Policy Syntax: Fine-Grained Policies
In real business scenarios you may need to grant users in different roles different permissions on resources. IAM provides fine-grained access control for this purpose. In IAM, an IAM administrator (a user that belongs to the admin user group) creates custom policies and freely combines the permissions to be granted. When a policy is attached to a user group, the users in that group obtain the permissions the policy defines. In this way, IAM implements fine-grained permission management through the permissions defined in policies.
To control the use of DWS resources more precisely, you can use IAM user management to implement fine-grained permission control and grant users in different roles different permissions on resources.
Policy Structure
A policy consists of a Version (policy version number) and a Statement (policy permission statements). A policy can contain multiple statements, each representing a different authorization item.
Policy Syntax
In the navigation pane on the left of the IAM console, click Policies, then click a policy name to view its details. The following uses DWS ReadOnlyAccess as an example to explain the syntax of a fine-grained policy.
```json
{
  "Version": "1.1",
  "Depends": [],
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dws:*:get*",
        "dws:*:list*",
        "ecs:*:get*",
        "ecs:*:list*",
        "vpc:*:get*",
        "vpc:*:list*",
        "evs:*:get*",
        "evs:*:list*",
        "mrs:*:get*",
        "bss:*:list*",
        "bss:*:get*"
      ]
    }
  ]
}
```

- Version: identifies the policy version and is used mainly to distinguish role-based access control (RBAC) policies from fine-grained policies.
  - 1.0: RBAC policy. An RBAC policy authorizes a service as a whole; after authorization, the user has all permissions of that service.
  - 1.1: classic fine-grained policy. Compared with RBAC policies, fine-grained policies split permissions by service API, so authorization is more precise: after authorization, the user can perform only specific operations on the service. Fine-grained policies are either system-defined or user-defined.
- Depends: dependencies of the policy.
- Statement: the policy authorization statements, which describe the policy in detail; each statement contains an Effect and an Action (the authorization items).
Authorization Item List
When creating a custom policy in IAM, you can add to the Action list of a policy statement the authorization items that correspond to DWS resource operations or REST APIs, so that the policy grants the corresponding permissions. The authorization items of DWS fine-grained policies are as follows:
- REST API
  For the authorization items of DWS REST APIs, see Permission Policies and Authorization Items.
- Management console operations
  DWS resource operations and their authorization items are listed in Table 1.
- Some DWS authorization items depend on authorization items of other services, such as ECS, VPC, EVS, ELB, MRS, or OBS. If those services have not been interconnected with the corresponding service authorization items, you must add the Admin system permission of the corresponding service.
- Because DWS has a large number of APIs, the following table lists only the key, frequently used operations. The remaining APIs support only project-level authentication (IAM authentication), not enterprise project authentication; to use them, configure them on the IAM authentication page.
Table 1 DWS resource operations and authorization items

| DWS Resource Operation | Authorization Item | Dependent Authorization Items | Authorization Item Scope |
|---|---|---|---|
| Create a cluster | "dws:cluster:create" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:securityGroupRules:delete", "vpc:ports:update", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| List clusters | "dws:cluster:list" | -- | |
| Query details of a cluster | "dws:cluster:getDetail" | "dws:*:get*", "dws:*:list*", "vpc:vpcs:list", "vpc:securityGroups:get" | |
| Configure automated snapshots | "dws:cluster:setAutomatedSnapshot" | "dws:backupPolicy:list" | |
| Configure security parameters/parameter groups | "dws:cluster:setSecuritySettings" | "dws:*:get*", "dws:*:list*" | |
| Restart a cluster | "dws:cluster:restart" | "dws:*:get*", "dws:*:list*" | |
| Scale out a cluster | "dws:cluster:scaleOut" | "dws:*:get*", "dws:*:list*", "dws:cluster:scaleOutOrOpenAPIResize", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:update*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Scale out or resize a cluster via API | "dws:cluster:scaleOutOrOpenAPIResize" | "dws:*:get*", "dws:*:list*", "vpc:vpcs:list", "vpc:ports:create", "vpc:ports:get", "vpc:ports:update", "vpc:subnets:get", "vpc:subnets:update", "vpc:subnets:create", "vpc:routers:get", "vpc:routers:update", "vpc:networks:create", "vpc:networks:get", "vpc:networks:update", "ecs:serverInterfaces:use", "ecs:serverInterfaces:get", "ecs:cloudServerFlavors:get" | |
| Reset the password | "dws:cluster:resetPassword" | "dws:*:get*", "dws:*:list*" | |
| Delete a cluster | "dws:cluster:delete" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" | |
| Set the maintenance window | "dws:cluster:setMaintainceWindow" | "dws:*:get*", "dws:*:list*" | |
| Bind an EIP | "dws:eip:operate" | "dws:*:get*", "dws:*:list*", "eip:*:get*", "eip:*:list*" | |
| Unbind an EIP | "dws:eip:operate" | "dws:*:get*", "dws:*:list*", "eip:*:get*", "eip:*:list*" | |
| Create a DNS domain name | "dws:dns:create" | "dws:*:get*", "dws:*:list*" | |
| Release a DNS domain name | "dws:dns:release" | "dws:*:get*", "dws:*:list*" | |
| Modify a DNS domain name | "dws:dns:edit" | "dws:*:get*", "dws:*:list*" | |
| Create an MRS connection | "dws:MRSConnection:create" | "dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Update an MRS connection | "dws:MRSConnection:update" | "dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Delete an MRS connection | "dws:MRSConnection:delete" | "dws:*:get*", "dws:*:list*", "mrs:*:get*", "mrs:*:list*", "mrs:cluster:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" | |
| List MRS data sources | "dws:MRSSource:list" | "mrs:cluster:list", "mrs:tag:listResource", "mrs:tag:list", "dws:*:get*", "dws:*:list*" | |
| Add/delete tags | "dws:tag:addAndDelete" | "dws:*:get*", "dws:*:list*", "dws:openAPITag:update", "dws:openAPITag:getResourceTag" | |
| Edit tags | "dws:tag:edit" | "dws:*:get*", "dws:*:list*", "dws:openAPITag:update", "dws:openAPITag:getResourceTag" | |
| Create a snapshot | "dws:snapshot:create" | "dws:*:get*", "dws:*:list*" | |
| List snapshots | "dws:snapshot:list" | -- | |
| List the snapshots of a cluster | "dws:clusterSnapshot:list" | "dws:cluster:list", "dws:openAPICluster:getDetail" | |
| Delete a snapshot | "dws:snapshot:delete" | "dws:snapshot:list" | |
| Copy a snapshot | "dws:snapshot:copy" | "dws:snapshot:list", "dws:snapshot:create" | |
| Restore to a new cluster | "dws:cluster:restore" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Resize a cluster | "dws:cluster:resize" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "evs:*:delete*" | |
| Active/standby recovery | "dws:cluster:switchover" | "dws:*:get*", "dws:*:list*" | |
| List load balancers | "dws:elb:list" | "dws:*:get*", "dws:*:list*", "elb:*:get*", "elb:*:list*" | |
| Bind a load balancer | "dws:elb:bind" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*", "elb:*:get*", "elb:*:list*", "elb:*:delete*", "elb:*:create*" | |
| Unbind a load balancer | "dws:elb:unbind" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*", "elb:*:get*", "elb:*:list*", "elb:*:delete*" | |
| Query snapshot configuration parameters | "dws:snapshotConfig:list" | "dws:*:get*", "dws:*:list*" | |
| Update a snapshot policy | "dws:backupPolicyDetail:update" | "dws:*:get*", "dws:*:list*" | |
| Delete a snapshot policy | "dws:backupPolicy:delete" | "dws:*:get*", "dws:*:list*" | |
| Query snapshot policies | "dws:backupPolicy:list" | "dws:cluster:list" | |
| Query cluster encryption information | "dws:clusterEncryptInfo:list" | "dws:*:get*", "dws:*:list*", "KMS Administrator" | |
| Create an agency | "dws:createAgency:create" | "dws:*:get*", "dws:*:list*", "security administrator" | |
| Query OBS bucket information | "dws:queryBuckets:list" | "dws:*:get*", "dws:*:list*" | |
| Scale out nodes | "dws:expandWithExistedNodes:update" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:*:update*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Delete a DR task | "dws:disasterRecovery:delete" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" | |
| Create a DR task | "dws:disasterRecovery:create" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Other DR operations | "dws:disasterRecovery:otherOperate" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Query DR information | "dws:disasterRecovery:get" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*", "evs:*:get*", "evs:*:list*" | |
| Add CN nodes | "dws:module:install" | "dws:*:get*", "dws:*:list*" | |
| Delete CN nodes | "dws:module:uninstall" | "dws:*:get*", "dws:*:list*" | |
| Delete nodes | "dws:clusterNodes:operate" | "dws:*:get*", "dws:*:list*" | |
| Update a node alias | "dws:instanceAliasName:update" | "dws:cluster:list" | |
| Perform redistribution | "dws:redistribution:operate" | "dws:*:get*", "dws:*:list*" | |
| Query redistribution | "dws:redistributionInfo:list" | "dws:*:get*", "dws:*:list*" | |
| Suspend redistribution | "dws:redistribution:suspend" | "dws:*:get*", "dws:*:list*" | |
| Resume redistribution | "dws:redistribution:recover" | "dws:*:get*", "dws:*:list*" | |
| Expand disk capacity | "dws:disk:expand" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Scale in a cluster | "dws:cluster:shrink" | "dws:*:get*", "dws:*:list*", "dws:createAgency:create", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*" | |
| Query flavor product information | "dws:specProduct:list" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*" | |
| Change pay-per-use to yearly/monthly | "dws:ondemandToPeriod:operate" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:securityGroupRules:delete", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" | |
| Obtain DWS resources | "dws:resources:list" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" | |
| Modify a yearly/monthly cluster | "dws:periodCluster:modify" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:delete*", "vpc:*:get*", "vpc:*:list*", "vpc:*:delete*", "evs:*:get*", "evs:*:list*", "evs:*:delete*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" | |
| Create a yearly/monthly cluster | "dws:periodCluster:create" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*", "bss:coupon:view", "bss:order:pay", "bss:order:view", "bss:contract:update", "bss:balance:view", "bss:renewal:view", "bss:unsubscribe:update", "bss:renewal:update", "bss:order:update" | |
| Pre-check before cluster creation | "dws:checkCluster:create" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Pre-check before disk expansion of a yearly/monthly cluster | "dws:periodExpandPrecheck:operate" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "evs:*:get*", "evs:*:list*", "evs:*:create*" | |
| Bind a management plane IP address | "dws:bindManageIp:operate" | "dws:*:get*", "dws:*:list*" | |
| Query user authorization | "dws:checkAuthorize:operate" | "dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" | |
| Authorize a user | "dws:authorize:operate" | "dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" | |
| List user databases | "dws:userDatabase:list" | "dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" | |
| List user schemas | "dws:schemas:list" | "dws:*:get*", "dws:*:list*", "dws:checkSupport:operate" | |
| List user tables | "dws:tables:list" | "dws:*:get*", "dws:*:list*" | |
| Restore a table | "dws:tableRestore:operate" | "dws:*:get*", "dws:*:list*" | |
| Check the table name for restoration | "dws:tableRestoreCheck:operate" | "dws:*:get*", "dws:*:list*" | |
| Check whether a cluster supports fine-grained backup | "dws:checkSupport:operate" | "dws:*:get*", "dws:*:list*" | |
| List flavors available for change | "dws:supportFlavors:list" | "dws:*:get*", "dws:*:list*" | |
| Perform an elastic flavor change | "dws:specResize:operate" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*" | |
| Stop a snapshot | "dws:snapshot:stop" | "dws:snapshot:list" | |
| Terminate a session | "dws:dmsSession:terminate" | "dws:dmsGrpcOuter:operation" | |
| Workload diagnosis report operations | "dws:dmsWorkloadDiagnosisReport:create" | "dws:dmsGrpcOuter:operation" | |
| Modify an alarm rule | "dws:dmsAlarmRule:update" | "dws:dmsQuery:list" | |
| Enable an alarm rule | "dws:dmsAlarmRule:enable" | "dws:dmsQuery:list" | |
| Enable cluster alarms | "dws:dmsClusterAlarm:enable" | "dws:dmsQuery:list" | |
| Disable cluster alarms | "dws:dmsClusterAlarm:disable" | "dws:dmsQuery:list" | |
| External gRPC service | "dws:dmsGrpcOuter:operation" | "dws:dmsQuery:list", "dws:cluster:setSecuritySettings", "obs:bucket:ListAllMyBuckets" | |
| Add an SQL probe | "dws:dmsProbe:add" | "dws:dmsGrpcOuter:operation" | |
| Modify an SQL probe | "dws:dmsProbe:update" | "dws:dmsGrpcOuter:operation" | |
| Delete an SQL probe | "dws:dmsProbe:delete" | "dws:dmsGrpcOuter:operation" | |
| Enable/disable an SQL probe | "dws:dmsProbe:enable" | "dws:dmsGrpcOuter:operation" | |
| Create a user dashboard | "dws:dmsUserBoard:create" | "dws:dmsQuery:list" | |
| Modify a user dashboard | "dws:dmsUserBoard:update" | "dws:dmsQuery:list" | |
| Delete a user dashboard | "dws:dmsUserBoard:delete" | "dws:dmsQuery:list" | |
| Terminate a query | "dws:dmsQuery:terminate" | "dws:dmsGrpcOuter:operation" | |
| Enable/disable the DMS monitoring service | "dws:dmsService:enableOrDisable" | "dws:dmsQuery:list" | |
| Modify the DMS storage configuration | "dws:dmsStorageConfig:modify" | "dws:dmsQuery:list" | |
| Create or query a DDL review | "dws:dmsDdlExamine:getOrCreate" | "dws:dmsGrpcOuter:operation" | |
| Workload snapshot operations | "dws:dmsWorkloadDiagnosisSnapshot:create" | "dws:dmsGrpcOuter:operation" | |
| Create an alarm rule | "dws:dmsAlarmRule:add" | "dws:dmsQuery:list" | |
| Delete an alarm rule | "dws:dmsAlarmRule:delete" | "dws:dmsQuery:list" | |
| Execute an SQL probe | "dws:dmsProbe:execute" | "dws:dmsGrpcOuter:operation" | |
| Delete a monitoring item | "dws:dmsPerformanceMonitor:delete" | "dws:dmsQuery:list" | |
| Enable/disable DMS monitoring collection items | "dws:dmsCollectItem:enableOrDisable" | "dws:dmsGrpcOuter:operation" | |
| Modify the DMS monitoring collection configuration | "dws:dmsCollectConfig:modify" | "dws:dmsGrpcOuter:operation" | |
| Conditional query | "dws:dmsQuery:list" | "dws:cluster:list" | |
| OpenAPI conditional query | "dws:dmsOpenapiQuery:list" | "dws:cluster:list" | |
| Disable an alarm rule | "dws:dmsAlarmRule:disable" | "dws:dmsQuery:list" | |
| Delete alarm records | "dws:dmsAlarmRecord:delete" | "dws:dmsQuery:list" | |
| Check an SQL probe | "dws:dmsProbe:check" | "dws:dmsGrpcOuter:operation" | |
| Add a monitoring item | "dws:dmsPerformanceMonitor:add" | "dws:dmsQuery:list" | |
| Modify a monitoring item | "dws:dmsPerformanceMonitor:update" | "dws:dmsQuery:list" | |
| Download historical monitoring trends | "dws:dmsTrendHistory:down" | "dws:dmsQuery:list" | |
| Query cluster ring information | "dws:ring:list" | "dws:*:get*", "dws:*:list*" | |
| Query the cluster process topology | "dws:processTopo:list" | "dws:*:get*", "dws:*:list*" | |
| Query intelligent O&M information | "dws:operationalTask:get" | "dws:*:get*", "dws:*:list*" | |
| Perform intelligent O&M operations | "dws:operationalTask:operate" | "dws:*:get*", "dws:*:list*" | |
| Create, delete, or modify logical clusters | "dws:logicalCluster:operate" | "dws:*:get*", "dws:*:list*" | |
| Query logical clusters | "dws:logicalCluster:get" | "dws:*:get*", "dws:*:list*" | |
| Logical cluster elastic plan operations | "dws:logicalClusterPlan:operate" | "dws:*:get*", "dws:*:list*", "dws:logicalCluster:*", "dws:cluster:scaleOut", "iam:agencies:*", "iam:permissions:*Agency*" | |
| Create a VPC endpoint service | "dws:vpcEndpointService:create" | "dws:*:get*", "dws:*:list*" | |
| Query workload management information | "dws:workLoadManager:get" | "dws:*:get*", "dws:*:list*" | |
| Workload management operations | "dws:workLoadManager:operate" | "dws:*:get*", "dws:*:list*" | |
| Log Tank Service (LTS) operations | "dws:ltsAccess:operate" | "dws:*:get*", "dws:*:list*" | |
| Query Log Tank Service (LTS) information | "dws:ltsAccess:get" | "dws:*:get*", "dws:*:list*" | |
| Query events | "dws:event:list" | "dws:*:get*", "dws:*:list*" | |
| Query event specifications | "dws:event:list" | "dws:*:get*", "dws:*:list*" | |
| Query event subscriptions | "dws:eventSub:list" | "dws:*:get*", "dws:*:list*" | |
| Create an event subscription | "dws:eventSub:create" | "dws:*:get*", "dws:*:list*" | |
| Update an event subscription | "dws:eventSub:update" | "dws:*:get*", "dws:*:list*" | |
| Delete an event subscription | "dws:eventSub:delete" | "dws:*:get*", "dws:*:list*" | |
| Query alarm statistics | "dws:alarmStatistic:list" | "dws:*:get*", "dws:*:list*" | |
| Query alarm details | "dws:alarmDetail:list" | "dws:*:get*", "dws:*:list*" | |
| Query alarm configuration | "dws:alarmConfig:list" | "dws:*:get*", "dws:*:list*" | |
| Query alarm subscriptions | "dws:alarmSub:list" | "dws:*:get*", "dws:*:list*" | |
| Create an alarm subscription | "dws:alarmSub:create" | "dws:*:get*", "dws:*:list*" | |
| Update an alarm subscription | "dws:alarmSub:update" | "dws:*:get*", "dws:*:list*" | |
| Delete an alarm subscription | "dws:alarmSub:delete" | "dws:*:get*", "dws:*:list*" | |
| Deliver cluster upgrade operations (upgrade, roll back, commit, retry) | "dws:cluster:doUpdate" | "dws:*:get*", "dws:*:list*" | |
| Query the available upgrade paths of a cluster | "dws:cluster:getUpgradePaths" | "dws:*:get*", "dws:*:list*" | |
| Query cluster upgrade records | "dws:cluster:getUpgradeRecords" | "dws:*:get*", "dws:*:list*" | |
| Start a cluster | "dws:cluster:startCluster" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:start", "ecs:*:stop" | |
| Stop a cluster | "dws:cluster:stopCluster" | "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:start", "ecs:*:stop" | |
| Query discounted nodes of a cluster | "dws:cluster:listDiscountNode" | "dws:*:list*" | |
| Query tags | "dws:openAPItag:list" | "dws:*:list*" | |
| List enterprise projects of the service | "dws:service:listEps" | "dws:*:list*" | |
| Obtain DR information | "dws:disasterRecovery:get" | "dws:*:*" | |
| Check cluster restoration | "dws:cluster:checkRestore" | "dws:*:*" | |
| List alarm statistics | "dws:alarmStatistic:list" | "dws:*:list*" | |
| Obtain resource statistics | "dws:service:getResourceStatistics" | "dws:*:*" | |
| List alarm details | "dws:alarmDetail:list" | "dws:*:list*" | |
| Obtain cluster details | "dws:openAPICluster:getDetail" | "dws:*:*" | |
| List cluster event specifications | "dws:eventSpec:list" | "dws:*:list*" | |
| List cluster DR tasks | "dws:cluster:listDisasterRecovery" | "dws:*:list*" | |
| Alarm data overview | "dws:alarm:listStatistics" | "dws:*:list*" | |
| Query schemas in a DWS cluster | "dws:monitor:listClusterOverview" | "dws:*:get*", "dws:*:list*" | |
| Query historical monitoring data | "dws:monitor:getHistoryMetrics" | "dws:*:get*", "dws:*:list*" | |
| Query the list display column configuration | "dws:cluster:listQueryForDMS" | "dws:*:get*", "dws:*:list*" | |
| Add or modify list display columns | "dws:cluster:listQueryForDMS" | "dws:*:get*", "dws:*:list*" | |
|
Fine-Grained Policy Authorization
1. Log in to the IAM console and create a custom policy.
   For details, see Creating a Custom Policy in the Identity and Access Management User Guide.
   Note the following:
   - You must use an IAM administrator, that is, a user in the admin user group, because only IAM administrators can create user groups and users and modify user group permissions.
   - Because DWS is a project-level service, Scope must be set to Project-level services. If the policy needs to take effect in multiple projects, authorize each project separately.
   - IAM provides the following two DWS policy templates. When creating a custom policy, you can select one of them and modify its authorization statements.
     - DWS Admin: all permissions on Data Warehouse Service.
     - DWS Viewer: read-only permissions on Data Warehouse Service.
   - In the policy authorization statements, add to the Action list the authorization items that correspond to the DWS resource operations or REST APIs listed under Authorization Item List, so that the policy grants the corresponding permissions.
     For example, adding "dws:cluster:create" to the Action list of a statement grants the policy the permission to create clusters.
   - If other services are used, you must also grant the related permissions of those services; see the documentation of each service for details.
     For example, creating a DWS cluster requires specifying the VPC the cluster belongs to. To obtain the VPC list, add the authorization item "vpc:*:get*" to the policy statement.
2. Create a user group.
   For details, see Creating a User Group in the Identity and Access Management User Guide.
3. Add users to the user group and attach the new custom policy to the group so that the users in the group have the permissions defined in the policy.
   For details, see Viewing or Modifying a User Group in the Identity and Access Management User Guide.
Check Rules
When a user is granted multiple policies, or a single policy contains multiple authorization statements, and these contain both Allow and Deny statements, Deny takes precedence. When each policy is evaluated, the Actions in a statement are combined with OR. When a user accesses a resource, the permission check logic is as follows:
1. The user accesses the system and initiates an operation request.
2. The system evaluates the access policies granted to the user; authentication begins.
3. Among the policies granted to the user, the system first looks for an explicit Deny. If an applicable explicit Deny is found, the system returns a Deny decision.
4. If no explicit Deny is found, the system looks for any Allow statement applicable to the request. If an applicable explicit Allow is found, the system returns an Allow decision.
5. If no explicit Allow is found, the final decision is Deny and authentication ends.
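The following Python is an added example, not Huawei Cloud's own code: it evaluates a requested authorization item against a set of fine-grained policies using the Deny-first check rules above, and checks a custom policy built as described under Fine-Grained Policy Authorization against the "Create a cluster" row of Table 1 to find dependent items the policy forgot to grant. The wildcard matching (which treats `*` within each service:resource:action segment of an item) and both policies are constructed assumptions, not IAM's implementation.

```python
from fnmatch import fnmatchcase

# Row of Table 1 for "Create a cluster", reproduced as data: item -> dependent items.
DEPENDENCIES = {
    "dws:cluster:create": [
        "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*", "ecs:*:create*",
        "vpc:*:get*", "vpc:*:list*", "vpc:*:create*", "vpc:securityGroupRules:delete",
        "vpc:ports:update", "evs:*:get*", "evs:*:list*", "evs:*:create*",
    ],
}

def item_matches(pattern, item):
    """Match an authorization item against a pattern such as "dws:*:get*".
    Assumption: "*" is matched within each service:resource:action segment."""
    pats, parts = pattern.split(":"), item.split(":")
    return len(pats) == len(parts) and all(
        fnmatchcase(part, pat) for pat, part in zip(pats, parts))

def evaluate(policies, item):
    """Decision for one requested item under the check rules on this page:
    an applicable explicit Deny wins, then an applicable Allow, otherwise Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            # Actions inside a statement are ORed: one match makes it applicable.
            if any(item_matches(pat, item) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def missing_dependencies(policy, item):
    """Dependent items from Table 1 that no Allow statement in the policy grants."""
    granted = [a for s in policy["Statement"] if s["Effect"] == "Allow"
               for a in s["Action"]]
    return [dep for dep in DEPENDENCIES.get(item, [])
            if not any(item_matches(g, dep) for g in granted)]

# Constructed custom policy (Version 1.1): may create clusters, never delete them.
CUSTOM_POLICY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": [
        "dws:cluster:create", "dws:*:get*", "dws:*:list*", "ecs:*:get*", "ecs:*:list*",
        "ecs:*:create*", "vpc:*:get*", "vpc:*:list*", "vpc:*:create*",
        "evs:*:get*", "evs:*:list*", "evs:*:create*"]},
    {"Effect": "Deny", "Action": ["dws:cluster:delete"]},
]}
# Constructed policy carrying the DWS statement of DWS ReadOnlyAccess shown above.
READ_ONLY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["dws:*:get*", "dws:*:list*"]}]}

if __name__ == "__main__":
    for op in ("dws:cluster:create", "dws:cluster:delete", "dws:snapshot:create"):
        print(op, evaluate([CUSTOM_POLICY, READ_ONLY], op))
    print("missing:", missing_dependencies(CUSTOM_POLICY, "dws:cluster:create"))
```

The dependency check reports the two VPC items from Table 1 that the custom policy omits, which is exactly the kind of gap that makes a console operation fail even though its own authorization item is granted.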