Permissions Policies and Supported Actions

This section describes the actions that Cloud Backup and Recovery (CBR) supports for policy-based authorization.

Supported Actions

Policies include system-defined policies and custom policies. If the system-defined policies do not meet your authorization requirements, an administrator can create custom policies and grant them to user groups to implement fine-grained access control. The operations a policy supports correspond to API calls. The columns of the action lists below are:

- Permission: allows or denies an operation.
- API: the API that the custom policy actually calls.
- Action: the action supported in a custom policy. Writing the action into the Action field of a custom policy grants the corresponding permission.
- Dependent Actions: some actions depend on other actions. The dependent actions must also be written into the policy, or the permission does not take effect.
- IAM Project (Project)/Enterprise Project (Enterprise Project): the scope in which a custom policy can be granted, either an IAM project or an enterprise project. If an action supports both, the custom policy containing it can be granted to user groups in both IAM and Enterprise Management and takes effect in both. If an action supports only IAM projects, the policy takes effect only when granted in IAM; granted in Enterprise Management, it has no effect. An administrator can check each action's scope in the lists below: "√" means supported, "×" means not yet supported. For the difference between IAM projects and enterprise projects, see: Differences Between IAM and Enterprise Management.

CBR supports the following actions in custom policies:
Tasks

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Listing tasks | GET /v3/{project_id}/operation-logs | cbr:tasks:list | √ | √ |
| Querying a task | GET /v3/{project_id}/operation-logs/{operation_log_id} | cbr:tasks:get | √ | √ |
Protectables

| Permission | API | Action | Dependent Actions | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Querying protectable resources | GET /v3/{project_id}/protectables/{protectable_type}/instances | cbr:vaults:listProtectables | ecs:cloudServers:list, evs:volumes:list | √ | √ |
| Querying a specified protectable resource | GET /v3/{project_id}/protectables/{protectable_type}/instances/{instance_id} | cbr:vaults:getProtectables | ecs:cloudServers:list, evs:volumes:list | √ | × |
| Querying agent status | POST /v3/{project_id}/agent/check | cbr:backups:checkAgent | ecs:cloudServers:list | √ | × |
| Querying replication capabilities | GET /v3/{project_id}/replication-capabilities | cbr:backups:queryReplicationCapability | - | √ | × |
Vaults

| Permission | API | Action | Dependent Actions | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Associating a policy with a vault | POST /v3/{project_id}/vaults/{vault_id}/associatepolicy | cbr:vaults:associatePolicy | - | √ | √ |
| Querying a vault | GET /v3/{project_id}/vaults/{vault_id} | cbr:vaults:get | - | √ | √ |
| Modifying a vault | PUT /v3/{project_id}/vaults/{vault_id} | cbr:vaults:update | - | √ | √ |
| Deleting a vault | DELETE /v3/{project_id}/vaults/{vault_id} | cbr:vaults:delete | - | √ | √ |
| Removing resources | POST /v3/{project_id}/vaults/{vault_id}/removeresources | cbr:vaults:removeResources | - | √ | √ |
| Adding resources | POST /v3/{project_id}/vaults/{vault_id}/addresources | cbr:vaults:addResources | ecs:cloudServers:list, evs:volumes:list | √ | √ |
| Listing vaults | GET /v3/{project_id}/vaults | cbr:vaults:list | - | √ | √ |
| Creating a vault | POST /v3/{project_id}/vaults | cbr:vaults:create | ecs:cloudServers:list, evs:volumes:list | √ | √ |
| Listing vaults in other regions | GET /v3/{project_id}/external_vaults | cbr:vaults:listExternalVaults | cbr:vaults:listVaults | √ | √ |
| Dissociating a policy from a vault | POST /v3/{project_id}/vaults/{vault_id}/dissociatepolicy | cbr:vaults:dissociatePolicy | - | √ | √ |
| Migrating resources | POST /v3/{project_id}/vaults/{vault_id}/migrateresources | cbr:vaults:migrateResources | cbr:vaults:addResources | √ | √ |
Checkpoints

| Permission | API | Action | Dependent Actions | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Synchronizing a checkpoint | POST /v3/{project_id}/checkpoints/sync | cbr:vaults:sync | - | √ | √ |
| Replicating a checkpoint | POST /v3/{project_id}/checkpoints/replicate | cbr:vaults:replicate | - | √ | √ |
| Creating a checkpoint | POST /v3/{project_id}/checkpoints | cbr:vaults:backup | ecs:cloudServers:list, evs:volumes:list | √ | √ |
Backup Sharing

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Adding a backup member | POST /v3/{project_id}/backups/{backup_id}/members | cbr:member:create | √ | √ |
| Updating the status of a backup member | PUT /v3/{project_id}/backups/{backup_id}/members/{member_id} | cbr:member:update | √ | √ |
| Querying a backup member | GET /v3/{project_id}/backups/{backup_id}/members/{member_id} | cbr:member:get | √ | √ |
| Listing backup members | GET /v3/{project_id}/backups/{backup_id}/members | cbr:member:list | √ | √ |
| Deleting a backup member | DELETE /v3/{project_id}/backups/{backup_id}/members/{member_id} | cbr:member:delete | √ | √ |
Backups

| Permission | API | Action | Dependent Actions | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Listing backups | GET /v3/{project_id}/backups | cbr:backups:list | - | √ | √ |
| Querying a backup | GET /v3/{project_id}/backups/{backup_id} | cbr:backups:get | - | √ | √ |
| Deleting a backup | DELETE /v3/{project_id}/backups/{backup_id} | cbr:backups:delete | - | √ | √ |
| Synchronizing backups | POST /v3/{project_id}/backups/sync | cbr:backups:sync | - | √ | √ |
| Restoring a backup | POST /v3/{project_id}/backups/{backup_id}/restore | cbr:backups:restore | ecs:cloudServers:list, evs:volumes:list | √ | √ |
| Replicating a backup | POST /v3/{project_id}/backups/{backup_id}/replicate | cbr:backups:replicate | - | √ | √ |
| Updating a backup | PUT /v3/{project_id}/backups/{backup_id} | cbr:backups:update | - | √ | √ |
| Querying backup metadata | GET /v3/{project_id}/backups/{backup_id}/metadata | cbr:backups:getMetadata | - | √ | √ |
Policies

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Listing policies | GET /v3/{project_id}/policies | cbr:policies:list | √ | × |
| Creating a policy | POST /v3/{project_id}/policies | cbr:policies:create | √ | × |
| Querying a policy | GET /v3/{project_id}/policies/{policy_id} | cbr:policies:get | √ | × |
| Updating a policy | PUT /v3/{project_id}/policies/{policy_id} | cbr:policies:update | √ | × |
| Deleting a policy | DELETE /v3/{project_id}/policies/{policy_id} | cbr:policies:delete | √ | × |
Organization Policies

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating an organization policy | POST /v3/{project_id}/organization-policies | cbr:organizationPolicies:create | √ | × |
| Listing organization policies | GET /v3/{project_id}/organization-policies | cbr:organizationPolicies:list | √ | × |
| Querying an organization policy | GET /v3/{project_id}/organization-policies/{organization_policy_id} | cbr:organizationPolicies:get | √ | × |
| Deleting an organization policy | DELETE /v3/{project_id}/organization-policies/{organization_policy_id} | cbr:organizationPolicies:delete | √ | × |
| Updating an organization policy | PUT /v3/{project_id}/organization-policies/{organization_policy_id} | cbr:organizationPolicies:update | √ | × |
Tags

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying vault resource instances | POST /v3/{project_id}/vault/resource_instances/action | cbr:vaults:listResourceInstances | √ | √ |
| Adding or deleting vault tags in batches | POST /v3/{project_id}/vault/{vault_id}/tags/action | cbr:vaults:bulkCreateOrDeleteTags | √ | √ |
| Adding vault tags | POST /v3/{project_id}/vault/{vault_id}/tags | cbr:vaults:setTags | √ | √ |
| Deleting a vault tag | DELETE /v3/{project_id}/vault/{vault_id}/tags/{key} | cbr:vaults:deleteTags | √ | √ |
| Querying vault tags | GET /v3/{project_id}/vault/{vault_id}/tags | cbr:vaults:getTags | √ | √ |
| Querying project tags of vaults | GET /v3/{project_id}/vault/tags | cbr:vaults:listProjectTags | √ | √ |
Agents

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Registering an agent | POST /v3/{project_id}/agents | cbr:agents:register | √ | × |
| Querying an agent | GET /v3/{project_id}/agents/{agent_id} | cbr:agents:get | √ | × |
| Listing agents | GET /v3/{project_id}/agents | cbr:agents:list | √ | × |
| Removing an agent | DELETE /v3/{project_id}/agents/{agent_id} | cbr:agents:delete | √ | × |
| Updating an agent | PUT /v3/{project_id}/agents/{agent_id} | cbr:agents:update | √ | × |
| Removing a backup path | POST /v3/{project_id}/agents/{agent_id}/remove-path | cbr:agents:removePath | √ | × |
| Adding a backup path | POST /v3/{project_id}/agents/{agent_id}/add-path | cbr:agents:addPath | √ | × |
Metering

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying storage usage | GET /v3/{project_id}/storage_usage | cbr:backups:listStorageUsage | √ | √ |
Operations

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Changing a vault (order) | PUT /v3/{project_id}/orders/{order_id} | cbr:vaults:updateOrder | √ | √ |
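The dependency and scope rules stated in the introduction become easy to get wrong when a custom policy is written by hand, so the following added example (not Huawei Cloud's own code) embeds the tables above, resolves the transitive dependencies of the actions an administrator wants to grant into a least-privilege policy, and checks an existing policy for missing dependent actions and for actions that do not take effect when granted through Enterprise Management. It assumes the IAM custom-policy JSON shape with "Version": "1.1" and a "Statement" list of "Effect"/"Action" entries.

```python
"""Resolve and check CBR custom-policy Action lists against the dependency and
scope tables on this page (added example, not Huawei Cloud's own code). Assumed:
the IAM policy JSON shape {"Version": "1.1", "Statement": [{"Effect", "Action"}]}."""
import json

# "Dependent Actions" column; actions whose dependency is "-" are omitted.
DEPENDS_ON = {
    "cbr:vaults:listProtectables": {"ecs:cloudServers:list", "evs:volumes:list"},
    "cbr:vaults:getProtectables": {"ecs:cloudServers:list", "evs:volumes:list"},
    "cbr:backups:checkAgent": {"ecs:cloudServers:list"},
    "cbr:vaults:addResources": {"ecs:cloudServers:list", "evs:volumes:list"},
    "cbr:vaults:create": {"ecs:cloudServers:list", "evs:volumes:list"},
    "cbr:vaults:listExternalVaults": {"cbr:vaults:listVaults"},
    "cbr:vaults:migrateResources": {"cbr:vaults:addResources"},
    "cbr:vaults:backup": {"ecs:cloudServers:list", "evs:volumes:list"},
    "cbr:backups:restore": {"ecs:cloudServers:list", "evs:volumes:list"},
}
# Actions marked "×" under Enterprise Project: all cbr:policies:*,
# cbr:organizationPolicies:* and cbr:agents:* actions plus these three.
NO_EP_PREFIXES = ("cbr:policies:", "cbr:organizationPolicies:", "cbr:agents:")
NO_EP_ACTIONS = {"cbr:vaults:getProtectables", "cbr:backups:checkAgent",
                 "cbr:backups:queryReplicationCapability"}

def supports_enterprise_project(action: str) -> bool:
    return not (action.startswith(NO_EP_PREFIXES) or action in NO_EP_ACTIONS)

def resolve(actions) -> set:
    """Transitive closure over DEPENDS_ON: migrateResources needs addResources,
    which in turn needs the ECS and EVS list actions."""
    todo, done = set(actions), set()
    while todo:
        action = todo.pop()
        done.add(action)
        todo |= DEPENDS_ON.get(action, set()) - done
    return done

def build_policy(actions, effect: str = "Allow") -> str:
    """Serialise a policy granting exactly the wanted actions plus their dependencies."""
    statement = {"Effect": effect, "Action": sorted(resolve(actions))}
    return json.dumps({"Version": "1.1", "Statement": [statement]}, indent=2)

def check_policy(policy_json: str, enterprise_project: bool = False) -> dict:
    """Report Allow-ed actions with missing dependencies and, when the policy is to
    be granted in Enterprise Management, actions that will not take effect there."""
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            granted.update([acts] if isinstance(acts, str) else acts)
    missing = {a: sorted(DEPENDS_ON[a] - granted)
               for a in sorted(granted) if DEPENDS_ON.get(a, set()) - granted}
    no_ep = sorted(a for a in granted
                   if enterprise_project and not supports_enterprise_project(a))
    return {"missing_dependencies": missing, "ineffective_in_enterprise_project": no_ep}
```

Running `check_policy` on a policy before granting it catches the two silent failure modes the tables describe: a dependent action that was left out, and an action that is ignored outside an IAM project.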

