Managing CBH Instance Permissions and Supported Actions
This section describes fine-grained permissions management for your CBH. If your account does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
Permissions are classified into roles and policies based on the authorization granularity.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.
Supported Actions
CBH provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.
- Permission: A statement in a policy that allows or denies certain operations.
- Action: Specific operations that are allowed or denied.
Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Querying total ECS quota | GET /v2/{project_id}/cbs/instance/ecs-quota | cbh:instance:getEcsQuota | √ | × |
Querying the AZ of a CBH instance | GET /v2/{project_id}/cbs/available-zone | cbh:instance:getAvailableZones | √ | × |
Logging in to a CBH instance | POST /v2/{project_id}/cbs/instance/login | cbh:instance:login | √ | × |
Stopping a CBH instance | POST /v2/{project_id}/cbs/instance/stop | cbh:instance:stop | √ | × |
Restarting a CBH instance | POST /v2/{project_id}/cbs/instance/reboot | cbh:instance:reboot | √ | × |
Upgrading the CBH system version | POST /v2/{project_id}/cbs/instance/upgrade | cbh:instance:upgrade | √ | × |
Changing the password of the admin user for a CBH instance | PUT /v2/{project_id}/cbs/instance/password | cbh:instance:resetPassword | √ | × |
Starting a CBH instance | POST /v2/{project_id}/cbs/instance/start | cbh:instance:start | √ | × |
Expanding a CBH instance edition | PUT /v2/{project_id}/cbs/instance | cbh:instance:alterSpec | √ | × |
Creating a CBH instance | POST /v2/{project_id}/cbs/instance | cbh:instance:create | √ | √ |
Binding or unbinding an EIP | | cbh:instance:eipOperate | √ | × |
Creating a CBH agency | POST /v2/{project_id}/cbs/agency/authorization | cbh:agency:authorize | √ | × |
Querying the CBH instance list | GET /v2/{project_id}/cbs/instance/list | cbh:instance:list | √ | × |

Permission | API | Action | Permission Dependency | IAM Project | Enterprise Project |
---|---|---|---|---|---|
Grants the permission to obtain the ECS quota. | GET /v2/{project_id}/cbs/instance/ecs-quota | cbh::getEcsQuota | ecs:cloudServerFlavors:get | √ | × |
Grants the permission to query the CBH instance quotas. | GET /v2/{project_id}/cbs/instance/quota | cbh::getQuota | - | √ | × |
Grants the permission to query the CBH status. | GET /v2/{project_id}/cbs/instance/{server_id}/status | cbh:instance:getInstanceStatus | - | √ | × |
Grants the permission to obtain the URLs for O&M of assets managed in CBH. | GET /v2/{project_id}/cbs/instance/get-om-url | cbh:instance:getOmUrl | - | √ | × |
Grants the permission to obtain the authorization information of the CBH service from the tenant. | GET /v2/{project_id}/cbs/agency/authorization | cbh::getAuthorization | | √ | × |
Grants the permission to query tags of CBH instances. | GET /v2/{project_id}/cbs/instance/{resource_id}/tags | cbh:instance:getInstanceTags | - | √ | × |
Grants the permission to start a CBH instance. | POST /v2/{project_id}/cbs/instance/start | cbh:instance:startInstance | - | √ | × |
Grants the permission to disable a CBH instance. | POST /v2/{project_id}/cbs/instance/stop | cbh:instance:stopInstance | - | √ | × |
Grants the permission to restart a CBH instance. | POST /v2/{project_id}/cbs/instance/reboot | cbh:instance:rebootInstance | - | √ | × |
Grants the permission to upgrade a CBH instance. | POST /v2/{project_id}/cbs/instance/upgrade | cbh:instance:upgradeInstance | - | √ | × |
Grants the permission to roll back a CBH instance. | POST /v2/{project_id}/cbs/instance/rollback | cbh:instance:rollbackInstance | - | √ | × |
Grants the permission to log in to a CBH instance as an IAM user. | POST /v2/{project_id}/cbs/instance/login | cbh:instance:loginInstance | - | √ | × |
Grants the permission to reset a password for logging in to a CBH. | PUT /v2/{project_id}/cbs/instance/password | cbh:instance:resetInstancePassword | - | √ | × |
Grants the permission to switch the VPC of the bastion host instance. | PUT /v2/{project_id}/cbs/instance/vpc | cbh:instance:switchInstanceVpc | vpc:subnets:get | √ | × |
Grants the permission to reset the CBH instance login mode. | PUT /v2/{project_id}/cbs/instance/login-method | cbh:instance:resetInstanceLoginMethod | - | √ | × |
Grants the permission to delete a faulty CBH instance. | DELETE /v2/{project_id}/cbs/instance | cbh:instance:deleteInstance | - | √ | × |
Grants the permission to change a CBH instance. | PUT /v2/{project_id}/cbs/instance | cbh:instance:alterInstance | - | √ | × |
Grants the permission to create a CBH instance. | POST /v2/{project_id}/cbs/instance | cbh:instance:createInstance | | √ | √ |
Grants the permission to bind an EIP to a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/bind | cbh:instance:bindInstanceEip | | √ | × |
Grants the permission to unbind an EIP from a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/unbind | cbh:instance:unbindInstanceEip | | √ | × |
Grants the permission to update the security group of a CBH instance. | PUT /v2/{project_id}/cbs/instance/{server_id}/security-groups | cbh:instance:updateInstanceSecurityGroup | | √ | × |
Grants the permission to create or cancel the agency authorization for the CBH service. | POST /v2/{project_id}/cbs/agency/authorization | cbh::operateAuthorization | | √ | × |
Grants the permission to log in to a CBH instance as user admin. | GET /v2/{project_id}/cbs/instances/{server_id}/admin-url | cbh:instance:loginInstanceAdmin | - | √ | × |
Grants the permission to modify the type of single-node CBH instances. | PUT /v2/{project_id}/cbs/instance/type | cbh:instance:changeInstanceType | | √ | × |
Grants the permission to query all AZs. | GET /v2/{project_id}/cbs/available-zone | cbh::listAvailableZones | - | √ | × |
Grants the permission to query the CBH specifications. | GET /v2/{project_id}/cbs/instance/specification | cbh::listSpecifications | - | √ | × |
Grants the permission to list CBH instances. | GET /v2/{project_id}/cbs/instance/list | cbh:instance:listInstances | eps:enterpriseProjects:list | √ | × |
Grants the permission to query all tags. | GET /v2/{project_id}/cbs/instance/tags | cbh::listTags | - | √ | × |
Grants the permission to search for instances by tag. | POST /v2/{project_id}/cbs/instance/filter | cbh:instance:listInstancesByTag | - | √ | × |
Grants the permission to count the number of instances that meet the tag conditions. | POST /v2/{project_id}/cbs/instance/count | cbh:instance:countInstancesByTag | - | √ | × |
Grants the permission to operate the resource tags of the CBH instance. | POST /v2/{project_id}/cbs/instance/{resource_id}/tags/action | cbh:instance:operateInstanceTags | - | √ | × |
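
One way to lint a custom policy against the second table above before attaching it (an added example, not code from this page or from the CBH service): it reports granted CBH actions whose listed permission dependency is missing and, when the policy is meant for enterprise-project authorization, CBH actions marked × in the Enterprise Project column. The policy JSON layout, the `*` wildcard matching, and every function and variable name are assumptions made for the example.

```python
import fnmatch

# Explicit "Permission Dependency" cells from the second table above.
# Rows whose dependency cell is blank on the page are not covered here.
DEPENDS = {
    "cbh::getEcsQuota": "ecs:cloudServerFlavors:get",
    "cbh:instance:switchInstanceVpc": "vpc:subnets:get",
    "cbh:instance:listInstances": "eps:enterpriseProjects:list",
}
# The only action in that table marked √ under "Enterprise Project".
ENTERPRISE_OK = {"cbh:instance:createInstance"}

def allowed_actions(policy):
    """Return every action pattern named in an Allow statement."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(stmt.get("Action", []))
    return granted

def covers(patterns, action):
    """True if any granted pattern (assumed '*' wildcards) matches the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def audit(policy, enterprise_project_scope=False):
    """Return sorted (finding, detail) tuples for a custom policy document."""
    granted = allowed_actions(policy)
    findings = []
    for action, dep in DEPENDS.items():
        if covers(granted, action) and not covers(granted, dep):
            findings.append(("missing-dependency", f"{action} needs {dep}"))
    if enterprise_project_scope:
        for pattern in granted:
            if pattern.startswith("cbh:") and pattern not in ENTERPRISE_OK:
                findings.append(("iam-project-only", pattern))
    return sorted(findings)

# Constructed sample policy; the Version/Statement/Effect/Action layout is assumed.
SAMPLE_POLICY = {"Version": "5.0", "Statement": [{
    "Effect": "Allow",
    "Action": ["cbh:instance:createInstance", "cbh:instance:listInstances",
               "cbh:instance:switchInstanceVpc", "vpc:subnets:get"],
}]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, enterprise_project_scope=True):
        print(finding)
```
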