Introduction
You can use Identity and Access Management (IAM) for fine-grained permissions management of your CloudDC resources. If your Huawei Cloud account does not need individual IAM users, you can skip this section.
With IAM, you can control access to specific Huawei Cloud resources from principals (IAM users, user groups, agencies, or trust agencies). IAM supports role/policy-based authorization and identity policy-based authorization.
| Authorization Model | Core Relationship | Permissions | Authorization Method | Description |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you first add it to a user group and then specify the authorization scope. Because authorization is by user group and only a limited set of condition keys is available, fine-grained permissions control is hard to achieve. This method is suitable for small and medium enterprises. |
| Identity policy | User-policy | | | You authorize a user by attaching an identity policy directly to it. Per-user authorization and a wide range of condition keys allow more fine-grained permissions control. However, this model can be hard to set up; it requires a certain amount of expertise and is suitable for medium and large enterprises. |
Assume that you want to grant IAM users permission to create CloudDC resources in CN North-Beijing4 and CN South-Guangzhou. With policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy with the condition key g:RequestTag configured, and then attach the policy to the users or grant the users access to the specified regions. Identity policy-based authorization is therefore more flexible than policy-based authorization.
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model.
If you use IAM users in your account to call an API, the IAM users must be granted the required permissions. The required permissions are determined by the actions supported by the API. Only users with the policies allowing for those actions can call the API successfully.
Assume that an IAM user wants to call an API to query iMetal servers. With policy-based authorization, the IAM user must be granted the permissions allowing for action clouddc:imetal:list. With identity policy-based authorization, the IAM user must be granted the permissions allowing for action clouddc:imetal:list.
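The two-region scenario above is easier to see with concrete policy documents. The script below is an added example, not Huawei Cloud code or the page's own material: the two policy documents are constructed to mirror the text, and the JSON layout (Version "1.1" for a role/policy document, "5.0" for an identity policy), the StringEquals operator, the "g:RequestTag/<key>" spelling of the condition key, the region ids and the evaluation order (explicit Deny beats Allow, no match means deny) are all assumptions made for this toy evaluator.

```python
"""Toy evaluator for the two CloudDC authorization models (added example).

Not Huawei Cloud code. The policy documents are constructed; the Version
strings, the StringEquals operator, the "g:RequestTag/<key>" condition key
spelling, the region ids and the Deny-beats-Allow evaluation order are
assumptions made for this example.
"""
import fnmatch
import json

# Identity policy: one document covers both regions because the region check
# lives in a Condition instead of in the scope the policy is assigned to.
IDENTITY_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["clouddc:instance:*"],
      "Condition": {
        "StringEquals": {"g:RequestTag/region": ["cn-north-4", "cn-south-1"]}
      }
    },
    {
      "Effect": "Deny",
      "Action": ["clouddc:instance:delete*"]
    }
  ]
}
""")

# Role/policy document: there is no Condition block, so the region comes from
# the authorization scope chosen when the policy is assigned (which is why the
# text needs two of them for two regions).
ROLE_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["clouddc:instance:create", "clouddc:instance:list"]}
  ]
}
""")


def _action_matches(patterns, action):
    """Case-sensitive wildcard match ('*' only), e.g. 'clouddc:instance:*'."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every listed key must be present in the
    request context and equal one of the allowed values. A missing key fails
    closed, so a request without a region tag never satisfies the condition."""
    for key, allowed in condition.get("StringEquals", {}).items():
        values = allowed if isinstance(allowed, list) else [allowed]
        if context.get(key) not in values:
            return False
    return True


def is_allowed(policy, action, context=None):
    """Evaluate one policy document for one action and request context.

    A matching Deny wins immediately; a matching Allow whose condition holds
    sets the decision to allow; with no applicable statement the default is
    deny.
    """
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    beijing4 = {"g:RequestTag/region": "cn-north-4"}
    other_region = {"g:RequestTag/region": "cn-east-3"}
    print(is_allowed(IDENTITY_POLICY, "clouddc:instance:create", beijing4))
    print(is_allowed(IDENTITY_POLICY, "clouddc:instance:create", other_region))
    print(is_allowed(IDENTITY_POLICY, "clouddc:instance:delete", beijing4))
```

The identity policy grants the whole `clouddc:instance:*` family only when the request carries one of the two region tags, and the unconditional Deny keeps `delete` and `deleteBatch` out of reach everywhere; the role/policy document has no way to express the region and so relies entirely on the scope it is assigned in.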
Actions
CloudDC provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called in a custom policy.
- Actions: added to a custom policy to control permissions for specific operations.
- Dependencies: actions that a specific action depends on. When allowing an action for a user, you must also allow every action it depends on.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?
CloudDC supports the following actions that can be defined in custom policies.
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Updating an intelligent rack | PUT /api/v1/{project_id}/iracks/{irack_id} | clouddc:irack:update | Supported | Not supported |
| Querying the intelligent rack list | GET /api/v1/{project_id}/iracks | clouddc:irack:list | Supported | Not supported |
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Modifying the IDC description | PUT /api/v1/{project_id}/idcs | clouddc:idc:update | Supported | Not supported |
| Querying the IDC list | GET /api/v1/{project_id}/idcs | clouddc:idc:list | Supported | Not supported |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch querying physical servers | GET /v1/{project_id}/physicalservers | clouddc:imetal:listServer | Supported | Not supported |
| Querying information about physical servers | GET /v1/{project_id}/physicalservers/{id} | clouddc:imetal:getServer | Supported | Not supported |
| Obtaining the console address | GET /v1/{project_id}/physicalservers/{id}/remote-console-address | clouddc:imetal:createRemoteConsoleLink | Supported | Not supported |
| Querying the server hardware details | GET /v1/{project_id}/physicalservers/{id}/hardware-attributes | clouddc:imetal:getHardwareAttribute | Supported | Not supported |
| Querying the firmware details | GET /v1/{project_id}/physicalservers/{id}/firmware-attributes | clouddc:imetal:getFirmwareAttribute | Supported | Not supported |
| Batch modifying the power statuses of physical servers | PUT /v1/{project_id}/physicalservers/power-state | clouddc:imetal:updatePowerStatus | Supported | Not supported |
| Exporting server logs | POST /v1/{project_id}/physicalservers/{id}/logs/exports | clouddc:imetal:createDumpLog | Supported | Not supported |
| Querying the export status of logs | GET /v1/{project_id}/physicalservers/{id}/logs/exports/{export_id} | clouddc:imetal:getDumpLogProgress | Supported | Not supported |
| Downloading a log file | GET /v1/{project_id}/physicalservers/{id}/logs/exports/{export_id}/content | clouddc:imetal:createDownloadLog | Supported | Not supported |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch creating instances | POST /v1/{project_id}/instances/batch-create | clouddc:instance:createBatch | Supported | Not supported |
| Creating an instance | POST /v1/{project_id}/instances | clouddc:instance:create | Supported | Not supported |
| Batch querying instances | GET /v1/{project_id}/instances | clouddc:instance:list | Supported | Not supported |
| Batch deleting instances | POST /v1/{project_id}/instances/batch-delete | clouddc:instance:deleteBatch | Supported | Not supported |
| Querying instance status | GET /v1/{project_id}/instances/{id}/status | clouddc:instance:get | Supported | Not supported |
| Batch reinstalling OSs | PUT /v1/{project_id}/instances/reinstall | clouddc:instance:reinstallOS | Supported | Not supported |
| Batch changing instance passwords | PUT /v1/{project_id}/instances/password | clouddc:instance:changePassword | Supported | Not supported |
| Deleting instances | DELETE /v1/{project_id}/instances/{id} | clouddc:instance:delete | Supported | Not supported |
| Changing the IP address of an instance | PUT /v1/{project_id}/instances/{id}/ip | clouddc:imetal:updateIP | Supported | Not supported |
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Obtaining server overview | GET /v1/{project_id}/physicalservers/status | clouddc::listStatus | Supported | Not supported |
| Obtaining server alarm overview | GET /v1/{project_id}/physicalservers/alarms/summary | clouddc::listAlarmStat | Supported | Not supported |
| Obtaining server alarm trend | GET /v1/{project_id}/physicalservers/alarms/trend | clouddc::listAlarmTrend | Supported | Not supported |
| Obtaining server alarm list | GET /v1/{project_id}/physicalservers/alarms | clouddc::listAlarm | Supported | Not supported |
| Obtaining server event list | GET /v1/{project_id}/physicalservers/events | clouddc::listEvent | Supported | Not supported |
| Querying event definitions | GET /v1/{project_id}/physicalservers/events/{event_id} | clouddc::listIEventDicts | Supported | Not supported |
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch creating rack tags | POST https://www.example.com/v1/{project_id}/iracks/{id}/tags/create | clouddc:irack:tagResource | Supported | Not supported |
| Batch deleting rack tags | POST https://www.example.com/v1/{project_id}/iracks/{id}/tags/delete | clouddc:irack:unTagResource | Supported | Not supported |
| Batch creating resource tags | POST /v1/{project_id}/{resource_type}/{resource_id}/tags/create | clouddc::tagResource | Supported | Not supported |
| Batch deleting tags from a resource | POST /v1/{project_id}/{resource_type}/{resource_id}/tags/delete | clouddc::unTagResource | Supported | Not supported |
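Before attaching a custom policy it is worth checking it against the action list above, because a mistyped action grants nothing without any error, and a wildcard such as `clouddc:imetal:*` reaches power control and IP changes as well as the queries the author probably had in mind. The script below is an added example, not Huawei Cloud tooling: `CATALOG` is transcribed from the tables on this page (action to HTTP method of the API it controls), the candidate policy and its `"Version": "1.1"` layout are constructed, and using the HTTP method as the read-versus-write signal is this example's own heuristic rather than anything IAM exposes.

```python
"""Lint a CloudDC custom policy against the action catalogue (added example).

Not Huawei Cloud tooling. CATALOG is transcribed from the action tables on the
page (action -> HTTP method of the API it controls); the candidate policy and
its "Version": "1.1" layout are constructed, and treating non-GET APIs as
writes is this example's heuristic.
"""
import fnmatch

CATALOG = {
    "clouddc:irack:update": "PUT",
    "clouddc:irack:list": "GET",
    "clouddc:idc:update": "PUT",
    "clouddc:idc:list": "GET",
    "clouddc:imetal:listServer": "GET",
    "clouddc:imetal:getServer": "GET",
    "clouddc:imetal:createRemoteConsoleLink": "GET",
    "clouddc:imetal:getHardwareAttribute": "GET",
    "clouddc:imetal:getFirmwareAttribute": "GET",
    "clouddc:imetal:updatePowerStatus": "PUT",
    "clouddc:imetal:createDumpLog": "POST",
    "clouddc:imetal:getDumpLogProgress": "GET",
    "clouddc:imetal:createDownloadLog": "GET",
    "clouddc:instance:createBatch": "POST",
    "clouddc:instance:create": "POST",
    "clouddc:instance:list": "GET",
    "clouddc:instance:deleteBatch": "POST",
    "clouddc:instance:get": "GET",
    "clouddc:instance:reinstallOS": "PUT",
    "clouddc:instance:changePassword": "PUT",
    "clouddc:instance:delete": "DELETE",
    "clouddc:imetal:updateIP": "PUT",
    "clouddc::listStatus": "GET",
    "clouddc::listAlarmStat": "GET",
    "clouddc::listAlarmTrend": "GET",
    "clouddc::listAlarm": "GET",
    "clouddc::listEvent": "GET",
    "clouddc::listIEventDicts": "GET",
    "clouddc:irack:tagResource": "POST",
    "clouddc:irack:unTagResource": "POST",
    "clouddc::tagResource": "POST",
    "clouddc::unTagResource": "POST",
}

# GET-backed but not a harmless read: it hands out a remote console address,
# so a view-only policy should not reach it (this example's classification).
SENSITIVE = {"clouddc:imetal:createRemoteConsoleLink"}


def expand(patterns):
    """Resolve wildcard action patterns to the concrete catalogue actions."""
    return sorted(a for a in CATALOG
                  if any(fnmatch.fnmatchcase(a, p) for p in patterns))


def lint_read_only(policy):
    """Return (unknown_patterns, escalations) for a policy meant to be view-only.

    unknown_patterns: Action entries matching nothing in the catalogue, which
      is usually a typo that silently grants nothing and hides a gap.
    escalations: concrete actions an Allow statement reaches that are backed
      by a non-GET API or listed in SENSITIVE. Deny statements are not
      subtracted on purpose: the lint reports everything an Allow can reach.
    """
    unknown, escalations = set(), set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in stmt["Action"]:
            matched = expand([pattern])
            if not matched:
                unknown.add(pattern)
            escalations.update(a for a in matched
                               if CATALOG[a] != "GET" or a in SENSITIVE)
    return sorted(unknown), sorted(escalations)


# Constructed candidate: the author meant "view-only" but used a wildcard on
# the imetal family and mistyped the rack action.
READ_ONLY_CANDIDATE = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "clouddc:imetal:*",
                "clouddc:instance:list",
                "clouddc:instance:get",
                "clouddc::list*",
                "clouddc:irack:lst",
            ],
        }
    ],
}


if __name__ == "__main__":
    unknown, escalations = lint_read_only(READ_ONLY_CANDIDATE)
    print("unknown actions:", unknown)
    print("reaches beyond view-only:", escalations)
```

Run against the constructed candidate, the lint reports `clouddc:irack:lst` as unknown and lists `updatePowerStatus`, `updateIP`, `createDumpLog` and `createRemoteConsoleLink` as actions the `clouddc:imetal:*` wildcard reaches beyond plain queries; the fix is to replace the wildcard with the explicit `list*`/`get*` actions from the table.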