Updated on 2024-12-03 GMT+08:00

Managing CBH Instance Permissions and Supported Actions

This section describes fine-grained permissions management for CBH. If your account does not need individual IAM users, you can skip this section.

By default, new IAM users have no permissions. You add a user to one or more groups and attach permission policies to those groups. Users inherit the permissions of the groups they belong to and can then perform, on cloud services, only the operations those permissions allow.

Permissions are classified into roles and policies by authorization granularity:
  • Roles: a coarse-grained authorization mechanism that defines permissions related to user responsibilities.
  • Policies: a fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions.

Supported Actions

CBH provides system-defined policies that can be used directly in IAM. You can also create custom policies to supplement the system-defined ones for more fine-grained access control. A custom policy is written in terms of the actions listed in the tables below. In Table 2, the Permission Dependency column lists actions of other services (ECS, VPC, EIP, IAM, EPS) that a CBH action relies on; grant them together with the CBH action.

  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.
Table 1 Supported Actions (IAM 3.0)

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying total ECS quota | GET /v2/{project_id}/cbs/instance/ecs-quota | cbh:instance:getEcsQuota |  | × |
| Querying the AZ of a CBH instance | GET /v2/{project_id}/cbs/available-zone | cbh:instance:getAvailableZones |  | × |
| Logging in to a CBH instance | POST /v2/{project_id}/cbs/instance/login | cbh:instance:login |  | × |
| Stopping a CBH instance | POST /v2/{project_id}/cbs/instance/stop | cbh:instance:stop |  | × |
| Restarting a CBH instance | POST /v2/{project_id}/cbs/instance/reboot | cbh:instance:reboot |  | × |
| Upgrading the CBH system version | POST /v2/{project_id}/cbs/instance/upgrade | cbh:instance:upgrade |  | × |
| Changing the password of the admin user for a CBH instance | PUT /v2/{project_id}/cbs/instance/password | cbh:instance:resetPassword |  | × |
| Starting a CBH instance | POST /v2/{project_id}/cbs/instance/start | cbh:instance:start |  | × |
| Expanding a CBH instance edition | PUT /v2/{project_id}/cbs/instance | cbh:instance:alterSpec |  | × |
| Creating a CBH instance | POST /v2/{project_id}/cbs/instance | cbh:instance:create |  |  |
| Binding or unbinding an EIP | POST /v2/{project_id}/cbs/instance/{server_id}/eip/bind, POST /v2/{project_id}/cbs/instance/{server_id}/eip/unbind | cbh:instance:eipOperate |  | × |
| Creating a CBH agency | POST /v2/{project_id}/cbs/agency/authorization | cbh:agency:authorize |  | × |
| Querying the CBH instance list | GET /v2/{project_id}/cbs/instance/list | cbh:instance:list |  | × |
| Changing the VPC a bastion host instance belongs to | PUT /v2/{project_id}/cbs/instance/vpc | cbh:instance:switchInstanceVpc |  | × |
| Logging in to a bastion host instance as user admin | GET /v2/{project_id}/cbs/instances/{server_id}/admin-url | cbh:instance:loginInstanceAdmin |  | × |
| Changing the type of a single-node CBH instance | PUT /v2/{project_id}/cbs/instance/type | cbh:instance:changeInstanceType |  | × |
| Obtaining the operation link for an asset managed by the bastion host | GET /v2/{project_id}/cbs/instance/get-om-url | cbh:instance:getOmUrl |  | × |

Table 2 Supported Actions (IAM 5.0)

| Permission | API | Action | Permission Dependency | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Grants the permission to obtain the ECS quota. | GET /v2/{project_id}/cbs/instance/ecs-quota | cbh::getEcsQuota | ecs:cloudServerFlavors:get |  | × |
| Grants the permission to query the CBH instance quotas. | GET /v2/{project_id}/cbs/instance/quota | cbh::getQuota | - |  | × |
| Grants the permission to query the CBH status. | GET /v2/{project_id}/cbs/instance/{server_id}/status | cbh:instance:getInstanceStatus | - |  | × |
| Grants the permission to obtain the URLs for O&M of assets managed in CBH. | GET /v2/{project_id}/cbs/instance/get-om-url | cbh:instance:getOmUrl | - |  | × |
| Grants the permission to obtain the authorization information of the CBH service from the tenant. | GET /v2/{project_id}/cbs/agency/authorization | cbh::getAuthorization | iam:agencies:listAgencies, iam:permissions:listRolesForAgencyOnProject |  | × |
| Grants the permission to query tags of CBH instances. | GET /v2/{project_id}/cbs/instance/{resource_id}/tags | cbh:instance:getInstanceTags | - |  | × |
| Grants the permission to start a CBH instance. | POST /v2/{project_id}/cbs/instance/start | cbh:instance:startInstance | - |  | × |
| Grants the permission to stop a CBH instance. | POST /v2/{project_id}/cbs/instance/stop | cbh:instance:stopInstance | - |  | × |
| Grants the permission to restart a CBH instance. | POST /v2/{project_id}/cbs/instance/reboot | cbh:instance:rebootInstance | - |  | × |
| Grants the permission to upgrade a CBH instance. | POST /v2/{project_id}/cbs/instance/upgrade | cbh:instance:upgradeInstance | - |  | × |
| Grants the permission to roll back a CBH instance. | POST /v2/{project_id}/cbs/instance/rollback | cbh:instance:rollbackInstance | - |  | × |
| Grants the permission to log in to a CBH instance as an IAM user. | POST /v2/{project_id}/cbs/instance/login | cbh:instance:loginInstance | - |  | × |
| Grants the permission to reset a password for logging in to a CBH instance. | PUT /v2/{project_id}/cbs/instance/password | cbh:instance:resetInstancePassword | - |  | × |
| Grants the permission to switch the VPC of a bastion host instance. | PUT /v2/{project_id}/cbs/instance/vpc | cbh:instance:switchInstanceVpc | vpc:subnets:get |  | × |
| Grants the permission to reset the CBH instance login mode. | PUT /v2/{project_id}/cbs/instance/login-method | cbh:instance:resetInstanceLoginMethod | - |  | × |
| Grants the permission to delete a faulty CBH instance. | DELETE /v2/{project_id}/cbs/instance | cbh:instance:deleteInstance | - |  | × |
| Grants the permission to change a CBH instance. | PUT /v2/{project_id}/cbs/instance | cbh:instance:alterInstance | - |  | × |
| Grants the permission to create a CBH instance. | POST /v2/{project_id}/cbs/instance | cbh:instance:createInstance | vpc:quotas:list, vpc:subnets:list, vpc:subnets:get, vpc:securityGroups:get, ecs:cloudServerFlavors:get |  |  |
| Grants the permission to bind an EIP to a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/bind | cbh:instance:bindInstanceEip | eip:publicIps:list, eip:publicIps:update, eip:publicIps:get, eip:publicIps:associateInstance |  | × |
| Grants the permission to unbind an EIP from a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/unbind | cbh:instance:unbindInstanceEip | eip:publicIps:list, eip:publicIps:update, eip:publicIps:disassociateInstance |  | × |
| Grants the permission to update the security group of a CBH instance. | PUT /v2/{project_id}/cbs/instance/{server_id}/security-groups | cbh:instance:updateInstanceSecurityGroup | vpc:ports:update, vpc:securityGroups:list |  | × |
| Grants the permission to create or cancel the agency authorization for the CBH service. | POST /v2/{project_id}/cbs/agency/authorization | cbh::operateAuthorization | iam:agencies:listAgencies, iam:permissions:listRolesForAgencyOnProject, iam:agencies:createAgency, iam:agencies:deleteAgency, iam:permissions:grantRoleToAgencyOnProject, iam:permissions:revokeRoleFromAgencyOnProject |  | × |
| Grants the permission to log in to a CBH instance as user admin. | GET /v2/{project_id}/cbs/instances/{server_id}/admin-url | cbh:instance:loginInstanceAdmin | - |  | × |
| Grants the permission to modify the type of single-node CBH instances. | PUT /v2/{project_id}/cbs/instance/type | cbh:instance:changeInstanceType | vpc:quotas:list, vpc:subnets:list, vpc:subnets:get, vpc:securityGroups:get, ecs:cloudServerFlavors:get |  | × |
| Grants the permission to query all AZs. | GET /v2/{project_id}/cbs/available-zone | cbh::listAvailableZones | - |  | × |
| Grants the permission to query the CBH specifications. | GET /v2/{project_id}/cbs/instance/specification | cbh::listSpecifications | - |  | × |
| Grants the permission to list CBH instances. | GET /v2/{project_id}/cbs/instance/list | cbh:instance:listInstances | eps:enterpriseProjects:list |  | × |
| Grants the permission to query all tags. | GET /v2/{project_id}/cbs/instance/tags | cbh::listTags | - |  | × |
| Grants the permission to search for instances by tag. | POST /v2/{project_id}/cbs/instance/filter | cbh:instance:listInstancesByTag | - |  | × |
| Grants the permission to count the number of instances that meet the tag conditions. | POST /v2/{project_id}/cbs/instance/count | cbh:instance:countInstancesByTag | - |  | × |
| Grants the permission to operate the resource tags of the CBH instance. | POST /v2/{project_id}/cbs/instance/{resource_id}/tags/action | cbh:instance:operateInstanceTags | - |  | × |
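As an added example that is not part of the CBH documentation or of the IAM service: a small Python checker that takes an IAM 5.0 identity policy and reports, for every CBH action the policy allows, which of the dependency actions from Table 2 the same policy does not grant. This is the check to run on a custom policy before attaching it to a group, since a CBH action that is allowed while its dependencies are not is exactly the gap the Permission Dependency column warns about. The policy document (a constructed operator policy with a wildcard Allow and an explicit Deny for the admin-login, password-reset, delete and agency actions) and the evaluation rules (an explicit Deny overrides Allow, `*` matches any run of characters in an action name) are assumptions made for this example and are not the IAM service's authoritative evaluator; the dependency table is copied from Table 2.

```python
"""Added example: check an IAM 5.0 identity policy against the CBH action
dependencies listed in Table 2. Not part of the CBH documentation or the
IAM service; the evaluation below is a deliberately simple model (explicit
Deny overrides Allow, '*' wildcards in action names), not the service's
authoritative evaluator."""
import fnmatch
import json

# Dependency actions copied from the Permission Dependency column of Table 2
# (IAM 5.0). Actions whose dependency is "-" are omitted.
CBH_DEPENDENCIES = {
    "cbh::getEcsQuota": ["ecs:cloudServerFlavors:get"],
    "cbh::getAuthorization": [
        "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgencyOnProject"],
    "cbh:instance:switchInstanceVpc": ["vpc:subnets:get"],
    "cbh:instance:createInstance": [
        "vpc:quotas:list", "vpc:subnets:list", "vpc:subnets:get",
        "vpc:securityGroups:get", "ecs:cloudServerFlavors:get"],
    "cbh:instance:bindInstanceEip": [
        "eip:publicIps:list", "eip:publicIps:update", "eip:publicIps:get",
        "eip:publicIps:associateInstance"],
    "cbh:instance:unbindInstanceEip": [
        "eip:publicIps:list", "eip:publicIps:update",
        "eip:publicIps:disassociateInstance"],
    "cbh:instance:updateInstanceSecurityGroup": [
        "vpc:ports:update", "vpc:securityGroups:list"],
    "cbh::operateAuthorization": [
        "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:agencies:createAgency", "iam:agencies:deleteAgency",
        "iam:permissions:grantRoleToAgencyOnProject",
        "iam:permissions:revokeRoleFromAgencyOnProject"],
    "cbh:instance:changeInstanceType": [
        "vpc:quotas:list", "vpc:subnets:list", "vpc:subnets:get",
        "vpc:securityGroups:get", "ecs:cloudServerFlavors:get"],
    "cbh:instance:listInstances": ["eps:enterpriseProjects:list"],
}

# Constructed sample policy for a day-to-day CBH operator (an assumption for
# this example). It allows the instance lifecycle actions with a wildcard but
# explicitly denies the actions that hand over the admin account, destroy the
# instance or touch the service agency. Only one dependency action
# (vpc:subnets:get) is granted, so the EIP, creation and type-change actions
# are expected to be flagged.
OPERATOR_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cbh:instance:*",
        "cbh::listAvailableZones",
        "cbh::listSpecifications",
        "vpc:subnets:get",
        "eps:enterpriseProjects:list"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "cbh:instance:loginInstanceAdmin",
        "cbh:instance:resetInstancePassword",
        "cbh:instance:resetInstanceLoginMethod",
        "cbh:instance:deleteInstance",
        "cbh::operateAuthorization"
      ]
    }
  ]
}
""")


def is_allowed(policy, action):
    """True if an Allow statement matches the action and no Deny statement
    does. 'Action' may be a string or a list; '*' matches any characters."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_dependencies(policy, table=CBH_DEPENDENCIES):
    """For each CBH action the policy allows, return the dependency actions
    from the table that the same policy does not allow. An empty result means
    every allowed CBH action has all of its listed dependencies granted."""
    report = {}
    for cbh_action, deps in table.items():
        if not is_allowed(policy, cbh_action):
            continue
        missing = [dep for dep in deps if not is_allowed(policy, dep)]
        if missing:
            report[cbh_action] = missing
    return report


if __name__ == "__main__":
    print(json.dumps(missing_dependencies(OPERATOR_POLICY), indent=2))
```

Every action in the report is one the policy grants to the user while at least one of the actions Table 2 lists as its dependency is not granted; either add the dependency actions to the Allow statement or, if the operator should not have that capability at all, move the CBH action into the Deny statement so the policy states the intent explicitly.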