Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Granting UCS Permissions to IAM Users

Updated on 2024-11-01 GMT+08:00

Application Scenarios

UCS allows you to grant cluster permissions to IAM users and user groups under your account, so that departments or projects can be isolated by permission policy or cluster group.

Assume that you have two project teams, each involving multiple members. Figure 1 shows how their permissions are granted.

  • During the development, project team A needs the Admin permission on fleets 1 and 2 and the Viewer permission on fleet 3.
  • During the development, project team B needs the Admin permission on fleets 1 and 3 and the Viewer permission on fleet 2.
Figure 1 Permission design

Solutions

To implement the preceding permission isolation, IAM system policies and UCS permission management must be used together. IAM system policies control the user operations allowed on the UCS console, and UCS permission management controls the fleet and cluster resources that allow for user operations.

As shown in Figure 2, authorization consists of the following steps:

  • Step 1: Authorization on the IAM console. The IAM administrator with the Tenant Administrator permission needs to create three user groups. One is the administrator user group, and the other two are user groups (group 1 and group 2) of two project teams (team A and team B). The UCS FullAccess and UCS CommonOperations permissions are granted to the user groups, respectively.
  • Step 2: Authorization on the UCS console. The UCS administrator with the UCS FullAccess permission creates the Admin and Viewer permission policies for user groups 1 and 2, and associates the permission policies with the fleet as follows:

    The Admin permission policy of user group 1 is associated with fleets 1 and 2, and the Viewer permission policy is associated with fleet 3. The Admin permission policy of user group 2 is associated with fleets 1 and 3, and the Viewer permission policy is associated with fleet 2.

Figure 2 Authorization scheme

Prerequisites

  • The account has subscribed to UCS and fleet and cluster resources have been available according to Figure 1.
  • The permission data is prepared according to Figure 2.
    Table 1 Data preparation on the IAM console

    User Group

    User

    Permission

    Administrator user group: UCS_Group_admin

    UCS_Group_admin_User1

    UCS FullAccess

    User group 1: UCS_Group_1

    UCS_Group_1_User1, UCS_Group_1_User2, ...

    UCS CommonOperations

    User group 2: UCS_Group_2

    UCS_Group_2_User1, UCS_Group_2_User2, ...

    UCS CommonOperations

    Table 2 Data preparation on the UCS console

    User Group

    User

    Permission Type

    Permission

    User group 1

    UCS_Group_1_User1, UCS_Group_1_User2, ...

    Admin

    ucs-group-1-admin

    Viewer

    ucs-group-1-readonly

    User group 2

    UCS_Group_2_User1, UCS_Group_2_User2, ...

    Admin

    ucs-group-2-admin

    Viewer

    ucs-group-2-readonly

Step 1: Authorizing the IAM Administrator

  1. Log in to the IAM console as the IAM administrator.
  2. In the navigation pane, choose User Groups. In the upper right corner, click Create User Group.
  3. In the displayed dialog box, enter the administrator user group name and description, and click OK.

    Figure 3 Creating a user group

  4. In the user group list, click Authorize in the row that contains the target user group.

    Figure 4 Granting permissions to the user group

  5. Search for and select the permission policy UCS FullAccess.

    Figure 5 Selecting the permission policy

  6. Click Next and select a scope.

    The default option All resources is selected, indicating that the IAM user will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on granted permissions.

  7. Click OK.
  8. In the navigation pane, choose Users. In the upper right corner, click Create User.

    Enter the username and initial password. For details about other parameters, see Creating an IAM User.

  9. Click Next and select the user group authorized in 4.

    Figure 6 Adding the user to the user group

  10. Click Create.
  11. Repeat the preceding steps to create and authorize other user groups and users in Table 1.

Step 2: Authorizing the UCS Administrator

  1. Log in to the UCS console as the UCS administrator. In the navigation pane, choose Permissions.
  2. In the upper right corner, click Create Permission Policy.
  3. Configure the parameters as follows:

    • Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
    • User: Select the user associated with the permission policy, that is, the IAM user created in 8. In practice, a user group may contain multiple users. When creating a permission policy, you can select all users in the user group to grant permissions in batches.
    • Type: Select Admin. It indicates the read-write permissions on all cluster resource objects.

  4. Click OK.
  5. After the permission policy is created, go to the Fleets page and click in the upper right corner of the target fleet.

    Figure 7 Associating the permission policy with the fleet

  6. In the window that slides from the right, click Set Permissions. In Update Permissions, associate the permission policy created in 3 with all namespaces of the fleet.

    Figure 8 Updating permissions

  7. Click OK. The IAM user can now log in to the UCS console to use the functions allowed by the permission policy.
  8. Repeat the preceding steps to create other permission policies in Table 2 and associate them with the fleet.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback