Permissions Policies and Supported Actions

This chapter describes fine-grained permissions management for CCI. If your HUAWEI CLOUD account does not need individual IAM users, you can skip this chapter.

A policy is a set of permissions defined in JSON format. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on CCI based on the permissions.

There are fine-grained policies and role-based access control (RBAC) policies. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control than RBAC policies.

NOTE:
  • Fine-grained policies are currently available for open beta testing. You can apply to use the fine-grained access control function free of charge. For more information, see Applying for Fine-Grained Access Control.
  • If you want to allow or deny access to an API, fine-grained authorization is a good choice.

A HUAWEI CLOUD account has all of the permissions required to call all APIs, but IAM users must have the required permissions specifically assigned. The permissions required for calling an API are determined by the actions supported by the API. Only users that have been granted permissions allowing the actions can call the API successfully. For example, if an IAM user queries pods using an API, the user must have been granted permissions that allow the CCI:namespaceSubResource:Get action.
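The API-to-action mapping described above can be used to derive a least-privilege action list and to check what a policy actually permits. The following Python is an added example, not code from HUAWEI CLOUD: it embeds a constructed subset of this chapter's action tables, computes the smallest action list for a set of requests, and lists every API in that subset the resulting policy allows. The policy document shape (Version, Statement, Effect, Action), the function names and the sample workload are assumptions.

```python
import re

# Constructed subset of this chapter's action tables:
# (HTTP method, path template) -> actions the caller must be granted.
ACTION_TABLE = {
    ("GET", "/api/v1/namespaces/{name}"): {"CCI:namespace:get"},
    ("GET", "/api/v1/namespaces/{namespace}/pods"): {"CCI:namespaceSubResource:List"},
    ("GET", "/api/v1/namespaces/{namespace}/pods/{name}/log"): {"CCI:namespaceSubResource:Get"},
    ("GET", "/api/v1/namespaces/{namespace}/configmaps/{name}"): {"CCI:namespaceSubResource:Get"},
    ("POST", "/apis/apps/v1/namespaces/{namespace}/deployments"):
        {"CCI:namespaceSubResource:Create", "elb:loadbalancers:create"},
}


def _pattern(template):
    """Turn '/pods/{name}' into a regex where each {placeholder} is one path segment."""
    parts = re.split(r"\{[^/{}]+\}", template)
    return re.compile("[^/]+".join(re.escape(p) for p in parts))


_ROUTES = [(m, t, _pattern(t), a) for (m, t), a in ACTION_TABLE.items()]


def required_actions(method, path):
    """Return the actions needed for a concrete request, or None if the API is not in the table."""
    path = path.split("?", 1)[0]  # query parameters do not change the required action
    for m, _tmpl, rx, actions in _ROUTES:
        if m == method.upper() and rx.fullmatch(path):
            return set(actions)
    return None


def minimal_policy(requests):
    """Build the smallest Allow statement covering every (method, path) a workload issues."""
    needed = set()
    for method, path in requests:
        actions = required_actions(method, path)
        if actions is None:
            raise ValueError(f"no action mapping for {method} {path}")
        needed |= actions
    # Assumed document shape for an IAM custom policy (not shown on this page).
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": sorted(needed)}]}


def reachable_apis(policy):
    """List every table row the policy permits, including ones the author did not intend."""
    granted = {a for s in policy["Statement"] if s["Effect"] == "Allow" for a in s["Action"]}
    return sorted(f"{m} {t}" for m, t, _rx, acts in _ROUTES if acts <= granted)


# Constructed workload: a log collector that lists pods and reads their logs.
LOG_COLLECTOR = [("GET", "/api/v1/namespaces/prod/pods"),
                 ("GET", "/api/v1/namespaces/prod/pods/web-0/log?tailLines=50")]
POLICY = minimal_policy(LOG_COLLECTOR)
```

Because CCI:namespaceSubResource:Get is shared by several sub-resource types in the tables, `reachable_apis(POLICY)` also returns the ConfigMap read API even though the workload only reads pod logs.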

Supported Actions

Operations supported by a fine-grained policy are specific to APIs. The following describes the headers of the action tables provided in this chapter:

  • Permissions: Defined by actions in a custom policy.
  • Actions: Added to a custom policy to control permissions for specific operations.
  • Authorization Scope: A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect for IAM. Such policies will not take effect if they are assigned to user groups in Enterprise Management. For details about the differences between IAM and enterprise projects, see Differences Between IAM Projects and Enterprise Projects.
  • APIs: REST APIs that can be called in a custom policy.

CCI supports the following actions that can be defined in custom policies:

Namespace Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Namespace | CCI:namespace:create | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces |
| Reading a Namespace | CCI:namespace:get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{name} |
| Listing Namespaces | CCI:namespace:list | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces |
| Deleting a Namespace | CCI:namespace:delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{name} |

Pod Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Pod | CCI:namespaceSubResource:Create | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces/{namespace}/pods |
| Reading a Pod | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/pods/{name} |
| Reading All Pods Under a Specified Namespace | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/pods |
| Reading the Status of a Pod | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/pods/{name}/status |
| Reading Pod Logs | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/pods/{name}/log |
| Listing All Pods of a User | cci:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /api/v1/pods |
| Replacing a Pod | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /api/v1/namespaces/{namespace}/pods/{name} |
| Updating a Pod | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /api/v1/namespaces/{namespace}/pods/{name} |
| Deleting a Pod | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/pods/{name} |
| Deleting All Pods | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/pods |

Deployment Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Deployment | CCI:namespaceSubResource:Create, elb:loadbalancers:create | Supported: IAM projects and enterprise projects | POST /apis/apps/v1/namespaces/{namespace}/deployments |
| Reading a Deployment | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/deployments/{name} |
| Reading All Deployments Under a Namespace | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/deployments |
| Reading the Status of a Deployment | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}/status |
| Reading the Scaling Operation of a Specified Deployment | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale |
| Listing All Deployments of a User | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/deployments |
| Replacing a Deployment | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /apis/apps/v1/namespaces/{namespace}/deployments/{name} |
| Replacing the Scaling Operation of a Specified Deployment | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale |
| Updating a Deployment | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /apis/apps/v1/namespaces/{namespace}/deployments/{name} |
| Updating the Scaling Operation of a Specified Deployment | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale |
| Deleting a Deployment | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/apps/v1/namespaces/{namespace}/deployments/{name} |
| Deleting All Deployments Under a Specified Namespace | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/apps/v1/namespaces/{namespace}/deployments |

StatefulSet Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a StatefulSet | CCI:namespaceSubResource:Create, elb:loadbalancers:create | Supported: IAM projects and enterprise projects | POST /apis/apps/v1/namespaces/{namespace}/statefulsets |
| Reading a StatefulSet | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/statefulsets/{name} |
| Reading All StatefulSets Under a Specified Namespace | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/statefulsets |
| Reading the Status of a StatefulSet | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status |
| Listing All StatefulSets of a User | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/apps/v1/statefulsets |
| Replacing a StatefulSet | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /apis/apps/v1/namespaces/{namespace}/statefulsets/{name} |
| Updating a StatefulSet | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /apis/apps/v1/namespaces/{namespace}/statefulsets/{name} |
| Deleting a StatefulSet | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/apps/v1/namespaces/{namespace}/statefulsets/{name} |
| Deleting All StatefulSets | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/apps/v1/namespaces/{namespace}/statefulsets |

Job Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Job | CCI:namespaceSubResource:Create, elb:loadbalancers:create | Supported: IAM projects and enterprise projects | POST /apis/batch/v1/namespaces/{namespace}/jobs |
| Reading a Job | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/batch/v1/namespaces/{namespace}/jobs/{name} |
| Reading All Jobs Under a Specified Namespace | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/batch/v1/namespaces/{namespace}/jobs |
| Reading the Status of a Job | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status |
| Listing All Jobs of a User | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/batch/v1/jobs |
| Replacing a Job | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name} |
| Updating a Job | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name} |
| Deleting a Job | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/batch/v1/namespaces/{namespace}/jobs/{name} |
| Deleting All Jobs | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/batch/v1/namespaces/{namespace}/jobs |

Service Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Service | CCI:namespaceSubResource:Create, elb:loadbalancers:create | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces/{namespace}/services |
| Reading a Service | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/services/{name} |
| Listing Services | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/services |
| Reading the Status of a Service | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/services/{name}/status |
| Replacing a Service | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /api/v1/namespaces/{namespace}/services/{name} |
| Updating a Service | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /api/v1/namespaces/{namespace}/services/{name} |
| Deleting a Service | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/services/{name} |

Ingress Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating an Ingress | CCI:namespaceSubResource:Create, elb:loadbalancers:create | Supported: IAM projects and enterprise projects | POST /apis/extensions/v1beta1/namespaces/{namespace}/ingresses |
| Reading an Ingress | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name} |
| Listing Ingresses | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/extensions/v1beta1/namespaces/{namespace}/ingresses |
| Reading the Status of an Ingress | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name}/status |
| Replacing an Ingress | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name} |
| Updating an Ingress | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name} |
| Deleting an Ingress | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name} |
| Deleting All Ingresses | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /apis/extensions/v1beta1/namespaces/{namespace}/ingresses |

Network Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Network | CCI:namespaceSubResource:Create, vpc:vpcs:create, vpc:ports:create, vpc:vpcs:get, vpc:subnets:get, vpc:publicIps:get, vpc:bandwidths:get, vpc:ports:get, vpc:peerings:get, vpc:quotas:list, vpc:privateIps:get, vpc:securityGroups:get, vpc:securityGroupRules:get, vpc:networks:get, vpc:routers:get, vpc:floatingIps:get, vpc:firewallRules:get | Supported: IAM projects and enterprise projects | POST /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks |
| Reading a Network | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks/{name} |
| Listing Networks | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks |
| Reading the Status of a Network | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks/{name}/status |
| Deleting a Network | CCI:namespaceSubResource:Delete, vpc:vpcs:delete, vpc:ports:delete | Supported: IAM projects and enterprise projects | DELETE /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks/{name} |
| Deleting All Networks | CCI:namespaceSubResource:Delete, vpc:vpcs:delete, vpc:ports:delete | Supported: IAM projects and enterprise projects | DELETE /apis/networking.cci.io/v1beta1/namespaces/{namespace}/networks |

PersistentVolumeClaim Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a PersistentVolumeClaim | CCI:namespaceSubResource:Create; EVS volumes: evs:volumes:create, evs:volumes:get, evs:types:get; SFS volumes: sfs:shares:createShare, sfs:shares:getOSQuotaSets, sfs:shares:ShareAction | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces/{namespace}/persistentvolumeclaims |
| Reading a PersistentVolumeClaim | CCI:namespaceSubResource:Get; EVS volumes: evs:volumes:get; SFS volumes: sfs:shares:getAllSharesDetail | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name} |
| Listing PersistentVolumeClaims | CCI:namespaceSubResource:List; EVS volumes: evs:volumes:list; SFS volumes: sfs:shares:getAllSharesDetail, sfs:shares:ShareAction; OBS volumes: obs:bucket:ListAllMyBuckets | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/persistentvolumeclaims |
| Deleting a PersistentVolumeClaim | CCI:namespaceSubResource:Delete; EVS volumes: evs:volumes:delete, evs:volumes:get; SFS volumes: sfs:shares:deleteShare | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name} |

ConfigMap Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a ConfigMap | CCI:namespaceSubResource:Create | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces/{namespace}/configmaps |
| Reading a ConfigMap | CCI:namespaceSubResource:Get | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/configmaps/{name} |
| Listing ConfigMaps | CCI:namespaceSubResource:List | Supported: IAM projects and enterprise projects | GET /api/v1/namespaces/{namespace}/configmaps |
| Replacing a ConfigMap | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /api/v1/namespaces/{namespace}/configmaps/{name} |
| Updating a ConfigMap | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /api/v1/namespaces/{namespace}/configmaps/{name} |
| Deleting a ConfigMap | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/configmaps/{name} |
| Deleting All ConfigMaps | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/configmaps |

Secret Management

| Permissions | Actions | Authorization Scope | APIs |
|---|---|---|---|
| Creating a Secret | CCI:namespaceSubResource:Create | Supported: IAM projects and enterprise projects | POST /api/v1/namespaces/{namespace}/secrets |
| Replacing a Secret | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PUT /api/v1/namespaces/{namespace}/secrets/{name} |
| Updating a Secret | CCI:namespaceSubResource:Update | Supported: IAM projects and enterprise projects | PATCH /api/v1/namespaces/{namespace}/secrets/{name} |
| Deleting a Secret | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/secrets/{name} |
| Deleting All Secrets | CCI:namespaceSubResource:Delete | Supported: IAM projects and enterprise projects | DELETE /api/v1/namespaces/{namespace}/secrets |