Enabling and Authorizing CodeArts Pipeline
Prerequisites
You have signed up for a HUAWEI ID and enabled Huawei Cloud services.
Enabling CodeArts Pipeline
You need to subscribe to a CodeArts package before using CodeArts Pipeline.
- Access the CodeArts Pipeline console.
- Click Buy to purchase a CodeArts package.
- Purchase a package as needed. For details, see Purchasing CodeArts.
Authorizing CodeArts Pipeline
You can configure CodeArts Pipeline permissions at three levels to control user behaviors.
Level |
Module |
Description |
---|---|---|
Extension, tenant-level policy, tenant-level rule, and pipeline template |
Permissions to manage module resources in a tenant. You can configure permissions in IAM. The configurations take effect for all projects of a tenant. |
|
Pipeline, policy (project-level), microservice, environment, and change |
Permissions to manage module resources of a specific project. You can configure permissions in project settings. The configurations take effect for all resources of a project. |
|
Pipeline |
Permissions to perform operations for a specific pipeline. You can configure permissions in a pipeline. The configuration takes effect for a specified pipeline. |
- Tenant-level permissions
IAM allows you to configure permissions for specified users regarding tenant-level rules, tenant-level policies, extensions, and pipeline templates.
- Log in to CodeArts using a tenant account or an authorized account.
- Click the username in the upper right corner and select IAM.
- In the navigation pane on the left, choose User Groups. On the displayed page, create a user group or select an existing user group, and click Authorize.
Select the CodeArts Pipeline service to check related policies, as shown in the following table.
Table 2 Pipeline policies Policy Name
Description
CloudPipeline Tenant Rules FullAccess
Full permissions on tenant-level rules within CodeArts Pipeline.
- Permissions on rules correspond to cloudpipeline:rule:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Rules FullAccess or custom policies to authorize users.
- Common users can check all tenant-level rules. Authorized users can check and manage all tenant-level rules.
CloudPipeline Tenant Rule Templates FullAccess
Full permissions on tenant-level policies within CodeArts Pipeline.
- Permissions on pipeline policies correspond to cloudpipeline:ruletemplate:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Rule Templates FullAccess or custom policies to authorize users.
- Common users can check all tenant-level policies. Authorized users can check and manage all tenant-level policies.
CloudPipeline Tenant Extensions FullAccess
Full permissions on extensions within CodeArts Pipeline.
- Permissions on extensions correspond to cloudpipeline:extensions:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Extensions FullAccess or custom policies to authorize users.
- Common users can view all extensions. Authorized users can view and manage all extensions.
CloudPipeline Tenant Pipeline Templates FullAccess
Full permissions on pipeline templates within CodeArts Pipeline.
- Permissions on pipeline templates correspond to cloudpipeline:pipelinetemplate:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Pipeline Templates FullAccess or custom policies to authorize users.
- Common users can create templates and view all templates. However, they can manage only the templates created by themselves. Authorized users can view and manage all templates.
- Select the required policies, click Next, and set the minimum authorization scope for the user group.
- Add the specified users to the user group to complete user authorization.
In addition to system-defined policies, tenants can also create custom policies to grant permissions.
- Project-level permissions
CodeArts allows you to configure permissions on pipeline resources for each role in a project.
- Log in to the Huawei Cloud console.
- Click in the upper left corner of the page and choose from the service list.
- Click Access Service to access the CodeArts Pipeline homepage.
- On the top navigation bar, click Homepage to access the CodeArts homepage.
- Click a project name to access the project.
- In the left navigation pane, choose Settings > General > Service Permissions.
Pipeline-related resources are in CodeArts Pipeline, including pipelines, policies (project-level), microservices, environments, changes, and parameter groups.
By default, a user with permissions to edit or execute pipelines can also view pipelines.
Pipeline permissions
The following table lists the pipeline permissions for each role in a project in the initial state.
Table 3 Project-level permissions Role
View
Create
Execute
Edit
Delete
Group
Project creator
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
√
√
×
×
×
Test manager
√
×
×
×
×
×
Tester
√
×
×
×
×
×
Participant
√
×
×
×
×
×
Viewer
√
×
×
×
×
×
Product manager
√
×
×
×
×
×
System engineer
√
√
√
√
√
√
Committer
√
√
√
×
×
×
- To clone a pipeline, you must have the permission to create a pipeline and edit the source pipeline.
- By default, role permissions in a pipeline inherit and are associated with the role permissions in the project until role permissions are modified in the pipeline.
- By default, a pipeline creator has all permissions on the pipeline.
Policy permissions
The following table lists the project-level policy permissions for each role in a project in the initial state.Table 4 Project-level policy permissions Role
View
Create
Edit
Delete
Project creator
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
To clone a policy, you must have the permission to create a policy and edit the source policy.
Microservice permissions
The following table lists the microservice permissions for each role in a project in the initial state.Table 5 Project-level microservice permissions Role
View
Create
Edit
Delete
Project creator
√
√
√
√
Project manager
√
√
√
√
Developer
√
×
×
×
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
×
×
×
Change permissions
The following table lists the change permissions for each role in a project in the initial state.Table 6 Project-level change permissions Role
View
Create
Edit
Execute
Project creator
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
Environment permissions
The following table lists the release environment permissions for each role in a project in the initial state.
Table 7 Project-level development environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project creator
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
√
√
√
√
√
Test manager
√
×
×
×
×
×
Tester
√
×
×
×
×
×
Participant
√
×
×
×
×
×
Viewer
√
×
×
×
×
×
Product manager
√
√
√
√
√
√
System engineer
√
√
√
√
√
√
Committer
√
√
√
√
√
√
Table 8 Project-level test environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project creator
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
×
×
×
×
×
Test manager
√
√
√
√
√
√
Tester
√
√
√
√
√
×
Participant
√
×
×
×
×
×
Viewer
√
×
×
×
×
×
Product manager
√
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Table 9 Project-level pre-production environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project creator
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
×
×
×
×
×
Test manager
√
×
×
×
×
×
Tester
√
×
×
×
×
×
Participant
×
×
×
×
×
×
Viewer
×
×
×
×
×
×
Product manager
√
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Table 10 Project-level production permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project creator
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
×
×
×
×
×
×
Test manager
×
×
×
×
×
×
Tester
×
×
×
×
×
×
Participant
×
×
×
×
×
×
Viewer
×
×
×
×
×
×
Product manager
×
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Parameter group permissions
The following table lists the parameter group permissions for each role in a project in the initial state.Table 11 Project-level parameter group permissions Role
Create
Delete
Edit
Associate
Project creator
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
×
×
×
×
Tester
×
×
×
×
Participant
×
×
×
×
Viewer
×
×
×
×
Product manager
×
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
- Resource-level permissions
You can configure permissions for a single pipeline by role or user. For details, see Configuring Pipeline Permissions.
Role permissions
- The project creator, pipeline creator, and project manager can change pipeline role permissions.
- By default, role permissions for a pipeline are the same as the role permissions at the project level. If role permissions at the project level are changed, role permissions in a pipeline will be changed accordingly.
- If you change the role permissions for a pipeline, the changed permissions will take effect, because the resource-level permissions take precedence over the project-level permissions.
User permissions
- The project creator, pipeline creator, and project manager can change pipeline user permissions.
- By default, user and role permissions are consistent. If pipeline role permissions are changed, pipeline user permissions will be changed accordingly.
- If you change the pipeline user permissions, the changed permissions will take effect, because user permissions take precedence over role permissions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot