Actions Supported by Policy-based Authorization
This section describes the actions supported by policy-based authorization for CFW.
Supported Actions
HSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. The following are related concepts:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied in a custom policy.
- Dependencies: actions that a specific action depends on. When allowing an action for a user, you also need to allow its dependent actions for that user.
- IAM or enterprise projects: Type of projects for which an action will take effect. For example, if you set the authorization scope of a custom policy to both IAM projects and enterprise projects, the policy takes effect for user groups in either IAM or enterprise projects. If an action supports only IAM projects, the custom policy that contains this action will take effect only for user groups in IAM. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. "√" indicates that the action supports the project and "×" indicates that the action does not support the project. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.
CFW supports the following actions that can be defined in custom policies:
Authorization List describes CFW actions, such as querying firewall instances, creating CFW instances, and querying ACL rules.
Authorization List
| Permission | API | Action | Related Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Enable or disable EIP protection. | POST /v1/{project_id}/eip/protect | cfw:eip:operate | None | √ | √ |
| Query the EIP list. | GET /v1/{project_id}/eips/protect | cfw:eip:list | ecs:cloudServers:list, nat:natGateways:list, vpc:publicIps:list | √ | √ |
| Query EIP statistics. | GET /v1/{project_id}/eip-count/{object_id} | cfw:eipStatistics:get | None | √ | √ |
| Create an ACL rule. | POST /v1/{project_id}/acl-rule | cfw:acl:create | None | √ | √ |
| Modify an ACL rule. | PUT /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:put | None | √ | √ |
| Delete an ACL rule. | DELETE /v1/{project_id}/acl-rule/{acl_rule_id} | cfw:acl:delete | None | √ | √ |
| Query the ACL rule list. | GET /v1/{project_id}/acl-rules | cfw:acl:list | None | √ | √ |
| Configure ACL rule priority. | PUT /v1/{project_id}/acl-rule/order/{acl_rule_id} | cfw:acl:setPriority | None | √ | √ |
| Create a blacklist or whitelist. | POST /v1/{project_id}/black-white-list | cfw:blackWhite:create | None | √ | √ |
| Modify a blacklist or whitelist. | PUT /v1/{project_id}/black-white-list/{list_id} | cfw:blackWhite:put | None | √ | √ |
| Delete a blacklist or whitelist. | DELETE /v1/{project_id}/black-white-list/{list_id} | cfw:blackWhite:delete | None | √ | √ |
| Query a blacklist or whitelist. | GET /v1/{project_id}/black-white-lists | cfw:blackWhite:list | None | √ | √ |
| Create an IP address group. | POST /v1/{project_id}/address-set | cfw:ipGroup:create | None | √ | √ |
| Modify an IP address group. | PUT /v1/{project_id}/address-sets/{set_id} | cfw:ipGroup:put | None | √ | √ |
| Delete an IP address group. | DELETE /v1/{project_id}/address-sets/{set_id} | cfw:ipGroup:delete | None | √ | √ |
| Query the IP address group list. | GET /v1/{project_id}/address-sets | cfw:ipGroup:list | None | √ | √ |
| Query the details of an IP address group. | GET /v1/{project_id}/address-sets/{set_id} | cfw:ipGroup:get | None | √ | √ |
| Add a member to an IP address group. | POST /v1/{project_id}/address-items | cfw:ipMember:create | None | √ | √ |
| Delete a member from an IP address group. | DELETE /v1/{project_id}/address-items/{item_id} | cfw:ipMember:delete | None | √ | √ |
| Query IP address group members. | GET /v1/{project_id}/address-items | cfw:ipMember:list | None | √ | √ |
| Create a service group. | POST /v1/{project_id}/service-set | cfw:serviceGroup:create | None | √ | √ |
| Modify a service group. | PUT /v1/{project_id}/service-sets/{set_id} | cfw:serviceGroup:put | None | √ | √ |
| Delete a service group. | DELETE /v1/{project_id}/service-sets/{set_id} | cfw:serviceGroup:delete | None | √ | √ |
| Query the details about a service group. | GET /v1/{project_id}/service-sets/{set_id} | cfw:serviceGroup:get | None | √ | √ |
| Query the service group list. | GET /v1/{project_id}/service-sets | cfw:serviceGroup:list | None | √ | √ |
| Add a member to a service group. | POST /v1/{project_id}/service-items | cfw:serviceMember:create | None | √ | √ |
| Delete a member from a service group. | DELETE /v1/{project_id}/service-items/{item_id} | cfw:serviceMember:delete | None | √ | √ |
| Query service group members. | GET /v1/{project_id}/service-items | cfw:serviceMember:list | None | √ | √ |
| Query the ACL log list. | GET /v1/{project_id}/cfw/logs/access-control | cfw:accessControlLog:list | None | √ | √ |
| Query the traffic log list. | GET /v1/{project_id}/cfw/logs/flow | cfw:flowLog:list | None | √ | √ |
| Query the attack log list. | GET /v1/{project_id}/cfw/logs/attack | cfw:attackLog:list | None | √ | √ |
| Configure the IPS mode. | POST /v1/{project_id}/ips/protect | cfw:ipsMode:operate | None | √ | √ |
| Query the IPS mode. | GET /v1/{project_id}/ips/protect | cfw:ipsMode:get | None | √ | √ |
| Query firewalls. | GET /v1/{project_id}/firewall/exist | cfw:instance:list | None | √ | √ |
| Update the DNS server. | PUT /v1/{project_id}/dns/servers | cfw:acl:put | None | √ | √ |
| Query the DNS server. | GET /v1/{project_id}/dns/servers | cfw:domain:get | None | √ | √ |
| Check a domain name. | GET /v1/{project_id}/domain/parse/{domain_name} | cfw:domain:get | None | √ | √ |
| Change the east-west protection status. | POST /v1/{project_id}/firewall/east-west/protect | cfw:instance:create | None | √ | √ |
| Query east-west firewalls. | GET /v1/{project_id}/firewall/east-west | cfw:instance:list | None | √ | √ |
| Query VPC protection. | GET /v1/{project_id}/vpcs/protection | cfw:instance:list | None | √ | √ |
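The dependency rule above (allowing an action also requires allowing its related actions) is easy to get wrong by hand: a custom policy that grants only cfw:eip:list fails at the ECS, NAT and VPC lookups the EIP list needs. The following helper, which is an added example and not code from the CFW documentation, takes the action names and the one dependency row from the authorization list and (a) expands a requested action set into a least-privilege list that includes its dependencies, and (b) lints an existing policy document for omitted dependencies or action names that do not appear in the list. The policy document shape (`Version` "1.1", a `Statement` array with `Effect` and `Action`) is assumed to match the IAM custom-policy format and should be checked against your own console before use.

```python
"""Expand CFW custom-policy actions with their dependencies and lint a policy.

Hypothetical helper; the action names and the dependency row are copied from
the CFW authorization list, the policy document layout is an assumption.
"""
import json

# Constructed from the authorization list: every action name that appears there.
KNOWN_ACTIONS = {
    "cfw:eip:operate", "cfw:eip:list", "cfw:eipStatistics:get",
    "cfw:acl:create", "cfw:acl:put", "cfw:acl:delete", "cfw:acl:list", "cfw:acl:setPriority",
    "cfw:blackWhite:create", "cfw:blackWhite:put", "cfw:blackWhite:delete", "cfw:blackWhite:list",
    "cfw:ipGroup:create", "cfw:ipGroup:put", "cfw:ipGroup:delete", "cfw:ipGroup:list", "cfw:ipGroup:get",
    "cfw:ipMember:create", "cfw:ipMember:delete", "cfw:ipMember:list",
    "cfw:serviceGroup:create", "cfw:serviceGroup:put", "cfw:serviceGroup:delete",
    "cfw:serviceGroup:get", "cfw:serviceGroup:list",
    "cfw:serviceMember:create", "cfw:serviceMember:delete", "cfw:serviceMember:list",
    "cfw:accessControlLog:list", "cfw:flowLog:list", "cfw:attackLog:list",
    "cfw:ipsMode:operate", "cfw:ipsMode:get",
    "cfw:instance:list", "cfw:instance:create", "cfw:domain:get",
}

# Related actions from the list: only cfw:eip:list has dependencies, all others are "None".
RELATED_ACTIONS = {
    "cfw:eip:list": ["ecs:cloudServers:list", "nat:natGateways:list", "vpc:publicIps:list"],
}


def expand_with_dependencies(actions):
    """Return the sorted set of the given actions plus every transitive dependency."""
    result = set()
    stack = list(actions)
    while stack:
        action = stack.pop()
        if action in result:
            continue
        result.add(action)
        stack.extend(RELATED_ACTIONS.get(action, []))
    return sorted(result)


def allowed_actions(policy):
    """Collect the actions granted by the Allow statements of a policy document."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.update(stmt.get("Action", []))
    return allowed


def missing_dependencies(policy):
    """Dependencies required by the policy's allowed CFW actions but not granted."""
    allowed = allowed_actions(policy)
    missing = set()
    for action in allowed:
        missing.update(dep for dep in RELATED_ACTIONS.get(action, []) if dep not in allowed)
    return sorted(missing)


def unknown_cfw_actions(policy):
    """cfw:* action names in the policy that are not in the authorization list (typos)."""
    return sorted(a for a in allowed_actions(policy)
                  if a.startswith("cfw:") and a not in KNOWN_ACTIONS)


def build_policy(actions):
    """Build a policy document granting the actions and their dependencies (assumed layout)."""
    return {
        "Version": "1.1",  # assumed custom-policy version string
        "Statement": [{"Effect": "Allow", "Action": expand_with_dependencies(actions)}],
    }


if __name__ == "__main__":
    # A hand-written policy that forgets the EIP list dependencies and has a typo.
    draft = {"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["cfw:eip:list", "cfw:acl:lst"]}]}
    print("missing dependencies:", missing_dependencies(draft))
    print("unknown actions:", unknown_cfw_actions(draft))
    # The corrected, least-privilege read-only policy for EIP and ACL listing.
    print(json.dumps(build_policy(["cfw:eip:list", "cfw:acl:list"]), indent=2))
```

Run the file directly to see the lint output for the deliberately broken draft policy and the corrected document; the lint functions are what you would wire into a CI check on policy definitions kept in source control.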