Permissions and Supported Actions
You can use Identity and Access Management (IAM) for fine-grained permissions management of your CCE clusters. If your account does not need individual IAM users, you can skip this section.
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specific operations on cloud services based on the assigned permissions. For more information about policy syntax and example policies, see Permissions Overview.
You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions that match users' job responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.

If you want to allow or deny access to an API, fine-grained authorization is a good choice.
An account has all of the permissions required to call all APIs, but IAM users must have the required permissions specifically assigned. The required permissions are determined by the actions supported by the API. Only users with the permissions allowing for those actions can call the API successfully. For example, if an IAM user wants to query ECSs using an API, the user must have been granted permissions that allow the ecs:servers:list action.
Supported Actions
CCE provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied in a custom policy.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?

CCE policies apply to all CCE products, including CCE standard, CCE Turbo, and CCE Autopilot clusters. Any permission that is specific to CCE Autopilot clusters is described in special notes.
The check mark (√) and cross symbol (x) respectively indicate that an action takes effect or does not take effect for the corresponding type of projects.
CCE supports the following actions in custom policies.

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining clusters in a project | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters | cce:cluster:list | √ | √ |
Obtaining a cluster | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id} [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:get | √ | √ |
Creating a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters | cce:cluster:create | √ | √ |
Updating a cluster | [CCE standard and CCE Turbo clusters] PUT /api/v3/projects/{project_id}/clusters/{cluster_id} [CCE Autopilot clusters] PUT /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:update | √ | √ |
Deleting a cluster | [CCE standard and CCE Turbo clusters] DELETE /api/v3/projects/{project_id}/clusters/{cluster_id} [CCE Autopilot clusters] DELETE /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:delete | √ | √ |
Upgrading a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade | cce:cluster:upgrade | √ | √ |
Waking up a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake [CCE Autopilot clusters] N/A | cce:cluster:start | √ | √ |
Hibernating a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate [CCE Autopilot clusters] N/A | cce:cluster:stop | √ | √ |
Changing the specifications of a cluster | [CCE standard and CCE Turbo clusters] POST /api/v2/projects/{project_id}/clusters/:clusterid/resize [CCE Autopilot clusters] N/A | cce:cluster:resize | √ | √ |
Binding/Unbinding the public API server address of a cluster | [CCE standard and CCE Turbo clusters] PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/mastereip [CCE Autopilot clusters] PUT /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/mastereip | cce:cluster:update | √ | √ |
Obtaining the certificate of a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/clustercert | cce:cluster:get | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining all nodes in a cluster | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes [CCE Autopilot clusters] N/A | cce:node:list | √ | √ |
Obtaining a node | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} [CCE Autopilot clusters] N/A | cce:node:get | √ | √ |
Creating a node | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes [CCE Autopilot clusters] N/A | cce:node:create | √ | √ NOTE: If you use enterprise project authorization to create a node, you need to add the global permission of evs:quota:get. |
Updating a node | [CCE standard and CCE Turbo clusters] PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} [CCE Autopilot clusters] N/A | cce:node:update | √ | √ |
Deleting a node | [CCE standard and CCE Turbo clusters] DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} [CCE Autopilot clusters] N/A | cce:node:delete | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining information about a job | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/jobs/{job_id} [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/jobs/{job_id} | cce:job:get | √ | √ |
Listing all jobs | [CCE standard and CCE Turbo clusters] GET /api/v2/projects/{project_id}/jobs [CCE Autopilot clusters] GET /autopilot/v2/projects/{project_id}/jobs | cce:job:list | √ | √ |
Deleting one or all jobs | [CCE standard and CCE Turbo clusters] DELETE /api/v2/projects/{project_id}/jobs DELETE /api/v2/projects/{project_id}/jobs/{job_id} [CCE Autopilot clusters] DELETE /autopilot/v2/projects/{project_id}/jobs DELETE /autopilot/v2/projects/{project_id}/jobs/{job_id} | cce:job:delete | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining all node pools in a cluster | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools [CCE Autopilot clusters] N/A | cce:nodepool:list | √ | √ |
Obtaining a node pool | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} [CCE Autopilot clusters] N/A | cce:nodepool:get | √ | √ |
Creating a node pool | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools [CCE Autopilot clusters] N/A | cce:nodepool:create | √ | √ |
Updating a node pool | [CCE standard and CCE Turbo clusters] PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} [CCE Autopilot clusters] N/A | cce:nodepool:update | √ | √ |
Deleting a node pool | [CCE standard and CCE Turbo clusters] DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} [CCE Autopilot clusters] N/A | cce:nodepool:delete | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Updating a chart | [CCE standard and CCE Turbo clusters] PUT /v2/charts/{id} [CCE Autopilot clusters] POST /autopilot/v2/charts | cce:chart:update | √ | × |
Uploading a chart | [CCE standard and CCE Turbo clusters] POST /v2/charts [CCE Autopilot clusters] POST /autopilot/v2/charts | cce:chart:upload | √ | × |
Downloading a chart | [CCE standard and CCE Turbo clusters] GET /v2/charts/{id}/archive [CCE Autopilot clusters] GET /autopilot/v2/charts/{id}/archive | cce:chart:get | √ | × |
Listing all charts | [CCE standard and CCE Turbo clusters] GET /v2/charts [CCE Autopilot clusters] GET /autopilot/v2/charts | cce:chart:list | √ | × |
Obtaining information about a chart | [CCE standard and CCE Turbo clusters] GET /v2/charts/{id} [CCE Autopilot clusters] GET /autopilot/v2/charts/{id} | cce:chart:get | √ | × |
Obtaining a chart | [CCE standard and CCE Turbo clusters] GET /v2/charts/{id}/values [CCE Autopilot clusters] GET /autopilot/v2/charts/{id}/values | cce:chart:get | √ | × |
Deleting a chart | [CCE standard and CCE Turbo clusters] DELETE /v2/charts/{id} [CCE Autopilot clusters] DELETE /autopilot/v2/charts/{id} | cce:chart:delete | √ | × |
Obtaining the quota of a chart | [CCE standard and CCE Turbo clusters] GET /v2/charts/{project_id}/quotas [CCE Autopilot clusters] GET /autopilot/v2/charts/{project_id}/quotas | cce:chart:list | √ | × |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Updating a release | [CCE standard and CCE Turbo clusters] PUT /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} PUT /v2/releases/{name} (deprecated) [CCE Autopilot clusters] PUT /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:update | √ | √ |
Listing all releases | [CCE standard and CCE Turbo clusters] GET /cce/cam/v3/clusters/{cluster_id}/releases GET /v2/releases (deprecated) [CCE Autopilot clusters] GET /autopilot/cam/v3/clusters/{cluster_id}/releases | cce:release:list | √ | √ |
Creating a release | [CCE standard and CCE Turbo clusters] POST /cce/cam/v3/clusters/{cluster_id}/releases POST /v2/releases (deprecated) [CCE Autopilot clusters] POST /autopilot/cam/v3/clusters/{cluster_id}/releases | cce:release:create | √ | √ |
Obtaining information about a release | [CCE standard and CCE Turbo clusters] GET /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} GET /v2/releases/{name} (deprecated) [CCE Autopilot clusters] GET /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:get | √ | √ |
Querying historical records of a release | [CCE standard and CCE Turbo clusters] GET /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name}/history GET /v2/releases/{name}/history (deprecated) [CCE Autopilot clusters] GET /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:get | √ | √ |
Deleting a release | [CCE standard and CCE Turbo clusters] DELETE /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} DELETE /v2/releases/{name} (deprecated) [CCE Autopilot clusters] DELETE /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:delete | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Creating a PVC (to be discarded) | [CCE standard and CCE Turbo clusters] POST /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims [CCE Autopilot clusters] N/A | cce:storage:create | √ | √ |
Deleting a PVC (to be discarded) | [CCE standard and CCE Turbo clusters] DELETE /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims/{name} [CCE Autopilot clusters] N/A | cce:storage:delete | √ | √ |
Listing all volumes | [CCE standard and CCE Turbo clusters] GET /storage/api/v1/namespaces/{namespace}/listvolumes [CCE Autopilot clusters] N/A | cce:storage:list | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Listing all add-on templates | [CCE standard and CCE Turbo clusters] GET /api/v3/addontemplate [CCE Autopilot clusters] GET /autopilot/v3/addontemplates | cce:addonTemplate:get | √ | x |
Creating an add-on instance | [CCE standard and CCE Turbo clusters] POST /api/v3/addons [CCE Autopilot clusters] POST /autopilot/v3/addons | cce:addonInstance:create | √ | √ |
Obtaining an add-on instance | [CCE standard and CCE Turbo clusters] GET /api/v3/addons/{id}?cluster_id={cluster_id} [CCE Autopilot clusters] GET /autopilot/v3/addons/{id} | cce:addonInstance:get | √ | √ |
Listing all add-on instances | [CCE standard and CCE Turbo clusters] GET /api/v3/addons?cluster_id={cluster_id} [CCE Autopilot clusters] GET /autopilot/v3/addons?cluster_id={cluster_id} | cce:addonInstance:list | √ | √ |
Deleting an add-on instance | [CCE standard and CCE Turbo clusters] DELETE /api/v3/addons/{id} [CCE Autopilot clusters] DELETE /autopilot/v3/addons/{id} | cce:addonInstance:delete | √ | √ |
Updating an add-on instance | [CCE standard and CCE Turbo clusters] PUT /api/v3/addons/{id} [CCE Autopilot clusters] PUT /autopilot/v3/addons/{id} | cce:addonInstance:update | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining quota details | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/quotas [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/quotas | cce:quota:get | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Adding resource tags to a cluster in batches | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/create [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/tags/create | cce:tag:operate | √ | √ |
Deleting resource tags from a cluster in batches | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/delete [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/tags/delete | cce:tag:operate | √ | √ |

Permission | API | Action | IAM Project | Enterprise Project |
---|---|---|---|---|
Obtaining the details about a cluster upgrade task | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks/{task_id} [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks/{task_id} | cce:cluster:get | √ | √ |
Obtaining a list of cluster upgrade task details | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks | cce:cluster:get | √ | √ |
Retrying a cluster upgrade task | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/retry [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/retry | cce:cluster:upgrade | √ | √ |
Performing a pre-upgrade check for a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck | cce:cluster:upgrade | √ | √ |
Obtaining details about a pre-upgrade check task of a cluster | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks/{task_id} [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks/{task_id} | cce:cluster:get | √ | √ |
Obtaining a list of pre-upgrade check tasks of a cluster | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks | cce:cluster:get | √ | √ |
Performing a post-upgrade check for a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/postcheck [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/postcheck | cce:cluster:upgrade | √ | √ |
Backing up a cluster | [CCE standard and CCE Turbo clusters] POST /api/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot [CCE Autopilot clusters] POST /autopilot/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot | cce:cluster:upgrade | √ | √ |
Obtaining a list of cluster backup task details | [CCE standard and CCE Turbo clusters] GET /api/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot/tasks [CCE Autopilot clusters] GET /autopilot/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot/tasks | cce:cluster:get | √ | √ |
Obtaining details about a cluster upgrade task | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/upgradeinfo [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/upgradeinfo | cce:cluster:get | √ | √ |
Enabling the cluster upgrade booting task | [CCE standard and CCE Turbo clusters] POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows [CCE Autopilot clusters] POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:upgrade | √ | √ |
Obtaining a list of historical cluster upgrade booting tasks | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:get | √ | √ |
Obtaining details about a specified cluster upgrade booting task | [CCE standard and CCE Turbo clusters] GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} [CCE Autopilot clusters] GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:get | √ | √ |
Updating the status of a cluster upgrade booting task | [CCE standard and CCE Turbo clusters] PATCH /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} [CCE Autopilot clusters] PATCH /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:upgrade | √ | √ |

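Because several APIs in the tables above share one action, a policy review should list which requests each granted action actually unlocks. The following added example (not part of the CCE documentation) does that for a subset of rows copied from this page; the policy layout (Version/Statement/Effect/Action), the `*` wildcard matching, the deny-over-allow evaluation and the sample `VIEWER` policy are assumptions of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Subset of rows copied from the tables on this page (CCE standard/Turbo paths).
ROUTES = [
    ("GET",    "/api/v3/projects/{project_id}/clusters",                          "cce:cluster:list"),
    ("GET",    "/api/v3/projects/{project_id}/clusters/{cluster_id}",             "cce:cluster:get"),
    ("POST",   "/api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert", "cce:cluster:get"),
    ("PUT",    "/api/v3/projects/{project_id}/clusters/{cluster_id}",             "cce:cluster:update"),
    ("PUT",    "/api/v3/projects/{project_id}/clusters/{cluster_id}/mastereip",   "cce:cluster:update"),
    ("DELETE", "/api/v3/projects/{project_id}/clusters/{cluster_id}",             "cce:cluster:delete"),
    ("POST",   "/api/v3/projects/{project_id}/clusters/{cluster_id}/nodes",       "cce:node:create"),
    ("GET",    "/api/v3/projects/{project_id}/clusters/{cluster_id}/nodes",       "cce:node:list"),
]

def _compile(template):
    # Turn "{name}" placeholders into single-path-segment matchers.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(map(re.escape, parts)) + "$")

_COMPILED = [(m, _compile(t), t, a) for m, t, a in ROUTES]

def required_action(method, path):
    """Return the action the page lists for this request, or None if unmapped."""
    path = path.split("?", 1)[0]  # the query string does not affect the mapping
    for m, rx, _t, action in _COMPILED:
        if m == method.upper() and rx.match(path):
            return action
    return None

def is_allowed(policy, action):
    """Assumed evaluation: any matching Deny wins, otherwise an Allow is required."""
    verdict = False
    for st in policy["Statement"]:
        if any(fnmatchcase(action, pat) for pat in st["Action"]):
            if st["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def apis_unlocked(policy):
    """List every (method, template) row from ROUTES that the policy permits."""
    return [(m, t) for m, t, a in ROUTES if is_allowed(policy, a)]

# Constructed sample policy, intended as a "read-only cluster viewer".
VIEWER = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["cce:cluster:get", "cce:cluster:list", "cce:node:*"]},
    {"Effect": "Deny",  "Action": ["cce:node:create"]},
]}

if __name__ == "__main__":
    for row in apis_unlocked(VIEWER):
        print(*row)
```

Running it shows that the viewer policy also permits the POST to `clustercert`, since the page maps that API to `cce:cluster:get`.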