Updated on: 2024-09-09 GMT+08:00

IoT Device Access (IoTDA)

Service Control Policies (SCPs) in the Organizations service can use the following authorization elements to set access control policies.

An SCP does not grant permissions directly; it only defines a permission boundary. Attaching an SCP to an organizational unit (OU) or a member account does not grant operation permissions to that OU or member account; it defines the scope within which permissions can be granted to the member account, or to the member accounts contained in the OU.

This section describes the elements used by SCPs in the Organizations service: actions (Action), resources (Resource), and conditions (Condition).

For details about how to use these elements to edit a custom SCP, see Creating an SCP.

Actions (Action)

Actions are the authorization items supported in SCPs.

  • The Access Level column describes how an action is classified (list, read, write, and so on). This classification helps you understand the access level an action carries when it appears in an SCP.
  • The Resource Type column indicates whether each action supports resource-level permissions.
    • The wildcard * stands for all resource types. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the SCP statement.
    • If this column contains a resource type, you must specify the URN of that resource in any statement that uses the action.
    • Required resources in the Resource Type column are marked with an asterisk (*), meaning the resource type must be specified whenever the action is used.

    For details about the resource types defined by IoTDA, see Resource Types (Resource).

  • The Condition Key column lists the keys that can be specified in the Condition element of an SCP statement.
    • If the Resource Type column of the action has a value, the condition key applies only to the listed resource types.
    • If the Resource Type column of the action has no value (-), the condition key applies to the entire action.
    • If the Condition Key column has no value (-), the action does not support condition keys.

    For details about the condition keys defined by IoTDA, see Conditions (Condition).

You can specify the following IoTDA actions in the Action element of an SCP statement.

Table 1 Actions supported by IoTDA

| Action | Description | Access Level | Resource Type | Condition Key |
|---|---|---|---|---|
| iotda:products:create | Create a product | write | app | g:EnterpriseProjectId |
| iotda:products:queryList | Query the product list | list | app | g:EnterpriseProjectId |
| iotda:products:query | Query a product | read | app | g:EnterpriseProjectId |
| iotda:products:modify | Modify a product | write | app | g:EnterpriseProjectId |
| iotda:products:delete | Delete a product | write | app | g:EnterpriseProjectId |
| iotda:devices:register | Create a device | write | app | g:EnterpriseProjectId |
| iotda:devices:queryList | Query the device list | list | app | g:EnterpriseProjectId |
| iotda:devices:query | Query a device | read | app | g:EnterpriseProjectId |
| iotda:devices:modify | Modify a device | write | app | g:EnterpriseProjectId |
| iotda:devices:delete | Delete a device | write | app | g:EnterpriseProjectId |
| iotda:devices:resetSecret | Reset a device secret | write | app | g:EnterpriseProjectId |
| iotda:devices:freeze | Freeze a device | write | app | g:EnterpriseProjectId |
| iotda:devices:unfreeze | Unfreeze a device | write | app | g:EnterpriseProjectId |
| iotda:devices:resetFingerprint | Reset a device fingerprint | write | app | g:EnterpriseProjectId |
| iotda:devices:queryList | Flexibly search the device list | list | app | g:EnterpriseProjectId |
| iotda:messages:send | Deliver a message to a device | write | app | g:EnterpriseProjectId |
| iotda:messages:queryList | Query device messages | list | app | g:EnterpriseProjectId |
| iotda:messages:query | Query the message with a specified message ID | read | app | g:EnterpriseProjectId |
| iotda:message:broadcast | Deliver a broadcast message | write | app | g:EnterpriseProjectId |
| iotda:commands:send | Deliver a command to a device | write | app | g:EnterpriseProjectId |
| iotda:asynccommands:send | Deliver an asynchronous command to a device | write | app | g:EnterpriseProjectId |
| iotda:asynccommands:query | Query the command with a specified ID | read | app | g:EnterpriseProjectId |
| iotda:properties:modify | Modify device properties | write | app | g:EnterpriseProjectId |
| iotda:properties:query | Query device properties | read | app | g:EnterpriseProjectId |
| iotda:shadow:query | Query device shadow data | read | app | g:EnterpriseProjectId |
| iotda:shadow:config | Configure desired device shadow data | write | app | g:EnterpriseProjectId |
| iotda:amqpqueue:create | Create an AMQP queue | write | - | g:EnterpriseProjectId |
| iotda:amqpqueue:queryList | Query the AMQP queue list | list | - | g:EnterpriseProjectId |
| iotda:amqpqueue:query | Query a single AMQP queue | read | - | g:EnterpriseProjectId |
| iotda:amqpqueue:delete | Delete an AMQP queue | write | - | g:EnterpriseProjectId |
| iotda:accesscode:create | Generate an access credential | write | - | g:EnterpriseProjectId |
| iotda:routingrules:create | Create a rule trigger condition | write | app | g:EnterpriseProjectId |
| iotda:routingrules:queryList | Query the rule condition list | list | app | g:EnterpriseProjectId |
| iotda:routingrules:query | Query a rule condition | read | app | g:EnterpriseProjectId |
| iotda:routingrules:modify | Modify a rule trigger condition | write | app | g:EnterpriseProjectId |
| iotda:routingrules:delete | Delete a rule trigger condition | write | app | g:EnterpriseProjectId |
| iotda:routingactions:create | Create a rule action | write | app | g:EnterpriseProjectId, iotda:HttpForwardingEnableSSL, iotda:HttpForwardingEnableAuthentication, iotda:DMSKafkaForwardingEnableAuthentication, iotda:DMSKafkaForwardingEnableSSL, iotda:MysqlForwardingEnableSSL, iotda:MRSKafkaForwardingEnableAuthentication, iotda:DMSRocketMQForwardingEnableSSL, iotda:MongoDBForwardingEnableSSL |
| iotda:routingactions:queryList | Query the rule action list | list | app | g:EnterpriseProjectId |
| iotda:routingactions:query | Query a rule action | read | app | g:EnterpriseProjectId |
| iotda:routingactions:modify | Modify a rule action | write | app | g:EnterpriseProjectId, iotda:HttpForwardingEnableSSL, iotda:HttpForwardingEnableAuthentication, iotda:DMSKafkaForwardingEnableAuthentication, iotda:DMSKafkaForwardingEnableSSL, iotda:MysqlForwardingEnableSSL, iotda:MRSKafkaForwardingEnableAuthentication, iotda:DMSRocketMQForwardingEnableSSL, iotda:MongoDBForwardingEnableSSL |
| iotda:routingactions:delete | Delete a rule action | write | app | g:EnterpriseProjectId |
| iotda:rules:create | Create a rule | write | - | g:EnterpriseProjectId |
| iotda:rules:queryList | Query the rule list | list | - | g:EnterpriseProjectId |
| iotda:rules:modify | Modify a rule | write | - | g:EnterpriseProjectId |
| iotda:rules:query | Query a rule | read | - | g:EnterpriseProjectId |
| iotda:rules:delete | Delete a rule | write | - | g:EnterpriseProjectId |
| iotda:rules:modifyStatus | Modify the status of a rule | write | - | g:EnterpriseProjectId |
| iotda:group:create | Add a device group | write | app | g:EnterpriseProjectId |
| iotda:group:queryList | Query the device group list | list | app | g:EnterpriseProjectId |
| iotda:group:query | Query a device group | read | app | g:EnterpriseProjectId |
| iotda:group:modify | Modify a device group | write | app | g:EnterpriseProjectId |
| iotda:group:delete | Delete a device group | write | app | g:EnterpriseProjectId |
| iotda:group:addDevice | Manage the devices in a device group | write | app | g:EnterpriseProjectId |
| iotda:group:queryDeviceList | Query the device list of a device group | list | app | g:EnterpriseProjectId |
| iotda:tags:bind | Bind tags | tagging | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| iotda:tags:unbind | Unbind tags | tagging | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| iotda:tags:queryResourceList | Query resources by tag | list | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| iotda:apps:queryList | Query the resource space list | list | app | g:EnterpriseProjectId |
| iotda:app:create | Create a resource space | write | app | g:EnterpriseProjectId |
| iotda:apps:query | Query a resource space | read | app | g:EnterpriseProjectId |
| iotda:apps:delete | Delete a resource space | write | app | g:EnterpriseProjectId |
| iotda:batchtasks:create | Create a batch task | write | - | g:EnterpriseProjectId |
| iotda:batchtasks:queryList | Query the batch task list | list | - | g:EnterpriseProjectId |
| iotda:batchtasks:query | Query a batch task | read | - | g:EnterpriseProjectId |
| iotda:batchtasks:retry | Retry a batch task | write | - | g:EnterpriseProjectId |
| iotda:batchtasks:stop | Stop a batch task | write | - | g:EnterpriseProjectId |
| iotda:batchtasks:delete | Delete a batch task | write | - | g:EnterpriseProjectId |
| iotda:batchtaskfiles:create | Upload a batch task file | write | - | g:EnterpriseProjectId |
| iotda:batchtaskfiles:queryList | Query the batch task file list | list | - | g:EnterpriseProjectId |
| iotda:batchtaskfiles:delete | Delete a batch task file | write | - | g:EnterpriseProjectId |
| iotda:certificates:upload | Upload a device CA certificate | write | app | g:EnterpriseProjectId |
| iotda:certificates:queryList | Obtain the device CA certificate list | list | app | g:EnterpriseProjectId |
| iotda:certificates:delete | Delete a device CA certificate | write | app | g:EnterpriseProjectId |
| iotda:certificates:check | Verify a device CA certificate | write | app | g:EnterpriseProjectId |
| iotda:otapackages:create | Create an OTA upgrade package | write | - | g:EnterpriseProjectId |
| iotda:otapackages:queryList | Query the OTA upgrade package list | list | - | g:EnterpriseProjectId |
| iotda:otapackages:query | Obtain OTA upgrade package details | read | - | g:EnterpriseProjectId |
| iotda:otapackages:delete | Delete an OTA upgrade package | write | - | g:EnterpriseProjectId |
| iotda:tunnel:queryList | Query the tunnel list | list | - | g:EnterpriseProjectId |
| iotda:tunnel:create | Create a device tunnel | write | - | g:EnterpriseProjectId, iotda:DeviceGroupId |
| iotda:tunnel:delete | Delete a device tunnel | write | - | g:EnterpriseProjectId |
| iotda:tunnel:query | Query tunnel details | read | - | g:EnterpriseProjectId |
| iotda:tunnel:update | Modify a device tunnel | write | - | g:EnterpriseProjectId |
| iotda:instance:create | Create an instance | write | - | g:EnterpriseProjectId, g:TagKeys, g:RequestTag/<tag-key> |
| iotda:instance:update | Modify an instance | write | - | g:EnterpriseProjectId, g:ResourceTag/<tag-key>, iotda:AllowPublicAccess, iotda:AllowPublicForwarding, iotda:DomainConfiguration |
| iotda:instance:query | Query instance details | read | instance | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| iotda:instance:queryList | Query the instance list | read | - | - |
| iotda:instance:delete | Delete an instance | write | instance | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| iotda:instance:operateTag | Operate instance tags | write | instance | g:EnterpriseProjectId, g:TagKeys, g:RequestTag/<tag-key> |

Each IoTDA API usually corresponds to one or more actions. Table 2 shows the relationship between APIs and actions, as well as the actions each API depends on.

Table 2 Relationship between APIs and actions

| API | Corresponding Action | Dependent Action |
|---|---|---|
| POST /v5/iot/{project_id}/products | iotda:products:create | - |
| GET /v5/iot/{project_id}/products | iotda:products:queryList | - |
| GET /v5/iot/{project_id}/products/{product_id} | iotda:products:query | - |
| PUT /v5/iot/{project_id}/products/{product_id} | iotda:products:modify | - |
| DELETE /v5/iot/{project_id}/products/{product_id} | iotda:products:delete | - |
| POST /v5/iot/{project_id}/devices | iotda:devices:register | - |
| GET /v5/iot/{project_id}/devices | iotda:devices:queryList | - |
| GET /v5/iot/{project_id}/devices/{device_id} | iotda:devices:query | - |
| PUT /v5/iot/{project_id}/devices/{device_id} | iotda:devices:modify | - |
| DELETE /v5/iot/{project_id}/devices/{device_id} | iotda:devices:delete | - |
| POST /v5/iot/{project_id}/devices/{device_id}/action | iotda:devices:resetSecret | - |
| POST /v5/iot/{project_id}/devices/{device_id}/freeze | iotda:devices:freeze | - |
| POST /v5/iot/{project_id}/devices/{device_id}/unfreeze | iotda:devices:unfreeze | - |
| POST /v5/iot/{project_id}/devices/{device_id}/reset-fingerprint | iotda:devices:resetFingerprint | - |
| POST /v5/iot/{project_id}/search/query-devices | iotda:devices:queryList | - |
| POST /v5/iot/{project_id}/devices/{device_id}/messages | iotda:messages:send | - |
| GET /v5/iot/{project_id}/devices/{device_id}/messages | iotda:messages:queryList | - |
| GET /v5/iot/{project_id}/devices/{device_id}/messages/{message_id} | iotda:messages:query | - |
| POST /v5/iot/{project_id}/broadcast-messages | iotda:message:broadcast | - |
| POST /v5/iot/{project_id}/devices/{device_id}/commands | iotda:commands:send | - |
| POST /v5/iot/{project_id}/devices/{device_id}/async-commands | iotda:asynccommands:send | - |
| GET /v5/iot/{project_id}/devices/{device_id}/async-commands/{command_id} | iotda:asynccommands:query | - |
| PUT /v5/iot/{project_id}/devices/{device_id}/properties | iotda:properties:modify | - |
| GET /v5/iot/{project_id}/devices/{device_id}/properties | iotda:properties:query | - |
| GET /v5/iot/{project_id}/devices/{device_id}/shadow | iotda:shadow:query | - |
| PUT /v5/iot/{project_id}/devices/{device_id}/shadow | iotda:shadow:config | - |
| POST /v5/iot/{project_id}/amqp-queues | iotda:amqpqueue:create | - |
| GET /v5/iot/{project_id}/amqp-queues | iotda:amqpqueue:queryList | - |
| GET /v5/iot/{project_id}/amqp-queues/{queue_id} | iotda:amqpqueue:query | - |
| DELETE /v5/iot/{project_id}/amqp-queues/{queue_id} | iotda:amqpqueue:delete | - |
| POST /v5/iot/{project_id}/auth/accesscode | iotda:accesscode:create | - |
| POST /v5/iot/{project_id}/routing-rule/rules | iotda:routingrules:create | - |
| GET /v5/iot/{project_id}/routing-rule/rules | iotda:routingrules:queryList | - |
| GET /v5/iot/{project_id}/routing-rule/rules/{rule_id} | iotda:routingrules:query | - |
| PUT /v5/iot/{project_id}/routing-rule/rules/{rule_id} | iotda:routingrules:modify | - |
| DELETE /v5/iot/{project_id}/routing-rule/rules/{rule_id} | iotda:routingrules:delete | - |
| POST /v5/iot/{project_id}/routing-rule/actions | iotda:routingactions:create | - |
| GET /v5/iot/{project_id}/routing-rule/actions | iotda:routingactions:queryList | - |
| GET /v5/iot/{project_id}/routing-rule/actions/{action_id} | iotda:routingactions:query | - |
| PUT /v5/iot/{project_id}/routing-rule/actions/{action_id} | iotda:routingactions:modify | - |
| DELETE /v5/iot/{project_id}/routing-rule/actions/{action_id} | iotda:routingactions:delete | - |
| POST /v5/iot/{project_id}/rules | iotda:rules:create | - |
| GET /v5/iot/{project_id}/rules | iotda:rules:queryList | - |
| PUT /v5/iot/{project_id}/rules/{rule_id} | iotda:rules:modify | - |
| GET /v5/iot/{project_id}/rules/{rule_id} | iotda:rules:query | - |
| DELETE /v5/iot/{project_id}/rules/{rule_id} | iotda:rules:delete | - |
| PUT /v5/iot/{project_id}/rules/{rule_id}/status | iotda:rules:modifyStatus | - |
| POST /v5/iot/{project_id}/device-group | iotda:group:create | - |
| GET /v5/iot/{project_id}/device-group | iotda:group:queryList | - |
| GET /v5/iot/{project_id}/device-group/{group_id} | iotda:group:query | - |
| PUT /v5/iot/{project_id}/device-group/{group_id} | iotda:group:modify | - |
| DELETE /v5/iot/{project_id}/device-group/{group_id} | iotda:group:delete | - |
| POST /v5/iot/{project_id}/device-group/{group_id}/action | iotda:group:addDevice | - |
| GET /v5/iot/{project_id}/device-group/{group_id}/devices | iotda:group:queryDeviceList | - |
| POST /v5/iot/{project_id}/tags/bind-resource | iotda:tags:bind | - |
| POST /v5/iot/{project_id}/tags/unbind-resource | iotda:tags:unbind | - |
| POST /v5/iot/{project_id}/tags/query-resources | iotda:tags:queryResourceList | - |
| GET /v5/iot/{project_id}/apps | iotda:apps:queryList | - |
| POST /v5/iot/{project_id}/apps | iotda:app:create | - |
| GET /v5/iot/{project_id}/apps/{app_id} | iotda:apps:query | - |
| DELETE /v5/iot/{project_id}/apps/{app_id} | iotda:apps:delete | - |
| POST /v5/iot/{project_id}/batchtasks | iotda:batchtasks:create | - |
| GET /v5/iot/{project_id}/batchtasks | iotda:batchtasks:queryList | - |
| GET /v5/iot/{project_id}/batchtasks/{task_id} | iotda:batchtasks:query | - |
| POST /v5/iot/{project_id}/batchtasks/{task_id}/retry | iotda:batchtasks:retry | - |
| POST /v5/iot/{project_id}/batchtasks/{task_id}/stop | iotda:batchtasks:stop | - |
| DELETE /v5/iot/{project_id}/batchtasks/{task_id} | iotda:batchtasks:delete | - |
| POST /v5/iot/{project_id}/batchtask-files | iotda:batchtaskfiles:create | - |
| GET /v5/iot/{project_id}/batchtask-files | iotda:batchtaskfiles:queryList | - |
| DELETE /v5/iot/{project_id}/batchtask-files/{file_id} | iotda:batchtaskfiles:delete | - |
| POST /v5/iot/{project_id}/certificates | iotda:certificates:upload | - |
| GET /v5/iot/{project_id}/certificates | iotda:certificates:queryList | - |
| DELETE /v5/iot/{project_id}/certificates/{certificate_id} | iotda:certificates:delete | - |
| POST /v5/iot/{project_id}/certificates/{certificate_id}/action | iotda:certificates:check | - |
| POST /v5/iot/{project_id}/ota-upgrades/packages | iotda:otapackages:create | - |
| GET /v5/iot/{project_id}/ota-upgrades/packages | iotda:otapackages:queryList | - |
| GET /v5/iot/{project_id}/ota-upgrades/packages/{package_id} | iotda:otapackages:query | - |
| DELETE /v5/iot/{project_id}/ota-upgrades/packages/{package_id} | iotda:otapackages:delete | - |
| GET /v5/iot/{project_id}/tunnels | iotda:tunnel:queryList | - |
| POST /v5/iot/{project_id}/tunnels | iotda:tunnel:create | - |
| DELETE /v5/iot/{project_id}/tunnels/{id} | iotda:tunnel:delete | - |
| GET /v5/iot/{project_id}/tunnels/{id} | iotda:tunnel:query | - |
| PUT /v5/iot/{project_id}/tunnels/{id} | iotda:tunnel:update | - |
| POST /v5/iot/{project_id}/iotda-instances | iotda:instance:create | - |
| PUT /v5/iot/{project_id}/iotda-instances/{instance_id} | iotda:instance:update | - |
| GET /v5/iot/{project_id}/iotda-instances/{instance_id} | iotda:instance:query | - |
| GET /v5/iot/{project_id}/iotda-instances | iotda:instance:queryList | - |
| DELETE /v5/iot/{project_id}/iotda-instances/{instance_id} | iotda:instance:delete | - |
| POST /v5/iot/{project_id}/iotda-instances/{instance_id}/bind-tags | iotda:instance:operateTag | - |
| POST /v5/iot/{project_id}/iotda-instances/{instance_id}/unbind-tags | iotda:instance:operateTag | - |

Resource Types (Resource)

The resource type (Resource) indicates the resources an SCP applies to. If an action in Table 3 specifies a resource type, you must specify the URN of that resource in the SCP statement that uses the action, and the SCP applies only to that resource; if no resource is specified, Resource defaults to "*" and the SCP applies to all resources. You can also set conditions in the SCP to narrow the resource type.

Table 3 Resource types supported by IoTDA

| Resource Type | URN |
|---|---|
| app | iotda:<region>:<account-id>:app:<app-id> |
| instance | iotda:<region>:<account-id>:instance:<instance-id> |

Conditions (Condition)

A condition (Condition) is the specific condition under which an SCP takes effect. It consists of condition keys and operators.

  • A condition key is a key in the Condition element of an SCP statement. By scope, condition keys are classified into global condition keys and service-level condition keys.
    • Global condition keys (prefixed with g:) apply to all actions. During authentication, the cloud service does not need to supply user identity information; the system obtains it automatically and performs the check. For details, see Global Condition Keys.
    • Service-level condition keys (usually prefixed with the service abbreviation, such as IoTDA:) apply only to the actions of the corresponding service. For details, see Table 4.
    • Single-valued/multi-valued indicates how many values associated with the condition a single API request can carry. A single-valued condition key carries at most one value per request; a multi-valued condition key can carry several. For example, g:SourceVpce is a single-valued condition key that restricts access to a resource to requests sent through a specific VPC endpoint, so a request carries at most one VPC endpoint ID. g:TagKeys is a multi-valued condition key representing the list of keys of all tags carried in the request, so a request that passes tags can carry multiple values.
  • An operator, together with a condition key and a condition value, forms a complete condition statement. The SCP takes effect only when the request information satisfies that condition. For the supported operators, see Operators.

IoTDA defines the following condition keys for use in the Condition element of an SCP. You can use them to further refine the conditions under which SCP statements apply.

Table 4 Condition keys supported by IoTDA

| Service-Level Condition Key | Type | Single-Valued/Multi-Valued | Description |
|---|---|---|---|
| iotda:AllowPublicAccess | Boolean | Single-valued | Filters requests by the public network access setting configured when an instance is modified |
| iotda:AllowPublicForwarding | Boolean | Single-valued | Filters requests by the public network forwarding setting configured when an instance is modified |
| iotda:DomainConfiguration | Boolean | Single-valued | Filters requests by whether an access domain name is configured when an instance is modified |
| iotda:DeviceGroupId | String | Single-valued | Filters requests by the device group the device belongs to, as set when a tunnel is created |
| iotda:HttpForwardingEnableSSL | Boolean | Single-valued | Filters requests by whether TLS is enabled on the HTTP channel when a rule action is created or modified |
| iotda:HttpForwardingEnableAuthentication | Boolean | Single-valued | Filters requests by whether token authentication is enabled on the HTTP channel when a rule action is created or modified |
| iotda:DMSKafkaForwardingEnableAuthentication | Boolean | Single-valued | Filters requests by whether the DMS Kafka channel uses the SCRAM-SHA-512 mechanism when a rule action is created or modified |
| iotda:DMSKafkaForwardingEnableSSL | Boolean | Single-valued | Filters requests by whether TLS is enabled on the DMS Kafka channel when a rule action is created or modified |
| iotda:MysqlForwardingEnableSSL | Boolean | Single-valued | Filters requests by whether TLS is enabled on the MySQL protocol channel when a rule action is created or modified |
| iotda:MRSKafkaForwardingEnableAuthentication | Boolean | Single-valued | Filters requests by whether Kerberos authentication is enabled on the MRS Kafka channel when a rule action is created or modified |
| iotda:DMSRocketMQForwardingEnableSSL | Boolean | Single-valued | Filters requests by whether TLS is enabled on the RocketMQ channel when a rule action is created or modified |
| iotda:MongoDBForwardingEnableSSL | Boolean | Single-valued | Filters requests by whether TLS is enabled on the MongoDB channel when a rule action is created or modified |
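As an added illustration (not part of this page and not IoTDA's or Organizations' own code), the following Python models how an SCP built from the Action, Resource and Condition elements above is evaluated against a request: it uses the condition keys from Table 4 to keep forwarding channels on TLS and to protect tagged instances. The JSON statement layout, the "Allow plus no explicit Deny" evaluation rule, the Bool/StringEquals operators and the sample region, account and resource IDs are assumptions; the action names, URN layout and condition keys are taken from the tables.

```python
import fnmatch
import json

# Constructed example SCP; the statement syntax is an assumption modelled on the page's
# Action/Resource/Condition elements. Statement 2 denies creating or modifying a rule
# action whose HTTP channel has TLS off; statement 3 denies deleting an instance tagged env=prod.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
    {"Effect": "Deny",
     "Action": ["iotda:routingactions:create", "iotda:routingactions:modify"],
     "Resource": ["iotda:*:*:app:*"],
     "Condition": {"Bool": {"iotda:HttpForwardingEnableSSL": "false"}}},
    {"Effect": "Deny",
     "Action": ["iotda:instance:delete"],
     "Resource": ["iotda:*:*:instance:*"],
     "Condition": {"StringEquals": {"g:ResourceTag/env": "prod"}}}
  ]
}
""")

def _condition_matches(block, ctx):
    """True when every operator/key pair matches ctx; a key absent from ctx never matches."""
    for operator, pairs in block.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            if operator == "Bool":
                ok = actual.lower() == expected.lower()
            elif operator == "StringEquals":
                ok = actual == expected
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True

def _statement_matches(stmt, action, urn, ctx):
    # Action and Resource entries may use the * wildcard described on the page.
    return (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatch.fnmatchcase(urn, r) for r in stmt["Resource"])
            and _condition_matches(stmt.get("Condition", {}), ctx))

def within_boundary(policy, action, urn, ctx):
    """Assumed SCP semantics: inside the boundary only if an Allow matches and no Deny does."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, urn, ctx)}
    return "Allow" in effects and "Deny" not in effects
```

Note that a request whose context lacks a condition key (for instance a Kafka rule action, which never carries iotda:HttpForwardingEnableSSL) does not match the HTTP statement, so the boundary only bites where the key is defined for the action.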