Authorization Management Permissions
Scenario-Level Authorization Examples
- New IAM console: provides system identity policies based on IAM 5.0. Users can create a custom policy in the new IAM console and grant it to the user group the user belongs to. Because some modules are not yet fully connected to IAM 5.0, you currently also need to create a custom policy in the old IAM console containing the IAM 3.0 policy listed below and grant that custom policy to the user's user group. See the following table for the configuration.
Table 1 Authorization for authorization-management operation scenarios in the new IAM console

| Policy Name | Description | Type | IAM 3.0 Policy That Must Also Be Configured |
|---|---|---|---|
| ModelArtsPermissionManagementReadOnlyPolicy | Read-only policy for ModelArts "System Configuration - Permission Management" | System identity policy | `{"Version":"1.1","Statement":[{"Effect":"Allow","Action":["iam:permissions:listRolesForAgencyOnDomain","iam:permissions:listRolesForAgencyOnProject","iam:permissions:listRolesForAgency"]}]}` |
| ModelArtsPermissionManagementAllPolicy | Full (read/write) policy for ModelArts "System Configuration - Permission Management" | System identity policy | `{"Version":"1.1","Statement":[{"Effect":"Allow","Action":["iam:permissions:listRolesForAgencyOnDomain","iam:permissions:listRolesForAgencyOnProject","iam:permissions:listRolesForAgency"]}]}` |

- Old IAM console: does not provide system identity policies based on IAM 3.0. Users need to create custom identity policies in the old IAM console to configure scenario-level authorization. See the following table for the configuration.
Table 2 Authorization for authorization-management operation scenarios in the old IAM console

Read/write (IAM 3.0):

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "modelarts:authorization:list",
        "modelarts:authorization:create",
        "modelarts:authorization:delete",
        "iam:quotas:listQuotasForProject",
        "iam:quotas:listQuotas",
        "iam:agencies:createAgency",
        "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgency",
        "iam:permissions:grantRoleToAgencyOnDomain",
        "iam:permissions:grantRoleToAgency",
        "iam:agencies:delete",
        "iam:users:listUsers",
        "iam:roles:listRoles",
        "iam:roles:createRole",
        "iam:roles:updateRole",
        "iam:agencies:getAgency",
        "iam:groups:listGroups",
        "iam:permissions:listRolesForAgencyOnDomain",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:listRolesForAgency"
      ],
      "Effect": "Allow"
    }
  ]
}
```

Read-only (IAM 3.0):

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "modelarts:authorization:list",
        "iam:quotas:listQuotasForProject",
        "iam:quotas:listQuotas",
        "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgency",
        "iam:users:listUsers",
        "iam:roles:listRoles",
        "iam:agencies:getAgency",
        "iam:groups:listGroups",
        "iam:permissions:listRolesForAgencyOnDomain",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:listRolesForAgency"
      ],
      "Effect": "Allow"
    }
  ]
}
```
API-Level Authorization
| Permission | API | Action | Dependent Actions | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Create authorization | POST /v1/{project_id}/atelier/authorizations | modelarts:authorization:create | iam:agencies:listAgencies, iam:groups:list, iam:users:list, iam:agencies:getAgency | √ | √ |
| Delete authorization | DELETE /v1/{project_id}/atelier/authorizations | modelarts:authorization:delete | None | √ | √ |
| Query authorizations | GET /v1/{project_id}/atelier/authorizations | modelarts:authorization:list | None | √ | √ |
| Create agency | POST /v1/{project_id}/atelier/agency | None | iam:quotas:list, iam:agencies:createAgency, iam:roles:listRoles, iam:permissions:grantRoleToAgency, iam:roles:createRole | √ | √ |
| Query agency | GET /v1/{project_id}/atelier/agency | None | iam:agencies:listAgencies | √ | √ |
| Query the permission list of an agency | GET /v1/{project_id}/atelier/agency/{agency_name}/grants | None | iam:agencies:listAgencies, iam:permissions:listRolesForAgencyOnDomain, iam:permissions:listRolesForAgencyOnProject, iam:permissions:listRolesForAgency | √ | √ |
| Query the permission list of an agency | GET /v2/{project_id}/atelier/agency/{agency_id}/grants | None | iam:permissions:listRolesForAgencyOnDomain, iam:permissions:listRolesForAgencyOnProject, iam:permissions:listRolesForAgency | √ | √ |
| Update the permission list of an agency | POST /v1/{project_id}/atelier/agency/{agency_name}/grants | None | iam:quotas:list, iam:roles:listRoles, iam:roles:createRole, iam:permissions:grantRoleToAgency | √ | √ |
| Query the default agency permission list configured for the service | GET /v1/{project_id}/atelier/agency/default-grants | None | iam:permissions:grantRoleToAgency | √ | √ |
| Query agency quota | GET /v1/{project_id}/atelier/agency/quotas | None | iam:quotas:list | √ | √ |
| Delete agency | DELETE /v1/{project_id}/atelier/agency/{agency_id} | None | iam:agencies:deleteAgency | √ | √ |
| Query agency ID by agency name | GET /v1/{project_id}/atelier/agency/info | None | iam:agencies:listAgencies | √ | √ |
| Query users | GET /v1/{project_id}/atelier/users | None | iam:users:list | √ | √ |
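As an added example (not part of the original documentation), the following Python script checks the read-only IAM 3.0 policy from Table 2 against a subset of the API-level table above and reports which calls it fully covers, so a least-privilege custom policy can be verified before it is granted to a user group. It assumes standard IAM evaluation semantics (an explicit Deny overrides Allow, and `*` acts as a wildcard in action names), which this page does not itself state; the action strings are copied as written on the page.

```python
import fnmatch
import json

# Read-only IAM 3.0 policy copied verbatim from Table 2 above.
READ_ONLY_POLICY = json.loads("""
{"Version":"1.1","Statement":[{"Action":[
 "modelarts:authorization:list","iam:quotas:listQuotasForProject",
 "iam:quotas:listQuotas","iam:agencies:listAgencies",
 "iam:permissions:listRolesForAgency","iam:users:listUsers",
 "iam:roles:listRoles","iam:agencies:getAgency","iam:groups:listGroups",
 "iam:permissions:listRolesForAgencyOnDomain",
 "iam:permissions:listRolesForAgencyOnProject"],"Effect":"Allow"}]}
""")

# Subset of the API-level table: each call's own action plus its
# dependent actions, copied as written in the table ("None" adds nothing).
API_REQUIREMENTS = {
    "POST /v1/{project_id}/atelier/authorizations": [
        "modelarts:authorization:create", "iam:agencies:listAgencies",
        "iam:groups:list", "iam:users:list", "iam:agencies:getAgency"],
    "DELETE /v1/{project_id}/atelier/authorizations": [
        "modelarts:authorization:delete"],
    "GET /v1/{project_id}/atelier/authorizations": [
        "modelarts:authorization:list"],
    "GET /v1/{project_id}/atelier/agency": ["iam:agencies:listAgencies"],
    "GET /v2/{project_id}/atelier/agency/{agency_id}/grants": [
        "iam:permissions:listRolesForAgencyOnDomain",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:listRolesForAgency"],
}

def action_allowed(policy, action):
    """Assumed IAM evaluation: an explicit Deny beats any Allow, and '*'
    inside a statement's action string is a wildcard (fnmatch)."""
    allowed = False
    for stmt in policy["Statement"]:
        for pattern in stmt["Action"]:
            if fnmatch.fnmatchcase(action, pattern):
                if stmt["Effect"] == "Deny":
                    return False  # explicit Deny ends evaluation
                allowed = True
    return allowed

def missing_actions(policy, api):
    """Required actions for `api` that `policy` does not grant."""
    return [a for a in API_REQUIREMENTS[api] if not action_allowed(policy, a)]

def permitted_apis(policy):
    """APIs from the table whose every required action the policy grants."""
    return sorted(a for a in API_REQUIREMENTS if not missing_actions(policy, a))
```

Any action the table spells differently from the policy (for example `iam:users:list` versus `iam:users:listUsers`) is reported as missing, which is a useful prompt to reconcile the two lists before relying on the policy.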