策略授权参考
本章节介绍CSS策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
CSS的支持自定义策略授权项如下所示:
- 管理集群:包含CSS集群管理对应的授权项,如创建集群、扩容集群、查看集群详情、获取实例规格列表等接口。
- 自定义词库:包括CSS自定义词库功能对应的授权项,如加载自定义库、查询词库状态或删除自定义词库。
- Kibana公网访问:包括Kibana公网访问对应的授权项,如开启Kibana公网访问、关闭Kibana公网访问、修改Kibana公网访问等接口。
- 日志管理:包括CSS日志管理对应的授权项,如开启日志、关闭日志、修改日志、查询日志等接口。
- 公网访问:包括CSS公网访问对应的授权项,如开启公网访问、关闭公网访问、修改公网访问等接口。
- 快照管理:包括CSS快照功能对应的授权项,如数据备份与恢复,可以通过接口创建快照、恢复快照或者删除快照等接口。
- 终端节点:包括CSS终端节点服务对应的授权项,如开启终端节点服务、关闭终端节点服务、获取连接终端节点服务、更新终端节点服务连接等接口。
- 参数配置:包括CSS参数配置对应的授权项,如修改集群参数配置等接口。
管理集群
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
创建集群 | POST /v1.0/{project_id}/clusters | css:cluster:create | √ | √ |
查询集群列表 | GET /v1.0/{project_id}/clusters | css:cluster:list | √ | √ |
查询集群详情 | GET /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:get | √ | √ |
删除集群 | DELETE /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:delete | √ | √ |
按需集群转包周期 | POST /v1.0/{project_id}/cluster/{cluster_id}/period | css:cluster:create | √ | √ |
修改集群名称 | POST /v1.0/{project_id}/clusters/{cluster_id}/changename | css:cluster:modifyName | √ | √ |
修改密码 | POST /v1.0/{project_id}/clusters/{cluster_id}/password/reset | css:cluster:modifyPassword | √ | √ |
重启集群 | POST /v1.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | √ | √ |
扩容集群 | POST /v1.0/{project_id}/clusters/{cluster_id}/extend | css:cluster:scaleOut | √ | √ |
扩容实例的数量和存储容量 | POST /v1.0/{project_id}/clusters/{cluster_id}/role_extend | css:cluster:expand | √ | √ |
变更规格 | POST /v1.0/{project_id}/clusters/{cluster_id}/flavor | css:cluster:modifySpecifications | √ | √ |
获取实例规格列表 | GET /v1.0/{project_id}/es-flavors | css:cluster:listFlavors | √ | √ |
查询所有标签 | GET /v1.0/{project_id}/{resource_type}/tags | css:tag:list | √ | √ |
查询指定集群的标签 | GET /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:get | √ | √ |
添加指定集群标签 | POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:edit | √ | √ |
删除集群标签 | DELETE /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key} | css:tag:delete | √ | √ |
批量添加或删除集群标签 | POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action | css:tag:addOrDelete | √ | √ |
指定节点类型规格变更 | POST /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor | css:cluster:modifySpecifications | √ | √ |
指定节点缩容 | POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline | css:cluster:shrinkNodes | √ | √ |
指定节点类型缩容 | POST /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink | css:cluster:scaleIn | √ | √ |
下载安全证书 | GET /v1.0/{project_id}/cer/download | css:cluster:downloadCert | √ | √ |
节点替换 | PUT /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace | css:cluster:upgradeCluster | √ | √ |
安全模式修改 | POST /v1.0/{project_id}/clusters/{cluster_id}/mode/change | css:cluster:changeMode | √ | √ |
添加独立master、client | POST /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent | css:cluster:addIndependenceNodes | √ | √ |
切换安全组 | POST /v1.0/{project_id}/clusters/{cluster_id}/sg/change | css:cluster:modifySecurityGroup | √ | √ |
创建集群V2 | POST /v2.0/{project_id}/clusters | css:cluster:create | √ | √ |
重启集群V2 | POST /v2.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | √ | √ |
滚动重启 | POST /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart | css:cluster:rollingReboot | √ | √ |
自定义词库
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
加载自定义词库 | POST /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:load | √ | √ |
查询自定义词库状态 | GET /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:get | √ | √ |
删除自定义词库 | DELETE /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:delete | √ | √ |
Kibana公网访问
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
开启Kibana公网访问 | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open | css:publicKibana:open | √ | √ |
关闭Kibana公网访问 | PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close | css:publicKibana:close | √ | √ |
修改Kibana公网带宽 | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth | css:publicIPAddress:modifyBandwidth | √ | √ |
修改Kibana公网访问控制 | POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update | ss:publicIPAddress:setAccessControl | √ | √ |
关闭Kibana公网访问控制 | PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close | css:publicIPAddress:setAccessControl | √ | √ |
日志管理
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
开启日志功能 | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/open | css:cluster:openLogSetting | √ | √ |
关闭日志功能 | PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/close | css:log:enableOrDisableLogFunction | √ | √ |
查询作业列表 | GET /v1.0/{project_id}/clusters/{cluster_id}/logs/records | css:log:listJob | √ | √ |
查询日志基础配置 | GET /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:getBasicConfigurations | √ | √ |
修改日志基础配置 | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:setBasicConfigurations | √ | √ |
开启日志自动备份策略 | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update | css:log:updateBackupPolicy | √ | √ |
关闭日志自动备份策略 | PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close | css:log:updateBackupPolicy | √ | √ |
备份日志 | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/collect | css:log:backup | √ | √ |
查询日志 | POST /v1.0/{project_id}/clusters/{cluster_id}/logs/search | css:log:list | √ | √ |
公网访问
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
开启公网访问 | POST /v1.0/{project_id}/clusters/{cluster_id}/public/open | css:publicIPAddress:associates | √ | √ |
关闭公网访问 | PUT /v1.0/{project_id}/clusters/{cluster_id}/public/close | css:publicIPAddress:disassociates | √ | √ |
修改公网访问带宽 | POST /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth | css:publicIPAddress:modifyBandwidth | √ | √ |
开启公网访问控制白名单 | POST /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update | css:publicIPAddress:setAccessControl | √ | √ |
关闭公网访问控制白名单 | PUT /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close | css:publicIPAddress:setAccessControl | √ | √ |
快照管理
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
自动设置集群快照的基础配置(不推荐使用) | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting | css:snapshot:enableAtomaticSnapsot | √ | √ |
修改集群快照的基础配置 | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting | css:snapshot:setSnapshotContiguration | √ | √ |
手动创建快照 | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot | css:snapshot:create | √ | √ |
恢复快照 | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore | css:snapshot:restore | √ | √ |
删除快照 | DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id} | css:snapshot:delete | √ | √ |
设置自动创建快照策略 | POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:setSnapshotPolicy | √ | √ |
查询自动创建快照的策略 | GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:getSnapshotPolicy | √ | √ |
查询快照列表 | GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:list | √ | √ |
停用快照功能 | DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:disableSnapshotFuction | √ | √ |
开启自动创建快照功能 | POST /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open | css:snapshot:setSnapshotPolicy | √ | √ |
关闭自动创建快照功能 | PUT /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close | css:snapshot:setSnapshotPolicy | √ | √ |
终端节点
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
开启终端节点服务 | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open | css:VPCEndpoint:enableOrDisable | √ | √ |
关闭终端节点服务 | PUT /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close | css:VPCEndpoint:enableOrDisable | √ | √ |
获取终端节点连接 | GET /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:listConnection | √ | √ |
更新终端节点连接 | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:manageConnection | √ | √ |
修改终端节点服务白名单 | POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions | css:VPCEndpoint:updateWhitelist | √ | √ |
参数配置
权限 | 对应API接口 | 授权项(Action) | IAM项目 (Project) | 企业项目 (Enterprise Project) |
|---|---|---|---|---|
修改参数配置 | POST /v1.0/{project_id}/clusters/{cluster_id}/ymls/update | css:configurations:modify | √ | √ |
获取参数配置任务列表 | GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists | css:configurations:list | √ | √ |
获取参数配置列表 | GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/template | css:configurations:get | √ | √ |
