Actions Supported by Policy-based Authorization
This section describes the actions supported by DMS for Kafka in policy-based authorization.
Supported Actions
System-defined policies that can be directly used in IAM are provided. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations
- APIs: REST APIs that can be called by a user who has been granted specific permissions
- Actions: specific operations that are allowed or denied in a custom policy
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.
DMS for Kafka supports the following actions in custom policies:
- Lifecycle management actions, including actions supported by Kafka instance lifecycle management APIs, such as the APIs for creating an instance, querying the instance list, modifying instance information, and batch restarting or deleting instances.
- Instance management actions, including actions supported by Kafka instance management APIs, such as the APIs for resetting passwords and querying Kafka cluster metadata.
- Smart Connect actions, including actions supported by Smart Connect APIs, such as the APIs for enabling or disabling Smart Connect and creating a Smart Connect task.
- Specification modification management actions, including actions supported by specification modification management APIs, such as the APIs for scaling up an instance and querying the product information for instance specification modification.
- Topic management actions, including actions supported by topic management APIs, such as the APIs for creating, querying, and modifying topics.
- Consumer group management actions, including actions supported by consumer group management APIs, such as the APIs for creating, querying, and deleting consumer groups.
- User management actions, including actions supported by user management APIs, such as the APIs for creating users, querying users, and configuring user permissions.
- Message management actions, including actions supported by message management APIs, such as the APIs for querying and deleting messages.
- Background task management actions, including actions supported by background task management APIs, such as the APIs for querying the background task list of an instance and querying a specified background task.
- Tag management actions, including actions supported by tag management APIs, such as the APIs for querying instance tags and project tags.
- Diagnosis management actions, including actions supported by diagnosis management APIs, such as the APIs for creating a message stack diagnosis task and querying a diagnosis report list.
- Others, including actions supported by APIs for querying the maintenance time window and querying AZs.
Lifecycle Management
| Permission | API | Action | IAM (Project) | Enterprise (Enterprise Project) |
|---|---|---|---|---|
| Creating an instance | POST /v2/{project_id}/kafka/instances | dms:instance:create | √ | √ |
| Querying the instance list | GET /v2/{project_id}/instances | dms:instance:list | √ | √ |
| Querying an instance | GET /v2/{project_id}/instances/{instance_id} | dms:instance:get | √ | √ |
| Deleting an instance | DELETE /v2/{project_id}/instances/{instance_id} | dms:instance:delete | √ | √ |
| Modifying an instance | PUT /v2/{project_id}/instances/{instance_id} | dms:instance:modify | √ | √ |
| Batch restarting or deleting instances | POST /v2/{project_id}/instances/action | Restart: dms:instance:modifyStatus; Delete: dms:instance:delete | √ | √ |
| Obtaining Instance Configurations | GET /v2/{project_id}/instances/{instance_id}/configs | dms:instance:get | √ | √ |
| Modifying Instance Configurations | PUT /v2/{project_id}/instances/{instance_id}/configs | dms:instance:modify | √ | √ |
| Upgrading an Instance | POST /v2/{project_id}/kafka/instances/{instance_id}/upgrade | dms:instance:modify | √ | √ |
| Querying the Kafka Instance Version | GET /v2/{project_id}/kafka/instances/{instance_id}/upgrade | dms:instance:get | √ | √ |
Instance Management
| Permission | API | Action | IAM (Project) | Enterprise (Enterprise Project) |
|---|---|---|---|---|
| Resetting a password | POST /v2/{project_id}/instances/{instance_id}/password | dms:instance:resetAuthInfo | √ | √ |
| Resetting the Kafka Manager password | PUT /v2/{project_id}/instances/{instance_id}/kafka-manager-password | dms:instance:resetAuthInfo | √ | √ |
| Restarting Kafka Manager | PUT /v2/{project_id}/instances/{instance_id}/restart-kafka-manager | dms:instance:modifyStatus | √ | √ |
| Modifying the private IP address for cross-VPC access | POST /v2/{project_id}/instances/{instance_id}/crossvpc/modify | dms:instance:modify | √ | √ |
| Querying Kafka Cluster Metadata | GET /v2/{project_id}/instances/{instance_id}/management/cluster | dms:instance:get | √ | √ |
| Querying Coordinator Details of a Kafka Instance | GET /v2/{project_id}/instances/{instance_id}/management/coordinators | dms:instance:get | √ | √ |
| Modifying Kafka Access Modes | POST /v2/{project_id}/{engine}/instances/{instance_id}/plain-ssl-switch | dms:ssl | √ | √ |
| Querying the Disk Usage Status of Topics | GET /v2/{project_id}/instances/{instance_id}/topics/diskusage | dms:instance:get | √ | √ |
| Disabling Kafka Manager | DELETE /v2/{project_id}/kafka/instances/{instance_id}/management | dms:instance:modify | √ | √ |
| Restoring Instances from the Recycle Bin | POST /v2/{project_id}/recycle | dms:instance:modify | √ | √ |
| Querying the Recycle Bin Instance List | GET /v2/{project_id}/recycle | dms:instance:get | √ | √ |
| Updating the Recycle Bin Policy | PUT /v2/{project_id}/recycle | dms:instance:modify | √ | √ |
| Querying Kafka Instance Rebalancing Log Details | GET /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:get | √ | √ |
| Enabling Kafka Instance Rebalancing Logging | POST /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:modify | √ | √ |
| Disabling Kafka Instance Rebalancing Logging | DELETE /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:modify | √ | √ |
| Configuring Public Access to a Kafka Instance | POST /v1/{project_id}/instances/{instance_id}/public-boundwidth | dms:instance:modify | √ | √ |
| Querying Kafka Cluster Information | GET /v2/{project_id}/instances/{instance_id}/manage/cluster | dms:instance:get | √ | √ |
Smart Connect
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Resource Information Required for Enabling Smart Connect | GET /v2/{project_id}/instances/{instance_id}/connector | dms:instance:get | √ | √ |
| Enabling Smart Connect | POST /v2/{project_id}/instances/{instance_id}/connector | dms:instance:connector | √ | √ |
| Disabling Smart Connect | POST /v2/{project_id}/kafka/instances/{instance_id}/delete-connector | dms:instance:connector | √ | √ |
| Creating a Smart Connect task | POST /v2/{project_id}/instances/{instance_id}/connector/tasks | dms:instance:createConnectorSinkTask | √ | √ |
| Listing Smart Connect tasks | GET /v2/{project_id}/instances/{instance_id}/connector/tasks | dms:instance:listConnectorSinkTask | √ | √ |
| Querying Smart Connect task details | GET /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:getConnectorSinkTask | √ | √ |
| Deleting Smart Connect tasks | DELETE /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:deleteConnectorSinkTask | √ | √ |
| Modifying the Smart Connect Task Configuration | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:modifyConnectorSinkTask | √ | √ |
| Verifying Connector Connectivity | POST /v2/{project_id}/instances/{instance_id}/connector/validate | dms:instance:connector | √ | √ |
| Pausing Smart Connect tasks | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/pause | dms:instance:updateConnectorTask | √ | √ |
| Restarting Smart Connect tasks | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/resume | dms:instance:updateConnectorTask | √ | √ |
| Starting a Smart Connect task or restarting a paused or running Smart Connect task | PUT /v2/{project_id}/kafka/instances/{instance_id}/connector/tasks/{task_id}/restart | dms:instance:updateConnectorTask | √ | √ |
| Querying the OBS Bucket List | GET /v1.0/dms/obs/buckets | dms:instance:get | √ | √ |
Specification Modification Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Increasing Instance Specifications | POST /v2/{project_id}/kafka/instances/{instance_id}/extend | dms:instance:scale | √ | √ |
| Querying Product Information for Instance Specification Modification | GET /v2/{project_id}/kafka/instances/{instance_id}/extend | dms:instance:get | √ | √ |
| Querying the Automatic Disk Storage Expansion Configuration | GET /v2/{project_id}/instances/{instance_id}/auto-volume-expand | dms:instance:get | √ | √ |
| Modifying the Automatic Disk Storage Expansion Configuration | PUT /v2/{project_id}/instances/{instance_id}/auto-volume-expand | dms:instance:scale | √ | √ |
| Obtaining Pre-check Information Before Expanding a Kafka Instance | GET /v2/{project_id}/kafka/instances/{instance_id}/extend-check | dms:instance:get | √ | √ |
Topic Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Configuring Automatic Topic Creation | POST /v2/{project_id}/instances/{instance_id}/autotopic | dms:instance:modify | √ | √ |
| Producing Messages to Kafka | POST /v2/{project_id}/instances/{instance_id}/messages/action | dms:instance:modify | √ | √ |
| Creating a Topic in a Kafka Instance | POST /v2/{project_id}/instances/{instance_id}/topics | dms:instance:modify | √ | √ |
| Querying a topic in a Kafka instance | GET /v2/{project_id}/instances/{instance_id}/topics | dms:instance:get | √ | √ |
| Modifying topics of a Kafka instance | PUT /v2/{project_id}/instances/{instance_id}/topics | dms:instance:modify | √ | √ |
| Obtaining Kafka Topic Details | GET /v2/kafka/{project_id}/instances/{instance_id}/topics-detail/{topic} | dms:instance:get | √ | √ |
| Deleting topics in a Kafka instance in batches | POST /v2/{project_id}/instances/{instance_id}/topics/delete | dms:instance:modify | √ | √ |
| Querying the Partition List of a Topic | GET /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/partitions | dms:instance:get | √ | √ |
| Querying the Current Producer List of a Topic | GET /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/producers | dms:instance:get | √ | √ |
| Deleting Topic Quotas | DELETE /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Creating a Topic Quota | POST /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Modifying Topic Quotas | PUT /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Querying Topic Quotas | GET /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:get | √ | √ |
| Initiating Partition Reassignment for a Kafka Instance | POST /v2/{project_id}/kafka/instances/{instance_id}/reassign | dms:instance:modify | √ | √ |
Managing Consumer Groups
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Consumer Group Details | GET /v2/{project_id}/instances/{instance_id}/management/groups/{group} | dms:instance:get | √ | √ |
| Querying All Consumer Groups | GET /v2/{project_id}/instances/{instance_id}/groups | dms:instance:get | √ | √ |
| Deleting Consumer Groups of a Kafka Instance in Batches | POST /v2/{project_id}/instances/{instance_id}/groups/batch-delete | dms:instance:modify | √ | √ |
| Creating a Consumer Group | POST /v2/{project_id}/kafka/instances/{instance_id}/group | dms:instance:modify | √ | √ |
| Resetting a consumer group offset to the specified position | PUT /v2/kafka/{project_id}/instances/{instance_id}/groups/{group}/reset-message-offset | dms:instance:modify | √ | √ |
| Querying the Offset of a Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/message-offset | dms:instance:get | √ | √ |
| Modifying All Consumer Groups | PUT /v2/{engine}/{project_id}/instances/{instance_id}/groups | dms:instance:modify | √ | √ |
| Querying a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:get | √ | √ |
| Deleting a Specified Consumer Group | DELETE /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:modify | √ | √ |
| Modifying a Specified Consumer Group | PUT /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:modify | √ | √ |
| Querying Topics of a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/topics | dms:instance:get | √ | √ |
| Deleting Consumer Offset in a Specified Topic | POST /v2/kafka/{project_id}/instances/{instance_id}/groups/{group}/delete-offset | dms:instance:modify | √ | √ |
| Querying Consumers in a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/members | dms:instance:get | √ | √ |
User Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Deleting a User or Client Quota | DELETE /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Querying User or Client Quotas | GET /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:get | √ | √ |
| Creating User or Client Quotas | POST /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Modifying User or Client Quotas | PUT /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Querying the user list | GET /v2/{project_id}/instances/{instance_id}/users | dms:instance:get | √ | √ |
| Creating a user | POST /v2/{project_id}/instances/{instance_id}/users | dms:instance:modify | √ | √ |
| Deleting users in batches | PUT /v2/{project_id}/instances/{instance_id}/users | dms:instance:modify | √ | √ |
| Resetting a user password | PUT /v2/{project_id}/instances/{instance_id}/users/{user_name} | dms:instance:get | √ | √ |
| Modifying User Parameters | PUT /v2/{engine}/{project_id}/instances/{instance_id}/users/{user_name} | dms:instance:modify | √ | √ |
| Querying user permissions | GET /v1/{project_id}/instances/{instance_id}/topics/{topic_name}/accesspolicy | dms:instance:get | √ | √ |
| Granting user permissions | POST /v1/{project_id}/instances/{instance_id}/topics/accesspolicy | dms:instance:modify | √ | √ |
Message Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying messages | GET /v2/{project_id}/instances/{instance_id}/messages | dms:instance:get | √ | √ |
| Querying a Message with the Specified Offset | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/message | dms:instance:get | √ | √ |
| Querying a Message with the Specified Time Period | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/messages | dms:instance:get | √ | √ |
| Querying the Offset of the Earliest Message in a Partition | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/beginning-message | dms:instance:get | √ | √ |
| Querying the Offset of the Latest Message in a Partition | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/end-message | dms:instance:get | √ | √ |
| Deleting Kafka Messages | POST /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/messages/delete | dms:instance:modify | √ | √ |
Background Task Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Listing background tasks | GET /v2/{project_id}/instances/{instance_id}/tasks | dms:instance:getBackgroundTask | √ | √ |
| Querying a background task | GET /v2/{project_id}/instances/{instance_id}/tasks/{task_id} | dms:instance:getBackgroundTask | √ | √ |
| Deleting a background task | DELETE /v2/{project_id}/instances/{instance_id}/tasks/{task_id} | dms:instance:deleteBackgroundTask | √ | √ |
| Querying the Scheduled Task List of an Instance | GET /v2/{project_id}/instances/{instance_id}/scheduled-tasks | dms:instance:get | √ | √ |
| Querying the Change Progress of a Specified Instance in a Background Task | GET /v2/{project_id}/instances/{instance_id}/tasks/{task_id}/progress | dms:instance:getBackgroundTask | √ | √ |
| Deleting a Specified Scheduled Task | DELETE /v2/{project_id}/instances/{instance_id}/scheduled-tasks/{task_id} | dms:instance:modify | √ | √ |
| Modifying a Specified Scheduled Task | PUT /v2/{project_id}/instances/{instance_id}/scheduled-tasks/{task_id} | dms:instance:modify | √ | √ |
Tag Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch adding or deleting tags | POST /v2/{project_id}/kafka/{instance_id}/tags/action | dms:instance:modify | √ | √ |
| Listing tags of an instance | GET /v2/{project_id}/kafka/{instance_id}/tags | dms:instance:get | √ | √ |
| Listing tags of a project | GET /v2/{project_id}/kafka/tags | dms:instance:get | √ | √ |
Diagnosis Management
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Pre-check Before Diagnosing Message Stack | GET /v2/{project_id}/kafka/instances/{instance_id}/diagnosis-check | dms:instance:modify | √ | √ |
| Creating a Message Stack Diagnosis Task | POST /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:modify | √ | √ |
| Querying the Message Stack Diagnosis Report List | GET /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:get | √ | √ |
| Batch Deleting Message Stack Diagnosis Reports | DELETE /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:modify | √ | √ |
| Querying Diagnosis Report Details | GET /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis/{report_id} | dms:instance:get | √ | √ |
Other APIs
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Maintenance Time Windows | GET /v2/instances/maintain-windows | dms:instance:get | √ | √ |
| Querying AZ Information | GET /v2/available-zones | dms:instance:get | √ | √ |
| Querying Product Specifications | GET /v2/{engine}/products | dms:instance:get | √ | √ |
| Querying Kafka Instance Monitoring Dimensions | GET /v2/{project_id}/instances/{instance_id}/ces-hierarchy | dms:instance:get | √ | √ |
| Querying vCPUs of a Kafka Flavor | GET /v2/kafka/products/cores | dms:instance:get | √ | √ |
| Querying the Feature Switch List | GET /v2/config/features | dms:instance:get | √ | √ |
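
The tables above map many different operations onto a small number of actions. The following Python code is an added example, not part of the original documentation: it takes rows from those tables, derives the actions a role needs for a chosen set of operations, and lists the other operations that the same actions also permit. The function names and the sample role are assumptions made for illustration.

```python
import re

# First three columns of rows taken from the tables on this page (a subset).
ROWS = """\
| Querying the instance list | GET /v2/{project_id}/instances | dms:instance:list |
| Batch restarting or deleting instances | POST /v2/{project_id}/instances/action | Restart: dms:instance:modifyStatus; Delete: dms:instance:delete |
| Producing Messages to Kafka | POST /v2/{project_id}/instances/{instance_id}/messages/action | dms:instance:modify |
| Creating a Topic in a Kafka Instance | POST /v2/{project_id}/instances/{instance_id}/topics | dms:instance:modify |
| Querying a topic in a Kafka instance | GET /v2/{project_id}/instances/{instance_id}/topics | dms:instance:get |
| Deleting topics in a Kafka instance in batches | POST /v2/{project_id}/instances/{instance_id}/topics/delete | dms:instance:modify |
| Creating a user | POST /v2/{project_id}/instances/{instance_id}/users | dms:instance:modify |
| Granting user permissions | POST /v1/{project_id}/instances/{instance_id}/topics/accesspolicy | dms:instance:modify |
| Deleting Kafka Messages | POST /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/messages/delete | dms:instance:modify |
| Querying messages | GET /v2/{project_id}/instances/{instance_id}/messages | dms:instance:get |
"""

ACTION_RE = re.compile(r"dms:[A-Za-z]+(?::[A-Za-z]+)*")


def parse_rows(text):
    """Return (permission, api, [actions]) for every row that names an action."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        actions = ACTION_RE.findall(cells[2])  # a cell may list several actions
        if actions:                            # skips header and separator rows
            rows.append((cells[0], cells[1], actions))
    return rows


def actions_for(needed, rows):
    """Actions that must be allowed so every permission in `needed` works."""
    granted = set()
    for perm, _api, actions in rows:
        if perm in needed:
            granted.update(actions)
    return granted


def collateral(needed, rows):
    """Operations not asked for that the same actions also permit.

    A row counts as reachable when any of its actions is granted, because
    the batch row lists one action per operation (restart or delete).
    """
    granted = actions_for(needed, rows)
    return [(perm, api.split()[0]) for perm, api, actions in rows
            if perm not in needed and granted.intersection(actions)]


def state_changing(extra):
    """Keep only the collateral operations whose HTTP method is not GET."""
    return sorted(perm for perm, method in extra if method != "GET")


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    # Assumed sample role: may create topics and list them, nothing else.
    needed = {"Creating a Topic in a Kafka Instance",
              "Querying a topic in a Kafka instance"}
    print("allow:", sorted(actions_for(needed, rows)))
    for perm in state_changing(collateral(needed, rows)):
        print("also permitted:", perm)
```

Because topic creation, message deletion, user creation, and granting user permissions all map to `dms:instance:modify`, a custom policy cannot separate them by action; the authorization scope (IAM project or enterprise project) is the remaining control for isolating them.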
Table 13 shows fine-grained permission dependencies of DMS for Kafka.
| Permission | Description | Dependency |
|---|---|---|
| dms:instance:list | Viewing the instance list | None. |
| dms:instance:get | Viewing instance details | None. |
| dms:instance:create | Creating an instance | |
| dms:instance:getBackgroundTask | Viewing background task details | None. |
| dms:instance:deleteBackgroundTask | Deleting a background task | None. |
| dms:instance:modifyStatus | Restarting an instance | None. |
| dms:instance:resetAuthInfo | Resetting an instance password | None. |
| dms:instance:modifyAuthInfo | Changing an instance password | None. |
| dms:instance:modify | Modifying an instance | |
| dms:instance:scale | Enabling instance scale-up | |
| dms:instance:delete | Deleting an instance | None. |
| dms:instance:connector | Enabling dumping | |
| dms:instance:createConnectorSinkTask | Creating a dumping task | None. |
| dms:instance:getConnectorSinkTask | Viewing dumping task details | None. |
| dms:instance:listConnectorSinkTask | Viewing the dumping task list | None. |
| dms:instance:deleteConnectorSinkTask | Deleting a dumping task | None. |