Permissions
If you need to grant your enterprise personnel permission to access your SWR resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use SWR resources but not be able to delete the resources or perform any other high-risk operations, you can create IAM users and grant permission to use SWR resources but not permission to delete them.
If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between the two authorization models.
|
Authorization Model |
Core Relationship |
Permissions |
Authorization Method |
Description |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
User-policy |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to use SWR in CN North-Beijing4 and CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy, configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see System-defined Permissions in Role/Policy-based Authorization and System-defined Permissions in Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
System-defined Permissions in Role/Policy-based Authorization
SWR supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
SWR is a project-level service deployed for specific regions. To assign SWR permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing SWR, the users need to switch to a region where they have been authorized to use this service.
Table 1 lists all the system-defined permissions for SWR. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
SWR provides two editions: Basic Edition and Enterprise Edition. Specific permissions are described in the following tables.
Permissions for SWR Basic Edition
|
Policy |
Description |
Type |
|---|---|---|
|
SWR FullAccess |
Full permissions for SWR |
System-defined policy |
|
SWR OperateAccess |
Operation permissions for SWR |
System-defined policy |
|
SWR ReadOnlyAccess |
Read-only permission for SWR |
System-defined policy |
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
SWR Admin |
SWR administrator permissions, including all SWR permissions. |
System-defined role |
|
Tenant Administrator |
Administrator permissions for all services except IAM, including all SWR permissions. |
System-defined role |
|
ServiceStage Developer |
ServiceStage developer permissions, including permissions such as image pull. |
System-defined role |
You can grant permissions (read, write, and manage) to different users for them to access either a specific image or images of a specific organization.
System-defined Permissions for SWR (Enterprise Edition)
SWR Enterprise Edition only supports policy-based authorization. Table 4 describes all the system-defined policies supported by SWR Enterprise Edition.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
SWR FullAccess |
Full permissions for SWR Enterprise Edition. |
System-defined policy |
|
SWR OperateAccess |
Operation permissions for SWR Enterprise Edition. Users with these permissions can query Enterprise Edition instances, perform operations on artifact repositories and organizations, create temporary credentials, and upload and download artifacts. |
System-defined policy |
|
SWR ReadOnlyAccess |
Read-only permissions for SWR Enterprise Edition. Users with these permissions can query artifact repositories and charts, create temporary credentials, and download artifacts. |
System-defined policy |
SWR FullAccess policy details
{
"Version": "1.1",
"Statement": [
{
"Action": [
"swr:*:*"
],
"Effect": "Allow"
}
]
}
SWR OperateAccess policy details
{
"Version": "1.1",
"Statement": [
{
"Action": [
"swr:repository:*",
"swr:chart:*",
"swr:instance:get*",
"swr:instance:list*",
"swr:instance:execute*",
"swr:instance:createTempCredential"
],
"Effect": "Allow"
}
]
}
SWR ReadOnlyAccess policy details
{
"Version": "1.1",
"Statement": [
{
"Action": [
"swr:*:get*",
"swr:*:list*",
"swr:*:download*",
"swr:instance:createTempCredential"
],
"Effect": "Allow"
}
]
}
System-defined Permissions in Identity Policy-based Authorization
SWR supports authorization with identity policies. Table 5 lists all the system-defined identity policies for SWR. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Identity Policy Name |
Description |
Type |
|---|---|---|
|
SWRFullAccess |
Full permissions for SWR Enterprise Edition. |
System-defined identity policy |
|
SWROperateAccess |
Operation permissions for SWR Enterprise Edition. Users with these permissions can query Enterprise Edition instances, perform operations on artifact repositories and organizations, create temporary credentials, and upload and download artifacts. |
System-defined identity policy |
|
SWRReadOnlyAccess |
Read-only permissions for SWR Enterprise Edition. Users with these permissions can query artifact repositories and charts, create temporary credentials, and download artifacts. |
System-defined identity policy |
|
SWRAdmin |
Administrator permissions for SWR. Users with these permissions can perform all operations on SWR resources. |
System-defined identity policy |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
