Authorization Policy Reference
This section describes the actions supported by policy-based authorization for CBH.
Supported Actions
CBH provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following table describes the actions supported by policies.
- Permission: A statement in a policy that allows or denies certain operations.
- APIs: REST APIs that can be called in a custom policy.
- Actions: specific operations that are allowed or denied.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM projects and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
Table 1 lists the API actions supported by CBH.
| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Grants the permission to obtain the ECS quota. | GET /v2/{project_id}/cbs/instance/ecs-quota | cbh::getEcsQuota | ecs:cloudServerFlavors:get | √ | × |
| Grants the permission to query the CBH instance quotas. | GET /v2/{project_id}/cbs/instance/quota | cbh::getQuota | - | √ | × |
| Grants the permission to query the CBH status. | GET /v2/{project_id}/cbs/instance/{server_id}/status | cbh:instance:getInstanceStatus | - | √ | × |
| Grants the permission to obtain the URLs for O&M of assets managed in CBH. | GET /v2/{project_id}/cbs/instance/get-om-url | cbh:instance:getOmUrl | - | √ | × |
| Grants the permission to obtain the authorization information of the CBH service from the tenant. | GET /v2/{project_id}/cbs/agency/authorization | cbh::getAuthorization |  | √ | × |
| Grants the permission to query tags of CBH instances. | GET /v2/{project_id}/cbs/instance/{resource_id}/tags | cbh:instance:getInstanceTags | - | √ | × |
| Grants the permission to start a CBH instance. | POST /v2/{project_id}/cbs/instance/start | cbh:instance:startInstance | - | √ | × |
| Grants the permission to disable a CBH instance. | POST /v2/{project_id}/cbs/instance/stop | cbh:instance:stopInstance | - | √ | × |
| Grants the permission to restart a CBH instance. | POST /v2/{project_id}/cbs/instance/reboot | cbh:instance:rebootInstance | - | √ | × |
| Grants the permission to upgrade a CBH instance. | POST /v2/{project_id}/cbs/instance/upgrade | cbh:instance:upgradeInstance | - | √ | × |
| Grants the permission to roll back a CBH instance. | POST /v2/{project_id}/cbs/instance/rollback | cbh:instance:rollbackInstance | - | √ | × |
| Grants the permission to log in to a CBH instance as an IAM user. | POST /v2/{project_id}/cbs/instance/login | cbh:instance:loginInstance | - | √ | × |
| Grants the permission to reset a password for logging in to a CBH. | PUT /v2/{project_id}/cbs/instance/password | cbh:instance:resetInstancePassword | - | √ | × |
| Grants the permission to switch the VPC of the bastion host instance. | PUT /v2/{project_id}/cbs/instance/vpc | cbh:instance:switchInstanceVpc | vpc:subnets:get | √ | × |
| Grants the permission to reset the CBH instance login mode. | PUT /v2/{project_id}/cbs/instance/login-method | cbh:instance:resetInstanceLoginMethod | - | √ | × |
| Grants the permission to delete a faulty CBH instance. | DELETE /v2/{project_id}/cbs/instance | cbh:instance:deleteInstance | - | √ | × |
| Grants the permission to change a CBH instance. | PUT /v2/{project_id}/cbs/instance | cbh:instance:alterInstance | - | √ | × |
| Grants the permission to create a CBH instance. | POST /v2/{project_id}/cbs/instance | cbh:instance:createInstance |  | √ | √ |
| Grants the permission to bind an EIP to a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/bind | cbh:instance:bindInstanceEip |  | √ | × |
| Grants the permission to unbind an EIP from a CBH instance. | POST /v2/{project_id}/cbs/instance/{server_id}/eip/unbind | cbh:instance:unbindInstanceEip |  | √ | × |
| Grants the permission to update the security group of a CBH instance. | PUT /v2/{project_id}/cbs/instance/{server_id}/security-groups | cbh:instance:updateInstanceSecurityGroup |  | √ | × |
| Grants the permission to create or cancel the agency authorization for the CBH service. | POST /v2/{project_id}/cbs/agency/authorization | cbh::operateAuthorization |  | √ | × |
| Grants the permission to log in to a CBH instance as user admin. | GET /v2/{project_id}/cbs/instances/{server_id}/admin-url | cbh:instance:loginInstanceAdmin | - | √ | × |
| Grants the permission to modify the type of single-node CBH instances. | PUT /v2/{project_id}/cbs/instance/type | cbh:instance:changeInstanceType |  | √ | × |
| Grants the permission to query all AZs. | GET /v2/{project_id}/cbs/available-zone | cbh::listAvailableZones | - | √ | × |
| Grants the permission to query the CBH specifications. | GET /v2/{project_id}/cbs/instance/specification | cbh::listSpecifications | - | √ | × |
| Grants the permission to list CBH instances. | GET /v2/{project_id}/cbs/instance/list | cbh:instance:listInstances | eps:enterpriseProjects:list | √ | × |
| Grants the permission to query all tags. | GET /v2/{project_id}/cbs/instance/tags | cbh::listTags | - | √ | × |
| Grants the permission to search for instances by tag. | POST /v2/{project_id}/cbs/instance/filter | cbh:instance:listInstancesByTag | - | √ | × |
| Grants the permission to count the number of instances that meet the tag conditions. | POST /v2/{project_id}/cbs/instance/count | cbh:instance:countInstancesByTag | - | √ | × |
| Grants the permission to operate the resource tags of the CBH instance. | POST /v2/{project_id}/cbs/instance/{resource_id}/tags/action | cbh:instance:operateInstanceTags | - | √ | × |
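The following added example (not part of the original CBH documentation) audits a custom policy against the Dependencies and Enterprise Project columns of Table 1, reporting allowed CBH actions whose dependencies are not granted and actions that cannot be scoped to an enterprise project. The policy document shape (`Version`, `Statement`, `Effect`, `Action`), glob-style `*` matching, and Deny overriding Allow are assumptions, as is the sample policy, which is constructed for illustration.

```python
from fnmatch import fnmatchcase

# Dependencies column of Table 1 (only the rows that list a dependency).
DEPENDENCIES = {
    "cbh::getEcsQuota": ["ecs:cloudServerFlavors:get"],
    "cbh:instance:switchInstanceVpc": ["vpc:subnets:get"],
    "cbh:instance:listInstances": ["eps:enterpriseProjects:list"],
}
# The only row of Table 1 marked √ under Enterprise Project.
ENTERPRISE_PROJECT_ACTIONS = {"cbh:instance:createInstance"}


def _patterns(policy, effect):
    """Collect the action patterns of every statement with the given effect."""
    return [a for s in policy.get("Statement", [])
            if s.get("Effect") == effect for a in s.get("Action", [])]


def audit_policy(policy):
    """Return (missing_dependencies, iam_only_actions) for a custom policy dict."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")

    def granted(action):
        # Assumption: '*' is matched glob-style and an explicit Deny wins over Allow.
        return (any(fnmatchcase(action, p) for p in allow)
                and not any(fnmatchcase(action, p) for p in deny))

    missing = {a: [d for d in deps if not granted(d)]
               for a, deps in DEPENDENCIES.items() if granted(a)}
    missing = {a: d for a, d in missing.items() if d}
    # Explicitly allowed cbh actions that Table 1 marks × for enterprise projects.
    iam_only = sorted(a for a in allow if a.startswith("cbh:")
                      and "*" not in a and a not in ENTERPRISE_PROJECT_ACTIONS)
    return missing, iam_only


# Constructed sample policy (not from the page).
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cbh:instance:listInstances", "cbh:instance:switchInstanceVpc",
                   "cbh:instance:createInstance", "vpc:subnets:get"],
    }],
}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

A non-empty first result means the policy grants an action that will fail at call time until the listed dependency is also allowed; a non-empty second result means the policy can only be applied to IAM projects.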