 可用 UTF-8 格式表示的字母(包含中文、西班牙语、葡语等)、数字和空格,以及以下字符: _ . : = + - @。 _sys_开头属于系统标签,租户不能输入。 key两头不能有空格字符。

最小长度:1

最大长度:128

value

String

值。 长度0~255个字符(中文也可以输入255个字符)。 可用 UTF-8 格式表示的字母(包含中文、西班牙语、葡语等)、数字和空格,以及以下字符: _ . : / = + - @。 资源标签值可以为空字符串。

最大长度:255
表7 QueryError

参数

参数类型

描述

error_code

String

错误编码。

最小长度:0

最大长度:10

error_message

String

错误信息。

最小长度:0

最大长度:1024
表8 PolicyStatement

参数

参数类型

描述

Effect

String

  • Allow,允许控制访问权限

  • Deny,拒绝控制访问权限

Action

Array of strings

obs访问权限

Resource

Array of strings

obs对象

请求示例

  • 修改网关型终端节点策略,设置OBS访问权限和OBS对象并允许访问。

    PUT https://{endpoint}/v1/{project_id}/vpc-endpoints/938c8167-631e-40a4-99f9-493753fbd16b/policy

{
  "policy_statement" : [ {
    "Action" : [ "obs:*:*" ],
    "Resource" : [ "obs:*:*:*:*/*", "obs:*:*:*:*" ],
    "Effect" : "Allow"
  } ]
}

  • 修改终端节点策略信息。

    PUT https://{endpoint}/v1/{project_id}/vpc-endpoints/2af6c328-057a-4146-882b-6828e270e594/policy

{
  "policy_document" : {
    "Version" : "5.0",
    "Statement" : [ {
      "Effect" : "Allow",
      "Principal" : "*",
      "Action" : [ "*" ],
      "Resource" : [ "*" ]
    } ]
  }
}

响应示例

状态码: 200

服务器已成功处理了请求

  • {
  "id" : "938c8167-631e-40a4-99f9-493753fbd16b",
  "status" : "accepted",
  "tags" : [ ],
  "marker_id" : 302035929,
  "active_status" : [ "active" ],
  "vpc_id" : "0da03835-1dcf-4361-9b87-34139d58dd59",
  "service_type" : "gateway",
  "project_id" : "0605767a3300d5762fb7c0186d9e1779",
  "routetables" : [ "99477d3b-87f6-49d2-8f3b-2ffc72731a38" ],
  "created_at" : "2022-08-03T03:03:54Z",
  "updated_at" : "2022-08-03T03:03:57Z",
  "endpoint_service_id" : "4651bc78-5cec-41b7-b448-f77326ebbed0",
  "endpoint_service_name" : "br-abc-aaa1.obs_test.4651bc78-5cec-41b7-b448-f77326ebbed0",
  "policy_statement" : [ {
    "Action" : [ "obs:*:*" ],
    "Resource" : [ "obs:*:*:*:*/*", "obs:*:*:*:*" ],
    "Effect" : "Allow"
  } ],
  "description" : "",
  "endpoint_pool_id" : "b0ad6a4f-55c0-43f1-a26d-278639661fc2"
}
  • {
  "id" : "2af6c328-057a-4146-882b-6828e270e594",
  "status" : "accepted",
  "tags" : [ ],
  "marker_id" : 335620220,
  "active_status" : [ "active" ],
  "vpc_id" : "a8494c3b-5dc9-46a4-8ca1-17a54f588d17",
  "service_type" : "interface",
  "project_id" : "0df9cbd6cf00f37***0c64b5af21",
  "created_at" : "2022-08-03T03:03:54Z",
  "updated_at" : "2022-08-03T03:03:57Z",
  "endpoint_service_id" : "925b47bd-ffef-4abe-a450-d997f4f4e2be",
  "endpoint_service_name" : "com.myhuaweicloud.cn-southwest-2.swr",
  "policy_document" : {
    "Version" : "5.0",
    "Statement" : [ {
      "Effect" : "Allow",
      "Principal" : "*",
      "Action" : [ "*" ],
      "Resource" : [ "*" ]
    } ]
  },
  "description" : "",
  "endpoint_pool_id" : "15027791-b2b5-4b12-8e01-8dec1b576bf1"
}

SDK代码示例

SDK代码示例如下。

  • 修改网关型终端节点策略,设置OBS访问权限和OBS对象并允许访问。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
    		 
    package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpcep.v1.region.VpcepRegion;
import com.huaweicloud.sdk.vpcep.v1.*;
import com.huaweicloud.sdk.vpcep.v1.model.*;

import java.util.List;
import java.util.ArrayList;

public class UpdateEndpointPolicySolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        VpcepClient client = VpcepClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcepRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateEndpointPolicyRequest request = new UpdateEndpointPolicyRequest();
        UpdateEndpointPolicyRequestBody body = new UpdateEndpointPolicyRequestBody();
        List<String> listPolicyStatementResource = new ArrayList<>();
        listPolicyStatementResource.add("obs:*:*:*:*/*");
        listPolicyStatementResource.add("obs:*:*:*:*");
        List<String> listPolicyStatementAction = new ArrayList<>();
        listPolicyStatementAction.add("obs:*:*");
        List<PolicyStatement> listbodyPolicyStatement = new ArrayList<>();
        listbodyPolicyStatement.add(
            new PolicyStatement()
                .withEffect(PolicyStatement.EffectEnum.fromValue("Allow"))
                .withAction(listPolicyStatementAction)
                .withResource(listPolicyStatementResource)
        );
        body.withPolicyStatement(listbodyPolicyStatement);
        request.withBody(body);
        try {
            UpdateEndpointPolicyResponse response = client.updateEndpointPolicy(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

  • 修改终端节点策略信息。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
    		 
    package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpcep.v1.region.VpcepRegion;
import com.huaweicloud.sdk.vpcep.v1.*;
import com.huaweicloud.sdk.vpcep.v1.model.*;


public class UpdateEndpointPolicySolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        VpcepClient client = VpcepClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcepRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateEndpointPolicyRequest request = new UpdateEndpointPolicyRequest();
        UpdateEndpointPolicyRequestBody body = new UpdateEndpointPolicyRequestBody();
        body.withPolicyDocument("{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"*\"],\"Resource\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":\"*\"}]}");
        request.withBody(body);
        try {
            UpdateEndpointPolicyResponse response = client.updateEndpointPolicy(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

  • 修改网关型终端节点策略,设置OBS访问权限和OBS对象并允许访问。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
    		 
    # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpcep.v1.region.vpcep_region import VpcepRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpcep.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = BasicCredentials(ak, sk)

    client = VpcepClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcepRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateEndpointPolicyRequest()
        listResourcePolicyStatement = [
            "obs:*:*:*:*/*",
            "obs:*:*:*:*"
        ]
        listActionPolicyStatement = [
            "obs:*:*"
        ]
        listPolicyStatementbody = [
            PolicyStatement(
                effect="Allow",
                action=listActionPolicyStatement,
                resource=listResourcePolicyStatement
            )
        ]
        request.body = UpdateEndpointPolicyRequestBody(
            policy_statement=listPolicyStatementbody
        )
        response = client.update_endpoint_policy(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

  • 修改终端节点策略信息。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
    		 
    # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpcep.v1.region.vpcep_region import VpcepRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpcep.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = BasicCredentials(ak, sk)

    client = VpcepClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcepRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateEndpointPolicyRequest()
        request.body = UpdateEndpointPolicyRequestBody(
            policy_document="{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"*\"],\"Resource\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":\"*\"}]}"
        )
        response = client.update_endpoint_policy(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

  • 修改网关型终端节点策略,设置OBS访问权限和OBS对象并允许访问。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
    		 
    package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    vpcep "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := vpcep.NewVpcepClient(
        vpcep.VpcepClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateEndpointPolicyRequest{}
	var listResourcePolicyStatement = []string{
        "obs:*:*:*:*/*",
	    "obs:*:*:*:*",
    }
	var listActionPolicyStatement = []string{
        "obs:*:*",
    }
	var listPolicyStatementbody = []model.PolicyStatement{
        {
            Effect: model.GetPolicyStatementEffectEnum().ALLOW,
            Action: listActionPolicyStatement,
            Resource: listResourcePolicyStatement,
        },
    }
	request.Body = &model.UpdateEndpointPolicyRequestBody{
		PolicyStatement: &listPolicyStatementbody,
	}
	response, err := client.UpdateEndpointPolicy(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

  • 修改终端节点策略信息。

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
    		 
    package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    vpcep "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := vpcep.NewVpcepClient(
        vpcep.VpcepClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateEndpointPolicyRequest{}
	var policyDocumentUpdateEndpointPolicyRequestBody interface{} = "{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"*\"],\"Resource\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":\"*\"}]}"
	request.Body = &model.UpdateEndpointPolicyRequestBody{
		PolicyDocument: &policyDocumentUpdateEndpointPolicyRequestBody,
	}
	response, err := client.UpdateEndpointPolicy(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

更多编程语言的SDK代码示例,请参见API Explorer的代码示例页签,可生成自动对应的SDK代码示例。

状态码

状态码

描述

200

服务器已成功处理了请求

错误码

请参见错误码

父主题: 终端节点功能

相关文档