Workspace management permissions
Scenario-level authorization examples
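| Policy name | Description | Type | IAM 3.0 policy that must also be configured |
|---|---|---|---|
| ModelArtsWorkspaceReadOnlyPolicy | Read-only policy for "System Configuration - Workspace" in the ModelArts service | System identity policy | Policy JSON listed below the table |
| ModelArtsWorkspaceAllPolicy | All policies (read and write) for "System Configuration - Workspace" in the ModelArts service | System identity policy | Policy JSON listed below the table |

IAM 3.0 policy that must also be configured for ModelArtsWorkspaceReadOnlyPolicy:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "modelarts:exemlProject:delete",
        "modelarts:fusionJob:getWorkspacesCleanupTask",
        "modelarts:fusionJob:workspacesCleanup",
        "modelarts:model:delete",
        "modelarts:workflow:delete",
        "modelarts:workspace:delete",
        "modelarts:workspace:get",
        "modelarts:pool:list"
      ]
    }
  ]
}
```

IAM 3.0 policy that must also be configured for ModelArtsWorkspaceAllPolicy:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "modelarts:exemlProject:delete",
        "modelarts:fusionJob:getWorkspacesCleanupTask",
        "modelarts:fusionJob:workspacesCleanup",
        "modelarts:model:delete",
        "modelarts:workflow:delete",
        "modelarts:workspace:delete",
        "modelarts:workspace:get",
        "modelarts:pool:list"
      ]
    }
  ]
}
```
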
| Scenario | Example |
|---|---|
| Read/write (IAM 3.0) | One policy created separately for ModelArts and one policy created separately for IAM, both listed below the table |

Policy that must be created separately for ModelArts:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "modelarts:authorization:create",
        "modelarts:authorization:delete",
        "modelarts:authorization:list",
        "modelarts:exemlProject:delete",
        "modelarts:fusionJob:getWorkspacesCleanupTask",
        "modelarts:fusionJob:workspacesCleanup",
        "modelarts:model:delete",
        "modelarts:pool:list",
        "modelarts:workflow:delete",
        "modelarts:workspace:checkAuthorizations",
        "modelarts:workspace:create",
        "modelarts:workspace:delete",
        "modelarts:workspace:get",
        "modelarts:workspace:getAuthMode",
        "modelarts:workspace:getQuotas",
        "modelarts:workspace:getUserList",
        "modelarts:workspace:getUserRoles",
        "modelarts:workspace:list",
        "modelarts:workspace:update",
        "modelarts:workspace:updateAuthMode",
        "modelarts:workspace:updateQuotas"
      ]
    }
  ]
}
```

Policy that must be created separately for IAM:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:quotas:listQuotasForProject",
        "iam:quotas:listQuotas",
        "iam:agencies:createAgency",
        "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgency",
        "iam:permissions:grantRoleToAgencyOnDomain",
        "iam:permissions:grantRoleToAgency",
        "iam:agencies:deleteAgency",
        "iam:users:listUsers",
        "iam:roles:listRoles",
        "iam:roles:createRole",
        "iam:roles:updateRole",
        "iam:agencies:getAgency",
        "iam:groups:listGroups",
        "iam:permissions:listRolesForAgencyOnDomain",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:listRolesForAgency"
      ]
    }
  ]
}
```

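
Before attaching any of the policies above, a reviewer can list which allowed actions are not read operations. The following is an added example, not code from this page or from Huawei Cloud. The `READ_PREFIXES` verb list and the function names are assumptions of the example, and the embedded policy is the ModelArtsWorkspaceReadOnlyPolicy document from the first table.

```python
import json

# Operation prefixes treated as read-only. This list is an assumption of the
# example, not an official Huawei Cloud classification.
READ_PREFIXES = ("get", "list", "check")

# ModelArtsWorkspaceReadOnlyPolicy as listed in the first table above.
READONLY_POLICY = json.loads("""
{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
  "modelarts:exemlProject:delete",
  "modelarts:fusionJob:getWorkspacesCleanupTask",
  "modelarts:fusionJob:workspacesCleanup",
  "modelarts:model:delete",
  "modelarts:workflow:delete",
  "modelarts:workspace:delete",
  "modelarts:workspace:get",
  "modelarts:pool:list"]}]}
""")


def is_read_only(action):
    """True if 'service:resource:operation' names a read operation."""
    if "*" in action:
        return False  # a wildcard can match write operations
    parts = action.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed action: {action!r}")
    return parts[2].startswith(READ_PREFIXES)


def mutating_actions(policy):
    """Return the sorted Allow-ed actions that are not read operations."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.update(a for a in actions if not is_read_only(a))
    return sorted(found)


def review(name, policy):
    """Flag a policy whose name says read-only but which allows mutations."""
    return mutating_actions(policy) if "readonly" in name.lower() else []


if __name__ == "__main__":
    for action in review("ModelArtsWorkspaceReadOnlyPolicy", READONLY_POLICY):
        print("not a read operation:", action)
```
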
API-level authorization
| Permission | API | Action (IAM 3.0) | Action (IAM 5.0) | Dependent actions | IAM project | Enterprise project |
|---|---|---|---|---|---|---|
| Create a workspace | POST /v1/{project_id}/workspaces | modelarts:workspace:create | modelarts:workspace:create | eps:enterpriseProjects:list | √ | √ |
| Query the workspace list | GET /v1/{project_id}/workspaces | modelarts:workspace:list | modelarts:workspace:list | eps:enterpriseProjects:list | √ | √ |
| Query workspace details | GET /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:get | modelarts:workspace:get | eps:enterpriseProjects:list | √ | √ |
| Modify a workspace | PUT /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:update | modelarts:workspace:update | eps:enterpriseProjects:list | √ | √ |
| Delete a workspace | DELETE /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:delete modelarts:service:delete modelarts:model:delete modelarts:tensorboard:delete modelarts:trainJob:delete modelarts:exemlProject:delete modelarts:notebook:delete modelarts:dataset:delete modelarts:notebook:delete | modelarts:workspace:delete modelarts:service:delete modelarts:model:delete modelarts:tensorboard:delete modelarts:trainJob:delete modelarts:exemlProject:delete modelarts:notebook:delete modelarts:dataset:delete modelarts:notebook:delete | eps:enterpriseProjects:list | √ | √ |
| Query workspace quotas | GET /v1/{project_id}/workspaces/{workspace_id}/quotas | modelarts:workspace:getQuotas | modelarts:workspace:getQuotas | eps:enterpriseProjects:list | √ | √ |
| Modify workspace quotas | PUT /v1/{project_id}/workspaces/{workspace_id}/quotas | modelarts:workspace:updateQuotas | modelarts:workspace:updateQuotas | eps:enterpriseProjects:list | √ | √ |