IAM-based Access Control
If you need to assign different permissions to employees in your enterprise to access your cloud resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access cloud resources. If your account does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use CCI resources but do not want them to delete resources or perform any other high-risk operations, you can grant permission to use CCI resources but not permission to delete them.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Huawei Cloud services depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage ECSs of a certain type. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by CCI, see Permissions Policies and Supported Actions.
IAM supports both role-based access control (RBAC) and attribute-based access control (ABAC).
RBAC is a role-based authorization model. By default, a new principal does not have any permissions. You need to assign a system-defined role, system-defined policy, or custom policy to the principal and select the authorization scope so that the principal can have the specified permissions.
ABAC is a policy-based authorization model, which offers more fine-grained, flexible access control. An administrator can tailor access control policies based on service requirements and then attach or grant the policies to a principal so that the principal can have the specified permissions The principal can then perform operations on specified cloud services.
The following table describes the differences between these two authorization models.
|
Authorization Model |
Authorization Using |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
RBAC |
Roles |
|
Granting roles or policies to principals |
It offers a simple approach to access management but is not always flexible enough. For more granular permissions control, administrators need to constantly add more roles, which may lead to role explosion. This model can work well for small and medium-sized enterprises where there is not too much work involved in maintaining roles and permissions. |
|
ABAC |
Policies |
|
|
It gives you more granular, more flexible control of your resources. There is no need to modify existing rules to accommodate new users. All administrators need to do is assign relevant attributes to the new users. However, this model can be hard to set up. It requires a certain amount of expertise. ABAC is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With RBAC, the administrator needs to create two custom policies and attach both to the IAM users. With ABAC, the administrator only needs to create one custom policy, configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. ABAC is more flexible than RBAC.
Policies and actions in the two authorization models are not interoperable. You are advised to use the ABAC authorization model. For details about system-defined permissions, see System-defined Permissions in RBAC and System-defined Permissions in ABAC.
For more information about IAM, see IAM Service Overview.
System-defined Permissions in RBAC
CCI supports RBAC. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
CCI is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for CCI resources in the selected projects. If you set Scope to All resources, the users have permissions for CCI resources in all region-specific projects. When accessing CCI, the users need to switch to the authorized region.
Table 2 lists all the system-defined permissions for CCI. System-defined policies in RBAC and ABAC are not interoperable.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
CCI FullAccess |
Full permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
System-defined policy |
|
CCI ReadOnlyAccess |
Read-only permissions for CCI. Users granted these permissions can only view CCI resources. |
System-defined policy |
|
CCI CommonOperations |
Common user permissions for CCI. Users granted these permissions can perform all operations except creating, deleting, and modifying role-based access control (RBAC) policies, networks, and resources in the namespaces. |
System-defined policy |
|
CCI Administrator |
Administrator permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
System-defined role |
Table 3 lists the common operations supported by system-defined permissions for CCI.
|
Operation |
CCI FullAccess |
CCI ReadOnlyAccess |
CCI CommonOperations |
|---|---|---|---|
|
Creating a Deployment |
√ |
x |
√ |
|
Deleting a Deployment |
√ |
x |
√ |
|
Viewing a Deployment |
√ |
√ |
√ |
|
Upgrading a workload |
√ |
x |
√ |
|
Scaling a workload |
√ |
x |
√ |
|
Deleting a pod |
√ |
x |
√ |
|
Viewing a pod |
√ |
√ |
√ |
|
Creating a job |
√ |
x |
√ |
|
Deleting a job |
√ |
x |
√ |
|
Viewing a job |
√ |
√ |
√ |
|
Creating a cron job |
√ |
x |
√ |
|
Deleting a cron job |
√ |
x |
√ |
|
Viewing cron jobs |
√ |
√ |
√ |
|
Viewing the resource usage |
√ |
√ |
√ |
|
Adding an EVS volume |
√ |
x |
√ |
|
Deleting an EVS volume |
√ |
x |
√ |
|
Viewing an EVS volume |
√ |
√ |
√ |
|
Creating a ConfigMap |
√ |
x |
√ |
|
Deleting ConfigMaps |
√ |
x |
√ |
|
Viewing a ConfigMap |
√ |
√ |
√ |
|
Creating a secret |
√ |
x |
√ |
|
Deleting a secret |
√ |
x |
√ |
|
Viewing a secret |
√ |
√ |
√ |
|
Adding an SSL certificate |
√ |
x |
√ |
|
Deleting an SSL certificate |
√ |
x |
√ |
|
Viewing an SSL certificate |
√ |
√ |
√ |
|
Adding log storage |
√ |
x |
√ |
|
Viewing logs |
√ |
√ |
√ |
|
Installing an add-on |
√ |
x |
√ |
|
Deleting an add-on |
√ |
x |
√ |
|
Viewing an add-on |
√ |
√ |
√ |
|
Viewing permissions |
√ |
√ |
√ |
|
Granting permissions |
√ |
x |
x |
|
Canceling permissions |
√ |
x |
x |
|
Querying a specified namespace |
√ |
√ |
√ |
|
Creating a namespace |
√ |
x |
x |
|
Deleting a namespace |
√ |
x |
x |
|
Creating a network |
√ |
x |
x |
|
Deleting a network |
√ |
x |
x |
|
Listing all networks |
√ |
√ |
√ |
|
Viewing a network |
√ |
√ |
√ |
System-defined Permissions in ABAC
CCI supports ABAC. Table 4 lists all the system-defined policies for CCI with ABAC. System-defined policies in RBAC and ABAC are not interoperable.
|
Policy Name |
Description |
Type |
|---|---|---|
|
CCIFullAccessPolicy |
Full permissions for CCI |
System-defined policy |
|
CCIReadOnlyPolicy |
Read-only permissions for CCI |
System-defined policy |
Table 5 lists the common operations supported by system-defined policies for CCI.
|
Operation |
CCIFullAccessPolicy |
CCIReadOnlyPolicy |
|---|---|---|
|
Creating a pod |
√ |
x |
|
Deleting a pod |
√ |
x |
|
Viewing a pod |
√ |
√ |
|
Viewing the resource usage |
√ |
√ |
|
Creating a ConfigMap |
√ |
x |
|
Deleting a ConfigMap |
√ |
x |
|
Viewing a ConfigMap |
√ |
√ |
|
Creating a secret |
√ |
x |
|
Deleting a secret |
√ |
x |
|
Viewing a secret |
√ |
√ |
|
Viewing logs |
√ |
√ |
|
Querying a specified namespace |
√ |
√ |
|
Creating a namespace |
√ |
x |
|
Deleting a namespace |
√ |
x |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
