Actions Supported by Role/Policy-based Authorization
This section describes the actions supported by CCE in role/policy-based authorization.
Supported Actions
CCE provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The common concepts related to policies are listed below.
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied in a custom policy.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?
The check mark (√) and cross symbol (×) respectively indicate that an action takes effect or does not take effect for the corresponding type of projects.
CCE supports the following actions in custom policies.
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Obtaining clusters in a project |
GET /api/v3/projects/{project_id}/clusters |
cce:cluster:list |
√ |
√ |
|
Obtaining a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:get |
√ |
√ |
|
Creating a cluster |
POST /api/v3/projects/{project_id}/clusters |
cce:cluster:create |
√ |
√ |
|
Updating a cluster |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:update |
√ |
√ |
|
Deleting a cluster |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:delete |
√ |
√ |
|
Upgrading a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade |
cce:cluster:upgrade |
√ |
√ |
|
Waking up a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake |
cce:cluster:start |
√ |
√ |
|
Hibernating a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate |
cce:cluster:stop |
√ |
√ |
|
Changing the specifications of a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/resize |
cce:cluster:resize |
√ |
√ |
|
Obtaining the certificate of a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert |
cce:cluster:get |
√ |
√ |
|
Obtaining the global OBS access secret configuration |
GET /api/v3/projects/{project_id}/longaksk/config |
cce:longaksk:getConfig |
√ |
√ |
|
Updating the global OBS access secret configuration |
PUT /api/v3/projects/{project_id}/longaksk/config |
cce:longaksk:updateConfig |
√ |
√ |
|
Updating the global OBS access secret configuration of a cluster |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/longaksk/config |
cce:cluster:updateLongAKSKConfig |
√ |
√ |
|
Obtaining the global OBS access secret configuration of a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/longaksk/config |
cce:cluster:getLongAKSKConfig |
√ |
√ |
|
Revoking a cluster certificate |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercertrevoke |
cce:cluster:revokeClientCredential |
√ |
√ |
|
Updating a partition |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions/{partition_name} |
cce:partition:update |
√ |
√ |
|
Creating a partition |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions |
cce:partition:create |
√ |
√ |
|
Obtaining partition information |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions/{partition_name} |
cce:partition:get |
√ |
√ |
|
Listing all partitions |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions |
cce:partition:list |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Obtaining all nodes in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:list |
√ |
√ |
|
Obtaining a node |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:get |
√ |
√ |
|
Creating a node |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:create |
√ |
√
NOTE:
If you use enterprise project authorization to create a node, you need to add the global permission of evs:quotas:get and evs:types:get. |
|
Updating a node |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:update |
√ |
√ |
|
Deleting a node |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:delete |
√ |
√ |
|
Removing a node |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/operation/remove |
cce:node:remove |
√ |
√ |
|
Migrating a node |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/operation/migrateto/{target_cluster_id} |
cce:node:migrate |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Obtaining information about a job |
GET /api/v3/projects/{project_id}/jobs/{job_id} |
cce:job:get |
√ |
√ |
|
Listing all jobs |
GET /api/v2/projects/{project_id}/jobs |
cce:job:list |
√ |
√ |
|
Deleting one or all jobs |
DELETE /api/v2/projects/{project_id}/jobs DELETE /api/v2/projects/{project_id}/jobs/{job_id} |
cce:job:delete |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Obtaining all node pools in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:list |
√ |
√ |
|
Obtaining a node pool |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:get |
√ |
√ |
|
Creating a node pool |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:create |
√ |
√ |
|
Updating a node pool |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:update |
√ |
√ |
|
Deleting a node pool |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:delete |
√ |
√ |
|
Scaling a node pool |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}/operation/scale |
cce:nodepool:scale |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Updating a chart |
PUT /v2/charts/{id} |
cce:chart:update |
√ |
× |
|
Uploading a chart |
POST /v2/charts |
cce:chart:upload |
√ |
× |
|
Listing all charts |
GET /v2/charts |
cce:chart:list |
√ |
× |
|
Obtaining information about a chart |
GET /v2/charts/{id} |
cce:chart:get |
√ |
× |
|
Deleting a chart |
DELETE /v2/charts/{id} |
cce:chart:delete |
√ |
× |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Updating a release |
PUT /v2/releases/{name} |
cce:release:update |
√ |
√ |
|
Listing all releases |
GET /v2/releases |
cce:release:list |
√ |
√ |
|
Creating a release |
POST /v2/releases |
cce:release:create |
√ |
√ |
|
Obtaining information about a release |
GET /v2/releases/{name} |
cce:release:get |
√ |
√ |
|
Deleting a release |
DELETE /v2/releases/{name} |
cce:release:delete |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Creating a PersistentVolumeClaim |
POST /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims |
cce:storage:create |
√ |
√ |
|
Deleting a PersistentVolumeClaim |
DELETE /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims/{name} |
cce:storage:delete |
√ |
√ |
|
Listing all volumes |
GET /storage/api/v1/namespaces/{namespace}/listvolumes |
cce:storage:list |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Creating an add-on pod |
POST /api/v3/addons |
cce:addonInstance:create |
√ |
√ |
|
Obtaining an add-on pod |
GET /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:get |
√ |
√ |
|
Listing all add-on pods |
GET /api/v3/addons?cluster_id={cluster_id} |
cce:addonInstance:list |
√ |
√ |
|
Deleting an add-on pod |
DELETE /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:delete |
√ |
√ |
|
Updating an add-on pod |
PUT /api/v3/addons/{id} |
cce:addonInstance:update |
√ |
√ |
|
Rolling back an add-on pod |
POST /api/v3/addons/{id}/operation/rollback |
cce:addonInstance:rollback |
√ |
√ |
|
Listing all add-on templates |
GET /api/v3/addontemplates |
cce:addonTemplate:list |
√ |
× |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Obtaining quota details |
GET /api/v3/projects/{project_id}/quotas |
cce:quota:get |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Adding resource tags to a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/create |
cce:tag:operate |
√ |
√ |
|
Deleting resource tags from a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/delete |
cce:tag:operate |
√ |
√ |
|
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
|
Creating an access policy |
POST /api/v3/access-policies |
cce:accessPolicy:post |
√ |
× |
|
Obtaining the access policy list |
GET /api/v3/access-policies |
cce:accessPolicy:list |
√ |
× |
|
Obtaining an access policy |
GET /api/v3/access-policies/{policy_id} |
cce:accessPolicy:get |
√ |
× |
|
Deleting an access policy |
DELETE /api/v3/access-policies/{policy_id} |
cce:accessPolicy:delete |
√ |
× |
|
Updating an access policy |
PUT /api/v3/access-policies/{policy_id} |
cce:accessPolicy:put |
√ |
× |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
