Permissions and Supported Actions
You can use Identity and Access Management (IAM) for fine-grained permissions management of your CCE clusters. If your account does not need individual IAM users, you can skip this section.
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specific operations on cloud services based on the assigned permissions.
You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions that match users' job responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.
If you want to allow or deny the access to an API, fine-grained authorization is a good choice.
If you use IAM users in your account to call an API, the IAM users must be granted the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions can call the API successfully. For example, if an IAM user wants to query ECSs using an API, the user must have been granted permissions that allow the ecs:servers:list action.
Supported Actions
CCE provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied in a custom policy.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow existing action dependencies for that user.
- IAM projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects.
The check mark (√) and cross symbol (x) respectively indicate that an action takes effect or does not take effect for the corresponding type of projects.
CCE supports the following actions in custom policies.
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Obtaining clusters in a project |
GET /api/v3/projects/{project_id}/clusters |
cce:cluster:list |
√ |
|
Obtaining a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:get |
√ |
|
Creating a cluster |
POST /api/v3/projects/{project_id}/clusters |
cce:cluster:create |
√ |
|
Updating a cluster |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:update |
√ |
|
Deleting a cluster |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:delete |
√ |
|
Upgrading a cluster |
POST /api/v2/projects/:projectid/clusters/:clusterid/upgrade |
cce:cluster:upgrade |
√ |
|
Waking up a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake |
cce:cluster:start |
√ |
|
Hibernating a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate |
cce:cluster:stop |
√ |
|
Changing the specifications of a cluster |
POST /api/v2/projects/{project_id}/clusters/:clusterid/resize |
cce:cluster:resize |
√ |
|
Obtaining the certificate of a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert |
cce:cluster:get |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Obtaining all nodes in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:list |
√ |
|
Obtaining a node |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:get |
√ |
|
Creating a node |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:create |
√ |
|
Updating a node |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:update |
√ |
|
Deleting a node |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:delete |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Obtaining information about a job |
GET /api/v3/projects/{project_id}/jobs/{job_id} |
cce:job:get |
√ |
|
Listing all jobs |
GET /api/v2/projects/{project_id}/jobs |
cce:job:list |
√ |
|
Deleting one or all jobs |
DELETE /api/v2/projects/{project_id}/jobs DELETE /api/v2/projects/{project_id}/jobs/{job_id} |
cce:job:delete |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Obtaining all node pools in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:list |
√ |
|
Obtaining a node pool |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:get |
√ |
|
Creating a node pool |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:create |
√ |
|
Updating a node pool |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:update |
√ |
|
Deleting a node pool |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:delete |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Updating a chart |
PUT /v2/charts/{id} |
cce:chart:update |
√ |
|
Uploading a chart |
POST /v2/charts |
cce:chart:upload |
√ |
|
Listing all charts |
GET /v2/charts |
cce:chart:list |
√ |
|
Obtaining information about a chart |
GET /v2/charts/{id} |
cce:chart:get |
√ |
|
Deleting a chart |
DELETE /v2/charts/{id} |
cce:chart:delete |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Updating a release |
PUT /v2/releases/{name} |
cce:release:update |
√ |
|
Listing all releases |
GET /v2/releases |
cce:release:list |
√ |
|
Creating a release |
POST /v2/releases |
cce:release:create |
√ |
|
Obtaining information about a release |
GET /v2/releases/{name} |
cce:release:get |
√ |
|
Deleting a release |
DELETE /v2/releases/{name} |
cce:release:delete |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Creating a PersistentVolumeClaim |
POST /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims |
cce:storage:create |
√ |
|
Deleting a PersistentVolumeClaim |
DELETE /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims/{name} |
cce:storage:delete |
√ |
|
Listing all volumes |
GET /storage/api/v1/namespaces/{namespace}/listvolumes |
cce:storage:list |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Creating an add-on instance |
POST /api/v3/addons |
cce:addonInstance:create |
√ |
|
Obtaining an add-on instance |
GET /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:get |
√ |
|
Listing all add-on instances |
GET /api/v3/addons?cluster_id={cluster_id} |
cce:addonInstance:list |
√ |
|
Deleting an add-on instance |
DELETE /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:delete |
√ |
|
Updating an add-on instance |
PUT /api/v3/addons/{id} |
cce:addonInstance:update |
√ |
|
Permission |
API |
Action |
IAM Project |
|---|---|---|---|
|
Obtaining quota details |
GET /api/v3/projects/{project_id}/quotas |
cce:quota:get |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
