Application Management and O&M Platform ServiceStage
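Cloud services preset commonly used authorization items in IAM; these are called system identity policies. If the IAM system identity policies do not meet your authorization requirements, an administrator can create custom IAM identity policies, based on the authorization items each service supports, for fine-grained access control. Custom IAM identity policies extend and supplement system identity policies.
Besides IAM, service control policies (SCPs) in the Organizations service can also use these authorization item elements to define access control policies.
An SCP does not grant permissions directly; it only defines a permission boundary. Attaching an SCP to an organizational unit or a member account does not grant that organizational unit or member account any permission to perform operations. Instead, it defines the scope within which the member account, or the member accounts contained in the organizational unit, can be authorized. The permissions granted by IAM policies are limited by SCPs: only permissions within the range an SCP allows take effect.
IAM and Organizations differ in some respects when they use these elements for access control. For details, see the differences in permission access control between the IAM service and the Organizations service.
This section describes the elements used by custom identity policies in IAM identity policy authorization scenarios and by SCPs in the Organizations service. These elements are actions (Action), resources (Resource), and conditions (Condition).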
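Actions (Action)
An action (Action) is an authorization item supported in an identity policy.
- The "Access level" column describes how the action is classified (list, read, write, and so on). This classification helps you understand the access level an action has in an identity policy.
- The "Resource type" column indicates whether each action supports resource-level permissions.
  - Resource types support the wildcard * to mean all. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the policy statement.
  - If this column contains a resource type, you must specify the URN of that resource in statements that include the action.
  - Required resources in the resource type column are marked with an asterisk (*) in the table, meaning that this resource type must be specified when the action is used.

  For details about the resource types defined by ServiceStage, see Resource types (Resource).
- The "Condition key" column lists the keys that can be specified in the Condition element of an identity policy statement.
  - If the resource type column of the authorization item has a value, the condition key takes effect only for the listed resource types.
  - If the resource type column of the authorization item has no value (-), the condition key takes effect for the whole authorization item.
  - If the condition key column has no value (-), the action does not support condition keys.

  For details about the condition keys defined by ServiceStage, see Conditions (Condition).
- The "Alias" column lists the policy authorization items that can be configured in identity policies. With these authorization items you can control access to APIs that support policy-based authorization. For details, see the identity policy compatibility notes.

You can specify the following ServiceStage actions in the Action element of an identity policy statement.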
| Authorization item | Description | Access level | Resource type (* = required) | Condition key | Alias |
|---|---|---|---|---|---|
| servicestage:app:getApplication | Grants permission to view a specified application | read | app * | servicestage:app:get | |
| servicestage:app:createApplication | Grants permission to create an application | write | - | servicestage:app:create | |
| | | | app * | - | |
| servicestage:app:modifyApplication | Grants permission to update an application | write | - | servicestage:app:modify | |
| | | | app * | | |
| servicestage:app:deleteApplication | Grants permission to delete an application | write | app * | servicestage:app:delete | |
| servicestage:app:listApplication | Grants permission to view the application list | list | - | - | servicestage:app:list |
| servicestage:app:getConfiguration | Grants permission to view application configuration | read | app * | servicestage:app:get | |
| servicestage:app:deleteConfiguration | Grants permission to delete application configuration | write | app * | servicestage:app:modify | |
| servicestage:app:modifyConfiguration | Grants permission to update application configuration | write | app * | servicestage:app:modify | |
| servicestage:app:getComponent | Grants permission to view a specified application component | read | app * | servicestage:app:get | |
| servicestage:app:createComponent | Grants permission to create an application component | write | app * | servicestage:app:create | |
| servicestage:app:modifyComponent | Grants permission to update an application component | write | app * | servicestage:app:modify | |
| servicestage:app:deleteComponent | Grants permission to delete an application component | write | app * | servicestage:app:delete | |
| servicestage:app:listComponent | Grants permission to view the application component list | list | - | - | servicestage:app:list |
| servicestage::approveContract | Grants permission to approve contracts | write | - | - | servicestage:app:approve |
| servicestage::createEventReport | Grants permission to create event reports | write | - | - | servicestage:app:create |
| servicestage:app:createGovernanceRule | Grants permission to create a governance rule | write | app * | - | servicestage:app:create |
| servicestage:app:deleteGovernanceRule | Grants permission to delete a governance rule | write | app * | - | servicestage:app:delete |
| servicestage:app:getGovernanceRule | Grants permission to obtain a governance rule | read | app * | - | servicestage:app:get |
| servicestage:app:listGovernanceRule | Grants permission to obtain the governance rule list | list | app * | - | servicestage:app:list |
| servicestage:app:modifyGovernanceRule | Grants permission to modify a governance rule | write | app * | - | servicestage:app:modify |
| servicestage:app:createRoute | Grants permission to create a component route | write | app * | - | servicestage:app:create |
| servicestage:app:deleteRoute | Grants permission to delete a component route | write | app * | - | servicestage:app:delete |
| servicestage:app:modifyRoute | Grants permission to modify a component route | write | app * | - | servicestage:app:modify |
| servicestage:environment:create | Grants permission to create an environment | write | - | - | |
| | | | environment * | - | |
| servicestage:environment:get | Grants permission to view environment information | read | environment * | servicestage:app:get | |
| servicestage:environment:list | Grants permission to view the environment list | list | - | - | servicestage:app:list |
| servicestage:environment:modify | Grants permission to update an environment | write | - | - | |
| | | | environment * | | |
| servicestage:environment:delete | Grants permission to delete an environment | write | environment * | - | |
| servicestage:environment:refresh | Grants permission to refresh an environment | write | environment * | - | |
| servicestage:environment:tag | Grants TMS users permission to create environment tags | tagging | - | servicestage:environment:modify | |
| | | | environment * | | |
| servicestage:app:tag | Grants TMS users permission to create application tags | tagging | - | servicestage:app:modify | |
| | | | app * | | |
| servicestage:environment:listResourcesByTag | Grants TMS users permission to query environment resources by tag | read | - | servicestage:app:list | |
| | | | environment * | - | |
| servicestage:app:listResourcesByTag | Grants TMS users permission to query application resources by tag | read | - | servicestage:app:list | |
| | | | app * | - | |
| servicestage:environment:unTagResource | Grants TMS users permission to delete environment resource tags | tagging | - | servicestage:environment:modify | |
| | | | environment * | | |
| servicestage:app:unTagResource | Grants TMS users permission to delete application resource tags | tagging | - | servicestage:app:modify | |
| | | | app * | | |
| servicestage:environment:listTags | Grants TMS users permission to query the list of environment resource tags | read | - | - | servicestage:app:list |
| servicestage:app:listTags | Grants TMS users permission to query the list of application resource tags | read | - | - | servicestage:app:list |
| servicestage:environment:createAddon | Grants permission to create an add-on | write | environment * | - | servicestage:app:create |
| servicestage:environment:listAddon | Grants permission to query the add-on list | list | environment * | - | servicestage:app:list |
| servicestage:environment:getAddon | Grants permission to query add-on details | read | environment * | - | servicestage:app:get |
| servicestage:environment:modifyAddon | Grants permission to modify an add-on | write | environment * | - | servicestage:app:modify |
| servicestage:environment:deleteAddon | Grants permission to delete an add-on | write | environment * | - | servicestage:app:delete |
| servicestage:environment:createCell | Grants permission to create a deployment unit | write | environment * | - | servicestage:app:create |
| servicestage:environment:deleteCell | Grants permission to delete a deployment unit | write | environment * | - | servicestage:app:delete |
| servicestage:environment:listCell | Grants permission to obtain the deployment unit list | list | environment * | - | servicestage:app:list |
| servicestage:environment:modifyCell | Grants permission to modify a deployment unit | write | environment * | - | servicestage:app:modify |
| servicestage:environment:provisionResources | Grants permission to provision environment resources | write | environment * | - | |
| servicestage:environment:rollback | Grants permission to roll back an environment | write | environment * | - | |
| servicestage::createLaneGroup | Grants permission to create a lane group | write | - | - | servicestage:app:create |
| servicestage::getLaneGroup | Grants permission to query a lane group | read | - | - | servicestage:app:get |
| servicestage::listLaneGroup | Grants permission to obtain all lane groups | list | - | - | servicestage:app:list |
| servicestage::modifyLaneGroup | Grants permission to modify a lane group by lane group ID | write | - | - | servicestage:app:modify |
| servicestage::deleteLaneGroup | Grants permission to delete a lane group by lane group ID | write | - | - | servicestage:app:delete |
| servicestage::createLane | Grants permission to create a lane in a lane group | write | - | - | servicestage:app:create |
| servicestage::getLane | Grants permission to obtain lane information by lane ID | read | - | - | servicestage:app:get |
| servicestage::listLane | Grants permission to obtain all lanes in a lane group | list | - | - | servicestage:app:list |
| servicestage::modifyLane | Grants permission to modify lane information by lane ID | write | - | - | servicestage:app:modify |
| servicestage::deleteLane | Grants permission to delete a lane by lane ID | write | - | - | servicestage:app:delete |
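| servicestage:config:createGroup | Grants permission to create a configuration group | write | - | - | |
| | | | configGroup * | - | |
| servicestage:config:getGroup | Grants permission to obtain configuration group details by configuration group ID | read | configGroup * | - | |
| servicestage:config:modifyGroup | Grants permission to modify a configuration group | write | - | - | |
| | | | configGroup * | | |
| servicestage:config:listGroup | Grants permission to obtain configuration groups | list | - | - | - |
| servicestage:config:deleteGroup | Grants permission to delete a configuration group by configuration group ID | write | configGroup * | - | |
| servicestage:configGroup:listResourcesByTag | Grants TMS users permission to query configuration group resources by tag | list | - | servicestage:configGroup:list | |
| | | | configGroup * | - | |
| servicestage:configGroup:listTags | Grants TMS users permission to query the list of configuration group resource tags | read | - | - | servicestage:configGroup:list |
| servicestage:configGroup:listTagsForResource | Grants EPS users permission to query the list of configuration group resource tags | read | configGroup * | servicestage:configGroup:list | |
| servicestage:configGroup:tag | Grants TMS users permission to create configuration group tags | tagging | - | servicestage:configGroup:modify | |
| | | | configGroup * | | |
| servicestage:configGroup:unTagResource | Grants TMS users permission to delete configuration group resource tags | tagging | - | servicestage:configGroup:modify | |
| | | | configGroup * | | |
| servicestage:config:get | Grants permission to obtain configuration file information by configuration file ID | read | config * | - | |
| servicestage:config:list | Grants permission to obtain configuration file information | list | - | - | - |
| servicestage:config:create | Grants permission to create a configuration file | write | config * | - | |
| servicestage:config:modify | Grants permission to modify a configuration file by configuration file ID | write | config * | - | |
| servicestage:config:delete | Grants permission to delete a configuration file by configuration file ID | write | config * | - | |
| servicestage:config:import | Grants permission to import configuration files | write | - | - | - |
| servicestage:config:listHistories | Grants permission to obtain configuration file history by configuration file ID | list | config * | - | |
| servicestage:config:getHistory | Grants permission to obtain configuration file history information by configuration file history ID | read | config * | - | |
| servicestage:config:deleteHistory | Grants permission to delete configuration file history by configuration file history ID | write | config * | - | |
| servicestage::getRuntimeStack | Grants permission to query a technology stack by technology stack ID | read | - | - | servicestage:runtimestack:get |
| servicestage::createRuntimeStack | Grants permission to create a technology stack | write | - | - | servicestage:runtimestack:create |
| servicestage::modifyRuntimeStack | Grants permission to modify a technology stack by technology stack ID | write | - | - | servicestage:runtimestack:modify |
| servicestage::deleteRuntimeStack | Grants permission to delete a technology stack by technology stack ID | write | - | - | servicestage:runtimestack:delete |
| servicestage::switchRuntimeStackStatus | Grants permission to publish and unpublish a technology stack | write | - | - | servicestage:runtimestack:switchStatus |
| servicestage::createReleasePlan | Grants permission to create a release task | write | - | - | servicestage:app:create |
| servicestage::getReleasePlan | Grants permission to obtain release task information by release task ID | read | - | - | servicestage:app:get |
| servicestage::listReleasePlan | Grants permission to obtain the release task list | list | - | - | servicestage:app:list |
| servicestage::modifyReleasePlan | Grants permission to edit a release task by release task ID | write | - | - | servicestage:app:modify |
| servicestage::deleteReleasePlan | Grants permission to delete a release task by release task ID | write | - | - | servicestage:app:delete |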
| servicestage:pipeline:get | Grants permission to view a pipeline | read | pipeline * | - | - |
| servicestage:pipeline:create | Grants permission to create a pipeline | write | pipeline * | - | - |
| servicestage:pipeline:modify | Grants permission to update a pipeline | write | pipeline * | - | servicestage:pipeline:execute |
| servicestage:pipeline:delete | Grants permission to delete a pipeline | write | pipeline * | - | - |
| servicestage:pipeline:list | Grants permission to view the pipeline list | list | - | - | - |
| servicestage:assembling:runtimeList | Grants permission to view the technology stack list | read | - | - | servicestage:assembling:get |
| servicestage:assembling:getInfo | Grants permission to view build information | read | assembling * | - | servicestage:assembling:get |
| servicestage:assembling:create | Grants permission to create a build job | write | assembling * | - | - |
| servicestage:assembling:modify | Grants permission to update a build job | write | assembling * | - | - |
| servicestage:assembling:delete | Grants permission to delete a build job | write | assembling * | - | - |
| servicestage:assembling:list | Grants permission to view the build job list | list | - | - | - |
| servicestage:repositoryAuth:list | Grants permission to obtain the repository authorization list | list | - | - | servicestage:app:list |
| servicestage:repositoryAuth:get | Grants permission to obtain a repository authorization | read | repositoryAuth * | - | servicestage:app:get |
| servicestage:repositoryAuth:create | Grants permission to create a repository authorization | write | repositoryAuth * | - | servicestage:app:create |
| servicestage:repositoryAuth:delete | Grants permission to delete a repository authorization | write | repositoryAuth * | - | servicestage:app:delete |
| servicestage:environment:listTagsForResource | Grants EPS users permission to query the list of environment resource tags | read | environment * | servicestage:app:list | |
| servicestage:app:listTagsForResource | Grants EPS users permission to query the list of application resource tags | read | app * | servicestage:app:list | |
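
A ServiceStage API usually corresponds to one or more authorization items. Table 2 shows the relationship between APIs and authorization items, and the authorization items each API depends on.

API | Corresponding authorization item | Dependent authorization items |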
|---|---|---|
POST /v3/{project_id}/cas/environments | servicestage:environment:create | - |
GET /v3/{project_id}/cas/environments | servicestage:environment:list | - |
PUT /v3/{project_id}/cas/environments/{environment_id} | servicestage:environment:modify | - |
DELETE /v3/{project_id}/cas/environments/{environment_id} | servicestage:environment:delete | - |
GET /v3/{project_id}/cas/environments/{environment_id} | servicestage:environment:get | - |
PUT /v3/{project_id}/cas/environments/{environment_id}/resources | servicestage:environment:modify | - |
GET /v3/{project_id}/cas/environments/{environment_id}/resources | servicestage:environment:list | - |
GET /v3/{project_id}/cas/environments/resources | servicestage:environment:list | - |
POST /v3/{project_id}/cas/environments/{environment_id}/refresh | servicestage:environment:refresh | - |
POST /v3/{project_id}/cas/applications | servicestage:app:createApplication | - |
GET /v3/{project_id}/cas/applications | servicestage:app:listApplication | - |
PUT /v3/{project_id}/cas/applications/{application_id} | servicestage:app:modifyApplication | - |
GET /v3/{project_id}/cas/applications/{application_id} | servicestage:app:getApplication | - |
DELETE /v3/{project_id}/cas/applications/{application_id} | servicestage:app:deleteApplication | - |
POST /v3/{project_id}/cas/applications/{application_id}/action | servicestage:app:modifyApplication | - |
GET /v3/{project_id}/cas/applications/{application_id}/configuration | servicestage:app:getConfiguration | - |
PUT /v3/{project_id}/cas/applications/{application_id}/configuration | servicestage:app:modifyConfiguration | - |
DELETE /v3/{project_id}/cas/applications/{application_id}/configuration | servicestage:app:deleteConfiguration | - |
POST /v3/{project_id}/cas/applications/{application_id}/components | servicestage:app:createComponent | |
GET /v3/{project_id}/cas/applications/{application_id}/components | servicestage:app:listComponent | - |
GET /v3/{project_id}/cas/components | servicestage:app:listComponent | - |
PUT /v3/{project_id}/cas/applications/{application_id}/components/{component_id} | servicestage:app:modifyComponent | |
DELETE /v3/{project_id}/cas/applications/{application_id}/components/{component_id} | servicestage:app:deleteComponent | |
GET /v3/{project_id}/cas/applications/{application_id}/components/{component_id} | servicestage:app:getComponent | - |
POST /v3/{project_id}/cas/applications/{application_id}/components/{component_id}/action | servicestage:app:modifyComponent | |
GET /v3/{project_id}/cas/applications/{application_id}/components/{component_id}/records | servicestage:app:listComponent | - |
PUT /v3/{project_id}/cas/applications/{application_id}/components/{component_id}/refresh | servicestage:app:modifyComponent | |
GET /v3/{project_id}/cas/components/filterOptions | servicestage:app:listComponent | - |
POST /v3/{project_id}/cas/components/action | servicestage:app:modifyComponent | |
POST /v3/{project_id}/cas/components | servicestage:app:createComponent | |
POST /v3/{project_id}/cas/components/parse-template-package | servicestage:app:getComponent | - |
PUT /v3/{project_id}/cas/applications/{application_id}/components/{component_id}/redeployment | servicestage:app:modifyComponent | |
GET /v3/{project_id}/cas/jobs/{job_id} | servicestage:app:listApplication | - |
POST /v3/{project_id}/cas/config-groups | servicestage:config:createGroup | - |
GET /v3/{project_id}/cas/config-groups | servicestage:config:listGroup | - |
POST /v3/{project_id}/cas/configs | servicestage:config:create | - |
POST /v3/{project_id}/cas/configs/import | servicestage:config:import | - |
GET /v3/{project_id}/cas/configs | servicestage:config:list | - |
GET /v3/{project_id}/cas/configs/{config_id} | servicestage:config:get | - |
DELETE /v3/{project_id}/cas/configs/{config_id} | servicestage:config:delete | - |
PUT /v3/{project_id}/cas/configs/{config_id} | servicestage:config:modify | - |
GET /v3/{project_id}/cas/configs/{config_id}/histories | servicestage:config:listHistories | - |
GET /v3/{project_id}/cas//configs/{config_id}/histories/{config_history_id} | servicestage:config:getHistory | - |
DELETE /v3/{project_id}/cas/configs/{config_id}/histories/{config_history_id} | servicestage:config:deleteHistory | - |
GET /v3/{project_id}/cas/config-groups/{config_group_id} | servicestage:config:getGroup | - |
DELETE /v3/{project_id}/cas/config-groups/{config_group_id} | servicestage:config:deleteGroup | - |
POST /v3/{project_id}/cas/swimlane-group | servicestage::createLaneGroup | - |
GET /v3/{project_id}/cas/swimlane-group | servicestage::listLaneGroup | - |
GET /v3/{project_id}/cas/swimlane-group/{lane_group_id} | servicestage::getLaneGroup | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id} | servicestage::modifyLaneGroup | - |
DELETE /v3/{project_id}/cas/swimlane-group/{lane_group_id} | servicestage::deleteLaneGroup | - |
GET /v3/{project_id}/cas/swimlane-group/target-services | servicestage::listLaneGroup | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id}/route | servicestage::modifyLaneGroup | - |
GET /v3/{project_id}/cas/swimlane-group/{lane_group_id}/view | servicestage::getLaneGroup | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id}/view | servicestage::modifyLaneGroup | - |
POST /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlanes-action | servicestage::modifyLaneGroup | - |
POST /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane | servicestage::createLane | - |
GET /v3/{project_id}/cas/swimlane | servicestage::listLaneGroup | - |
GET /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane | servicestage::listLane | - |
GET /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id} | servicestage::getLane | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id} | servicestage::modifyLane | - |
DELETE /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id} | servicestage::deleteLane | - |
POST /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id}/action | servicestage::modifyLane | - |
POST /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id}/components-action | servicestage::modifyLane | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id}/component-instances | servicestage::modifyLane | - |
GET /v3/{project_id}/cas/swim_lans/{swimlan_id}/records | servicestage::getLane | - |
PUT /v3/{project_id}/cas/swimlane-group/{lane_group_id}/swimlane/{lane_id}/instances | servicestage::modifyLane | - |
POST /v3/{project_id}/cas/environments/{environment_id}/addons | servicestage:environment:createAddon | - |
GET /v3/{project_id}/cas/environments/{environment_id}/addons | servicestage:environment:listAddon | - |
GET /v3/{project_id}/cas/environments/{environment_id}/addons-metadata | servicestage:environment:listAddon | - |
GET /v3/{project_id}/cas/environments/{environment_id}/addons/{addon_id} | servicestage:environment:getAddon | - |
POST /v3/{project_id}/cas/environments/{environment_id}/addons/{addon_id}/action | servicestage:environment:modifyAddon | - |
DELETE /v3/{project_id}/cas/environments/{environment_id}/addons/{addon_id} | servicestage:environment:deleteAddon | - |
GET /v3/{project_id}/assembling/base-images | servicestage:assembling:list | - |
POST /v3/{project_id}/cas/release-plans | servicestage::createReleasePlan | - |
PUT /v3/{project_id}/cas/release-plans/{release_plan_id} | servicestage::modifyReleasePlan | - |
DELETE /v3/{project_id}/cas/release-plans/{release_plan_id} | servicestage::deleteReleasePlan | - |
GET /v3/{project_id}/cas/release-plans | servicestage::listReleasePlan | - |
GET /v3/{project_id}/cas/release-plans/{release_plan_id} | servicestage::getReleasePlan | - |
GET /v3/{project_id}/cas/release-plans/{release_plan_id}/deploy-info | servicestage::getReleasePlan | - |
POST /v3/{project_id}/cas/release-plans/{release_plan_id}/execute | servicestage::createReleasePlan | - |
POST /v3/{project_id}/cas/release-plans/{release_plan_id}/rollback | servicestage::createReleasePlan | - |
POST /v3/{project_id}/cas/release-plans/{release_plan_id}/abort | servicestage::createReleasePlan | - |
POST /v3/{project_id}/pipeline/pipelines | servicestage:pipeline:create | - |
GET /v3/{project_id}/pipeline/pipelines | servicestage:pipeline:list | |
PUT /v3/{project_id}/pipeline/pipelines/{pipeline_id} | servicestage:pipeline:modify | - |
POST /v3/{project_id}/pipeline/pipelines/{pipeline_id}/action | servicestage:pipeline:modify | - |
GET /v3/{project_id}/pipeline/pipelines/{pipeline_id} | servicestage:pipeline:get | - |
GET /v3/{project_id}/pipeline/pipelines/{id}/records | servicestage:pipeline:get | - |
POST /v3/{project_id}/pipeline/pipelines/{pipeline_id}/hooks | servicestage:pipeline:create | - |
PUT /v3/{project_id}/pipeline/pipelines/{pipeline_id}/hooks | servicestage:pipeline:modify | - |
GET /v3/{project_id}/pipeline/pipelines/{pipeline_id}/hooks | servicestage:pipeline:list | |
POST /v3/{project_id}/pipeline/pipelines/parse-template-package | servicestage:pipeline:get | - |
POST /v3/{project_id}/cas/runtimestacks | servicestage::createRuntimeStack | - |
GET /v3/{project_id}/cas/runtimestacks | servicestage:app:listApplication | - |
GET /v3/{project_id}/cas/runtimestacks/{runtimestack_id} | servicestage::getRuntimeStack | - |
PUT /v3/{project_id}/cas/runtimestacks/{runtimestack_id} | servicestage::modifyRuntimeStack | - |
DELETE /v3/{project_id}/cas/runtimestacks/{runtimestack_id} | servicestage::deleteRuntimeStack | - |
POST /v3/{project_id}/cas/runtimestacks/action | servicestage::switchRuntimeStackStatus | - |
GET /v3/{project_id}/cas/innerimages | servicestage:app:listApplication | - |
GET /v1/{project_id}/git/auths | servicestage:repositoryAuth:list | - |
GET /v1/{project_id}/git/auths/{repo_type}/redirect | servicestage:repositoryAuth:get | - |
POST /v1/{project_id}/git/auths/{repo_type}/oauth | servicestage:repositoryAuth:create | - |
POST /v1/{project_id}/git/auths/{repo_type}/personal | servicestage:repositoryAuth:create | - |
POST /v1/{project_id}/git/auths/{repo_type}/password | servicestage:repositoryAuth:create | - |
DELETE /v1/{project_id}/git/auths/{name} | servicestage:repositoryAuth:delete | - |
GET /v1/{project_id}/git/auths/{repo_type}/password/valid | servicestage:repositoryAuth:get | - |
POST /v1/{project_id}/kie/file | cse:config:upload | - |
POST /v1/{project_id}/kie/download | cse:config:download | - |
GET /v2/{project_id}/enginemgr/engines | cse:engine:list | - |
POST /v2/{project_id}/enginemgr/engines | cse:engine:create | - |
GET /v2/{project_id}/enginemgr/engines/{engine_id} | cse:engine:get | - |
DELETE /v2/{project_id}/enginemgr/engines/{engine_id} | cse:engine:delete | - |
GET /v2/{project_id}/enginemgr/engines/{engine_id}/jobs/{job_id} | cse:engine:get | - |
POST /v1/{project_id}/kie/kv | cse:namespace:update | - |
PUT /v1/{project_id}/kie/kv/{kv_id} | cse:namespace:update | - |
GET /v1/{project_id}/kie/kv | cse:namespace:get | - |
DELETE /v1/{project_id}/kie/kv/{kv_id} | cse:namespace:update | - |
DELETE /v1/{project_id}/kie/kv | cse:namespace:update | - |
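
Resource types (Resource)
A resource type (Resource) indicates the resources that an identity policy applies to. If an action in Table 3 lists resource types that can be specified for that action, you must specify the URN of the resource in identity policy statements that include the action, and the policy applies only to that resource. If no resource is specified, Resource defaults to "*" and the policy applies to all resources. You can also set conditions in an identity policy to specify resource types.
ServiceStage defines the following resource types, which can be used in the Resource element of an identity policy.

Resource type | URN |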
|---|---|
app | servicestage:<region>:<account-id>:app:<app-id> |
environment | servicestage:<region>:<account-id>:environment:<environment-id> |
pipeline | servicestage:<region>:<account-id>:pipeline:<pipeline-id> |
assembling | servicestage:<region>:<account-id>:assembling:<assembling-id> |
repositoryAuth | servicestage:<region>:<account-id>:repositoryAuth:<repositoryAuth-id> |
configGroup | servicestage:<region>:<account-id>:configGroup:<config-group-id> |
config | servicestage:<region>:<account-id>:config:<config-group-id>/<config-id> |
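
The resource rules above can be checked mechanically before a custom identity policy is attached. The following is an added example, not ServiceStage or IAM code: a Python linter over a constructed subset of the action table, assuming statements are plain dicts with `Action` and `Resource` lists (a simplified, hypothetical representation) and using placeholder region, account and resource IDs.

```python
import re

# Subset of the action table on this page: action -> resource type column.
# None stands for "-" (the action has no resource-level support).
ACTION_RESOURCE_TYPE = {
    "servicestage:app:getApplication": "app",
    "servicestage:app:deleteApplication": "app",
    "servicestage:app:listApplication": None,
    "servicestage:environment:delete": "environment",
    "servicestage:environment:list": None,
    "servicestage:pipeline:modify": "pipeline",
    "servicestage:config:delete": "config",
}

# URN shape from the resource type table:
#   servicestage:<region>:<account-id>:<resource-type>:<resource-id>
URN_RE = re.compile(r"^servicestage:[^:]*:[^:]*:(?P<rtype>[A-Za-z]+):(?P<rid>.+)$")


def urn_type(resource):
    """Return the resource type named in a ServiceStage URN, or None."""
    m = URN_RE.match(resource)
    return m.group("rtype") if m else None


def lint_statement(stmt):
    """Return (severity, action, message) findings for one policy statement."""
    findings = []
    # A missing Resource element defaults to "*" (all resources).
    resources = stmt.get("Resource") or ["*"]
    for action in stmt.get("Action", []):
        if action not in ACTION_RESOURCE_TYPE:
            findings.append(("unknown", action, "not in the table subset"))
            continue
        required = ACTION_RESOURCE_TYPE[action]
        for res in resources:
            if required is None and res != "*":
                # Resource type column is "-": only "*" is valid.
                findings.append(("error", action, 'no resource type: Resource must be "*"'))
            elif required is not None and res == "*":
                # Valid, but the grant covers every resource of that type.
                findings.append(("warn", action, f"applies to every {required}; scope it to a URN"))
            elif required is not None and urn_type(res) != required:
                findings.append(("error", action, f"Resource is not a {required} URN: {res}"))
    return findings


# Constructed sample statements (region, account and IDs are placeholders).
APP_URN = "servicestage:region-1:account-1:app:app-1"
ENV_URN = "servicestage:region-1:account-1:environment:env-1"
SAMPLES = {
    "scoped read": {"Action": ["servicestage:app:getApplication"], "Resource": [APP_URN]},
    "list mixed with URN": {
        "Action": ["servicestage:app:getApplication", "servicestage:app:listApplication"],
        "Resource": [APP_URN],
    },
    "delete without Resource": {"Action": ["servicestage:environment:delete"]},
    "wrong URN type": {"Action": ["servicestage:pipeline:modify"], "Resource": [ENV_URN]},
}

if __name__ == "__main__":
    for name, stmt in SAMPLES.items():
        print(name, "->", lint_statement(stmt) or "ok")
```

The "list mixed with URN" case is the common mistake: a list action placed in the same statement as a URN-scoped read fails the "-" rule, so list actions belong in their own statement with Resource set to "*".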

