Role and Policy Authorization Reference
This section describes the policy authorization items (actions) supported in ASM policy-based authorization scenarios.
Supported Actions
Policies include system-defined policies and custom policies. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and attach them to user groups for fine-grained access control. The operations a policy supports correspond to APIs. The fields in the action list are described as follows:
- Permission: allows or denies a specific operation.
- API: the API that the custom policy actually calls.
- Action: the action supported in a custom policy. Writing an action into the Action field of a custom policy grants the permission that corresponds to that action.
- Dependent actions: some actions depend on other actions. The dependent actions must also be written into the policy for the corresponding permission to take effect.
"√" indicates supported; "×" indicates not yet supported.
The custom policy actions supported by Application Service Mesh (ASM) are as follows:
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Create mesh | POST /v1/{project_id}/meshes | asm:mesh:create | √ | √ |
| Delete mesh | DELETE /v1/{project_id}/meshes/{id} | asm:mesh:delete | √ | √ |
| List meshes | GET /v1/{project_id}/meshes | asm:mesh:get | √ | √ |
| Query mesh details | GET /v1/{project_id}/meshes/{id} | asm:mesh:list | √ | √ |
| Upgrade mesh | POST /v1/{project_id}/mesh-upgrade<br>GET /v1/{project_id}/mesh-upgrade/{id}<br>PUT /v1/{project_id}/mesh-upgrade/{id}<br>DELETE /v1/{project_id}/mesh-upgrade/{id} | asm:mesh:upgrade | √ | √ |
| Query mesh upgrade job | GET /v1/{project_id}/mesh-job/{id} | asm:mesh:getUpgradeJob | √ | √ |
| Update mesh | PUT /v2/projects/:project_id/meshes/:mesh_id | asm:mesh:update | √ | √ |
| Get candidate clusters | GET /v3/projects/:project_id/clusters-to-be-added | asm:mesh:getAvailableClusters | √ | × |
| List mesh services | GET /v3/meshes/:mesh_id/namespaces/:namespace/services | asm:mesh:listServices | √ | √ |
| Query mesh service | GET /v3/meshes/:mesh_id/namespaces/:namespace/services/:service | asm:mesh:getService | √ | √ |
| Validate mesh service | POST /v2/meshes/:mesh_id/namespaces/:namespace/services/validate | asm:mesh:getService | √ | √ |
| One-click fix of mesh service | POST /v2/meshes/:mesh_id/namespaces/:namespace/services/format | asm:mesh:updateService | √ | √ |
| Query mesh service access authorization | GET /v3/meshes/:mesh_id/authorizations | asm:mesh:getServiceGovernance | √ | √ |
| Create mesh service access authorization | POST /v3/meshes/:mesh_id/authorizations | asm:mesh:updateServiceGovernance | √ | √ |
| Delete mesh service access authorization | DELETE /v3/meshes/:mesh_id/authorizations | asm:mesh:updateServiceGovernance | √ | √ |
| Update namespace injection configuration | PUT /v2/meshes/:mesh_id/injection | asm:mesh:updateNamespace | √ | √ |
| Get namespace injection configuration | GET /v2/meshes/:mesh_id/injection | asm:mesh:getNamespace | √ | √ |
| Get namespaces | GET /v2/meshes/:mesh_id/namespaces | asm:mesh:listNamespaces | √ | √ |
| Get canary release traffic policy | GET /v2/meshes/:mesh_id/namespaces/:namespace/services/:service/virtualroutes | asm:mesh:getRelease | √ | √ |
| Update canary release traffic policy | PUT /v2/meshes/:mesh_id/namespaces/:namespace/services/:service/virtualroutes | asm:mesh:updateRelease | √ | √ |
| Create canary release task | POST /v2/meshes/:mesh_id/namespaces/:namespace/releases | asm:mesh:createRelease | √ | √ |
| Get canary release task details | GET /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:getRelease | √ | √ |
| List canary release tasks | GET /v2/meshes/:mesh_id/releases | asm:mesh:listReleases | √ | √ |
| Update canary release task | PUT /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:updateRelease | √ | √ |
| Delete canary release task | DELETE /v2/meshes/:mesh_id/namespaces/:namespace/releases/:release_id | asm:mesh:deleteRelease | √ | √ |
| Create gateway | POST /v2/meshes/:mesh_id/gateways | asm:mesh:createGateway | √ | √ |
| List gateways | GET /v3/meshes/:mesh_id/gateways | asm:mesh:listGateways | √ | √ |
| Delete gateway | POST /v2/meshes/:mesh_id/gateways/:gateway | asm:mesh:deleteGateway | √ | √ |
| Add route to gateway | POST /v3/meshes/:mesh_id/gateways/:gateway/addroute | asm:mesh:createGatewayRoute | √ | √ |
| List gateway routes | POST /v2/meshes/:mesh_id/gateways/:gateway/routes | asm:mesh:listGatewayRoutes | √ | √ |
| Remove route from gateway | POST /v3/meshes/:mesh_id/gateways/:gateway/removeroute | asm:mesh:deleteGatewayRoute | √ | √ |
| Create one-click experience | POST /v2/meshes/:mesh_id/workshops | asm:mesh:createWorkshop | √ | √ |
| Delete one-click experience | DELETE /v2/meshes/:mesh_id/workshops/:workshop | asm:mesh:deleteWorkshop | √ | √ |
| List one-click experiences | GET /v2/meshes/:mesh_id/workshops | asm:mesh:listWorkshops | √ | √ |
| Forward Istio query request | GET /apis/*.istio.io/* | asm:mesh:getServiceGovernance | √ | √ |
| Forward Istio create request | POST /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | √ | √ |
| Forward Istio delete request | DELETE /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | √ | √ |
| Forward Istio update request | PUT /apis/*.istio.io/* | asm:mesh:updateServiceGovernance | √ | √ |
| List resource instances | POST /v2/:project_id/:resourcetype/resource-instances/filter | asm:mesh:listResourcesByTag | √ | × |
| Query resource instance count | POST /v2/:project_id/:resourcetype/resource-instances/count | asm:mesh:listResourcesByTag | √ | × |
| Batch create resource tags | POST /v2/:project_id/:resourcetype/:resourceid/tags/create | asm:mesh:tagResource | √ | √ |
| Batch delete resource tags | DELETE /v2/:project_id/:resourcetype/:resourceid/tags/delete | asm:mesh:unTagResource | √ | √ |
| Query resource tags | GET /v2/:project_id/:resourcetype/:resourceid/tags | asm:mesh:listTagsForResource | √ | √ |
| Query project tags | GET /v2/:project_id/:resourcetype/tags | asm:mesh:listTags | √ | × |
| View service topology | GET /api/namespaces/:namespace/services/:service/graph<br>GET /api/graph | asm:mesh:getTopology | √ | √ |
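Added example (not from the ASM documentation): a custom policy that gives a user group read-only visibility into meshes and services using actions from the table above, plus a small evaluator for checking which actions it permits before the policy is attached. The JSON layout (Version 1.1, Statement/Effect/Action), the rule that a matching Deny overrides any Allow, and `*` wildcard matching in action names are assumptions made for illustration, not taken from this page.

```python
import fnmatch

# Constructed least-privilege policy: read-only mesh/service visibility for an
# operator group, with an explicit Deny on mesh deletion and Istio resource writes.
# Action names come from the table on this page; the JSON layout is assumed.
READ_ONLY_MESH_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "asm:mesh:get",
                "asm:mesh:list",
                "asm:mesh:listServices",
                "asm:mesh:getService",
                "asm:mesh:getServiceGovernance",
                "asm:mesh:listNamespaces",
                "asm:mesh:getNamespace",
                "asm:mesh:getTopology",
            ],
        },
        {
            # Explicit Deny so a broader Allow attached elsewhere cannot
            # reintroduce these write paths for the same user group.
            "Effect": "Deny",
            "Action": ["asm:mesh:delete", "asm:mesh:updateServiceGovernance"],
        },
    ],
}


def _matches(patterns, action):
    """True if any pattern ('*' is a wildcard) matches the action name (case-sensitive)."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policy, action):
    """Assumed evaluation order: any matching Deny wins; otherwise a matching Allow is required."""
    matched = {"Allow": False, "Deny": False}
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action):
            matched[stmt["Effect"]] = True
    return matched["Allow"] and not matched["Deny"]


def allowed_actions(policy, actions):
    """Reduce a list of actions (e.g. the Action column above) to those the policy permits."""
    return [a for a in actions if is_allowed(policy, a)]
```

Running `allowed_actions(READ_ONLY_MESH_POLICY, [...])` over the full Action column is a quick way to confirm that only query-type actions survive before the policy is attached to a group.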