样例说明
示例一
{ "Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__user_pub_0", "Effect": "Allow", "Principal": { "CSP": [ "urn:csp:iam::123456789:root", "urn:csp:iam::987654321:root" ] }, "Action": [ "SMN:Publish", "SMN:QueryTopicDetail" ], "Resource": "urn:smn:region:cffe4fc4c9a54219b60dbaf7b586e132:Mytopic", "Condition": { "DateLessThan":{ "csp:CurrentTime":"2017-11-07T15:35:00Z" } } } ] }
代码说明:
该访问策略的ID为"__default_policy_ID",包含一个Statement语句。Statement语句的ID为“__user_pub_0”,授权给“帐号ID”为"123456789"和"987654321"的用户,允许对TopicUrn为"urn:smn:region:cffe4fc4c9a54219b60dbaf7b586e132:Mytopic"的主题,进行发布消息和查询主题详情的操作,该访问策略有效期截止到"2017-11-07T15:35:00Z"。
示例二
{ "Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__user_pub_0", "Effect": "Allow", "Principal": { "CSP": [ "urn:csp:iam::123456789:root", "urn:csp:iam::987654321:root" ] }, "Action": [ "SMN:Subscribe" ], "Resource": "urn:smn:region:6558ed0a1485466897e962f38fdfdb88:helloworld", "Condition": { "DateLessThan":{ "csp:CurrentTime":"2017-11-07T15:35:00Z" } "StringLike": { "smn:Endpoint":["*@gmail.com","*@hotmail.com"] } } } ] }
代码说明:
该访问策略的ID为"__default_policy_ID",包含一个Statement语句。Statement语句的ID为“__user_pub_0”,授权给“帐号ID”为"123456789"和"987654321"的用户,允许对TopicUrn为"urn:smn:region:6558ed0a1485466897e962f38fdfdb88:helloworld"的主题,进行主题订阅的操作,但只允许订阅gmail邮箱或hotmail邮箱且该访问策略有效期截止到"2017-11-07T15:35:00Z"。
示例三
{ "Version": "2016-09-07", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__user_pub_0", "Effect": "Allow", "Principal": { "CSP": [ "urn:csp:iam::123456789:root", "urn:csp:iam::987654321:root" ] }, "Action": [ "SMN:Publish", "SMN:QueryTopicDetail" ], "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic" }, { "Sid": "__user_pub_1", "Effect": "Deny", "Principal": { "CSP": [ "urn:csp:iam::987654321:root" ] }, "Action": [ "SMN:Publish", "SMN:QueryTopicDetail" ], "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic" }, { "Sid": "__service_pub_0", "Effect": "Allow", "Principal": { "Service": [ "obs" ] }, "Action": [ "SMN:Publish", "SMN:QueryTopicDetail" ], "Resource": "urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic" } ] }
代码说明:
该访问策略的ID为"__default_policy_ID",包含三个Statement语句,ID分别为“__user_pub_0”、“__user_pub_1”和“__service_pub_0”。
- ID为“__user_pub_0”的Statement语句,授权给“帐号ID”为"123456789"和"987654321"的用户,允许对TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题,进行发布消息和查询主题详情。
- ID为“__user_pub_1”的Statement语句,拒绝“帐号ID”为"987654321"的用户对TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题,进行发布消息和查询主题详情。
- ID 为"__service_pub_0"的Statement语句,允许云服务OBS操作TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题,进行发布消息和查询主题详情。
三个Statement语句的决定了该访问策略的作用。在使用过程中,判定过程如下:
- 如果“帐号ID”为"987654321"的用户向TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题发布消息,访问策略判定虽然ID为"__user_pub_0"的Statement语句允许该操作,但ID为"__user_pub_1"的Statement语句拒绝该操作,则操作判定为拒绝,不能发布消息。
- 如果“帐号ID”为"888888888"的用户向TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题发布消息,因访问策略未对该用户进行定义,即所有的Statement判定结束后,既没有"Deny"的Statement语句生效,也没有"Allow"Statement语句生效,则操作判定为拒绝,不能发布消息。
- 如果“帐号ID”为"123456789"的用户向TopicUrn为"urn:smn:regionId:e23bf08ebb924730b452426c60849564:ECM_BKS_Topic"的主题发布消息,访问策略判定ID为"__user_pub_0"的Statement语句允许该操作,且没有"Deny"的Statement生效,所以操作判定为允许,可以发布消息。