Actions Supported by Role/Policy-based Authorization
This section describes the actions supported by DNS in role/policy-based authorization.
Supported Actions
DNS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations
- APIs: REST APIs that can be called by a user who has been granted specific permissions
- Actions: specific operations that are allowed or denied in a custom policy
- Dependent actions: actions which a specific action depends on. When allowing an action for a user, you also need to allow its dependent actions for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?
DNS supports the following actions in custom policies:
- Zone Management: includes all the actions supported by zone management APIs, such as the API for creating a zone.
- Record Set Management: includes all the actions supported by record set management APIs, such as the API for creating a record set.
- PTR Record Management: includes all the actions supported by PTR record management APIs, such as the API for creating a PTR record.
- Tag Management: includes all the actions supported by tag management APIs, such as the API for adding a resource tag.
- Record Set Importing: includes all the actions supported by record set importing management APIs, such as the API for creating a task for importing public zone record sets.
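The dependent-action rule described above can be checked mechanically before a custom policy is attached. The following Python check is an added example, not part of the DNS documentation or its tooling. It uses the dependent actions listed in the tables on this page. The policy layout (Version, Statement, Effect, Action), the helper names and the sample policy are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Dependent actions copied from the tables on this page.
VPC_READ = ["vpc:*:get*", "vpc:*:list*"]
CES_HEALTH = [
    "ces:remoteChecks:list", "ces:siteMonitorHealthCheck:get",
    "ces:siteMonitorHealthCheck:create", "ces:siteMonitorRule:delete",
    "ces:siteMonitorRule:put",
]
DEPENDENT_ACTIONS = {
    "dns:zone:create": VPC_READ,
    "dns:zone:associaterouter": VPC_READ,
    "dns:zone:disassociaterouter": VPC_READ,
    "dns:ptr:set": VPC_READ,
    "dns:zone:delete": CES_HEALTH,
    "dns:recordset:delete": CES_HEALTH,
}

# Constructed sample policy (assumed layout): zone create/delete plus VPC reads, no CES actions.
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dns:zone:create", "dns:zone:delete", "vpc:*:get*", "vpc:*:list*"],
    }],
}


def covers(grant, required):
    """True if a granted pattern covers a required action entry.
    '*' in the grant is a wildcard; '*' in the required entry is compared
    literally, so 'vpc:*:*' covers 'vpc:*:get*' but 'vpc:vpcs:get' does not."""
    return fnmatchcase(required, grant)


def missing_dependencies(policy):
    """Map each granted DNS action to the dependent actions the policy lacks.
    Only Allow statements are inspected; Deny statements are not evaluated."""
    granted = [a for s in policy.get("Statement", [])
               if s.get("Effect") == "Allow" for a in s.get("Action", [])]
    report = {}
    for action, deps in DEPENDENT_ACTIONS.items():
        if not any(covers(g, action) for g in granted):
            continue  # the DNS action itself is not granted
        lacking = [d for d in deps if not any(covers(g, d) for g in granted)]
        if lacking:
            report[action] = lacking
    return report


if __name__ == "__main__":
    print(missing_dependencies(SAMPLE_POLICY))
```

A non-empty result names the granted DNS actions whose dependent actions are not allowed in the same policy.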
Zone Management
| Permission | API | Action | Dependent Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a zone | POST /v2/zones | dns:zone:create | vpc:*:get* vpc:*:list* | Supported | √ |
| Querying a zone | GET /v2/zones/{zone_id} | dns:zone:get | - | Supported | √ |
| Querying zones | GET /v2/zones | dns:zone:list | - | Supported | The following filter criteria are supported: |
| Modifying a zone | PATCH /v2/zones/{zone_id} | dns:zone:update | - | Supported | √ |
| Setting the zone status | PUT /v2/zones/{zone_id}/statuses | dns:zone:setStatus | - | Supported | √ |
| Deleting a zone | DELETE /v2/zones/{zone_id} | dns:zone:delete | ces:remoteChecks:list ces:siteMonitorHealthCheck:get ces:siteMonitorHealthCheck:create ces:siteMonitorRule:delete ces:siteMonitorRule:put | Supported | √ |
| Deleting zones | DELETE /v2.1/zones | dns:zone:delete | ces:remoteChecks:list ces:siteMonitorHealthCheck:get ces:siteMonitorHealthCheck:create ces:siteMonitorRule:delete ces:siteMonitorRule:put | Supported | √ |
| Associating a private zone with a VPC | POST /v2/zones/{zone_id}/associaterouter | dns:zone:associaterouter | vpc:*:get* vpc:*:list* | Supported | √ NOTE: Shared private zones are not included. |
| Disassociating a VPC from a private zone | POST /v2/zones/{zone_id}/disassociaterouter | dns:zone:disassociaterouter | vpc:*:get* vpc:*:list* | Supported | √ NOTE: Shared private zones are not included. |
| Retrieving a public zone | POST /v2/retrieval | dns:zone:createRetrieval | - | Supported | Not supported |
| Requesting immediate verification of public zone retrieval | POST /v2/retrieval/verification/{id} | | | | |
| Querying the public zone retrieval request | GET /v2/retrieval | dns:zone:getRetrieval | - | Supported | Not supported |
| Querying the retrieval result of a public zone | GET /v2/retrieval/verification/{id} | | | | |
| Exporting zones | GET /v2/zones/{zone_id}/export | dns:zone:getExport | - | Supported | √ |
Record Set Management
| Permission | API | Action | Dependent Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a record set | POST /v2/zones/{zone_id}/recordsets | dns:recordset:create | - | Supported | √ |
| Creating a record set | POST /v2.1/zones/{zone_id}/recordsets | dns:recordset:create | - | Supported | √ |
| Querying a record set | GET /v2/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:get | - | Supported | √ |
| Querying a record set | GET /v2.1/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:get | - | Supported | √ |
| Querying record sets | GET /v2/zones/{zone_id}/recordsets | dns:recordset:list | - | Supported | This API is used to list record sets. The zone ID can be used as a filter criterion. |
| | GET /v2/recordsets | | | | |
| Querying record sets | GET /v2.1/zones/{zone_id}/recordsets | dns:recordset:list | - | Supported | This API is used to list record sets. The zone ID can be used as a filter criterion. |
| | GET /v2.1/recordsets | | | | |
| Modifying a record set | PUT /v2/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:update | - | Supported | √ |
| Modifying a record set | PUT /v2.1/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:update | - | Supported | √ |
| Deleting a record set | DELETE /v2/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:delete | ces:remoteChecks:list ces:siteMonitorHealthCheck:get ces:siteMonitorHealthCheck:create ces:siteMonitorRule:delete ces:siteMonitorRule:put | Supported | √ |
| Deleting a record set | DELETE /v2.1/zones/{zone_id}/recordsets/{recordset_id} | dns:recordset:delete | ces:remoteChecks:list ces:siteMonitorHealthCheck:get ces:siteMonitorHealthCheck:create ces:siteMonitorRule:delete ces:siteMonitorRule:put | Supported | √ |
| Deleting record sets | DELETE /v2.1/zones/{zone_id}/recordsets | dns:recordset:delete | ces:remoteChecks:list ces:siteMonitorHealthCheck:get ces:siteMonitorHealthCheck:create ces:siteMonitorRule:delete ces:siteMonitorRule:put | Supported | √ |
| Setting record set status | PUT /v2.1/recordsets/{recordset_id}/statuses/set | dns:recordset:setStatus | - | Supported | √ |
PTR Record Management
| Permission | API | Action | Dependent Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a PTR record | PATCH /v2/reverse/floatingips/{region}:{floatingip_id} | dns:ptr:set | vpc:*:get* vpc:*:list* | Supported | √ |
| Modifying a PTR record | PATCH /v2/reverse/floatingips/{region}:{floatingip_id} | | | | |
| Restoring a PTR record | PATCH /v2/reverse/floatingips/{region}:{floatingip_id} | | | | |
| Restoring PTR records | DELETE /v2.1/reverse/floatingips | | | | |
| Querying a PTR record | GET /v2/reverse/floatingips/{region}:{floatingip_id} | dns:ptr:get | - | Supported | √ |
| Querying PTR records | GET /v2/reverse/floatingips | dns:ptr:list | - | Supported | × This API is used to list PTR records. |
Tag Management
| Permission | API | Action | Dependent Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Adding a resource tag | POST /v2/{project_id}/{resource_type}/{resource_id}/tags | dns:tag:set | - | Supported | √ |
| Adding or deleting resource tags | POST /v2/{project_id}/{resource_type}/{resource_id}/tags/action | | | | |
| Deleting a resource tag | DELETE /v2/{project_id}/{resource_type}/{resource_id}/tags/{key} | dns:tag:get | | | |
| Querying tags of a resource | GET /v2/{project_id}/{resource_type}/{resource_id}/tags | dns:tag:get | - | Supported | √ |
| Querying project tags | GET /v2/{project_id}/{resource_type}/tags | dns:tag:get | - | Supported | × |
| Querying resources by tag | POST /v2/{project_id}/{resource_type}/resource_instances/action | dns:tag:get | - | Supported | × |
Record Set Importing
| Permission | API | Action | Dependent Action | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a task to import public zone record sets | POST /v2/zones/{zone_id}/import/recordsets | dns:publicRecordset:createImport | - | Supported | √ |
| Querying a task for importing public zone record sets | GET /v2/zones/{zone_id}/import/recordsets | dns:publicRecordset:getImport | - | Supported | √ |
| Deleting a task for importing public zone record sets | DELETE /v2/zones/{zone_id}/import/tasks/{task_id} | dns:publicRecordset:deleteImport | - | Supported | √ |
| Creating a task to import private zone record sets | POST /v2/zones/{zone_id}/import/private/recordsets | dns:privateRecordset:createImport | - | Supported | √ |
| Querying a task for importing private zone record sets | GET /v2/zones/{zone_id}/import/private/recordsets | dns:privateRecordset:getImport | - | Supported | √ |
| Deleting a task for importing private zone record sets | DELETE /v2/zones/{zone_id}/import/private/tasks/{task_id} | dns:privateRecordset:deleteImport | - | Supported | √ |