Updated on 2022-11-07 GMT+08:00

How Do I Configure the Access Permission for Each Function of the UCS Console?

Background

IAM controls the permissions to use UCS console functions. You need to add cloud service permission policies to user groups on IAM. When an unauthorized user attempts to use the UCS console, an error message is displayed, indicating that the user does not have the access permission or permission authentication fails.

Huawei Cloud services often interact with each other for your applications to run. Some UCS functions are dependent on other services. By default, newly created IAM users do not have any permissions and cannot use any cloud service or function. Therefore, before they start using UCS, you need to grant them the required permissions listed in Table 1.

The following describes how to configure permissions for UCS console functions (such as CCE clusters, image repositories, and traffic distribution) for IAM users.

Table 1 Permissions on which the UCS function depends

| Function | Permission | Dependent Permission | Description | Type |
|---|---|---|---|---|
| Connecting a cluster | - | Available only to users in the IAM admin user group. | CCE clusters or other Kubernetes clusters can be connected on the UCS console for unified management. | - |
| Permission policies | Administrator permissions | Available only to users in the IAM admin user group. | You can create permission policies and templates. | - |
| Cluster groups | Administrator permissions | Available only to users in the IAM admin user group. | Cluster groups can be created and deleted, and permission policies can be associated with cluster groups. | - |
| Cluster groups | Operation permissions | Members of the IAM admin user group need to associate permission policies with the cluster group. | The permission policy contains the resource permissions of container clusters. After a user group is associated with a permission policy, users in the user group can read clusters in the cluster group and add or remove clusters. NOTE: The private network access of the cluster depends on VPC Endpoint. Therefore, the IAM user group must have the VPC Endpoint Administrator permission. | UCS permission policy |
| Container cluster - CCE cluster | Administrator permissions | CCE Administrator | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. | IAM system roles |
| Container cluster - CCE cluster | Operation permissions | CCE FullAccess | Common operation permissions on CCE cluster resources, excluding the namespace-level permissions for the clusters (with Kubernetes RBAC enabled) and the privileged administrator operations, such as agency configuration and cluster certificate generation. For common operation permissions, you also need to configure cluster RBAC authorization. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM |
| Container cluster - CCE cluster | Read-only permission | CCE ReadOnlyAccess | Permissions to view CCE cluster resources, excluding the namespace-level permissions of the clusters (with Kubernetes RBAC enabled). For the read-only permission, you also need to configure RBAC authorization for the cluster. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM |
| Container cluster - non-CCE cluster (For details about how to configure resource permissions, see Cluster Operation Permissions.) | Administrator permissions | Admin Permission Template | You need to grant permissions to the user group in the UCS policy center, and the user group must have any IAM permissions. Has the read and write permissions on all resources, including cluster permission management. | UCS permission policy |
| Container cluster - non-CCE cluster | Operation permissions | Developer Permission Template | You need to grant permissions to the user group in the UCS policy center, and the user group must have any IAM permissions. Has the read and write permissions on resources except cluster permission management. | UCS permission policy |
| Container cluster - non-CCE cluster | Read-only permission | ReadOnly Permission Template | You need to grant permissions to the user group in the UCS policy center, and the user group must have any IAM permissions. Has the read-only permission on all resources. | UCS permission policy |
| Image Repository | Administrator permissions | SWR Admin | SWR administrator permissions, including all SWR permissions. | IAM system roles |
| Image Repository | Administrator permissions | SWR FullAccess | Full permissions for SWR. | System-defined policies of IAM |
| Image Repository | Operation permissions | SWR OperateAccess | Common operation permissions for SWR. | System-defined policies of IAM |
| Image Repository | Read-only permission | SWR ReadOnlyAccess | Read-only permissions for SWR. | System-defined policies of IAM |
| Traffic Distribution | Administrator permissions | DNS Administrator | Has all permissions except those for the DNS service. | IAM system roles |
| Traffic Distribution | Read-only permission | Tenant Guest | Has read-only permissions on all services except IAM. | IAM system roles |

Prerequisites

The IAM user has been added to a user group, and the user group has been associated with permission policies. For details, see Permissions Policies.

Procedure

  1. Log in to the IAM console as an administrator or a user in the admin user group.
  2. In the navigation pane, choose User Groups. In the user group list, click Authorize on the right of the target user group.
  3. Search for and select the permissions to be added, for example, CCE Administrator. Other permission policies on which the role depends are automatically selected. You can click View Selected or expand the policy details to learn about the dependencies. You can also scope the permissions an IAM user needs to the minimum for each function. For details, see Table 1.

    Figure 1 Selecting policies

  4. Click Next and select a scope.

    The default option All resources is selected, indicating that the IAM user will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.

  5. Click OK to complete the authorization. The authorization may take effect 15 to 30 minutes later.
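Step 3 above asks you to scope each user group to the minimum permission listed in Table 1. The following script is an added example (not Huawei Cloud code and not part of this page): it audits a local export of group-to-policy assignments against Table 1, reporting policies that are missing for a function, policies that grant a higher level than the group needs, the VPC Endpoint Administrator dependency for cluster-group operations, and a reminder that CCE FullAccess and CCE ReadOnlyAccess still need Kubernetes RBAC in the cluster. The group names, their assigned policies and their required functions are constructed sample data; `audit_group`, `audit_all` and `Finding` are names chosen here, not an IAM API.

```python
"""Least-privilege audit of IAM user-group policies against Table 1 of the UCS FAQ.

Added example, not Huawei Cloud code. Input is a local mapping you would fill from
the IAM console or an IAM export; the sample below is constructed for illustration.
"""
from dataclasses import dataclass

# Access levels ordered from least to most privileged.
LEVELS = ("readonly", "operate", "admin")

# IAM policies that satisfy each (function, level) in Table 1. Where the table lists
# two administrator policies for SWR, either one satisfies the requirement.
# "Cluster groups"/"operate" is granted by a UCS permission policy in the UCS policy
# center, but Table 1 notes the IAM group must also hold VPC Endpoint Administrator.
CATALOG = {
    "CCE cluster": {
        "admin": ["CCE Administrator"],
        "operate": ["CCE FullAccess"],
        "readonly": ["CCE ReadOnlyAccess"],
    },
    "Image Repository": {
        "admin": ["SWR Admin", "SWR FullAccess"],
        "operate": ["SWR OperateAccess"],
        "readonly": ["SWR ReadOnlyAccess"],
    },
    "Traffic Distribution": {
        "admin": ["DNS Administrator"],
        "readonly": ["Tenant Guest"],
    },
    "Cluster groups": {
        "operate": ["VPC Endpoint Administrator"],
    },
}

# Policies whose effect is incomplete until namespace RBAC is configured in the cluster.
NEEDS_CLUSTER_RBAC = {"CCE FullAccess", "CCE ReadOnlyAccess"}


@dataclass
class Finding:
    group: str
    severity: str  # "missing", "excess" or "reminder"
    message: str


def audit_group(group, assigned, needs):
    """Compare one group's IAM policies with the functions it is meant to use.

    assigned: iterable of IAM policy names attached to the group.
    needs: dict mapping a Table 1 function to the level the group requires.
    Returns a list of Finding objects (empty when the group is exactly right).
    """
    assigned = set(assigned)
    findings = []
    for function, level in needs.items():
        options = CATALOG[function]
        if level not in options:
            raise ValueError(f"{function} has no '{level}' level in Table 1")
        # Missing: none of the policies that grant the required level is present.
        if not assigned & set(options[level]):
            findings.append(Finding(group, "missing",
                f"{function}: needs one of {options[level]} for {level} access"))
        # Excess: a policy for the same function at a higher level than required.
        for other_level, policies in options.items():
            if LEVELS.index(other_level) > LEVELS.index(level):
                for policy in sorted(assigned & set(policies)):
                    findings.append(Finding(group, "excess",
                        f"{function}: {policy} grants {other_level} but only {level} is required"))
    # Reminder: IAM alone is not enough for these; cluster RBAC must also be bound.
    for policy in sorted(assigned & NEEDS_CLUSTER_RBAC):
        findings.append(Finding(group, "reminder",
            f"{policy} also requires Kubernetes RBAC namespace authorization in the cluster"))
    return findings


def audit_all(assignments, needs_by_group):
    """Run audit_group over every group; returns {group: [Finding, ...]}."""
    return {g: audit_group(g, assignments.get(g, ()), needs_by_group[g])
            for g in needs_by_group}


# Constructed sample data (hypothetical groups, not from any real account).
SAMPLE_ASSIGNMENTS = {
    "ucs-readers": {"CCE Administrator", "SWR ReadOnlyAccess"},
    "ucs-operators": {"CCE FullAccess", "SWR OperateAccess"},
    "dns-admins": {"DNS Administrator"},
}
SAMPLE_NEEDS = {
    "ucs-readers": {"CCE cluster": "readonly", "Image Repository": "readonly"},
    "ucs-operators": {"CCE cluster": "operate", "Image Repository": "operate",
                      "Cluster groups": "operate"},
    "dns-admins": {"Traffic Distribution": "admin"},
}

if __name__ == "__main__":
    for group, findings in audit_all(SAMPLE_ASSIGNMENTS, SAMPLE_NEEDS).items():
        print(group, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

In the sample, ucs-readers is flagged both for lacking CCE ReadOnlyAccess and for holding CCE Administrator, which is the over-privileged shape the procedure above warns against; ucs-operators is missing the VPC Endpoint Administrator dependency and gets the RBAC reminder for CCE FullAccess. Non-CCE cluster templates are associated in the UCS policy center rather than IAM, so they are deliberately outside this IAM-side check.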
