Policy-Based Authorization
This section describes the actions supported by CSS in terms of policy-based authorization.
Supported Actions
CSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Actions supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a custom policy.
- Actions: added to a custom policy to control permissions for specific operations.
- Related actions: actions that a specific action depends on. When assigning permissions for the action to a user, you also need to assign permissions for the dependent actions.
- IAM or enterprise projects: type of projects for which an action will take effect. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect for IAM. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.
CSS supports the following actions that can be defined in custom policies:
- Cluster Management: includes actions supported by CSS cluster management, such as the APIs for creating clusters, scaling out clusters, viewing cluster details, and obtaining instance specifications.
- Custom Word Dictionaries: includes actions supported by the CSS custom word dictionaries, such as loading a custom word dictionary, querying the word dictionary status, and deleting a custom word dictionary.
- Kibana Public Access: includes actions supported by Kibana public access, such as enabling, disabling, and modifying Kibana public access.
- Managing Logs: includes actions supported by CSS log management, such as enabling, disabling, modifying, and querying logs.
- Public IP Address: includes actions supported by CSS public network access, such as the APIs for enabling, disabling, and modifying public network access.
- Snapshot Management: includes actions supported by the CSS snapshot function, such as data backup and restoration. You can use APIs to create, restore, and delete snapshots.
- Endpoints: includes actions supported by CSS VPC endpoint services, such as the APIs for enabling and disabling the VPC endpoint service, obtaining a VPC endpoint service connection, and updating a VPC endpoint service connection.
- Parameter Settings: includes actions supported by CSS parameter configuration, such as the API for modifying cluster parameter configurations.
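
An added example (not part of the CSS documentation): a small auditor that reports which exposure-related or destructive CSS actions, taken from the tables on this page, a custom policy effectively grants. It assumes the IAM custom policy JSON layout (`Version`, `Statement`, `Effect`, `Action`), `*` wildcards in action names, and Deny taking precedence over Allow; the `SENSITIVE` selection and `SAMPLE_POLICY` are constructed for illustration.

```python
import fnmatch

# Actions copied from this page's tables. Treating these particular ones as
# sensitive is this example's assumption, not a CSS classification.
SENSITIVE = {
    "css:publicIPAddress:associates": "enables public network access",
    "css:publicKibana:open": "enables Kibana public access",
    "css:publicIPAddress:setAccessControl": "changes or disables whitelists",
    "css:cluster:modifySecurityGroup": "changes the security group",
    "css:cluster:changeMode": "changes the security mode",
    "css:cluster:modifyPassword": "resets the cluster password",
    "css:log:enableOrDisableLogFunction": "disables logging",
    "css:snapshot:delete": "deletes snapshots",
    "css:cluster:delete": "deletes clusters",
}

def _matches(patterns, action):
    # Assumed wildcard semantics: "*" matches any run of characters.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def effective_sensitive(policy):
    """Return {action: reason} for sensitive actions allowed and not denied."""
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow":
            allow.extend(actions)
        elif stmt.get("Effect") == "Deny":
            deny.extend(actions)
    # Assumed evaluation order: an explicit Deny overrides any Allow.
    return {a: why for a, why in SENSITIVE.items()
            if _matches(allow, a) and not _matches(deny, a)}

# Constructed sample: a "backup operator" policy that is broader than intended.
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["css:cluster:list", "css:cluster:get",
                                       "css:snapshot:*", "css:publicIPAddress:*"]},
        {"Effect": "Deny", "Action": ["css:publicIPAddress:associates"]},
    ],
}

if __name__ == "__main__":
    for action, why in sorted(effective_sensitive(SAMPLE_POLICY).items()):
        print(f"{action}: {why}")
```

For the sample policy, the wildcards still grant snapshot deletion and whitelist changes even though enabling public access is explicitly denied.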
Cluster Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Creating a cluster | POST /v1.0/{project_id}/clusters | css:cluster:create | √ | √ |
| Querying a cluster list | GET /v1.0/{project_id}/clusters | css:cluster:list | √ | √ |
| Querying cluster details | GET /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:get | √ | √ |
| Deleting a cluster | DELETE /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:delete | √ | √ |
| Changing the billing mode of a cluster from pay-per-use to yearly/monthly | POST /v1.0/{project_id}/cluster/{cluster_id}/period | css:cluster:create | √ | √ |
| Changing a cluster name | POST /v1.0/{project_id}/clusters/{cluster_id}/changename | css:cluster:modifyName | √ | √ |
| Changing the password | POST /v1.0/{project_id}/clusters/{cluster_id}/password/reset | css:cluster:modifyPassword | √ | √ |
| Restarting a cluster | POST /v1.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | √ | √ |
| Scaling out a cluster | POST /v1.0/{project_id}/clusters/{cluster_id}/extend | css:cluster:scaleOut | √ | √ |
| Adding instances and expanding instance storage capacity | POST /v1.0/{project_id}/clusters/{cluster_id}/role_extend | css:cluster:expand | √ | √ |
| Modifying resource specifications | POST /v1.0/{project_id}/clusters/{cluster_id}/flavor | css:cluster:modifySpecifications | √ | √ |
| Obtaining the instance specifications list | GET /v1.0/{project_id}/es-flavors | css:cluster:listFlavors | √ | √ |
| Querying all tags | GET /v1.0/{project_id}/{resource_type}/tags | css:tag:list | √ | √ |
| Querying tags of a specified cluster | GET /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:get | √ | √ |
| Adding tags to a cluster | POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:edit | √ | √ |
| Deleting a tag | DELETE /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key} | css:tag:delete | √ | √ |
| Adding or deleting cluster tags in batches | POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action | css:tag:addOrDelete | √ | √ |
| Changing the specifications of a specified node type | POST /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor | css:cluster:modifySpecifications | √ | √ |
| Scaling in a cluster by removing specific nodes | POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline | css:cluster:shrinkNodes | √ | √ |
| Scaling in nodes of a specific type | POST /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink | css:cluster:scaleIn | √ | √ |
| Downloading the security certificate | GET /v1.0/{project_id}/cer/download | css:cluster:downloadCert | √ | √ |
| Replacing nodes | PUT /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace | css:cluster:upgradeCluster | √ | √ |
| Changing the security mode | POST /v1.0/{project_id}/clusters/{cluster_id}/mode/change | css:cluster:changeMode | √ | √ |
| Adding Master and Client Nodes | POST /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent | css:cluster:addIndependenceNodes | √ | √ |
| Changing the security group | POST /v1.0/{project_id}/clusters/{cluster_id}/sg/change | css:cluster:modifySecurityGroup | √ | √ |
| Creating a cluster (V2) | POST /v2.0/{project_id}/clusters | css:cluster:create | √ | √ |
| Restarting a cluster (V2) | POST /v2.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | √ | √ |
| Rolling restart | POST /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart | css:cluster:rollingReboot | √ | √ |

Custom Word Dictionaries

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Loading a custom word dictionary | POST /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:load | √ | √ |
| Querying the status of a custom word dictionary | GET /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:get | √ | √ |
| Deleting a custom word dictionary | DELETE /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:delete | √ | √ |

Kibana Public Access

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Enabling Kibana public access | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open | css:publicKibana:open | √ | √ |
| Disabling Kibana public access | PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close | css:publicKibana:close | √ | √ |
| Modifying the Kibana public network bandwidth | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth | css:publicIPAddress:modifyBandwidth | √ | √ |
| Modifying Kibana public network access control | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update | css:publicIPAddress:setAccessControl | √ | √ |
| Disabling Kibana public network access control | PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close | css:publicIPAddress:setAccessControl | √ | √ |

Managing Logs

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Enabling logging | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/open | css:cluster:openLogSetting | √ | √ |
| Disabling logging | PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/close | css:log:enableOrDisableLogFunction | √ | √ |
| Querying a job list | GET /v1.0/{project_id}/clusters/{cluster_id}/logs/records | css:log:listJob | √ | √ |
| Querying basic log configurations | GET /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:getBasicConfigurations | √ | √ |
| Modifying basic log configurations | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:setBasicConfigurations | √ | √ |
| Enabling the automatic log backup policy | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update | css:log:updateBackupPolicy | √ | √ |
| Disabling the automatic log backup policy | PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close | css:log:updateBackupPolicy | √ | √ |
| Backing up logs | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/collect | css:log:backup | √ | √ |
| Querying logs | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/search | css:log:list | √ | √ |

Public IP Address

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Enabling public network access | POST /v1.0/{project_id}/clusters/{cluster_id}/public/open | css:publicIPAddress:associates | √ | √ |
| Disabling public network access | PUT /v1.0/{project_id}/clusters/{cluster_id}/public/close | css:publicIPAddress:disassociates | √ | √ |
| Modifying public network access bandwidth | POST /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth | css:publicIPAddress:modifyBandwidth | √ | √ |
| Enabling the public network access whitelist | POST /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update | css:publicIPAddress:setAccessControl | √ | √ |
| Disabling the public network access whitelist | PUT /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close | css:publicIPAddress:setAccessControl | √ | √ |

Snapshot Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| (Not recommended) Automatically configuring basic settings of a cluster snapshot | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting | css:snapshot:enableAtomaticSnapsot | √ | √ |
| Modifying basic configurations of a cluster snapshot | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting | css:snapshot:setSnapshotContiguration | √ | √ |
| Manually creating a snapshot | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot | css:snapshot:create | √ | √ |
| Restoring a snapshot | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore | css:snapshot:restore | √ | √ |
| Deleting a snapshot | DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id} | css:snapshot:delete | √ | √ |
| Setting the automatic snapshot creation policy | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:setSnapshotPolicy | √ | √ |
| Querying the automatic snapshot creation policy | GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:getSnapshotPolicy | √ | √ |
| Querying the snapshot list | GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:list | √ | √ |
| Disabling the snapshot function | DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:disableSnapshotFuction | √ | √ |
| Enabling automatic snapshot creation | POST /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open | css:snapshot:setSnapshotPolicy | √ | √ |
| Disabling automatic snapshot creation | PUT /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close | css:snapshot:setSnapshotPolicy | √ | √ |

Endpoints

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Enabling the VPC endpoint service | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open | css:VPCEndpoint:enableOrDisable | √ | √ |
| Disabling the VPC endpoint service | PUT /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close | css:VPCEndpoint:enableOrDisable | √ | √ |
| Obtaining an endpoint connection | GET /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:listConnection | √ | √ |
| Updating an endpoint connection | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:manageConnection | √ | √ |
| Modifying the endpoint service whitelist | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions | css:VPCEndpoint:updateWhitelist | √ | √ |

Parameter Settings

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Modifying parameter configurations | POST /v1.0/{project_id}/clusters/{cluster_id}/ymls/update | css:configurations:modify | √ | √ |
| Obtaining the task list of parameter configurations | GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists | css:configurations:list | √ | √ |
| Obtaining the parameter configuration list | GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/template | css:configurations:get | √ | √ |