策略授权参考
本章节介绍EdgeSec策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝对指定资源在特定条件下进行某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
EdgeSec的支持自定义策略授权项如表1所示:
生命周期管理
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询DDoS攻击日志列表 |
GET /v1/edgesec/log/ddos-attack-logs |
edgesec:log:get |
√ |
× |
|
查询防护域名列表 |
GET /v1/edgesec/configuration/domains |
edgesec:wafDomain:list |
√ |
√ |
|
创建防护域名 |
POST /v1/edgesec/configuration/domains |
edgesec:wafDomain:create |
√ |
√ |
|
更新防护域名 |
PUT /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:put |
√ |
√ |
|
删除防护域名 |
DELETE /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:delete |
√ |
√ |
|
查询防护域名详情 |
GET /v1/edgesec/configuration/domains/{domain_id} |
edgesec:wafDomain:get |
√ |
√ |
|
查询精准防护规则列表 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule |
edgesec:wafCustomRule:list |
√ |
× |
|
创建精准防护规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule |
edgesec:wafCustomRule:create |
√ |
× |
|
批量更新精准防护规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/batch-update |
edgesec:wafCustomRule:put |
√ |
× |
|
查询精准防护规则 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:get |
√ |
× |
|
更新精准防护规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:put |
√ |
× |
|
删除精准防护规则 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/access-control-rule/{rule_id} |
edgesec:wafCustomRule:delete |
√ |
× |
|
查询IP黑白名单规则列表 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule |
edgesec:wafWhiteBlackIpRule:list |
√ |
× |
|
创建IP黑白名单规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule |
edgesec:wafWhiteBlackIpRule:create |
√ |
× |
|
查询IP黑白名单规则 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:get |
√ |
× |
|
更新IP黑白名单规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:put |
√ |
× |
|
删除IP黑白名单规则 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/blocktrustip-rule/{rule_id} |
edgesec:wafWhiteBlackIpRule:delete |
√ |
× |
|
查询cc规则列表 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule |
edgesec:wafCcRule:list |
√ |
× |
|
创建cc规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule |
edgesec:wafCcRule:create |
√ |
× |
|
批量更新cc规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/batch-update |
edgesec:wafCcRule:put |
√ |
× |
|
查询cc规则 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:get |
√ |
× |
|
更新cc规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:put |
√ |
× |
|
删除cc规则 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/cc-rule/{rule_id} |
edgesec:wafCcRule:delete |
√ |
× |
|
查询误报屏蔽规则列表 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule |
edgesec:wafIgnoreRule:list |
√ |
× |
|
创建误报屏蔽规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule |
edgesec:wafIgnoreRule:create |
√ |
× |
|
查询误报屏蔽规则 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:get |
√ |
× |
|
更新误报屏蔽规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:put |
√ |
× |
|
删除误报屏蔽规则 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id} |
edgesec:wafIgnoreRule:delete |
√ |
× |
|
重置误报屏蔽规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/ignore-rule/{rule_id}/recount |
edgesec:wafIgnoreRule:recount |
√ |
× |
|
查询防护策略列表 |
GET /v1/edgesec/configuration/http/policies |
edgesec:wafPolicy:list |
√ |
× |
|
创建防护策略 |
POST /v1/edgesec/configuration/http/policies |
edgesec:wafPolicy:create |
√ |
× |
|
查询防护策略 |
GET /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:get |
√ |
× |
|
更新防护策略 |
PUT /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:put |
√ |
× |
|
删除防护策略 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id} |
edgesec:wafPolicy:delete |
√ |
× |
|
更新防护策略的域名 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/hosts |
edgesec:wafPolicyDomain:put |
√ |
× |
|
更新防护策略规则开关 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/{rule_type}/{rule_id}/status |
edgesec:wafPolicyRuleStatus:put |
√ |
× |
|
查询攻击惩罚规则列表 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule |
edgesec:wafPunishmentRule:list |
√ |
× |
|
创建攻击惩罚规则 |
POST /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule |
edgesec:wafPunishmentRule:create |
√ |
× |
|
查询攻击惩罚规则 |
GET /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:get |
√ |
× |
|
更新攻击惩罚规则 |
PUT /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:put |
√ |
× |
|
删除攻击惩罚规则 |
DELETE /v1/edgesec/configuration/http/policies/{policy_id}/punishment-rule/{rule_id} |
edgesec:wafPunishmentRule:delete |
√ |
× |
|
查询IP地址组列表 |
GET /v1/edgesec/configuration/http/ip-groups |
edgesec:wafIpGroup:list |
√ |
× |
|
创建IP地址组 |
POST /v1/edgesec/configuration/http/ip-groups |
edgesec:wafIpGroup:create |
√ |
× |
|
查询IP地址组 |
GET /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:get |
√ |
× |
|
更新IP地址组 |
PUT /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:put |
√ |
× |
|
删除IP地址组 |
DELETE /v1/edgesec/configuration/http/ip-groups/{ip_group_id} |
edgesec:wafIpGroup:delete |
√ |
× |
|
查询引用表列表 |
GET /v1/edgesec/configuration/http/reference-table |
edgesec:wafValueList:list |
√ |
× |
|
创建引用表 |
POST /v1/edgesec/configuration/http/reference-table |
edgesec:wafValueList:create |
√ |
× |
|
查询引用表 |
GET /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:get |
√ |
× |
|
更新引用表 |
PUT /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:put |
√ |
× |
|
删除引用表 |
DELETE /v1/edgesec/configuration/http/reference-table/{table_id} |
edgesec:wafValueList:delete |
√ |
× |
|
查询http攻击分布 |
GET /v1/edgesec/stat/http-attack-distribution |
edgesec:statistics:get |
√ |
√ |
|
查询http攻击时间线 |
GET /v1/edgesec/stat/http-attack-timelines |
edgesec:statistics:get |
√ |
√ |
|
查询http topN统计 |
GET /v1/edgesec/stat/http-attack-top |
edgesec:statistics:get |
√ |
√ |
