云搜索服务 CSS
Organizations服务中的服务控制策略(Service Control Policy,以下简称SCP)可以使用以下授权项元素设置访问控制策略。
SCP不直接进行授权,只划定权限边界。将SCP绑定到组织单元或者成员账号时,并没有直接对组织单元或成员账号授予操作权限,而是规定了成员账号或组织单元包含的成员账号的授权范围。
本章节介绍组织服务中SCP使用的元素,这些元素包含了操作(Action)、资源(Resource)和条件(Condition)。
如何使用这些元素编辑SCP自定义策略,请参考创建SCP。
操作(Action)
操作(Action)即为SCP中支持的授权项。
- “访问级别”列描述如何对操作进行分类(list、read和write等)。此分类可帮助您了解在SCP中相应操作对应的访问级别。
- “资源类型”列指每个操作是否支持资源级权限。
- 资源类型支持通配符号*表示所有。如果此列没有值(-),则必须在SCP语句的Resource元素中指定所有资源类型(“*”)。
- 如果该列包含资源类型,则必须在具有该操作的语句中指定该资源的URN。
- 资源类型列中必需资源在表中用星号(*)标识,表示使用此操作必须指定该资源类型。
关于CSS定义的资源类型的详细信息请参见资源类型(Resource)。
- “条件键”列包括了可以在SCP语句的Condition元素中支持指定的键值。
- 如果该授权项资源类型列存在值,则表示条件键仅对列举的资源类型生效。
- 如果该授权项资源类型列没有值(-),则表示条件键对整个授权项生效。
- 如果此列条件键没有值(-),表示此操作不支持指定条件键。
关于CSS定义的条件键的详细信息请参见条件(Condition)。
您可以在SCP语句的Action元素中指定以下CSS的相关操作。
|
授权项 |
描述 |
访问级别 |
资源类型(*为必须) |
条件键 |
|---|---|---|---|---|
|
css:VPCEndpoint:updateWhitelist |
授予权限更新已存在的终端节点白名单。 |
write |
cluster * |
|
|
css:log:updateBackupPolicy |
授予权限日志备份修改或删除。 |
write |
cluster * |
|
|
css:snapshot:setSnapshotPolicy |
授予权限操作备份策略。 |
write |
cluster * |
|
|
css:snapshot:getSnapshotPolicy |
授予权限查询备份策略。 |
read |
cluster * |
|
|
css:snapshot:restore |
授予权限恢复快照。 |
write |
cluster * |
|
|
css:snapshot:create |
授予权限创建快照。 |
write |
cluster * |
|
|
css:publicIPAddress:associates |
授予权限开启或关闭公网访问。 |
write |
cluster * |
|
|
css:publicIPAddress:setAccessControl |
授予权限对白名单列表进行操作。 |
write |
cluster * |
|
|
css:tag:get |
授予权限查询资源标签。 |
read |
cluster * |
|
|
css:publicIPAddress:modifyBandwidth |
授予权限修改带宽大小。 |
write |
cluster * |
|
|
css:VPCEndpoint:enableOrDisable |
授予权限创建或删除VPCEP。 |
write |
cluster * |
|
|
css:log:getBasicConfigurations |
授予权限日志基础配置查询。 |
read |
cluster * |
|
|
css:snapshot:list |
授予权限查看快照列表。 |
list |
cluster * |
|
|
css:log:list |
授予权限查看日志。 |
list |
cluster * |
|
|
css:snapshot:setSnapshotContiguration |
授予权限设置快照基础配置。 |
write |
cluster * |
|
|
css:cluster:listFlavors |
授予权限查询规格ID列表。 |
list |
- |
- |
|
css:cluster:listDiskType |
授予权限列举可用磁盘类型。 |
list |
- |
- |
|
css:tag:list |
授予权限查询项目标签。 |
list |
cluster * |
- |
|
css:VPCEndpoint:manageConnection |
授予权限操作终端节点的连接。 |
write |
cluster * |
|
|
css:log:listJob |
授予权限查询作业列表。 |
list |
cluster * |
|
|
css:cluster:downloadCert |
授予权限获取证书内容。 |
read |
- |
- |
|
css:cluster:get |
授予权限查询集群详情。 |
read |
cluster * |
|
|
css:snapshot:enableAtomaticSnapsot |
授予权限设置快照自动备份的基础配置。 |
write |
cluster * |
|
|
css:snapshot:delete |
授予权限删除指定快照。 |
write |
cluster * |
|
|
css:IKThesaurus:get |
授予权限查看自定义词库配置。 |
read |
cluster * |
|
|
css:cluster:restart |
授予权限重启ElasticSearch集群。 |
write |
cluster * |
|
|
css:cluster:modifySecurityGroup |
授予权限修改集群安全组。 |
write |
cluster * |
|
|
css:configurations:list |
授予权限查询获取参数配置的任务操作列表。 |
list |
cluster * |
|
|
css:cluster:delete |
授予权限删除集群。 |
write |
cluster * |
|
|
css:cluster:modifySpecifications |
授予权限修改集群规格。 |
write |
cluster * |
|
|
css:cluster:list |
授予权限列举集群信息。 |
list |
cluster * |
- |
|
css:cluster:scaleOut |
授予权限扩容集群。 |
write |
cluster * |
|
|
css:IKThesaurus:load |
授予权限加载自定义词库。 |
write |
cluster * |
|
|
css:configurations:modify |
授予权限更新参数配置。 |
write |
cluster * |
|
|
css:configurations:get |
授予权限列举参数配置列表。 |
list |
cluster * |
|
|
css:IKThesaurus:delete |
授予权限删除词库。 |
write |
cluster * |
|
|
css:cluster:expand |
授予权限扩容实例的数量和存储容量。 |
write |
cluster * |
|
|
css:snapshot:disableSnapshotFuction |
授予权限关闭集群快照功能。 |
write |
cluster * |
|
|
css:cluster:upgradeCluster |
授予权限升级集群或节点替换。 |
write |
cluster * |
|
|
css:VPCEndpoint:listConnection |
授予权限查询VPCEP的连接。 |
list |
cluster * |
|
|
css:cluster:scaleIn |
授予权限对集群缩容。 |
write |
cluster * |
|
|
css:log:setBasicConfigurations |
授予权限日志基础配置设置。 |
write |
cluster * |
|
|
css:tag:addOrDelete |
授予权限批量添加删除资源标签。 |
tagging |
cluster * |
|
|
- |
|
|||
|
css:publicKibana:close |
授予权限关闭公网访问。 |
write |
cluster * |
|
|
css:tag:edit |
授予权限修改集群标签。 |
tagging |
cluster * |
|
|
- |
|
|||
|
css:cluster:create |
授予权限创建集群。 |
write |
cluster * |
- |
|
- |
|
|||
|
css:cluster:toPeriod |
授予权限对集群转包周期。 |
write |
cluster * |
|
|
css:cluster:modifyName |
授予权限修改集群名称。 |
write |
cluster * |
|
|
css:log:backup |
授予权限对日志备份。 |
write |
cluster * |
|
|
css:cluster:closeLogSetting |
授予权限关闭日志功能。 |
write |
cluster * |
|
|
css:cluster:openLogSetting |
授予权限开启日志功能。 |
write |
cluster * |
|
|
css:cluster:modifyPassword |
授予权限修改集群密码。 |
write |
cluster * |
|
|
css:publicIPAddress:disassociates |
授予权限解绑公网。 |
write |
cluster * |
|
|
css:publicKibana:open |
授予权限绑定公网。 |
write |
cluster * |
|
|
css:tag:delete |
授予权限删除标签。 |
tagging |
cluster * |
|
|
- |
g:TagKeys |
|||
|
css:cluster:shrinkNodes |
授予权限指定节点缩容。 |
write |
cluster * |
|
|
css:cluster:changeMode |
授予权限修改安全模式。 |
write |
cluster * |
|
|
css:cluster:addIndependenceNodes |
授予权限添加独立master,client。 |
write |
cluster * |
|
|
css:cluster:rollingReboot |
授予权限滚动重启ElasticSearch集群。 |
write |
cluster * |
|
|
css:logstash:listActions |
授予权限查询操作记录。 |
read |
cluster * |
|
|
css:cluster:uploadCerts |
授予权限上传证书。 |
write |
cluster * |
|
|
css:cluster:deleteCerts |
授予权限删除证书。 |
write |
cluster * |
|
|
css:cluster:listCerts |
授予权限查询证书列表。 |
list |
cluster * |
|
|
css:cluster:getCertsDetail |
授予权限查询证书详情。 |
read |
cluster * |
|
|
css:logstash:deleteConfTemplate |
授予权限删除自定义模板。 |
write |
cluster * |
|
|
css:logstash:listConfigTemplate |
授予权限查询模板列表。 |
list |
- |
- |
|
css:logstash:confStop |
授予权限停止或热停止pipeline迁移数据。 |
write |
cluster * |
|
|
css:logstash:checkConnection |
授予权限连通性测试。 |
write |
cluster * |
|
|
css:logstash:confDelete |
授予权限删除配置文件。 |
write |
cluster * |
|
|
css:logstash:confStart |
授予权限启动或热启动pipeline迁移数据。 |
write |
cluster * |
|
|
css:logstash:getConfDetail |
授予权限用于查询配置文件内容。 |
read |
cluster * |
|
|
css:cluster:azmigrate |
授予权限进行可用区切换。 |
write |
cluster * |
|
|
css:logstash:confUpdate |
授予权限更新配置文件。 |
write |
cluster * |
|
|
css:logstash:listPipelines |
授予权限查询pipeline列表。 |
list |
cluster * |
|
|
css:cluster:retryAction |
授予权限重试该任务或终止该任务的影响。 |
write |
cluster * |
|
|
css:logstash:listConfs |
授予权限查询配置文件列表。 |
list |
cluster * |
|
|
css:logstash:configFavorites |
授予权限添加到自定义模板。 |
write |
cluster * |
|
|
css:cluster:listUpgradeCluster |
授予权限获取升级镜像id及升级详情。 |
list |
cluster * |
|
|
css:logstash:submitConf |
授予权限创建配置文件。 |
write |
cluster * |
|
|
css:plugin:list |
授予权限查询集群插件列表。 |
list |
cluster * |
|
|
css:plugin:getOperationRecords |
授予权限查询插件的操作记录。 |
read |
cluster * |
|
|
css:plugin:delete |
授予权限删除插件。 |
write |
cluster * |
|
|
css:plugin:installOrUninstall |
授予权限安装或卸载插件。 |
write |
cluster * |
|
|
css:plugin:upload |
授予权限上传插件。 |
write |
cluster * |
|
|
css:plugin:getDefault |
授予权限查询默认插件。 |
read |
cluster * |
|
|
css:cluster:getAgencies |
授予权限获取代理。 |
read |
- |
- |
|
css:cluster:modifyRoute |
授予权限修改集群路由。 |
write |
cluster * |
|
|
css:cluster:getRoutes |
授予权限获取集群路由。 |
read |
cluster * |
|
|
css:logstash:actionList |
授予权限查询集群任务列表。 |
list |
cluster * |
|
|
css:cluster:createUserInfo |
授予权限查创建用户信息。 |
write |
cluster * |
- |
|
css:VPCEndpoint:modifyConnections |
授予权限修改连接大小。 |
write |
cluster * |
|
|
css:cluster:queryNeedDeleteInstances |
授予权限查询需要删除的节点。 |
write |
cluster * |
|
|
css:cluster:queryKey |
授予权限获得密钥。 |
read |
- |
- |
|
css:cluster:queryKeys |
授予权限获得密钥列表。 |
list |
- |
- |
|
css:cluster:getPubliczonePice |
授予权限获取带宽价格。 |
read |
cluster * |
- |
|
css:datastore:get |
授予权限获取数据引擎。 |
read |
cluster * |
- |
|
css:datastore:list |
授予权限获取数据引擎列表。 |
list |
cluster * |
- |
|
css:cluster:getDiskUsage |
授予权限获取集群存储容量状态。 |
read |
cluster * |
- |
|
css:snapshot:showDetail |
授予权限获得快照详情。 |
read |
cluster * |
- |
|
css:cluster:getAvailableBuckets |
授予权限获取可用OBS桶。 |
list |
- |
- |
|
css:cluster:checkCssName |
授予权限检查集群名称。 |
write |
cluster * |
- |
|
css:snapshot:deleteAllFailedTask |
授予权限删除所有的失败任务。 |
write |
- |
- |
|
css:snapshot:deleteSingleFailedTask |
授予权限删除指定失败任务。 |
write |
- |
- |
|
css:snapshot:getAllFailedTask |
授予权限查看备份失败任务。 |
list |
- |
- |
|
css::createServiceAgency |
授予权限创建委托。 |
write |
- |
- |
|
css:cluster:createAiOps |
授予权限创建检测任务。 |
write |
cluster * |
|
|
css:cluster:listAiOps |
授予权限获取检测任务列表。 |
list |
cluster * |
|
|
css:cluster:deleteAiOps |
授予权限删除检测任务。 |
write |
cluster * |
|
|
css:cluster:listSmnTopics |
授予权限获取SMN主题列表。 |
list |
cluster * |
|
|
css:cluster:listElbs |
授予权限下获取当前集群可用的负载均衡器列表。 |
list |
cluster * |
|
|
css:cluster:elbSwitch |
授予权限打开或关闭负载均衡功能。 |
write |
cluster * |
|
|
css:cluster:createElbListener |
授予权限为当前集群创建监听器。 |
write |
cluster * |
|
|
css:cluster:updateElbListener |
授予权限修改当前集群的监听器。 |
write |
cluster * |
|
|
css:cluster:getElbDetail |
授予权限查询当前集群使用的负载均衡器信息。 |
read |
cluster * |
|
|
css:cluster:listElbCerts |
授予权限获取负载均衡器证书列表。 |
list |
cluster * |
|
CSS的API通常对应着一个或多个授权项。表2展示了API与授权项的关系,以及该API需要依赖的授权项。
|
API |
对应的授权项 |
依赖的授权项 |
|---|---|---|
|
POST /v1.0/{project_id}/clusters |
css:cluster:create |
|
|
POST /v2.0/{project_id}/clusters |
css:cluster:create |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/sg/change |
css:cluster:modifySecurityGroup |
|
|
GET /v1.0/{project_id}/clusters |
css:cluster:list |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id} |
css:cluster:get |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id} |
css:cluster:delete |
- |
|
POST /v1.0/{project_id}/cluster/{cluster_id}/period |
css:cluster:toPeriod |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/changename |
css:cluster:modifyName |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/password/reset |
css:cluster:modifyPassword |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/restart |
css:cluster:restart |
- |
|
POST /v2.0/{project_id}/clusters/{cluster_id}/restart |
css:cluster:restart |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/extend |
css:cluster:scaleOut |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/role_extend |
css:cluster:expand |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/flavor |
css:cluster:modifySpecifications |
ecs:cloudServerFlavors:get |
|
GET /v1.0/{project_id}/es-flavors |
css:cluster:listFlavors |
ecs:cloudServerFlavors:get |
|
GET /v1.0/{project_id}/{resource_type}/tags |
css:tag:list |
- |
|
GET /v1.0/{project_id}/{resource_type}/{cluster_id}/tags |
css:tag:get |
- |
|
POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags |
css:tag:edit |
- |
|
DELETE /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key} |
css:tag:delete |
- |
|
POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action |
css:tag:addOrDelete |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor |
css:cluster:modifySpecifications |
ecs:cloudServerFlavors:get |
|
POST /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink |
css:cluster:scaleIn |
|
|
GET /v1.0/{project_id}/cer/download |
css:cluster:downloadCert |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace |
css:cluster:upgradeCluster |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline |
css:cluster:shrinkNodes |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/mode/change |
css:cluster:changeMode |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent |
css:cluster:addIndependenceNodes |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/image/upgrade |
css:cluster:upgradeCluster |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/azmigrate |
css:cluster:azmigrate |
|
|
GET /v1.0/{project_id}/clusters/{cluster_id}/upgrade/detail |
css:cluster:listUpgradeCluster |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/target/{upgrade_type}/images |
css:cluster:listUpgradeCluster |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/upgrade/{action_id}/retry |
css:cluster:retryAction |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:load |
|
|
GET /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:get |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/thesaurus |
css:IKThesaurus:delete |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open |
css:publicKibana:open |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close |
css:publicKibana:close |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth |
css:publicIPAddress:modifyBandwidth |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update |
css:publicIPAddress:setAccessControl |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close |
css:publicIPAddress:setAccessControl |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/open |
css:cluster:openLogSetting |
|
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/close |
css:cluster:closeLogSetting |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/logs/records |
css:log:listJob |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/logs/settings |
css:log:getBasicConfigurations |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/settings |
css:log:setBasicConfigurations |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update |
css:log:updateBackupPolicy |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close |
css:log:updateBackupPolicy |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/collect |
css:log:backup |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/logs/search |
css:log:list |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/public/open |
css:publicIPAddress:associates |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/public/close |
css:publicIPAddress:disassociates |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth |
css:publicIPAddress:modifyBandwidth |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update |
css:publicIPAddress:setAccessControl |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close |
css:publicIPAddress:setAccessControl |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting |
css:snapshot:enableAtomaticSnapsot |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting |
css:snapshot:setSnapshotContiguration |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot |
css:snapshot:create |
iam:agencies:pass |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore |
css:snapshot:restore |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id} |
css:snapshot:delete |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy |
css:snapshot:setSnapshotPolicy |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy |
css:snapshot:getSnapshotPolicy |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots |
css:snapshot:list |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots |
css:snapshot:disableSnapshotFuction |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open |
css:VPCEndpoint:enableOrDisable |
|
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close |
css:VPCEndpoint:enableOrDisable |
|
|
GET /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections |
css:VPCEndpoint:listConnection |
vpcep:endpoints:get |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections |
css:VPCEndpoint:manageConnection |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions |
css:VPCEndpoint:updateWhitelist |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/ymls/update |
css:configurations:modify |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists |
css:configurations:list |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/template |
css:configurations:get |
- |
|
POST /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open |
css:snapshot:setSnapshotPolicy |
- |
|
PUT /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close |
css:snapshot:setSnapshotPolicy |
- |
|
POST /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart |
css:cluster:rollingReboot |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listactions |
css:logstash:listActions |
- |
|
DELETE /v1.0/{project_id}/lgsconf/deletetemplate |
css:logstash:deleteConfTemplate |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/stop |
css:logstash:confStop |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-stop |
css:logstash:confStop |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/checkconnection |
css:logstash:checkConnection |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/delete |
css:logstash:confDelete |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/start |
css:logstash:confStart |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-start |
css:logstash:confStart |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/confdetail |
css:logstash:getConfDetail |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/update |
css:logstash:confUpdate |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listpipelines |
css:logstash:listPipelines |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/submit |
css:logstash:submitConf |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/favorite |
css:logstash:configFavorites |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listconfs |
css:logstash:listConfs |
- |
|
GET /v1.0/{project_id}/lgsconf/template |
css:logstash:listConfigTemplate |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/certs/upload |
css:cluster:uploadCerts |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id}/delete |
css:cluster:deleteCerts |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/certs |
css:cluster:listCerts |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id} |
css:cluster:getCertsDetail |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/route |
css:cluster:modifyRoute |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/route |
css:cluster:getRoutes |
- |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/ai-ops |
css:cluster:createAiOps |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/ai-ops |
css:cluster:listAiOps |
- |
|
DELETE /v1.0/{project_id}/clusters/{cluster_id}/ai-ops/{aiops_id} |
css:cluster:deleteAiOps |
- |
|
GET /v1.0/{project_id}/domains/{domain_id}/ai-ops/smn-topics |
css:cluster:listSmnTopics |
|
|
GET /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers |
css:cluster:listElbs |
elb:loadbalancers:list |
|
POST /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers/es-switch |
css:cluster:elbSwitch |
|
|
POST /v1.0/{project_id}/clusters/{cluster_id}/es-listeners |
css:cluster:createElbListener |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/es-listeners |
css:cluster:getElbDetail |
- |
|
GET /v1.0/{project_id}/clusters/{cluster_id}/elb/certificates |
css:cluster:listElbCerts |
- |
|
PUT /v1.0/{project_id}/clusters/{cluster_id}/es-listeners/{listener_id} |
css:cluster:updateElbListener |
- |
资源类型(Resource)
资源类型(Resource)表示SCP所作用的资源。如表3中的某些操作指定了可以在该操作指定的资源类型,则必须在具有该操作的SCP语句中指定该资源的URN,SCP仅作用于此资源;如未指定,Resource默认为“*”,则SCP将应用到所有资源。您也可以在SCP中设置条件,从而指定资源类型。
CSS定义了以下可以在SCP的Resource元素中使用的资源类型。
条件(Condition)
条件键概述
条件(Condition)是SCP生效的特定条件,包括条件键和运算符。
- 条件键表示SCP语句的Condition元素中的键值。根据适用范围,分为全局级条件键和服务级条件键。
- 全局级条件键(前缀为g:)适用于所有操作,在鉴权过程中,云服务不需要提供用户身份信息,系统将自动获取并鉴权。详情请参见:全局条件键。
- 服务级条件键(前缀通常为服务缩写,如css:)仅适用于对应服务的操作,详情请参见表4。
- 单值/多值表示API调用时请求中与条件关联的值数。单值条件键在API调用时的请求中最多包含一个值,多值条件键在API调用时请求可以包含多个值。例如:g:SourceVpce是单值条件键,表示仅允许通过某个VPC终端节点发起请求访问某资源,一个请求最多包含一个VPC终端节点ID值。g:TagKeys是多值条件键,表示请求中携带的所有标签的key组成的列表,当用户在调用API请求时传入标签可以传入多个值。
- 运算符与条件键、条件值一起构成完整的条件判断语句,当请求信息满足该条件时,SCP才能生效。支持的运算符请参见:运算符。
CSS支持的服务级条件键
CSS定义了以下可以在SCP的Condition元素中使用的条件键,您可以使用这些条件键进一步细化SCP语句应用的条件。
条件键示例
- css:AssociatePublicIp
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "css:cluster:create" ], "Condition": { "Bool": { "css:AssociatePublicIp": [ "true" ] } } } ] }示例:禁止给CSS集群绑定EIP
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "css:publicIPAddress:associates", "css:publicKibana:open" ] } ] }
