Advanced Mode
Advanced mode gives you a more flexible topic policy. You specify which users and cloud services may perform which topic operations, for example querying topic details, modifying topics, publishing messages, and deleting topics.
Introduction to Topic Policies
A topic policy is configured by the topic creator to allow or deny other users or cloud services specified operations on the topic. Table 1 lists the elements that make up a topic policy.
| Item | Description | Constraint |
|---|---|---|
| Version | Policy specification version | Only 2016-09-07 is supported. |
| Id | Policy ID, which uniquely identifies a policy | The policy ID must be specified. |
| Statement | Statements grant (or deny) topic operation permissions to other users or cloud services. A topic policy may contain one or more statements. | A policy must contain at least one statement. For details about the elements in a statement, see Statement Elements. |
The following is an example topic policy that contains two statements, Statement1 and Statement2 (placeholders for complete statement objects):

```json
{
  "Version": "2016-09-07",
  "Id": "access_policy_01",
  "Statement": [
    {Statement1},
    {Statement2}
  ]
}
```
Statement Elements
The following example is a complete topic policy with two statements. The first allows two accounts, identified by their CSP URNs, to publish messages to the topic and query its details; the second grants the same two actions to the OBS cloud service. Table 2 lists the statement elements.

```json
{
  "Version": "2016-09-07",
  "Id": "__default_policy_ID",
  "Statement": [
    // The first statement
    {
      "Sid": "__user_pub_0",
      "Effect": "Allow",
      "Principal": {
        "CSP": [
          "urn:csp:iam::123456789:root",
          "urn:csp:iam::987654321:root"
        ]
      },
      "Action": [
        "SMN:Publish",
        "SMN:QueryTopicDetail"
      ],
      "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
    },
    // The second statement
    {
      "Sid": "__service_pub_0",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "obs"
        ]
      },
      "Action": [
        "SMN:Publish",
        "SMN:QueryTopicDetail"
      ],
      "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
    }
  ]
}
```
| Element | Description | Constraint |
|---|---|---|
| Sid | Statement ID | The statement ID must be unique within the policy, for example, statement01 or statement02. |
| Effect | Whether the statement allows or denies the operations it matches | The effect can be Allow or Deny. |
| Principal / NotPrincipal | Principal lists the users (CSP) or cloud services (Service) the statement applies to; NotPrincipal applies the statement to everyone except those listed. | Either the Principal or NotPrincipal element must be configured. If you enter CSP, specify each user in the format urn:csp:iam::domainId:root and obtain the account ID of each user you specify. If you enter Service, specify the cloud service names in lowercase. |
| Action / NotAction | Action lists the topic operations the statement covers; NotAction covers every operation except those listed. | Either the Action or NotAction element must be configured. For the supported actions and their mappings to APIs, see Mappings Between SMN Actions and APIs. |
| Resource / NotResource | Resource identifies the topic the statement covers; NotResource covers every topic except those listed. | Either the Resource or NotResource element must be configured. Enter a topic URN. |
| Condition | (Optional) Condition under which the statement takes effect | Enter supported condition operators and condition keys. For details, see Condition Elements. |
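The constraints in Table 1 and Table 2 are easy to get wrong by hand (a typo in the version, a duplicate Sid, both Action and NotAction in one statement, an uppercase service name). The following validator is an added example, not code from the SMN documentation or service; it encodes those constraints as checks you can run over a policy document before applying it. It assumes, beyond what the page states, that every statement carries a Sid, that the account ID in a CSP URN is all digits (as in the page's examples), and that a topic URN starts with "urn:smn:".

```python
"""Structural checks for an SMN-style topic policy before it is applied.
Added example, not code from the SMN documentation or service; it encodes the
constraints from Table 1 and Table 2 on this page. Assumptions not stated there:
every statement carries a Sid, the account ID in a CSP URN is all digits (as in
the page's examples), and a topic URN starts with "urn:smn:".
"""
import re

CSP_URN = re.compile(r"^urn:csp:iam::\d+:root$")
PAIRS = ("Principal", "Action", "Resource")  # each has a Not<name> alternative


def _as_list(v):
    return v if isinstance(v, list) else [v]


def validate_topic_policy(policy):
    """Return a list of problems; an empty list means the policy passed every check."""
    problems = []
    if policy.get("Version") != "2016-09-07":
        problems.append("Version must be 2016-09-07")
    if not policy.get("Id"):
        problems.append("Id must be specified")
    statements = policy.get("Statement") or []
    if not statements:
        problems.append("at least one Statement is required")
    seen = set()
    for i, s in enumerate(statements):
        where = f"statement {i} ({s.get('Sid', 'no Sid')})"
        sid = s.get("Sid")
        if not sid:
            problems.append(f"{where}: Sid is required")
        elif sid in seen:
            problems.append(f"{where}: duplicate Sid")
        seen.add(sid)
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        # Exactly one of each X / NotX pair must be present.
        for name in PAIRS:
            if sum(k in s for k in (name, "Not" + name)) != 1:
                problems.append(f"{where}: exactly one of {name}/Not{name} is required")
        # Principal types are CSP (user URNs) or Service (lowercase service names).
        for kind, ids in (s.get("Principal") or s.get("NotPrincipal") or {}).items():
            if kind == "CSP":
                problems += [f"{where}: CSP principal must be urn:csp:iam::domainId:root, got {u!r}"
                             for u in _as_list(ids) if not CSP_URN.match(str(u))]
            elif kind == "Service":
                problems += [f"{where}: service name must be lowercase, got {n!r}"
                             for n in _as_list(ids) if n != str(n).lower()]
            else:
                problems.append(f"{where}: principal type must be CSP or Service, not {kind!r}")
        # Resource / NotResource must hold topic URNs.
        for r in _as_list(s.get("Resource", s.get("NotResource", []))):
            if not (isinstance(r, str) and r.startswith("urn:smn:")):
                problems.append(f"{where}: Resource must be a topic URN, got {r!r}")
    return problems
```

Run it on the page's two-statement example and it returns an empty list; feed it a policy with a duplicate Sid or an uppercase service name and each defect comes back as its own message, so the check fits into a pre-deployment lint step.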
Condition Elements
Conditions determine whether a statement takes effect and let you control topic permissions at a finer granularity. Table 3 lists the elements of a condition.
| Item | Description | Constraint |
|---|---|---|
| Condition operator | The type of comparison applied to the request: string, numeric, date or time, or Boolean | Date and time values must comply with ISO 8601. For the supported operators, see Table 4. |
| Condition key | The request attribute the operator is applied to, for example csp:CurrentTime or smn:Endpoint | The condition key must be specified. For details, see Table 5. |
A statement allows the requested operation only when all conditions in the statement are met. If any condition is not met, the statement does not allow the operation, and the operation is denied.
As shown in Figure 1, the parts of a condition combine as follows:
When a condition contains multiple operators, for example condition1 and condition2, they are combined with AND: every operator must match.
When one operator, condition1, contains multiple keys, for example conditionKey1 and conditionKey2, they are combined with AND: every key must match.
When one key, conditionKey1, lists multiple values, for example value11 and value12, they are combined with OR: the key matches if any one of the values matches.
In the following example, the statement takes effect only if the request is made before 2016-11-07T15:35:00Z (both operators must match) and the smn:Endpoint value matches *@gmail.com or *@hotmail.com (either value suffices):

```json
"Condition": {
  "DateLessThan": {
    "csp:CurrentTime": "2016-11-07T15:35:00Z"
  },
  "StringLike": {
    "smn:Endpoint": ["*@gmail.com", "*@hotmail.com"]
  }
}
```
| Category | Operator | Description |
|---|---|---|
| String | StringEquals | Match a string (case-sensitive). |
| String | StringNotEquals | Exclude a string (case-sensitive). |
| String | StringEqualsIgnoreCase | Match a string (case-insensitive). |
| String | StringNotEqualsIgnoreCase | Exclude a string (case-insensitive). |
| String | StringLike | Match a string. The value can contain one or more wildcard characters (*). |
| String | StringNotLike | Exclude a string. The value can contain one or more wildcard characters (*). |
| Numeric | NumericEquals | Match an integer or decimal. |
| Numeric | NumericNotEquals | Exclude an integer or decimal. |
| Numeric | NumericLessThan | Match any number less than an integer or decimal. |
| Numeric | NumericLessThanEquals | Match any number less than or equal to an integer or decimal. |
| Numeric | NumericGreaterThan | Match any number greater than an integer or decimal. |
| Numeric | NumericGreaterThanEquals | Match any number greater than or equal to an integer or decimal. |
| Date | DateEquals | Match a date. |
| Date | DateNotEquals | Exclude a date. |
| Date | DateLessThan | Match any time earlier than a date and time point. |
| Date | DateLessThanEquals | Match any time earlier than or equal to a date and time point. |
| Date | DateGreaterThan | Match any time later than a date and time point. |
| Date | DateGreaterThanEquals | Match any time later than or equal to a date and time point. |
| Bool | Bool | Match a Boolean value (true or false). |
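To see how the statement elements (Table 2), the AND/OR condition logic, and the operators above fit together, the following evaluator is an added example, not code from the SMN documentation or service. It decides Allow or Deny for a request (principal, action, resource, and the request attributes that condition keys refer to) against a policy, using the page's two-statement example plus a constructed third statement that reuses the page's Condition example. Two points are assumptions rather than statements on this page: an applicable Deny statement overrides any Allow and a request matching no statement is denied (the usual IAM evaluation order), and a condition key absent from the request counts as not met. "SMN:Subscribe" is an assumed action name used only in the constructed statement.

```python
"""Evaluate a request against an SMN-style topic policy.
Added example, not code from the SMN documentation or service. It implements the
semantics described on this page: Effect Allow/Deny; the Principal/NotPrincipal,
Action/NotAction and Resource/NotResource pairs; and Condition logic (AND across
operators, AND across keys, OR across the values of one key) with the listed
operators. Assumed, not stated on the page: an applicable Deny overrides any
Allow and an unmatched request is denied; a condition key absent from the request
means "not met"; "SMN:Subscribe" is an assumed action name (third statement only).
"""
import re
from datetime import datetime, timezone

TOPIC = "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _star_match(pattern, s):
    """Wildcard match where only '*' is special (StringLike / StringNotLike)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, s, re.DOTALL) is not None

def _time(s):
    # ISO 8601 timestamp; a trailing 'Z' or a missing zone is treated as UTC.
    t = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def _match_value(op, actual, expected):
    """Apply one condition operator to one request value and one policy value."""
    if op in ("StringEquals", "StringNotEquals"):
        return (actual == expected) == (op == "StringEquals")
    if op in ("StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"):
        return (actual.lower() == expected.lower()) == (op == "StringEqualsIgnoreCase")
    if op in ("StringLike", "StringNotLike"):
        return _star_match(expected, actual) == (op == "StringLike")
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op.startswith("Numeric"):
        a, e, cmp = float(actual), float(expected), op[len("Numeric"):]
    elif op.startswith("Date"):
        a, e, cmp = _time(actual), _time(expected), op[len("Date"):]
    else:
        raise ValueError(f"unsupported condition operator: {op}")
    return {"Equals": a == e, "NotEquals": a != e, "LessThan": a < e,
            "LessThanEquals": a <= e, "GreaterThan": a > e, "GreaterThanEquals": a >= e}[cmp]

def _condition_met(condition, context):
    """AND across operators and across keys; OR across the values listed for one key."""
    for op, keys in condition.items():
        for key, values in keys.items():
            if key not in context or not any(
                    _match_value(op, str(context[key]), str(v)) for v in _as_list(values)):
                return False
    return True

def _principals(p):
    # {"CSP": [urn, ...], "Service": [name, ...]} -> {("CSP", urn), ("Service", name), ...}
    return {(kind, ident) for kind, ids in p.items() for ident in _as_list(ids)}

def _pair_matches(stmt, name, value, flatten=_as_list):
    """Exactly one of <name>/Not<name> must be present; Not<name> inverts the match."""
    if name in stmt:
        return value in flatten(stmt[name])
    if "Not" + name in stmt:
        return value not in flatten(stmt["Not" + name])
    raise ValueError(f"statement {stmt.get('Sid')} has neither {name} nor Not{name}")

def evaluate(policy, request):
    """Return "Allow" or "Deny" for request = {principal, action, resource, context}."""
    if policy.get("Version") != "2016-09-07":
        raise ValueError("only policy version 2016-09-07 is supported")
    decision = "Deny"  # default when no statement applies
    for stmt in policy["Statement"]:
        if not (_pair_matches(stmt, "Principal", request["principal"], _principals)
                and _pair_matches(stmt, "Action", request["action"])
                and _pair_matches(stmt, "Resource", request["resource"])
                and _condition_met(stmt.get("Condition", {}), request.get("context", {}))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an applicable Deny wins over any Allow
        if stmt["Effect"] != "Allow":
            raise ValueError(f"bad Effect in statement {stmt.get('Sid')}: {stmt['Effect']!r}")
        decision = "Allow"
    return decision

# The page's two statements plus a constructed third one using the page's Condition example.
EXAMPLE_POLICY = {"Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [
    {"Sid": "__user_pub_0", "Effect": "Allow",
     "Principal": {"CSP": ["urn:csp:iam::123456789:root", "urn:csp:iam::987654321:root"]},
     "Action": ["SMN:Publish", "SMN:QueryTopicDetail"], "Resource": TOPIC},
    {"Sid": "__service_pub_0", "Effect": "Allow", "Principal": {"Service": ["obs"]},
     "Action": ["SMN:Publish", "SMN:QueryTopicDetail"], "Resource": TOPIC},
    {"Sid": "__user_sub_0", "Effect": "Allow", "Principal": {"CSP": ["urn:csp:iam::123456789:root"]},
     "Action": "SMN:Subscribe", "Resource": TOPIC,  # action name assumed, see docstring
     "Condition": {"DateLessThan": {"csp:CurrentTime": "2016-11-07T15:35:00Z"},
                   "StringLike": {"smn:Endpoint": ["*@gmail.com", "*@hotmail.com"]}}},
]}

def decide(principal, action, context=None, resource=TOPIC):
    """Evaluate EXAMPLE_POLICY; principal is ("CSP", urn) or ("Service", name)."""
    return evaluate(EXAMPLE_POLICY, {"principal": principal, "action": action,
                                     "resource": resource, "context": context or {}})
```

With this evaluator, decide(("Service", "obs"), "SMN:Publish") is allowed by the second statement, while a subscribe request from account 123456789 is allowed only if its csp:CurrentTime is before the cut-off and its smn:Endpoint matches one of the two patterns; change either attribute and the third statement stops applying, so the request falls through to the default Deny. Note that StringLike treats only * as a wildcard, matching the operator table, so a ? in a pattern is literal.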