策略语法:细粒度策略
在实际业务中,您可能需要给不同角色的用户授予不同的资源操作权限。IAM服务为用户提供了细粒度访问控制功能。在IAM中,IAM管理员用户(即属于admin用户组的用户)通过创建自定义策略,可以自由搭配需要授予的权限集。通过给用户组授予策略,用户组中的用户就能获得策略中定义的权限。IAM通过策略定义的权限内容实现精细的权限管理。
为了更精细地控制GaussDB(DWS) 资源的使用权限,您可以使用IAM的用户管理功能,实现细粒度权限控制,授予不同角色的用户不同的资源操作权限。
策略结构
策略结构包括:Version(策略版本号)和Statement(策略权限语句),其中Statement可以有多个,表示不同的授权项。
策略语法
在IAM左侧导航窗格中,单击“策略”,单击策略名称,可以查看策略的详细内容,以“DWS ReadOnlyAccess”为例,说明细粒度策略的语法。
{ "Version": "1.1", "Depends": [], "Statement": [ { "Effect": "Allow", "Action": [ "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*", "mrs:*:get*", "bss:*:list*", "bss:*:get*" ] } ] }
- Version:标识策略的版本号,主要用于区分Role-Based Access Control(RBAC)策略和细粒度策略。
- 1.0:RBAC策略。RBAC策略是将服务作为一个整体进行授权,授权后,用户可以拥有这个服务的所有权限。
- 1.1:经典细粒度策略。相比RBAC策略,细粒度策略基于服务的API接口进行权限拆分,授权更加精细。授权后,用户可以对这个服务执行特定的操作。细粒度策略包括系统预置和用户自定义两种。
- Depends:依赖项。
- Statement:策略授权语句,描述策略的详细信息,包含Effect(作用)和Action(授权项)。
- Effect(作用)
作用包含两种:Allow(允许)和Deny(拒绝),系统预置策略仅包含Allow(允许)的授权语句,自定义策略中可以同时包含Allow(允许)和Deny(拒绝)的授权语句,当策略中既有Allow(允许)又有Deny(拒绝)的授权语句时,遵循Deny(拒绝)优先的原则。
- Action(授权项)
对资源的具体操作权限,格式为:“服务名:资源类型:操作”,支持单个或多个操作权限,支持通配符号*,通配符号表示所有。
示例:"dws:cluster:create",其中dws为服务名,cluster为资源类型,create为操作,该授权项表示创建GaussDB(DWS) 集群的权限。
- Effect(作用)
授权项列表
在IAM中创建自定义策略时,您可以根据需求在策略授权语句的Action列表中添加GaussDB(DWS)资源操作或REST API所对应的“授权项”,使得该策略具有相应的操作权限。GaussDB(DWS) 细粒度策略的授权项列表如下:
- REST API
GaussDB(DWS) REST API的授权项列表,请参见权限策略和授权项。
- 管理控制台操作
GaussDB(DWS)资源操作及对应的授权项如表1所示。
- GaussDB(DWS)部分授权项依赖的授权项包括了ECS、VPC、EVS、ELB、MRS或OBS等服务的授权项,如果这些服务没有对接相应的服务授权项,则需要添加对应服务的Admin系统权限。
- 由于GaussDB(DWS)接口较多,以下列表仅列举了重点高频操作接口,剩余未展示接口仅支持project项目(即IAM鉴权),不支持企业项目鉴权,故如果要使用,请在IAM鉴权界面配置。
GaussDB(DWS) 资源操作 |
授权项 |
依赖的授权项 |
授权项作用域 |
---|---|---|---|
创建集群 |
"dws:cluster:create" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:securityGroupRules:delete", "vpc:ports:update", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
获取集群列表 |
"dws:cluster:list" |
"dws:*:get*", "dws:*:list*", |
|
获取单个集群详情 |
"dws:cluster:getDetail" |
"dws:*:get*", "dws:*:list*", "vpc:vpcs:list", "vpc:securityGroups:get" |
|
设置自动快照 |
"dws:cluster:setAutomatedSnapshot" |
"dws:backupPolicy:list" |
|
设置安全参数/参数组 |
"dws:cluster:setSecuritySettings" |
"dws:*:get*", "dws:*:list*", |
|
重启集群 |
"dws:cluster:restart" |
"dws:*:get*", "dws:*:list*", |
|
扩容集群 |
"dws:cluster:scaleOut" |
"dws:*:get*", "dws:*:list*", "dws:cluster:scaleOutOrOpenAPIResize", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:update*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
使用API扩容集群或调整大小 |
"dws:cluster:scaleOutOrOpenAPIResize" |
"dws:*:get*", "dws:*:list*", "vpc:vpcs:list", "vpc:ports:create", "vpc:ports:get", "vpc:ports:update", "vpc:subnets:get", "vpc:subnets:update", "vpc:subnets:create", "vpc:routers:get", "vpc:routers:update", "vpc:networks:create", "vpc:networks:get", "vpc:networks:update", "ecs:serverInterfaces:use", "ecs:serverInterfaces:get", "ecs:cloudServerFlavors:get" |
|
重置密码 |
"dws:cluster:resetPassword" |
"dws:*:get*", "dws:*:list*", |
|
删除集群 |
"dws:cluster:delete" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*", |
|
设置可维护时间段 |
"dws:cluster:setMaintainceWindow" |
"dws:*:get*", "dws:*:list*", |
|
绑定EIP |
"dws:eip:operate" |
"dws:*:get*", "dws:*:list*", "eip:*:get*", "eip:*:list*" |
|
解绑EIP |
"dws:eip:operate" |
"dws:*:get*", "dws:*:list*", "eip:*:get*", "eip:*:list*" |
|
创建DNS域名 |
"dws:dns:create" |
"dws:*:get*", "dws:*:list*", |
|
释放DNS域名 |
"dws:dns:release" |
"dws:*:get*", "dws:*:list*", |
|
修改DNS域名 |
"dws:dns:edit" |
"dws:*:get*", "dws:*:list*", |
|
创建MRS连接 |
"dws:MRSConnection:create" |
"dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
|
更新MRS连接 |
"dws:MRSConnection:update" |
"dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
|
删除MRS连接 |
"dws:MRSConnection:delete" |
"dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create" "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*", |
|
MRS数据源列表 |
"dws:MRSSource:list" |
"mrs:cluster:list", "mrs:tag:listResource", "mrs:tag:list", "dws:*:get*", "dws:*:list*" |
|
添加/删除标签 |
"dws:tag:addAndDelete" |
"dws:*:get*", "dws:*:list*", "dws:openAPITag:update", "dws:openAPITag:getResourceTag", |
|
编辑标签 |
"dws:tag:edit" |
"dws:*:get*", "dws:*:list*", "dws:openAPITag:update", "dws:openAPITag:getResourceTag", |
|
创建快照 |
"dws:snapshot:create" |
"dws:*:get*", "dws:*:list*", |
|
获取快照列表 |
"dws:snapshot:list" |
-- |
|
查看单个集群快照列表 |
"dws:clusterSnapshot:list" |
"dws:cluster:list", "dws:openAPICluster:getDetail" |
|
删除快照 |
"dws:snapshot:delete" |
"dws:snapshot:list" |
|
复制快照 |
"dws:snapshot:copy" |
"dws:snapshot:list", "dws:snapshot:create" |
|
恢复到新集群 |
"dws:cluster:restore" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
|
集群调整大小 |
"dws:cluster:resize" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "evs:*:delete*" |
|
主备恢复 |
"dws:cluster:switchover" |
"dws:*:get*", "dws:*:list*" |
|
查询弹性负载均衡列表 |
"dws:elb:list" |
"dws:*:get*", "dws:*:list*", "elb:*:get*", "elb:*:list*", |
|
绑定弹性负载均衡 |
"dws:elb:bind" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*", "elb:*:get*", "elb:*:list*", "elb:*:delete*", "elb:*:create*", |
|
解绑弹性负载均衡 |
"dws:elb:unbind" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*", "elb:*:get*", "elb:*:list*", "elb:*:delete*", |
|
查询快照配置参数 |
"dws:snapshotConfig:list" |
"dws:*:get*", "dws:*:list*", |
|
更新快照策略 |
"dws:backupPolicyDetail:update" |
"dws:*:get*", "dws:*:list*", |
|
删除快照策略 |
"dws:backupPolicy:delete" |
"dws:*:get*", "dws:*:list*", |
|
查询快照策略 |
"dws:backupPolicy:list" |
"dws:cluster:list" |
|
查询集群加密信息 |
"dws:clusterEncryptInfo:list" |
"dws:*:get*", "dws:*:list*", "KMS Administrator" |
|
创建代理 |
"dws:createAgency:create" |
"dws:*:get*", "dws:*:list*", "security administrator" |
|
查询obs桶信息 |
"dws:queryBuckets:list" |
"dws:*:get*", "dws:*:list*", |
|
扩容节点 |
"dws:expandWithExistedNodes:update" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:update*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
删除容灾备份 |
"dws:disasterRecovery:delete" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" |
|
创建容灾备份 |
"dws:disasterRecovery:create" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
容灾备份其他操作 |
"dws:disasterRecovery:otherOperate" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" |
|
容灾备份查询操作 |
"dws:disasterRecovery:get" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*" |
|
增加CN节点 |
"dws:module:install" |
"dws:*:get*", "dws:*:list*", |
|
删除CN节点 |
"dws:module:uninstall" |
"dws:*:get*", "dws:*:list*", |
|
删除节点 |
"dws:clusterNodes:operate" |
"dws:*:get*", "dws:*:list*" |
|
更新节点别名 |
dws:instanceAliasName:update |
dws:cluster:list |
|
实施重分布 |
"dws:redistribution:operate" |
"dws:*:get*", "dws:*:list*", |
|
查询重分布 |
"dws:redistributionInfo:list" |
"dws:*:get*", "dws:*:list*", |
|
停止重分布 |
"dws:redistribution:suspend" |
"dws:*:get*", "dws:*:list*", |
|
恢复重分布 |
"dws:redistribution:recover" |
"dws:*:get*", "dws:*:list*", |
|
磁盘扩容 |
"dws:disk:expand" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
集群缩容 |
"dws:cluster:shrink" |
"dws:*:get*", "dws:*:list*", "dws:createAgency:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" |
|
查询规格产品信息 |
"dws:specProduct:list" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*" |
|
按需转包周期 |
"dws:ondemandToPeriod:operate" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:securityGroupRules:delete", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" |
|
获取DWS资源 |
"dws:resources:list" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" |
|
修改包周期集群 |
"dws:periodCluster:modify" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" |
|
创建包周期集群 |
"dws:periodCluster:create" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" |
|
创建集群前检查 |
"dws:checkCluster:create" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
包周期集群磁盘扩容前检查 |
"dws:periodExpandPrecheck:operate" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", |
|
绑定管理面IP |
"dws:bindManageIp:operate" |
"dws:*:get*", "dws:*:list*" |
|
获取用户授权 |
"dws:checkAuthorize:operate" |
"dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" |
|
用户授权 |
"dws:authorize:operate" |
"dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" |
|
获取用户数据库 |
"dws:userDatabase:list" |
"dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" |
|
获取用户结构 |
"dws:schemas:list" |
"dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" |
|
获取用户表 |
"dws:tables:list" |
"dws:*:get*", "dws:*:list*", |
|
表恢复 |
"dws:tableRestore:operate" |
"dws:*:get*", "dws:*:list*", |
|
用户恢复表名检测 |
"dws:tableRestoreCheck:operate" |
"dws:*:get*", "dws:*:list*", |
|
检测集群是否支持细粒度备份 |
"dws:checkSupport:operate" |
"dws:*:get*", "dws:*:list*", |
|
查询支持变更的规格列表 |
"dws:supportFlavors:list" |
"dws:*:get*", "dws:*:list*", |
|
执行弹性变更规格 |
"dws:specResize:operate" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*" |
|
停止快照 |
"dws:snapshot:stop" |
"dws:snapshot:list" |
|
终止会话 |
"dws:dmsSession:terminate" |
"dws:dmsGrpcOuter:operation" |
|
负荷诊断报告操作 |
"dws:dmsWorkloadDiagnosisReport:create" |
"dws:dmsGrpcOuter:operation" |
|
修改告警规则 |
"dws:dmsAlarmRule:update" |
"dws:dmsQuery:list" |
|
启用告警规则 |
"dws:dmsAlarmRule:enable" |
"dws:dmsQuery:list" |
|
启用集群告警 |
"dws:dmsClusterAlarm:enable" |
"dws:dmsQuery:list" |
|
禁用集群告警 |
"dws:dmsClusterAlarm:disable" |
"dws:dmsQuery:list" |
|
GRPC对外服务 |
"dws:dmsGrpcOuter:operation" |
"dws:dmsQuery:list", "dws:cluster:setSecuritySettings", "obs:bucket:ListAllMyBuckets" |
|
新增SQL探针 |
"dws:dmsProbe:add" |
"dws:dmsGrpcOuter:operation" |
|
修改SQL探针 |
"dws:dmsProbe:update" |
"dws:dmsGrpcOuter:operation" |
|
删除SQL探针 |
"dws:dmsProbe:delete" |
"dws:dmsGrpcOuter:operation" |
|
启用/禁用SQL探针 |
"dws:dmsProbe:enable" |
"dws:dmsGrpcOuter:operation" |
|
创建用户面板 |
"dws:dmsUserBoard:create" |
"dws:dmsQuery:list" |
|
修改用户面板 |
"dws:dmsUserBoard:update" |
"dws:dmsQuery:list" |
|
删除用户面板 |
"dws:dmsUserBoard:delete" |
"dws:dmsQuery:list" |
|
终止查询 |
"dws:dmsQuery:terminate" |
"dws:dmsGrpcOuter:operation" |
|
启停DMS监控服务 |
"dws:dmsService:enableOrDisable" |
"dws:dmsQuery:list" |
|
修改DMS存储配置 |
"dws:dmsStorageConfig:modify" |
"dws:dmsQuery:list" |
|
DDL审核创建获取 |
"dws:dmsDdlExamine:getOrCreate" |
"dws:dmsGrpcOuter:operation" |
|
负荷快照操作 |
"dws:dmsWorkloadDiagnosisSnapshot:create" |
"dws:dmsGrpcOuter:operation" |
|
创建告警规则 |
"dws:dmsAlarmRule:add" |
"dws:dmsQuery:list" |
|
删除告警规则 |
"dws:dmsAlarmRule:delete" |
"dws:dmsQuery:list" |
|
执行SQL探针 |
"dws:dmsProbe:execute" |
"dws:dmsGrpcOuter:operation" |
|
删除监控项 |
"dws:dmsPerformanceMonitor:delete" |
"dws:dmsQuery:list" |
|
启停DMS监控采集项 |
"dws:dmsCollectItem:enableOrDisable" |
"dws:dmsGrpcOuter:operation" |
|
修改DMS监控采集配置 |
"dws:dmsCollectConfig:modify" |
"dws:dmsGrpcOuter:operation" |
|
条件查询 |
"dws:dmsQuery:list" |
"dws:cluster:list" |
|
OPENAPI条件查询 |
"dws:dmsOpenapiQuery:list" |
"dws:cluster:list" |
|
禁用告警规则 |
"dws:dmsAlarmRule:disable" |
"dws:dmsQuery:list" |
|
删除告警记录 |
"dws:dmsAlarmRecord:delete" |
"dws:dmsQuery:list" |
|
检查SQL探针 |
"dws:dmsProbe:check" |
"dws:dmsGrpcOuter:operation" |
|
新增监控项 |
"dws:dmsPerformanceMonitor:add" |
"dws:dmsQuery:list" |
|
修改监控项 |
"dws:dmsPerformanceMonitor:update" |
"dws:dmsQuery:list" |
|
下载历史监控趋势 |
"dws:dmsTrendHistory:down" |
"dws:dmsQuery:list" |
|
获取集群ring环信息 |
"dws:ring:list" |
"dws:*:get*", "dws:*:list*" |
|
获取群进程拓扑 |
"dws:processTopo:list" |
"dws:*:get*", "dws:*:list*" |
|
查询智能运维信息 |
"dws:operationalTask:get" |
"dws:*:get*", "dws:*:list*" |
|
智能运维执行操作 |
"dws:operationalTask:operate" |
"dws:*:get*", "dws:*:list*" |
|
逻辑集群增删改操作 |
"dws:logicalCluster:operate" |
"dws:*:get*", "dws:*:list*" |
|
逻辑集群查询操作 |
"dws:logicalCluster:get" |
"dws:*:get*", "dws:*:list*" |
|
逻辑集群弹性计划操作 |
"dws:logicalClusterPlan:operate" |
"dws:*:get*", "dws:*:list*", "dws:logicalCluster:*", "dws:cluster:scaleOut", "iam:agencies:*", "iam:permissions:*Agency*" |
|
创建终端节点服务 |
"dws:vpcEndpointService:create" |
"dws:*:get*", "dws:*:list*" |
|
查询资源管理信息 |
"dws:workLoadManager:get" |
"dws:*:get*", "dws:*:list*" |
|
资源管理相关操作 |
"dws:workLoadManager:operate" |
"dws:*:get*", "dws:*:list*" |
|
云日志服务相关操作 |
"dws:ltsAccess:operate" |
"dws:*:get*", "dws:*:list*" |
|
查询云日志服务信息 |
"dws:ltsAccess:get" |
"dws:*:get*", "dws:*:list*" |
|
查询事件信息 |
"dws:event:list" |
"dws:*:get*", "dws:*:list*" |
|
查询事件规格信息 |
"dws:event:list" |
"dws:*:get*", "dws:*:list*" |
|
查询事件订阅信息 |
"dws:eventSub:list" |
"dws:*:get*", "dws:*:list*" |
|
创建事件订阅信息 |
"dws:eventSub:create" |
"dws:*:get*", "dws:*:list*", |
|
更新事件订阅信息 |
"dws:eventSub:update" |
"dws:*:get*", "dws:*:list*" |
|
删除事件订阅信息 |
"dws:eventSub:delete" |
"dws:*:get*", "dws:*:list*" |
|
查询告警统计信息 |
"dws:alarmStatistic:list" |
"dws:*:get*", "dws:*:list*" |
|
查询告警详情信息 |
"dws:alarmDetail:list" |
"dws:*:get*", "dws:*:list*" |
|
查询告警配置信息 |
"dws:alarmConfig:list" |
"dws:*:get*", "dws:*:list*" |
|
查询告警订阅信息 |
"dws:alarmSub:list" |
"dws:*:get*", "dws:*:list*" |
|
创建告警订阅信息 |
"dws:alarmSub:create" |
"dws:*:get*", "dws:*:list*", |
|
更新告警订阅信息 |
"dws:alarmSub:update" |
"dws:*:get*", "dws:*:list*" |
|
删除告警订阅信息 |
"dws:alarmSub:delete" |
"dws:*:get*", "dws:*:list*" |
|
下发集群升级相关操作(升级、回滚、提交、重试) |
"dws:cluster:doUpdate" |
"dws:*:get*", "dws:*:list*" |
|
查询集群可用的升级路径信息 |
"dws:cluster:getUpgradePaths" |
"dws:*:get*", "dws:*:list*" |
|
查询集群升级记录 |
"dws:cluster:getUpgradeRecords" |
"dws:*:get*", "dws:*:list*" |
|
启动集群 |
"dws:cluster:startCluster" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:start", "ecs:*:stop" |
|
停止集群 |
"dws:cluster:stopCluster" |
"dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:start", "ecs:*:stop" |
|
获取集群折扣节点 |
"dws:cluster:listDiscountNode" |
"dws:*:list*" |
|
获取标签 |
"dws:openAPItag:list" |
"dws:*:list*" |
|
服务eps列表 |
"dws:service:listEps" |
"dws:*:list*" |
|
容灾信息获取 |
"dws:disasterRecovery:get" |
"dws:*:*" |
|
集群恢复检查 |
"dws:cluster:checkRestore" |
"dws:*:*" |
|
告警静态列表 |
"dws:alarmStatistic:list" |
"dws:*:list*" |
|
获取资源静态信息 |
"dws:service:getResourceStatistics" |
"dws:*:*" |
|
告警细节列表 |
"dws:alarmDetail:list" |
"dws:*:list*" |
|
获取集群细节 |
"dws:openAPICluster:getDetail" |
"dws:*:*" |
|
集群事件规格列表 |
"dws:eventSpec:list" |
"dws:*:list*" |
|
集群容灾列表 |
"dws:cluster:listDisasterRecovery" |
"dws:*:list*", |
|
细粒度策略授权
- 登录IAM服务管理控制台,创建自定义策略。
具体操作,请参见《统一身份认证服务用户指南》中的创建自定义策略。
说明如下:
- 您必须使用IAM管理员用户,即属于admin用户组的用户,因为只有IAM管理员用户具备创建用户组及用户、修改用户组权限等操作权限。
- 由于GaussDB(DWS)服务属于项目级服务,“作用范围”必须选择“项目级服务”,如果需要该策略对多个项目生效,需要对多个项目分别授权。
- 在IAM中,预置了以下两种GaussDB(DWS)策略模板。在创建自定义策略时,您可以选择以下模板,然后基于模板修改策略授权语句。
- DWS Admin:拥有对数据仓库服务的所有执行权限。
- DWS Viewer:拥有对数据仓库服务的只读权限。
- 在策略授权语句中,您可以在Action列表中,添加如授权项列表所述的GaussDB(DWS)资源操作或REST API对应的“授权项”,从而使策略获得相应的操作权限。
例如,在策略语句的Action列表中,添加“dws:cluster:create”,那么该策略就拥有了创建/恢复集群的权限。
- 如果需要使用其他服务,您同时还需授予其他服务的相关操作权限,具体内容请查阅相关服务的帮助文档。
例如,创建GaussDB(DWS) 集群时,需要配置集群所属的虚拟私有云,为了能获取VPC列表,您需在策略语句中添加授权项“vpc:*:get*”。
- 创建用户组。
具体操作,请参见《统一身份认证服务用户指南》中的创建用户组。
- 将用户加入用户组,并将新创建的自定义策略授权给用户组,使用户组中的用户具有策略定义的权限。
具体操作,请参见《统一身份认证服务用户指南》中的查看或修改用户组。
检查规则
当用户被授予多个策略,或者一个策略中包含多个授权语句,这些策略中既有Allow又有Deny的授权语句时,遵循Deny优先的原则。在用户访问资源时,权限检查逻辑如下。
每条策略做评估时, Action之间是或(or)的关系。
- 用户访问系统,发起操作请求。
- 系统评估用户被授予的访问策略,鉴权开始。
- 在用户被授予的访问策略中,系统将优先寻找显式拒绝指令。如找到一个适用的显式拒绝,系统将返回Deny决定。
- 如果没有找到显式拒绝指令,系统将寻找适用于请求的任何Allow指令。如果找到一个显式允许指令,系统将返回Allow决定。
- 如果找不到显式允许,最终决定为Deny,鉴权结束。