策略授权参考
本章节介绍CSS策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
CSS的支持自定义策略授权项如下所示:
- 管理集群:包含CSS集群管理对应的授权项,如创建集群、扩容集群、查看集群详情、获取实例规格列表等接口。
- 自定义词库:包括CSS自定义词库功能对应的授权项,如加载自定义库、查询词库状态或删除自定义词库。
- Kibana公网访问:包括Kibana公网访问对应的授权项,如开启Kibana公网访问、关闭Kibana公网访问、修改Kibana公网访问等接口。
- 日志管理:包括CSS日志管理对应的授权项,如开启日志、关闭日志、修改日志、查询日志等接口。
- 公网访问:包括CSS公网访问对应的授权项,如开启公网访问、关闭公网访问、修改公网访问等接口。
- 快照管理:包括CSS快照功能对应的授权项,如数据备份与恢复,可以通过接口创建快照、恢复快照或者删除快照等接口。
- 终端节点:包括CSS终端节点服务对应的授权项,如开启终端节点服务、关闭终端节点服务、获取连接终端节点服务、更新终端节点服务连接等接口。
- 参数配置:包括CSS参数配置对应的授权项,如修改集群参数配置等接口。
管理集群
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
创建集群 |
POST /v1.0/{project_id}/clusters |
css:cluster:create |
√ |
√ |
|
查询集群列表 |
GET /v1.0/{project_id}/clusters |
css:cluster:list |
√ |
√ |
|
查询集群详情 |
GET /v1.0/{project_id}/clusters/{cluster_id} |
css:cluster:get |
√ |
√ |
|
删除集群 |
DELETE /v1.0/{project_id}/clusters/{cluster_id} |
css:cluster:delete |
√ |
√ |
|
按需集群转包周期 |
POST /v1.0/{project_id}/cluster/{cluster_id}/period |
css:cluster:create |
√ |
√ |
|
修改集群名称 |
POST /v1.0/{project_id}/clusters/{cluster_id}/changename |
css:cluster:modifyName |
√ |
√ |
|
修改密码 |
POST /v1.0/{project_id}/clusters/{cluster_id}/password/reset |
css:cluster:modifyPassword |
√ |
√ |
|
重启集群 |
POST /v1.0/{project_id}/clusters/{cluster_id}/restart |
css:cluster:restart |
√ |
√ |
|
扩容集群 |
POST /v1.0/{project_id}/clusters/{cluster_id}/extend |
css:cluster:scaleOut |
√ |
√ |
|
扩容实例的数量和存储容量 |
POST /v1.0/{project_id}/clusters/{cluster_id}/role_extend |
css:cluster:expand |
√ |
√ |
|
变更规格 |
POST /v1.0/{project_id}/clusters/{cluster_id}/flavor |
css:cluster:modifySpecifications |
√ |
√ |
|
获取实例规格列表 |
GET /v1.0/{project_id}/es-flavors |
css:cluster:listFlavors |
√ |
√ |
|
查询所有标签 |
GET /v1.0/{project_id}/{resource_type}/tags |
css:tag:list |
√ |
√ |
|
查询指定集群的标签 |
GET /v1.0/{project_id}/{resource_type}/{cluster_id}/tags |
css:tag:get |
√ |
√ |
|
添加指定集群标签 |
POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags |
css:tag:edit |
√ |
√ |
|
删除集群标签 |
DELETE /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key} |
css:tag:delete |
√ |
√ |
|
批量添加或删除集群标签 |
POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action |
css:tag:addOrDelete |
√ |
√ |
|
指定节点类型规格变更 |
POST /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor |
css:cluster:modifySpecifications |
√ |
√ |
|
指定节点缩容 |
POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline |
css:cluster:shrinkNodes |
√ |
√ |
|
指定节点类型缩容 |
POST /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink |
css:cluster:scaleIn |
√ |
√ |
|
下载安全证书 |
GET /v1.0/{project_id}/cer/download |
css:cluster:downloadCert |
√ |
√ |
|
节点替换 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace |
css:cluster:upgradeCluster |
√ |
√ |
|
安全模式修改 |
POST /v1.0/{project_id}/clusters/{cluster_id}/mode/change |
css:cluster:changeMode |
√ |
√ |
|
添加独立master、client |
POST /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent |
css:cluster:addIndependenceNodes |
√ |
√ |
|
切换安全组 |
POST /v1.0/{project_id}/clusters/{cluster_id}/sg/change |
css:cluster:modifySecurityGroup |
√ |
√ |
|
创建集群V2 |
POST /v2.0/{project_id}/clusters |
css:cluster:create |
√ |
√ |
|
重启集群V2 |
POST /v2.0/{project_id}/clusters/{cluster_id}/restart |
css:cluster:restart |
√ |
√ |
|
滚动重启 |
POST /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart |
css:cluster:rollingReboot |
√ |
√ |
自定义词库
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
加载自定义词库 |
POST /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:load |
√ |
√ |
|
查询自定义词库状态 |
GET /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:get |
√ |
√ |
|
删除自定义词库 |
DELETE /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:delete |
√ |
√ |
Kibana公网访问
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
开启Kibana公网访问 |
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open |
css:publicKibana:open |
√ |
√ |
|
关闭Kibana公网访问 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close |
css:publicKibana:close |
√ |
√ |
|
修改Kibana公网带宽 |
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth |
css:publicIPAddress:modifyBandwidth |
√ |
√ |
|
修改Kibana公网访问控制 |
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update |
ss:publicIPAddress:setAccessControl |
√ |
√ |
|
关闭Kibana公网访问控制 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close |
css:publicIPAddress:setAccessControl |
√ |
√ |
日志管理
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
开启日志功能 |
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/open |
css:cluster:openLogSetting |
√ |
√ |
|
关闭日志功能 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/close |
css:log:enableOrDisableLogFunction |
√ |
√ |
|
查询作业列表 |
GET /v1.0/{project_id}/clusters/{cluster_id}/logs/records |
css:log:listJob |
√ |
√ |
|
查询日志基础配置 |
GET /v1.0/{project_id}/clusters/{cluster_id}/logs/settings |
css:log:getBasicConfigurations |
√ |
√ |
|
修改日志基础配置 |
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/settings |
css:log:setBasicConfigurations |
√ |
√ |
|
开启日志自动备份策略 |
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update |
css:log:updateBackupPolicy |
√ |
√ |
|
关闭日志自动备份策略 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close |
css:log:updateBackupPolicy |
√ |
√ |
|
备份日志 |
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/collect |
css:log:backup |
√ |
√ |
|
查询日志 |
OST /v1.0/{project_id}/clusters/{cluster_id}/logs/search |
css:log:list |
√ |
√ |
公网访问
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
开启公网访问 |
POST /v1.0/{project_id}/clusters/{cluster_id}/public/open |
css:publicIPAddress:associates |
√ |
√ |
|
关闭公网访问 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/public/close |
css:publicIPAddress:disassociates |
√ |
√ |
|
修改公网访问带宽 |
POST /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth |
css:publicIPAddress:modifyBandwidth |
√ |
√ |
|
开启公网访问控制白名单 |
POST /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update |
css:publicIPAddress:setAccessControl |
√ |
√ |
|
关闭公网访问控制白名单 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close |
css:publicIPAddress:setAccessControl |
√ |
√ |
快照管理
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
自动设置集群快照的基础配置(不推荐使用) |
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting |
css:snapshot:enableAtomaticSnapsot |
√ |
√ |
|
修改集群快照的基础配置 |
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting |
css:snapshot:setSnapshotContiguration |
√ |
√ |
|
手动创建快照 |
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot |
css:snapshot:create |
√ |
√ |
|
恢复快照 |
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore |
css:snapshot:restore |
√ |
√ |
|
删除快照 |
DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id} |
css:snapshot:delete |
√ |
√ |
|
设置自动创建快照策略 |
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy |
css:snapshot:setSnapshotPolicy |
√ |
√ |
|
查询自动创建快照的策略 |
GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy |
css:snapshot:getSnapshotPolicy |
√ |
√ |
|
查询快照列表 |
GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots |
css:snapshot:list |
√ |
√ |
|
停用快照功能 |
DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots |
css:snapshot:disableSnapshotFuction |
√ |
√ |
|
开启自动创建快照功能 |
POST /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open |
css:snapshot:setSnapshotPolicy |
√ |
√ |
|
关闭自动创建快照功能 |
PUT /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close |
css:snapshot:setSnapshotPolicy |
√ |
√ |
终端节点
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
开启终端节点服务 |
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open |
css:VPCEndpoint:enableOrDisable |
√ |
√ |
|
关闭终端节点服务 |
PUT /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close |
css:VPCEndpoint:enableOrDisable |
√ |
√ |
|
获取终端节点连接 |
GET /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections |
css:VPCEndpoint:listConnection |
√ |
√ |
|
更新终端节点连接 |
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections |
css:VPCEndpoint:manageConnection |
√ |
√ |
|
修改终端节点服务白名单 |
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions |
css:VPCEndpoint:updateWhitelist |
√ |
√ |
参数配置
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
修改参数配置 |
POST /v1.0/{project_id}/clusters/{cluster_id}/ymls/update |
css:configurations:modify |
√ |
√ |
|
获取参数配置任务列表 |
GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists |
css:configurations:list |
√ |
√ |
|
获取参数配置列表 |
GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/template |
css:configurations:get |
√ |
√ |
