身份策略与策略如何兼容
对于IAM目前支持的角色与策略权限模型和身份策略权限模型来说,他们既相互隔离但又用法类似。
推荐新注册的华为云账号仅使用身份策略进行授权管理,可以实现更加安全和精细化的权限控制。但是,存量的账号可能会同时使用角色与策略权限模型和身份策略权限模型进行授权管理。也就是说一个IAM身份可能会被同时授予多个IAM权限,包含系统角色、系统策略、自定义策略、系统身份策略和自定义身份策略等,这些权限可以同时生效。其中,系统角色是IAM最初提供的一种根据用户的工作职能定义权限的粗粒度授权机制,不具有可配置性,用户根据自己的业务需求实际选择即可。而系统策略、自定义策略、系统身份策略和自定义身份策略在使用上则更加细粒度,它们的混合使用较为复杂。
对于策略和身份策略来说,最主要的是选择业务所需要的授权项。以IAM为例,与IAM服务相关的全部的授权项请参见权限和授权项,其中在“策略授权参考”中包含了策略授权项与支持的API的对应关系,在身份策略授权参考中包含了身份策略授权项与支持的API的对应关系。为了在身份策略中兼容使用原本仅支持策略授权项的API,IAM在身份策略中增加了能够对这些API进行操作的部分身份策略授权项。在这些身份策略授权项中,因为命名规范原因,一部分沿用了原来符合规范的策略授权项,另外一部分则是对原来不符合规范的策略授权项进行了重命名。因为进行了重命名,所以称原来的策略授权项为现在身份策略授权项的别名。
对于IAM服务来说,直接使用原有策略授权项作为身份策略授权项的列表见表1,对策略授权项进行重命名作为身份策略授权项的列表见表2。
|
身份策略授权项 |
访问级别 |
策略授权项 |
|---|---|---|
|
iam:identityProviders:listMappings |
列表 |
iam:identityProviders:listMappings |
|
iam:identityProviders:getMapping |
读 |
iam:identityProviders:getMapping |
|
iam:identityProviders:createMapping |
写 |
iam:identityProviders:createMapping |
|
iam:identityProviders:deleteMapping |
写 |
iam:identityProviders:deleteMapping |
|
iam:identityProviders:updateMapping |
写 |
iam:identityProviders:updateMapping |
|
iam:identityProviders:listProtocols |
列表 |
iam:identityProviders:listProtocols |
|
iam:identityProviders:getProtocol |
读 |
iam:identityProviders:getProtocol |
|
iam:identityProviders:createProtocol |
写 |
iam:identityProviders:createProtocol |
|
iam:identityProviders:deleteProtocol |
写 |
iam:identityProviders:deleteProtocol |
|
iam:identityProviders:updateProtocol |
写 |
iam:identityProviders:updateProtocol |
|
iam:securityPolicies:getProtectPolicy |
读 |
iam:securityPolicies:getProtectPolicy |
|
iam:securityPolicies:updateProtectPolicy |
写 |
iam:securityPolicies:updateProtectPolicy |
|
iam:securityPolicies:getPasswordPolicy |
读 |
iam:securityPolicies:getPasswordPolicy |
|
iam:securityPolicies:updatePasswordPolicy |
写 |
iam:securityPolicies:updatePasswordPolicy |
|
iam:securityPolicies:getLoginPolicy |
读 |
iam:securityPolicies:getLoginPolicy |
|
iam:securityPolicies:updateLoginPolicy |
写 |
iam:securityPolicies:updateLoginPolicy |
|
iam:securityPolicies:getConsoleAclPolicy |
读 |
iam:securityPolicies:getConsoleAclPolicy |
|
iam:securityPolicies:updateConsoleAclPolicy |
写 |
iam:securityPolicies:updateConsoleAclPolicy |
|
iam:securityPolicies:getApiAclPolicy |
读 |
iam:securityPolicies:getApiAclPolicy |
|
iam:securityPolicies:updateApiAclPolicy |
写 |
iam:securityPolicies:updateApiAclPolicy |
|
身份策略授权项 |
访问级别 |
策略授权项(身份策略授权项的别名) |
|---|---|---|
|
iam::listAccessKeys |
列表 |
iam:credentials:listCredentials |
|
iam::createAccessKey |
写 |
iam:credentials:createCredential |
|
iam::getAccessKey |
读 |
iam:credentials:getCredential |
|
iam::updateAccessKey |
写 |
iam:credentials:updateCredential |
|
iam::deleteAccessKey |
写 |
iam:credentials:deleteCredential |
|
iam:projects:list |
列表 |
iam:projects:listProjects |
|
iam:projects:create |
写 |
iam:projects:createProject |
|
iam:projects:listForUser |
列表 |
iam:projects:listProjectsForUser |
|
iam:projects:update |
写 |
iam:projects:updateProject |
|
iam:groups:list |
列表 |
iam:groups:listGroups |
|
iam:groups:create |
写 |
iam:groups:createGroup |
|
iam:groups:get |
读 |
iam:groups:getGroup |
|
iam:groups:delete |
写 |
iam:groups:deleteGroup |
|
iam:groups:update |
写 |
iam:groups:updateGroup |
|
iam:groups:removeUser |
写 |
iam:permissions:removeUserFromGroup |
|
iam:groups:listUsers |
列表 |
iam:users:listUsersForGroup |
|
iam:groups:checkUser |
读 |
iam:permissions:checkUserInGroup |
|
iam:groups:addUser |
写 |
iam:permissions:addUserToGroup |
|
iam:users:create |
写 |
iam:users:createUser |
|
iam:users:get |
读 |
iam:users:getUser |
|
iam:users:update |
写 |
iam:users:updateUser |
|
iam:users:list |
列表 |
iam:users:listUsers |
|
iam:users:delete |
写 |
iam:users:deleteUser |
|
iam:users:listGroups |
列表 |
iam:groups:listGroupsForUser |
|
iam:users:listVirtualMFADevices |
列表 |
iam:mfa:listVirtualMFADevices |
|
iam:users:createVirtualMFADevice |
写 |
iam:mfa:createVirtualMFADevice |
|
iam:users:deleteVirtualMFADevice |
写 |
iam:mfa:deleteVirtualMFADevice |
|
iam:users:getVirtualMFADevice |
读 |
iam:mfa:getVirtualMFADevice |
|
iam:users:bindVirtualMFADevice |
写 |
iam:mfa:bindMFADevice |
|
iam:users:unbindVirtualMFADevice |
写 |
iam:mfa:unbindMFADevice |
|
iam:identityProviders:list |
列表 |
iam:identityProviders:listIdentityProviders |
|
iam:identityProviders:get |
读 |
iam:identityProviders:getIdentityProvider |
|
iam:identityProviders:create |
写 |
iam:identityProviders:createIdentityProvider |
|
iam:identityProviders:delete |
写 |
iam:identityProviders:deleteIdentityProvider |
|
iam:identityProviders:update |
写 |
iam:identityProviders:updateIdentityProvider |
|
iam:identityProviders:getSAMLMetadata |
读 |
iam:identityProviders:getIDPMetadata |
|
iam:identityProviders:createSAMLMetadata |
写 |
iam:identityProviders:createIDPMetadata |
|
iam:identityProviders:getOIDCConfig |
读 |
iam:identityProviders:getOpenIDConnectConfig |
|
iam:identityProviders:createOIDCConfig |
写 |
iam:identityProviders:createOpenIDConnectConfig |
|
iam:identityProviders:updateOIDCConfig |
写 |
iam:identityProviders:updateOpenIDConnectConfig |
|
iam:users:listLoginProtectSettings |
列表 |
iam:users:listUserLoginProtects |
|
iam:users:getLoginProtectSetting |
读 |
iam:users:getUserLoginProtect |
|
iam:users:updateLoginProtectSetting |
写 |
iam:users:setUserLoginProtect |
|
iam:quotas:list |
列表 |
iam:quotas:listQuotas |
|
iam:quotas:listForProject |
列表 |
iam:quotas:listQuotasForProject |
在表2中策略授权项也就是身份策略授权参考中的别名。这两种方式都可以实现利用身份策略授权项对原本仅支持策略授权项的API进行控制,例如使用表1中的iam:identityProviders:listMappings授权项时,在IAM新版控制台中创建授予iam:identityProviders:listMappings身份策略授权项的身份策略,可以实现对原本仅支持策略授权项的GET /v3/OS-FEDERATION/mappings接口进行控制,来查询身份提供商的映射列表,操作步骤请参阅创建自定义身份策略。
{
"Version": "5.0",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:identityProviders:listMappings"
]
}
]
}
这与在IAM旧版控制台中创建授予iam:identityProviders:listMappings策略授权项的策略效果一致,操作步骤请参阅创建自定义策略。
{
"Version": "1.1",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:identityProviders:listMappings"
]
}]
}
而在使用表2中的iam::listAccessKeys授权项时,在IAM新版控制台中创建授予iam::listAccessKeys身份策略授权项的身份策略,可以实现原本仅支持策略授权项的GET /v3.0/OS-CREDENTIAL/credentials接口进行控制,来查询所有永久访问密钥:
{
"Version": "5.0",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam::listAccessKeys"
]
}
]
}
这与在IAM旧版控制台中创建授予iam:credentials:listCredentials策略授权项的策略效果一致:
{
"Version": "1.1",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:credentials:listCredentials"
]
}]
}
