Updated: 2022-02-21 GMT+08:00

Example Description

Example 1

{
    "Version": "2016-09-07", 
    "Id": "__default_policy_ID", 
    "Statement": [
        {
            "Sid": "__user_pub_0", 
            "Effect": "Allow", 
            "Principal": {
                "CSP": [
                    "urn:csp:iam::123456789:root",
                    "urn:csp:iam::987654321:root"
                ]
            }, 
            "Action": [
                "SMN:Publish", 
                "SMN:QueryTopicDetail"
            ], 
            "Resource": "urn:smn:region:cffe4fc4c9a54219b60dbaf7b586e132:Mytopic",
            "Condition": {
                "DateLessThan":{
                     "csp:CurrentTime":"2017-11-07T15:35:00Z"
                }
            }
        }
    ]
}

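Code description:

The ID of this access policy is "__default_policy_ID", and it contains one Statement. The Statement, whose ID is "__user_pub_0", authorizes the users whose account IDs are "123456789" and "987654321" to publish messages to, and query the topic details of, the topic whose TopicUrn is "urn:smn:region:cffe4fc4c9a54219b60dbaf7b586e132:Mytopic". The access policy is valid until "2017-11-07T15:35:00Z".

Example 2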

{
    "Version": "2016-09-07", 
    "Id": "__default_policy_ID", 
    "Statement": [
        {
            "Sid": "__user_pub_0", 
            "Effect": "Allow", 
            "Principal": {
                "CSP": [
                    "urn:csp:iam::123456789:root",
                    "urn:csp:iam::987654321:root"
                ]
            }, 
            "Action": [
                "SMN:Subscribe" 
            ], 
            "Resource": "urn:smn:region:6558ed0a1485466897e962f38fdfdb88:helloworld",
            "Condition": {
                "DateLessThan":{
                     "csp:CurrentTime":"2017-11-07T15:35:00Z"
                },
                "StringLike": {
                     "smn:Endpoint":["*@gmail.com","*@hotmail.com"]
                }
            }
        }
    ]
}

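Code description:

The ID of this access policy is "__default_policy_ID", and it contains one Statement. The Statement, whose ID is "__user_pub_0", authorizes the users whose account IDs are "123456789" and "987654321" to subscribe to the topic whose TopicUrn is "urn:smn:region:6558ed0a1485466897e962f38fdfdb88:helloworld", but only Gmail or Hotmail mailboxes may be subscribed, and the access policy is valid until "2017-11-07T15:35:00Z".

Example 3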

{
    "Version": "2016-09-07", 
    "Id": "__default_policy_ID", 
    "Statement": [
        {
            "Sid": "__user_pub_0", 
            "Effect": "Allow", 
            "Principal": {
                "CSP": [
                    "urn:csp:iam::123456789:root",
                    "urn:csp:iam::987654321:root"
                ]
            }, 
            "Action": [
                "SMN:Publish", 
                "SMN:QueryTopicDetail"
            ], 
            "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
        }, 
        {
            "Sid": "__user_pub_1", 
            "Effect": "Deny", 
            "Principal": {
                "CSP": [
                    "urn:csp:iam::987654321:root"
                ]
            }, 
            "Action": [
                "SMN:Publish", 
                "SMN:QueryTopicDetail"
            ], 
            "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
        }, 
        {
            "Sid": "__service_pub_0", 
            "Effect": "Allow", 
            "Principal": {
                "Service": [
                    "obs"
                ]
            }, 
            "Action": [
                "SMN:Publish", 
                "SMN:QueryTopicDetail"
            ], 
            "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
        }
    ]
}

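Code description:

The ID of this access policy is "__default_policy_ID", and it contains three Statements, whose IDs are "__user_pub_0", "__user_pub_1" and "__service_pub_0".

  • The Statement with ID "__user_pub_0" authorizes the users whose account IDs are "123456789" and "987654321" to publish messages to, and query the topic details of, the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic".
  • The Statement with ID "__user_pub_1" denies the user whose account ID is "987654321" permission to publish messages to, and query the topic details of, the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic".
  • The Statement with ID "__service_pub_0" allows the cloud service OBS to operate on the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic", publishing messages and querying topic details.

Together, the three Statements determine the effect of this access policy. In use, the evaluation proceeds as follows:

  • If the user whose account ID is "987654321" publishes a message to the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic", the access policy finds that the Statement with ID "__user_pub_0" allows the operation but the Statement with ID "__user_pub_1" denies it, so the operation is denied and the message cannot be published.
  • If the user whose account ID is "888888888" publishes a message to the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic", the access policy does not define anything for this user; that is, after all Statements have been evaluated, neither a "Deny" Statement nor an "Allow" Statement has taken effect, so the operation is denied and the message cannot be published.
  • If the user whose account ID is "123456789" publishes a message to the topic whose TopicUrn is "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic", the access policy finds that the Statement with ID "__user_pub_0" allows the operation and no "Deny" Statement takes effect, so the operation is allowed and the message can be published.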
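
The evaluation order described above (an explicit Deny overrides any Allow, and no matching Statement means deny), applied to the Example 3 policy as an added Python sketch; it is not part of the original documentation or the SMN service's own code. The names `stmt`, `matches`, `evaluate` and `shadowed_allows` are hypothetical, and the model assumes exact string matching on principal, action and resource with no Condition handling.

```python
# Added illustration: a simplified model, not the SMN service's implementation.
# Assumptions: exact string matching on principal/action/resource, no Condition keys.
TOPIC = "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"
ACTIONS = ["SMN:Publish", "SMN:QueryTopicDetail"]

def stmt(sid, effect, principal):
    """Build one Statement of Example 3 (all three share Action and Resource)."""
    return {"Sid": sid, "Effect": effect, "Principal": principal,
            "Action": ACTIONS, "Resource": TOPIC}

POLICY = {"Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [
    stmt("__user_pub_0", "Allow", {"CSP": ["urn:csp:iam::123456789:root",
                                           "urn:csp:iam::987654321:root"]}),
    stmt("__user_pub_1", "Deny", {"CSP": ["urn:csp:iam::987654321:root"]}),
    stmt("__service_pub_0", "Allow", {"Service": ["obs"]}),
]}

def matches(s, kind, principal, action, resource):
    """True if the Statement names this principal, action and resource."""
    return (principal in s["Principal"].get(kind, [])
            and action in s["Action"] and resource == s["Resource"])

def evaluate(policy, kind, principal, action, resource):
    """Return (decision, sid): explicit Deny wins, no match is an implicit deny."""
    allowed_by = None
    for s in policy["Statement"]:
        if not matches(s, kind, principal, action, resource):
            continue
        if s["Effect"] == "Deny":
            return "Deny", s["Sid"]          # a matching Deny ends evaluation
        if allowed_by is None:
            allowed_by = s["Sid"]            # remember the first matching Allow
    return ("Allow", allowed_by) if allowed_by else ("Deny", None)

def shadowed_allows(policy):
    """List Allow grants that an explicit Deny cancels (useful in policy review)."""
    found = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        for kind, names in s["Principal"].items():
            for p in names:
                for a in s["Action"]:
                    decision, by = evaluate(policy, kind, p, a, s["Resource"])
                    if decision == "Deny":
                        found.append((s["Sid"], p, a, by))
    return found

if __name__ == "__main__":
    for acct in ("987654321", "888888888", "123456789"):
        print(acct, evaluate(POLICY, "CSP", f"urn:csp:iam::{acct}:root", "SMN:Publish", TOPIC))
    print(shadowed_allows(POLICY))
```

`shadowed_allows` reports the two grants in "__user_pub_0" for account "987654321" that "__user_pub_1" cancels, which is the kind of dead Allow worth cleaning up when reviewing a topic policy.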