授权项
Token管理
|
权限 |
对应API接口 |
授权项(Action) |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
获取委托Token |
iam:tokens:assume |
- |
- |
访问密钥管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询所有永久访问密钥 |
iam:credentials:listCredentials |
- |
- |
|
|
查询指定永久访问密钥 |
iam:credentials:getCredential |
- |
- |
|
|
创建永久访问密钥 |
iam:credentials:createCredential |
- |
- |
|
|
修改指定永久访问密钥 |
iam:credentials:updateCredential |
- |
- |
|
|
删除指定永久访问密钥 |
iam:credentials:deleteCredential |
- |
- |
虚拟MFA管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
解绑MFA设备 |
× |
iam:mfa:unbindMFADevice |
- |
- |
|
绑定MFA设备 |
× |
iam:mfa:bindMFADevice |
- |
- |
|
创建MFA设备 |
× |
iam:mfa:createVirtualMFADevice |
- |
- |
|
删除MFA设备 |
× |
iam:mfa:deleteVirtualMFADevice |
- |
- |
项目管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
创建项目 |
iam:projects:createProject |
- |
- |
|
|
修改项目 |
iam:projects:updateProject |
- |
- |
|
|
设置指定项目的状态 |
iam:projects:updateProject |
- |
- |
|
|
查询用户的项目列表 |
iam:projects:listProjectsForUser |
- |
- |
|
|
删除项目 |
× |
iam:projects:deleteProject |
- |
- |
租户管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询租户配额 |
iam:quotas:listQuotas |
- |
- |
用户管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询用户列表 |
iam:users:listUsers |
- |
- |
|
|
查询用户详情 |
iam:users:getUser |
- |
- |
|
|
查询用户详情(推荐) |
iam:users:getUser |
- |
- |
|
|
查询用户所属用户组 |
iam:groups:listGroupsForUser |
- |
- |
|
|
查询用户组所包含的用户 |
iam:users:listUsersForGroup |
- |
- |
|
|
创建用户 |
iam:users:createUser |
- |
- |
|
|
修改密码 |
iam:users:updateUserPassword |
- |
- |
|
|
修改用户信息 |
iam:users:updateUser |
- |
- |
|
|
删除用户 |
iam:users:deleteUser |
- |
- |
|
|
管理员重置IAM用户密码 |
× |
iam:users:resetUserPassword |
- |
- |
|
设置登录保护 |
× |
iam:users:setUserLoginProtect |
- |
- |
|
查询指定项目上有权限的用户列表 |
× |
iam:users:listUsersForProject |
- |
- |
|
删除用户组中用户 |
iam:permissions:removeUserFromGroup |
- |
- |
|
|
查询IAM用户的MFA绑定信息列表 |
iam:mfa:listVirtualMFADevices |
- |
- |
|
|
查询指定IAM用户的MFA绑定信息 |
iam:mfa:getVirtualMFADevice |
- |
- |
|
|
查询IAM用户的登录保护状态信息列表 |
iam:users:listUserLoginProtects |
- |
- |
|
|
查询指定IAM用户的登录保护状态信息 |
iam:users:getUserLoginProtect |
- |
- |
用户组管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
管理员查询用户组所包含的IAM用户 |
iam:users:listUsersForGroup |
- |
- |
|
|
查询用户组列表 |
iam:groups:listGroups |
- |
- |
|
|
查询用户组详情 |
iam:groups:getGroup |
- |
- |
|
|
创建用户组 |
iam:groups:createGroup |
- |
- |
|
|
添加用户到用户组 |
iam:permissions:addUserToGroup |
- |
- |
|
|
更新用户组 |
iam:groups:updateGroup |
- |
- |
|
|
删除用户组 |
|
- |
- |
|
|
查询用户是否在用户组中 |
iam:permissions:checkUserInGroup |
- |
- |
权限管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询角色列表 |
iam:roles:listRoles |
- |
- |
|
|
查询角色的详细信息 |
iam:roles:getRole |
- |
- |
|
|
查询租户中用户组的权限 |
iam:permissions:listRolesForGroupOnDomain |
- |
- |
|
|
查询项目对应的用户组的权限 |
iam:permissions:listRolesForGroupOnProject |
- |
- |
|
|
为租户所属用户组授权 |
PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:grantRoleToGroupOnDomain |
- |
- |
|
为项目对应的用户组授权 |
PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:grantRoleToGroupOnProject |
- |
- |
|
删除项目对应的用户组的权限 |
DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:revokeRoleFromGroupOnProject |
- |
- |
|
删除租户所属用户组的权限 |
DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:revokeRoleFromGroupOnDomain |
- |
- |
|
查询租户中用户组是否包含权限 |
HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:checkRoleForGroupOnDomain |
- |
- |
|
查询项目对应的用户组是否包含权限 |
HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:checkRoleForGroupOnProject |
- |
- |
|
为用户组授予指定权限 |
PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} |
iam:permissions:grantRoleToGroup |
- |
- |
|
查询用户在指定项目上拥有的权限 |
× |
iam:permissions:listRolesForUserOnProject |
- |
- |
|
查询用户组的所有权限 |
× |
iam:permissions:listRolesForGroup |
- |
- |
|
查询用户组是否拥有指定权限 |
× |
iam:permissions:checkRoleForGroup |
- |
- |
|
移除用户组的指定权限 |
× |
iam:permissions:revokeRoleFromGroup |
- |
- |
|
查询租户配额 |
GET /v3.0/OS-QUOTA/domains/{domain_id}?type={user, group, idp, agency, policy} |
iam:quotas:listQuotas |
- |
- |
自定义策略管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询自定义策略列表 |
iam:roles:listRoles |
- |
- |
|
|
查询自定义策略详情 |
iam:roles:getRole |
- |
- |
|
|
创建云服务自定义策略 |
iam:roles:createRole |
- |
- |
|
|
修改云服务自定义策略 |
iam:roles:updateRole |
- |
- |
|
|
删除自定义策略 |
iam:roles:deleteRole |
- |
- |
委托管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
创建委托 |
iam:agencies:createAgency |
- |
- |
|
|
查询指定条件下的委托列表 |
iam:agencies:listAgencies |
- |
- |
|
|
获取指定委托的详细信息 |
iam:agencies:getAgency |
- |
- |
|
|
修改委托 |
iam:agencies:updateAgency |
- |
- |
|
|
删除委托 |
iam:agencies:deleteAgency |
- |
- |
|
|
通过项目给委托赋予权限 |
PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:grantRoleToAgencyOnProject |
- |
- |
|
检查委托在项目上是否有指定权限 |
HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:checkRoleForAgencyOnProject |
- |
- |
|
查询委托在项目上具有的权限列表 |
GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles |
iam:permissions:listRolesForAgencyOnProject |
- |
- |
|
通过项目删除委托的权限 |
DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:revokeRoleFromAgencyOnProject |
- |
- |
|
通过租户给委托赋予权限 |
PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:grantRoleToAgencyOnDomain |
- |
- |
|
检查委托在租户上是否有指定权限 |
HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:checkRoleForAgencyOnDomain |
- |
- |
|
查询委托在租户上具有的权限列表 |
GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles |
iam:permissions:listRolesForAgencyOnDomain |
- |
- |
|
通过租户删除委托的权限 |
DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} |
iam:permissions:revokeRoleFromAgencyOnDomain |
- |
- |
|
查询委托下的所有项目服务权限列表 |
GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects |
iam:permissions:listRolesForAgency |
- |
- |
|
为委托授予所有项目服务权限 |
PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects |
iam:permissions:grantRoleToAgency |
- |
- |
|
检查委托下是否具有所有项目服务权限 |
HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects |
iam:permissions:checkRoleForAgency |
- |
- |
|
移除委托下的所有项目服务权限 |
iam:permissions:revokeRoleFromAgency |
- |
- |
安全设置
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询账号操作保护策略 |
GET v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy |
iam:securitypolicies:getProtectPolicy |
- |
- |
|
查询账号密码策略 |
GET v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy |
iam:securitypolicies:getPasswordPolicy |
- |
- |
|
查询账号登录策略 |
iam:securitypolicies:getLoginPolicy |
- |
- |
|
|
查询账号控制台访问策略 |
GET v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy |
iam:securitypolicies:getConsoleAclPolicy |
- |
- |
|
查询账号接口访问策略 |
GET v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy |
iam:securitypolicies:getApiAclPolicy |
- |
- |
联邦身份认证管理
|
权限 |
对应API接口 |
授权项 |
IAM项目 (Project) |
企业项目 (Enterprise Project) |
|---|---|---|---|---|
|
查询身份提供商列表 |
iam:identityProviders:listIdentityProviders |
- |
- |
|
|
查询身份提供商 |
iam:identityProviders:getIdentityProvider |
- |
- |
|
|
创建身份提供商 |
iam:identityProviders:createIdentityProvider |
- |
- |
|
|
更新身份提供商 |
iam:identityProviders:updateIdentityProvider |
- |
- |
|
|
删除身份提供商 |
iam:identityProviders:deleteIdentityProvider |
- |
- |
|
|
查询映射列表 |
iam:identityProviders:listMappings |
- |
- |
|
|
查询映射详情 |
iam:identityProviders:getMapping |
- |
- |
|
|
注册映射 |
iam:identityProviders:createMapping |
- |
- |
|
|
更新映射 |
iam:identityProviders:updateMapping |
- |
- |
|
|
删除映射 |
iam:identityProviders:deleteMapping |
- |
- |
|
|
查询协议列表 |
iam:identityProviders:listProtocols |
- |
- |
|
|
查询协议 |
GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} |
iam:identityProviders:getProtocol |
- |
- |
|
注册协议 |
PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} |
iam:identityProviders:createProtocol |
- |
- |
|
更新协议 |
PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} |
iam:identityProviders:updateProtocol |
- |
- |
|
删除协议 |
DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} |
iam:identityProviders:deleteProtocol |
- |
- |
|
查询Metadata文件 |
GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata |
iam:identityProviders:getIDPMetadata |
- |
- |
|
导入Metadata文件 |
POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata |
iam:identityProviders:createIDPMetadata |
- |
- |
