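Last updated: 2024-08-16 GMT+08:00

Cloud Search Service (CSS)

Service Control Policies (SCPs) in the Organizations service can use the following authorization elements to define access control policies.

An SCP does not grant permissions itself; it only sets a permissions boundary. Attaching an SCP to an organizational unit (OU) or a member account does not grant that OU or account any permission to perform operations. Instead, it defines the scope of permissions that can be granted to the member account, or to the member accounts in the OU.

This section describes the elements that SCPs use in the Organizations service: Action, Resource, and Condition.

For details about how to use these elements to write a custom SCP, see Creating an SCP.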

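Action

Actions are the authorization items supported in SCPs.

  • The "Access Level" column describes how an action is classified (list, read, write, and so on). This classification helps you understand the access level of each action in an SCP.
  • The "Resource Type" column indicates whether an action supports resource-level permissions.
    • Resource types support the wildcard * to indicate all resources. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the SCP statement.
    • If this column contains a resource type, you must specify the URN of that resource in any statement that includes the action.
    • Required resources are marked with an asterisk (*) in the table, meaning that the resource type must be specified to use the action.

    For details about the resource types defined by CSS, see Resource.

  • The "Condition Key" column lists the keys that can be specified in the Condition element of an SCP statement.
    • If the Resource Type column has a value for the action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column has no value (-) for the action, the condition key takes effect for the whole action.
    • If the Condition Key column has no value (-), the action does not support condition keys.

    For details about the condition keys defined by CSS, see Condition.

You can specify the following CSS actions in the Action element of an SCP statement.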

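Table 1 Actions supported by CSS

| Action | Description | Access Level | Resource Type (* = required) | Condition Key |
| --- | --- | --- | --- | --- |
| css:VPCEndpoint:updateWhitelist | Grants permission to update the whitelist of an existing VPC endpoint. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:updateBackupPolicy | Grants permission to modify or delete log backups. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:setSnapshotPolicy | Grants permission to manage the backup policy. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:getSnapshotPolicy | Grants permission to query the backup policy. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:restore | Grants permission to restore a snapshot. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:create | Grants permission to create a snapshot. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:publicIPAddress:associates | Grants permission to enable or disable public network access. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:publicIPAddress:setAccessControl | Grants permission to manage the whitelist. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:tag:get | Grants permission to query resource tags. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:publicIPAddress:modifyBandwidth | Grants permission to modify the bandwidth. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:VPCEndpoint:enableOrDisable | Grants permission to create or delete a VPC endpoint (VPCEP). | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:getBasicConfigurations | Grants permission to query the basic log configuration. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:list | Grants permission to view the snapshot list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:list | Grants permission to view logs. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:setSnapshotContiguration | Grants permission to set the basic snapshot configuration. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listFlavors | Grants permission to query the list of flavor IDs. | list | - | - |
| css:cluster:listDiskType | Grants permission to list the available disk types. | list | - | - |
| css:tag:list | Grants permission to query project tags. | list | cluster * | - |
| css:VPCEndpoint:manageConnection | Grants permission to manage VPC endpoint connections. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:listJob | Grants permission to query the job list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:downloadCert | Grants permission to obtain the certificate content. | read | - | - |
| css:cluster:get | Grants permission to query cluster details. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:enableAtomaticSnapsot | Grants permission to set the basic configuration for automatic snapshot backup. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:delete | Grants permission to delete a specified snapshot. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:IKThesaurus:get | Grants permission to view the custom word dictionary configuration. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:restart | Grants permission to restart an Elasticsearch cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:modifySecurityGroup | Grants permission to modify the security group of a cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:configurations:list | Grants permission to query the list of task operations for obtaining parameter configurations. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:delete | Grants permission to delete a cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:modifySpecifications | Grants permission to modify cluster specifications. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:list | Grants permission to list cluster information. | list | cluster * | - |
| css:cluster:scaleOut | Grants permission to scale out a cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:IKThesaurus:load | Grants permission to load a custom word dictionary. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:configurations:modify | Grants permission to update parameter configurations. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:configurations:get | Grants permission to list parameter configurations. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:IKThesaurus:delete | Grants permission to delete a word dictionary. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:expand | Grants permission to expand the number of instances and the storage capacity. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:snapshot:disableSnapshotFuction | Grants permission to disable the cluster snapshot function. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:upgradeCluster | Grants permission to upgrade a cluster or replace nodes. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:VPCEndpoint:listConnection | Grants permission to query VPCEP connections. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:scaleIn | Grants permission to scale in a cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:setBasicConfigurations | Grants permission to set the basic log configuration. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:tag:addOrDelete | Grants permission to add or delete resource tags in batches. | tagging | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| | | | - | g:RequestTag/<tag-key>, g:TagKeys |
| css:publicKibana:close | Grants permission to disable public network access. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:tag:edit | Grants permission to modify cluster tags. | tagging | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| | | | - | g:RequestTag/<tag-key>, g:TagKeys |
| css:cluster:create | Grants permission to create a cluster. | write | cluster * | - |
| | | | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| css:cluster:toPeriod | Grants permission to change a cluster to yearly/monthly billing. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:modifyName | Grants permission to modify the cluster name. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:log:backup | Grants permission to back up logs. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:closeLogSetting | Grants permission to disable the log function. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:openLogSetting | Grants permission to enable the log function. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:modifyPassword | Grants permission to modify the cluster password. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:publicIPAddress:disassociates | Grants permission to unbind public network access. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:publicKibana:open | Grants permission to bind public network access. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:tag:delete | Grants permission to delete tags. | tagging | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| | | | - | g:TagKeys |
| css:cluster:shrinkNodes | Grants permission to scale in specified nodes. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:changeMode | Grants permission to change the security mode. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:addIndependenceNodes | Grants permission to add dedicated master and client nodes. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:rollingReboot | Grants permission to perform a rolling restart of an Elasticsearch cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:listActions | Grants permission to query operation records. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:uploadCerts | Grants permission to upload a certificate. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:deleteCerts | Grants permission to delete a certificate. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listCerts | Grants permission to query the certificate list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:getCertsDetail | Grants permission to query certificate details. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:deleteConfTemplate | Grants permission to delete a custom template. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:listConfigTemplate | Grants permission to query the template list. | list | - | - |
| css:logstash:confStop | Grants permission to stop or hot-stop pipeline data migration. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:checkConnection | Grants permission to test connectivity. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:confDelete | Grants permission to delete a configuration file. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:confStart | Grants permission to start or hot-start pipeline data migration. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:getConfDetail | Grants permission to query the content of a configuration file. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:azmigrate | Grants permission to switch availability zones. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:confUpdate | Grants permission to update a configuration file. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:listPipelines | Grants permission to query the pipeline list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:retryAction | Grants permission to retry a task or terminate the impact of a task. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:listConfs | Grants permission to query the configuration file list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:configFavorites | Grants permission to add a configuration to custom templates. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listUpgradeCluster | Grants permission to obtain the upgrade image ID and upgrade details. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:submitConf | Grants permission to create a configuration file. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:list | Grants permission to query the cluster plugin list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:getOperationRecords | Grants permission to query plugin operation records. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:delete | Grants permission to delete a plugin. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:installOrUninstall | Grants permission to install or uninstall a plugin. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:upload | Grants permission to upload a plugin. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:plugin:getDefault | Grants permission to query the default plugins. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:getAgencies | Grants permission to obtain agencies. | read | - | - |
| css:cluster:modifyRoute | Grants permission to modify cluster routes. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:getRoutes | Grants permission to obtain cluster routes. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:logstash:actionList | Grants permission to query the cluster task list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:createUserInfo | Grants permission to create user information. | write | cluster * | - |
| css:VPCEndpoint:modifyConnections | Grants permission to modify the connection size. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:queryNeedDeleteInstances | Grants permission to query the nodes that need to be deleted. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:queryKey | Grants permission to obtain a key. | read | - | - |
| css:cluster:queryKeys | Grants permission to obtain the key list. | list | - | - |
| css:cluster:getPubliczonePice | Grants permission to obtain the bandwidth price. | read | cluster * | - |
| css:datastore:get | Grants permission to obtain a data engine. | read | cluster * | - |
| css:datastore:list | Grants permission to obtain the data engine list. | list | cluster * | - |
| css:cluster:getDiskUsage | Grants permission to obtain the storage capacity status of a cluster. | read | cluster * | - |
| css:snapshot:showDetail | Grants permission to obtain snapshot details. | read | cluster * | - |
| css:cluster:getAvailableBuckets | Grants permission to obtain the available OBS buckets. | list | - | - |
| css:cluster:checkCssName | Grants permission to check a cluster name. | write | cluster * | - |
| css:snapshot:deleteAllFailedTask | Grants permission to delete all failed tasks. | write | - | - |
| css:snapshot:deleteSingleFailedTask | Grants permission to delete a specified failed task. | write | - | - |
| css:snapshot:getAllFailedTask | Grants permission to view failed backup tasks. | list | - | - |
| css::createServiceAgency | Grants permission to create an agency. | write | - | - |
| css:cluster:createAiOps | Grants permission to create a detection task. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listAiOps | Grants permission to obtain the detection task list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:deleteAiOps | Grants permission to delete a detection task. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listSmnTopics | Grants permission to obtain the SMN topic list. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listElbs | Grants permission to obtain the list of load balancers available to the current cluster. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:elbSwitch | Grants permission to enable or disable load balancing. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:createElbListener | Grants permission to create a listener for the current cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:updateElbListener | Grants permission to modify the listener of the current cluster. | write | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:getElbDetail | Grants permission to query information about the load balancer used by the current cluster. | read | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |
| css:cluster:listElbCerts | Grants permission to obtain the list of load balancer certificates. | list | cluster * | g:EnterpriseProjectId, g:ResourceTag/<tag-key> |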

A CSS API usually corresponds to one or more actions. Table 2 shows the relationship between APIs and actions, and the actions that each API depends on.

Table 2 Relationship between APIs and actions

| API | Action | Dependent Actions |
| --- | --- | --- |
| POST /v1.0/{project_id}/clusters | css:cluster:create | ecs:cloudServerFlavors:get, evs:types:get, vpc:vpcs:list, vpc:securityGroups:list, vpc:securityGroups:get, vpc:subnets:list, vpc:subnets:get, vpc:ports:create, vpc:ports:update, vpc:ports:delete, vpc:ports:get, css:cluster:getAgencies, iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject, iam:agencies:pass |
| POST /v2.0/{project_id}/clusters | css:cluster:create | ecs:cloudServerFlavors:get, evs:types:get, vpc:vpcs:list, vpc:securityGroups:list, vpc:securityGroups:get, vpc:subnets:list, vpc:subnets:get, vpc:ports:create, vpc:ports:update, vpc:ports:delete, vpc:ports:get, css:cluster:getAgencies, iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject, iam:agencies:pass |
| POST /v1.0/{project_id}/clusters/{cluster_id}/sg/change | css:cluster:modifySecurityGroup | vpc:securityGroups:list, vpc:ports:update |
| GET /v1.0/{project_id}/clusters | css:cluster:list | - |
| GET /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:get | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id} | css:cluster:delete | - |
| POST /v1.0/{project_id}/cluster/{cluster_id}/period | css:cluster:toPeriod | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/changename | css:cluster:modifyName | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/password/reset | css:cluster:modifyPassword | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | - |
| POST /v2.0/{project_id}/clusters/{cluster_id}/restart | css:cluster:restart | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/extend | css:cluster:scaleOut | ecs:cloudServerFlavors:get, evs:types:get, vpc:vpcs:list, vpc:subnets:list, vpc:subnets:get, vpc:ports:create, vpc:ports:update, vpc:ports:delete, vpc:ports:get |
| POST /v1.0/{project_id}/clusters/{cluster_id}/role_extend | css:cluster:expand | ecs:cloudServerFlavors:get, evs:types:get, vpc:vpcs:list, vpc:subnets:list, vpc:subnets:get, vpc:ports:create, vpc:ports:update, vpc:ports:delete, vpc:ports:get |
| POST /v1.0/{project_id}/clusters/{cluster_id}/flavor | css:cluster:modifySpecifications | ecs:cloudServerFlavors:get |
| GET /v1.0/{project_id}/es-flavors | css:cluster:listFlavors | ecs:cloudServerFlavors:get |
| GET /v1.0/{project_id}/{resource_type}/tags | css:tag:list | - |
| GET /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:get | - |
| POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags | css:tag:edit | - |
| DELETE /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/{key} | css:tag:delete | - |
| POST /v1.0/{project_id}/{resource_type}/{cluster_id}/tags/action | css:tag:addOrDelete | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/{types}/flavor | css:cluster:modifySpecifications | ecs:cloudServerFlavors:get |
| POST /v1.0/extend/{project_id}/clusters/{cluster_id}/role/shrink | css:cluster:scaleIn | iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject |
| GET /v1.0/{project_id}/cer/download | css:cluster:downloadCert | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/instance/{instance_id}/replace | css:cluster:upgradeCluster | iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject |
| POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline | css:cluster:shrinkNodes | iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject |
| POST /v1.0/{project_id}/clusters/{cluster_id}/mode/change | css:cluster:changeMode | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/type/{type}/independent | css:cluster:addIndependenceNodes | ecs:cloudServerFlavors:get, evs:types:get, vpc:vpcs:list, vpc:subnets:list, vpc:subnets:get, vpc:ports:create, vpc:ports:update, vpc:ports:delete, vpc:ports:get |
| POST /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/image/upgrade | css:cluster:upgradeCluster | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/inst-type/{inst_type}/azmigrate | css:cluster:azmigrate | iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject |
| GET /v1.0/{project_id}/clusters/{cluster_id}/upgrade/detail | css:cluster:listUpgradeCluster | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/target/{upgrade_type}/images | css:cluster:listUpgradeCluster | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/upgrade/{action_id}/retry | css:cluster:retryAction | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:load | obs:bucket:listAllMyBuckets, obs:bucket:getBucketLocation, obs:bucket:getBucketStoragePolicy, obs:object:getObject |
| GET /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:get | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/thesaurus | css:IKThesaurus:delete | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/open | css:publicKibana:open | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/close | css:publicKibana:close | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/bandwidth | css:publicIPAddress:modifyBandwidth | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/update | css:publicIPAddress:setAccessControl | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/publickibana/whitelist/close | css:publicIPAddress:setAccessControl | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/logs/open | css:cluster:openLogSetting | iam:agencies:pass, obs:bucket:listAllMyBuckets, obs:bucket:getBucketLocation, obs:bucket:getBucketStoragePolicy, iam:agencies:listAgencies |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/close | css:cluster:closeLogSetting | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/logs/records | css:log:listJob | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:getBasicConfigurations | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/logs/settings | css:log:setBasicConfigurations | obs:bucket:listAllMyBuckets, obs:bucket:getBucketLocation, obs:bucket:getBucketStoragePolicy, iam:agencies:listAgencies, iam:agencies:pass |
| POST /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/update | css:log:updateBackupPolicy | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/logs/policy/close | css:log:updateBackupPolicy | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/logs/collect | css:log:backup | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/logs/search | css:log:list | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/public/open | css:publicIPAddress:associates | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/public/close | css:publicIPAddress:disassociates | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/public/bandwidth | css:publicIPAddress:modifyBandwidth | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/update | css:publicIPAddress:setAccessControl | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/public/whitelist/close | css:publicIPAddress:setAccessControl | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/auto_setting | css:snapshot:enableAtomaticSnapsot | obs:bucket:createBucket, obs:bucket:headBucket, iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:grantRoleToAgency |
| POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/setting | css:snapshot:setSnapshotContiguration | obs:bucket:listAllMyBuckets, obs:bucket:getBucketLocation, obs:bucket:getBucketStoragePolicy, iam:agencies:listAgencies, iam:agencies:pass |
| POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot | css:snapshot:create | iam:agencies:pass |
| POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id}/restore | css:snapshot:restore | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/{snapshot_id} | css:snapshot:delete | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:setSnapshotPolicy | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshot/policy | css:snapshot:getSnapshotPolicy | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:list | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/index_snapshots | css:snapshot:disableSnapshotFuction | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/open | css:VPCEndpoint:enableOrDisable | vpcep:endpoints:create, vpcep:endpoints:list, vpcep:endpoints:get, vpcep:endpoints:delete, vpcep:endpoints:update |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/close | css:VPCEndpoint:enableOrDisable | vpcep::listQuotas, vpcep:endpoints:create, vpcep:endpoints:list, vpcep:endpoints:get, vpcep:endpoints:delete, vpcep:endpoints:update |
| GET /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:listConnection | vpcep:endpoints:get |
| POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/connections | css:VPCEndpoint:manageConnection | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/vpcepservice/permissions | css:VPCEndpoint:updateWhitelist | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/ymls/update | css:configurations:modify | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/joblists | css:configurations:list | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/ymls/template | css:configurations:get | - |
| POST /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/open | css:snapshot:setSnapshotPolicy | - |
| PUT /v2.0/{project_id}/clusters/{cluster_id}/snapshots/policy/close | css:snapshot:setSnapshotPolicy | - |
| POST /v2.0/{project_id}/clusters/{cluster_id}/rolling_restart | css:cluster:rollingReboot | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listactions | css:logstash:listActions | - |
| DELETE /v1.0/{project_id}/lgsconf/deletetemplate | css:logstash:deleteConfTemplate | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/stop | css:logstash:confStop | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-stop | css:logstash:confStop | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/checkconnection | css:logstash:checkConnection | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/delete | css:logstash:confDelete | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/start | css:logstash:confStart | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/hot-start | css:logstash:confStart | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/confdetail | css:logstash:getConfDetail | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/update | css:logstash:confUpdate | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listpipelines | css:logstash:listPipelines | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/submit | css:logstash:submitConf | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/favorite | css:logstash:configFavorites | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/lgsconf/listconfs | css:logstash:listConfs | - |
| GET /v1.0/{project_id}/lgsconf/template | css:logstash:listConfigTemplate | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/certs/upload | css:cluster:uploadCerts | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id}/delete | css:cluster:deleteCerts | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/certs | css:cluster:listCerts | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/certs/{cert_id} | css:cluster:getCertsDetail | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/route | css:cluster:modifyRoute | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/route | css:cluster:getRoutes | - |
| POST /v1.0/{project_id}/clusters/{cluster_id}/ai-ops | css:cluster:createAiOps | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/ai-ops | css:cluster:listAiOps | - |
| DELETE /v1.0/{project_id}/clusters/{cluster_id}/ai-ops/{aiops_id} | css:cluster:deleteAiOps | - |
| GET /v1.0/{project_id}/domains/{domain_id}/ai-ops/smn-topics | css:cluster:listSmnTopics | css:cluster:getAgencies, iam:agencies:list, iam:agencies:listAgencies, iam:agencies:listAttachedPolicies, iam:agencies:pass |
| GET /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers | css:cluster:listElbs | elb:loadbalancers:list |
| POST /v1.0/{project_id}/clusters/{cluster_id}/loadbalancers/es-switch | css:cluster:elbSwitch | elb:loadbalancers:list, iam:agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject, iam:agencies:pass |
| POST /v1.0/{project_id}/clusters/{cluster_id}/es-listeners | css:cluster:createElbListener | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/es-listeners | css:cluster:getElbDetail | - |
| GET /v1.0/{project_id}/clusters/{cluster_id}/elb/certificates | css:cluster:listElbCerts | - |
| PUT /v1.0/{project_id}/clusters/{cluster_id}/es-listeners/{listener_id} | css:cluster:updateElbListener | - |

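Resource

A resource type (Resource) indicates the resources that an SCP applies to. If an action in Table 3 specifies a resource type that can be set for that action, you must specify the URN of that resource in the SCP statement that contains the action, and the SCP then applies only to that resource. If no resource is specified, Resource defaults to "*" and the SCP applies to all resources. You can also set conditions in an SCP to specify resource types.

CSS defines the following resource types that can be used in the Resource element of an SCP.

Table 3 Resource types supported by CSS

| Resource Type | URN |
| --- | --- |
| cluster | css:<region>:<account-id>:cluster:<cluster-id> |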

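Condition

CSS does not support service-specific condition keys in the condition keys of an SCP.

CSS can use the global condition keys that apply to all services. For details, see Global Condition Keys.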
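
The rules given above for the Resource Type and Condition Key columns, together with the cluster URN shape, can be checked mechanically before an SCP is attached. The following Python linter is an added example, not code from the original page or from Huawei Cloud; the Statement/Effect/condition-operator layout of the sample policy and all function names are assumptions, and only a few rows of the action table are embedded.

```python
import json

TAG = "<tag-key>"
EPS, RES_TAG = "g:EnterpriseProjectId", "g:ResourceTag/" + TAG
REQ_TAG, TAG_KEYS = "g:RequestTag/" + TAG, "g:TagKeys"

# Rows copied from the action table: action -> (resource type or None, condition keys).
CSS_ACTIONS = {
    "css:cluster:delete": ("cluster", {EPS, RES_TAG}),
    "css:publicIPAddress:associates": ("cluster", {EPS, RES_TAG}),
    "css:publicKibana:open": ("cluster", {EPS, RES_TAG}),
    "css:cluster:create": ("cluster", {EPS, REQ_TAG, TAG_KEYS}),
    "css:tag:addOrDelete": ("cluster", {EPS, RES_TAG, REQ_TAG, TAG_KEYS}),
    "css:cluster:list": ("cluster", set()),
    "css:cluster:downloadCert": (None, set()),
    "css:cluster:listFlavors": (None, set()),
}


def key_template(key):
    """Map a concrete key such as g:ResourceTag/env to the table's <tag-key> form."""
    prefix, sep, _ = key.partition("/")
    return f"{prefix}/{TAG}" if sep else key


def is_cluster_urn(resource):
    """Check the shape css:<region>:<account-id>:cluster:<cluster-id>."""
    parts = resource.split(":")
    return len(parts) == 5 and parts[0] == "css" and parts[3] == "cluster" and all(parts)


def lint_statement(stmt):
    """Return findings for one SCP statement, checked against the page's rules."""
    findings = []
    resources = stmt.get("Resource", ["*"])  # the page: Resource defaults to "*"
    # Assumed layout: Condition = {operator: {condition key: value}}.
    used_keys = sorted({k for op in stmt.get("Condition", {}).values() for k in op})
    for action in stmt.get("Action", []):
        if action not in CSS_ACTIONS:
            findings.append(f"{action}: not in the embedded subset of the action table")
            continue
        rtype, allowed_keys = CSS_ACTIONS[action]
        for res in resources:
            if res == "*":
                continue  # the wildcard is acceptable for every action
            if rtype is None:
                findings.append(f'{action}: no resource type, Resource must be "*"')
            elif not is_cluster_urn(res):
                findings.append(f"{action}: {res} is not a cluster URN")
        for key in used_keys:
            if key_template(key) not in allowed_keys:
                findings.append(f"{action}: condition key {key} is not supported")
    return findings


def lint_policy(policy):
    """Lint every statement; returns {statement index: [findings]}."""
    return {i: lint_statement(s) for i, s in enumerate(policy.get("Statement", []))}


# Constructed sample SCP (assumed layout; only the elements the linter reads).
SAMPLE_SCP = json.loads("""
{"Statement": [
  {"Effect": "Deny",
   "Action": ["css:cluster:delete", "css:publicIPAddress:associates"],
   "Resource": ["css:*:*:cluster:*"],
   "Condition": {"StringEquals": {"g:ResourceTag/env": "prod"}}},
  {"Effect": "Deny",
   "Action": ["css:cluster:downloadCert", "css:cluster:list"],
   "Resource": ["css:*:*:cluster:*"],
   "Condition": {"StringEquals": {"g:EnterpriseProjectId": "0"}}},
  {"Effect": "Deny",
   "Action": ["css:cluster:create"],
   "Resource": ["*"],
   "Condition": {"StringEquals": {"g:ResourceTag/env": "prod"}}}
]}
""")

if __name__ == "__main__":
    for index, findings in lint_policy(SAMPLE_SCP).items():
        for line in findings or ["ok"]:
            print(f"Statement[{index}]: {line}")
```

The third sample statement is flagged because css:cluster:create lists g:RequestTag/<tag-key> rather than g:ResourceTag/<tag-key>, so a tag-based guardrail on cluster creation has to be written against the request tags.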