Cloud Application Engine (CAE)
Cloud services come with commonly used authorization items preset in IAM, called system identity policies. If the IAM system identity policies cannot meet your authorization requirements, an administrator can create IAM custom identity policies from the authorization items each service supports, for fine-grained access control. IAM custom identity policies extend and supplement the system identity policies.
Besides IAM, Service Control Policies (SCPs) in the Organizations service can also use these authorization elements to define access control policies.
An SCP does not grant permissions directly; it only defines a permission boundary. Attaching an SCP to an organizational unit (OU) or a member account does not grant any operation permission to the OU or member account; it defines the range of permissions that can be granted to the member account, or to the member accounts in the OU. Permissions granted by IAM identity policies are limited by SCPs: only permissions within the range the SCP allows take effect.
IAM and Organizations differ in some respects when they use these elements for access control. For details, see: Differences between IAM and Organizations in permission access control.
This section describes the elements used in custom identity policies in IAM identity-policy-based authorization scenarios and in SCPs in the Organizations service. These elements are Action, Resource, and Condition.
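As an added example that is not part of the CAE documentation, the Python below models the boundary rule described above: an IAM identity policy grants cae actions from the table on this page, an SCP caps them, and a request is effective only when both allow it. The statement layout (Effect/Action/Resource) is a simplified stand-in for illustration, not the exact IAM or SCP document schema, and both policies are constructed.

```python
import fnmatch

# Constructed IAM identity policy: grants all environment actions plus
# read and delete on components. (Simplified statement layout, not the
# exact IAM schema.)
IAM_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cae:environment:*", "cae:component:getComponent",
                    "cae:component:deleteComponent"],
         "Resource": ["*"]},
    ]
}

# Constructed SCP attached to the OU: allows all cae actions except
# deletes. It grants nothing on its own; it only bounds what IAM may grant.
SCP = {
    "Statement": [
        {"Effect": "Allow", "Action": ["cae:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["cae:*:delete*"], "Resource": ["*"]},
    ]
}


def _match(patterns, value):
    # '*' in an action or resource pattern matches any characters, ':' included.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource="*"):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective(action, iam=IAM_POLICY, scp=SCP, resource="*"):
    """A request succeeds only if IAM grants it AND the SCP boundary allows it."""
    return evaluate(iam, action, resource) and evaluate(scp, action, resource)


if __name__ == "__main__":
    for a in ["cae:environment:getEnvironment", "cae:environment:deleteEnvironment",
              "cae:component:deleteComponent", "cae:component:createComponent"]:
        print(f"{a:40} iam={evaluate(IAM_POLICY, a)!s:5} "
              f"scp={evaluate(SCP, a)!s:5} effective={effective(a)}")
```

createComponent shows the asymmetry: the SCP allows it, but because the IAM policy never grants it the request is still denied.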
Action
An action is an authorization item supported in identity policies.
- The "Access level" column describes how actions are classified (List, Read, Write, and so on). This classification helps you understand the access level an action corresponds to in an identity policy.
- The "Resource type" column indicates whether each action supports resource-level permissions.
  - The wildcard * denotes all resource types. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the identity policy statement.
  - If the column contains a resource type, you must specify the URN of that resource in the statement that contains the action.
  - Required resources in the Resource type column are marked with an asterisk (*), meaning that the resource type must be specified when using the action.
  For details about the resource types defined by cae, see Resource.
- The "Condition key" column lists the keys that can be specified in the Condition element of an identity policy statement.
  - If the Resource type column of the authorization item has a value, the condition key applies only to the listed resource types.
  - If the Resource type column of the authorization item has no value (-), the condition key applies to the whole authorization item.
  - If the Condition key column has no value (-), the action does not support specifying condition keys.
  For details about the condition keys defined by cae, see Condition.
- The "Alias" column lists the policy authorization items that can be configured in identity policies. These authorization items control access to APIs that support policy-based authorization. For details, see Identity policy compatibility.
You can specify the following cae actions in the Action element of an identity policy statement.
| Authorization item | Description | Access level | Resource type (* = required) | Condition key | Alias |
|---|---|---|---|---|---|
| cae:environment:listEnvironments | Grants permission to list all environments. | List | environment * | - | |
| cae:environment:createEnvironment | Grants permission to create an environment. | Write | environment * | - | - |
| cae:environment:deleteEnvironment | Grants permission to delete an environment. | Write | environment * | - | - |
| cae:environment:getEnvironment | Grants permission to query an environment. | Read | environment * | - | - |
| cae:environment:listCloudVolumes | Grants permission to list all cloud storage volumes. | List | environment * | - | - |
| cae:environment:createCloudVolume | Grants permission to authorize cloud storage. | Write | environment * | - | - |
| cae:environment:deleteCloudVolume | Grants permission to unbind cloud storage. | Write | environment * | - | - |
| cae:environment:listDomains | Grants permission to list all domain names. | List | environment * | - | - |
| cae:environment:createDomain | Grants permission to create a domain name. | Write | environment * | - | - |
| cae:environment:deleteDomain | Grants permission to delete a domain name. | Write | environment * | - | - |
| cae:environment:listCertificates | Grants permission to list all certificates. | List | environment * | - | - |
| cae:environment:createCertificate | Grants permission to create a certificate. | Write | environment * | - | - |
| cae:environment:deleteCertificate | Grants permission to delete a certificate. | Write | environment * | - | - |
| cae:environment:updateCertificate | Grants permission to update a certificate. | Write | environment * | - | - |
| cae:environment:listTimerRules | Grants permission to list all start/stop timer rules. | List | environment * | - | - |
| cae:environment:createTimerRule | Grants permission to create a start/stop timer rule. | Write | environment * | - | - |
| cae:environment:deleteTimerRule | Grants permission to delete a start/stop timer rule. | Write | environment * | - | - |
| cae:environment:updateTimerRule | Grants permission to update a start/stop timer rule. | Write | environment * | - | - |
| cae:environment:getTimerRule | Grants permission to query a start/stop timer rule. | Read | environment * | - | - |
| cae:environment:listEips | Grants permission to list all EIPs (mutual access between the environment and the public network). | List | environment * | - | - |
| cae:environment:updateEip | Grants permission to update an EIP (mutual access between the environment and the public network). | Write | environment * | - | - |
| cae:environment:listVpcEgresses | Grants permission to list all VpcEgress rules (environment access to a VPC). | List | environment * | - | - |
| cae:environment:createVpcEgress | Grants permission to create a VpcEgress rule (environment access to a VPC). | Write | environment * | - | - |
| cae:environment:deleteVpcEgress | Grants permission to delete a VpcEgress rule (environment access to a VPC). | Write | environment * | - | - |
| cae:environment:listVpcIngresses | Grants permission to list all VpcIngress rules (VPC access to the environment). | List | environment * | - | - |
| cae:environment:createVpcIngress | Grants permission to create a VpcIngress rule (VPC access to the environment). | Write | environment * | - | - |
| cae:environment:deleteVpcIngress | Grants permission to delete a VpcIngress rule (VPC access to the environment). | Write | environment * | - | - |
| cae:environment:createMonitorSystem | Grants permission to create a monitoring system. | Write | environment * | - | - |
| cae:environment:updateMonitorSystem | Grants permission to update a monitoring system. | Write | environment * | - | - |
| cae:environment:getMonitorSystem | Grants permission to query a monitoring system. | Read | environment * | - | - |
| cae:environment:listIngressConfigs | Grants permission to list all ingress (inbound network) configurations. | List | environment * | - | - |
| cae:environment:createIngressConfig | Grants permission to create an ingress (inbound network) configuration. | Write | environment * | - | - |
| cae:environment:deleteIngressConfig | Grants permission to delete an ingress (inbound network) configuration. | Write | environment * | - | - |
| cae:environment:updateIngressConfig | Grants permission to update an ingress (inbound network) configuration. | Write | environment * | - | - |
| cae:environment:getEgressConfig | Grants permission to query the egress (outbound network) configuration. | Read | environment * | - | - |
| cae:environment:updateEgressConfig | Grants permission to update the egress (outbound network) configuration. | Write | environment * | - | - |
| cae:environment:getUrlMonitorConfig | Grants permission to query the URL monitoring configuration. | Read | environment * | - | - |
| cae:environment:updateUrlMonitorConfig | Grants permission to update the URL monitoring configuration. | Write | environment * | - | - |
| cae:application:listApplications | Grants permission to list all applications. | List | application * | - | |
| cae:application:createApplication | Grants permission to create an application. | Write | application * | - | - |
| cae:application:deleteApplication | Grants permission to delete an application. | Write | application * | - | - |
| cae:component:listComponents | Grants permission to list all components. | List | component * | - | - |
| cae:component:createComponent | Grants permission to create a component. | Write | component * | - | - |
| cae:component:deleteComponent | Grants permission to delete a component. | Write | component * | - | - |
| cae:component:updateComponent | Grants permission to update a component. | Write | component * | - | - |
| cae:component:getComponent | Grants permission to query a component. | Read | component * | - | - |
| cae:component:createWithConfigComponent | Grants permission to create a component, apply its configuration, and deploy it. | Write | component * | - | - |
| cae:component:operateComponent | Grants permission to operate (deploy\|scale\|upgrade\|rollback\|start\|stop\|restart\|configure) a component. | Write | component * | - | - |
| cae:component:deployComponent | Grants permission to deploy a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:scaleComponent | Grants permission to change the number of instances of a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:upgradeComponent | Grants permission to upgrade a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:rollbackComponent | Grants permission to roll back a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:startComponent | Grants permission to start a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:stopComponent | Grants permission to stop a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:restartComponent | Grants permission to restart a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:labelComponent | Grants permission to label a component (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:configureComponent | Grants permission to apply a component configuration (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:listConfigurations | Grants permission to list all configurations of a component. | List | component * | - | - |
| cae:component:createConfiguration | Grants permission to create (update) a component configuration. | Write | component * | - | - |
| cae:component:deleteConfiguration | Grants permission to delete (cancel) a component configuration. | Write | component * | - | - |
| cae:component:getConfiguration | Grants permission to query a component configuration. | Read | component * | - | - |
| cae:component:createInstanceWebShell | Grants permission to create a remote login session. | Write | component * | - | - |
| cae:component:listConfigItems | Grants permission to list all configuration items (Yuanrong shared edition). | List | component * | - | - |
| cae:component:createConfigItem | Grants permission to create a configuration item (Yuanrong shared edition). | Write | component * | - | - |
| cae:component:deleteConfigItem | Grants permission to delete a configuration item (Yuanrong shared edition). | Write | component * | - | - |
| cae::listNoticeRules | Grants permission to list all event notification rules. | List | - | | |
| cae::createNoticeRule | Grants permission to create an event notification rule. | Write | - | | |
| cae::deleteNoticeRule | Grants permission to delete an event notification rule. | Write | - | | |
| cae::updateNoticeRule | Grants permission to update an event notification rule. | Write | - | | |
| cae::getNoticeRule | Grants permission to query an event notification rule. | Read | - | | |
| cae::listDewSecrets | Grants permission to list all credentials. | List | - | | |
| cae::createDewSecret | Grants permission to create a credential. | Write | - | | |
| cae::deleteDewSecret | Grants permission to delete a credential. | Write | - | | |
| cae::updateDewSecret | Grants permission to update a credential. | Write | - | | |
| cae::getDewSecret | Grants permission to query a credential. | Read | - | | |
| cae::listImageSecrets | Grants permission to list all image access credentials (Yuanrong shared edition). | List | - | | |
| cae::createImageSecret | Grants permission to create an image access credential (Yuanrong shared edition). | Write | - | | |
| cae::deleteImageSecret | Grants permission to delete an image access credential (Yuanrong shared edition). | Write | - | | |
| cae::listComponentSpecificationWhiteLists | Grants permission to list all component specification whitelists (Yuanrong shared edition). | List | - | | |
| cae::createComponentSpecificationWhiteList | Grants permission to create a component specification whitelist (Yuanrong shared edition). | Write | - | | |
| cae::updateComponentSpecificationWhiteList | Grants permission to update a component specification whitelist. | Write | - | | |
| cae::deleteComponentSpecificationWhiteList | Grants permission to delete a component specification whitelist (Yuanrong shared edition). | Write | - | | |
| cae::listMaintenanceConfigs | Grants permission to list all O&M configurations (Yuanrong shared edition). | List | - | | |
| cae::createMaintenanceConfig | Grants permission to create an O&M configuration (Yuanrong shared edition). | Write | - | | |
| cae::deleteMaintenanceConfig | Grants permission to delete an O&M configuration (Yuanrong shared edition). | Write | - | | |
| cae::buyPackage | Grants permission to purchase a package. | Write | - | | |
A cae API usually corresponds to one or more authorization items. Table 2 shows the relationship between APIs and authorization items, and the authorization items each API depends on.
API | Corresponding authorization item | Dependent authorization items |
|---|---|---|
GET /v1/{project_id}/cae/environments | cae:environment:listEnvironments | - |
POST /v1/{project_id}/cae/environments | cae:environment:createEnvironment | - |
DELETE /v1/{project_id}/cae/environments/{environment_id} | cae:environment:deleteEnvironment | - |
POST /v1/{project_id}/cae/environments/{environment_id}/wakeup | cae:environment:createEnvironment | - |
GET /v1/{project_id}/cae/collections | cae:environment:getEnvironment | - |
GET /v1/{project_id}/cae/applications/comb | cae:environment:getEnvironment | - |
GET /v1/{project_id}/cae/volumes | cae:environment:listCloudVolumes | - |
POST /v1/{project_id}/cae/volumes | cae:environment:createCloudVolume | - |
DELETE /v1/{project_id}/cae/volumes/{id} | cae:environment:deleteCloudVolume | - |
GET /v1/{project_id}/cae/domains | cae:environment:listDomains | - |
POST /v1/{project_id}/cae/domains | cae:environment:createDomain | - |
DELETE /v1/{project_id}/cae/domains/{domain_id} | cae:environment:deleteDomain | - |
GET /v1/{project_id}/cae/certificates | cae:environment:listCertificates | - |
POST /v1/{project_id}/cae/certificates | cae:environment:createCertificate | - |
PUT /v1/{project_id}/cae/certificates/{certificate_id} | cae:environment:updateCertificate | - |
DELETE /v1/{project_id}/cae/certificates/{certificate_id} | cae:environment:deleteCertificate | - |
GET /v1/{project_id}/cae/timer-rules | cae:environment:listTimerRules | - |
POST /v1/{project_id}/cae/timer-rules | cae:environment:createTimerRule | - |
DELETE /v1/{project_id}/cae/timer-rules/{timer_rule_id} | cae:environment:deleteTimerRule | - |
PUT /v1/{project_id}/cae/timer-rules/{timer_rule_id} | cae:environment:updateTimerRule | - |
GET /v1/{project_id}/cae/timer-rules/{timer_rule_id}/execution-results | cae:environment:getTimerRule | - |
GET /v1/{project_id}/cae/eips | cae:environment:listEips | - |
PUT /v1/{project_id}/cae/eips | cae:environment:updateEip | - |
GET /v1/{project_id}/cae/vpc-egress | cae:environment:listVpcEgresses | - |
POST /v1/{project_id}/cae/vpc-egress | cae:environment:createVpcEgress | - |
DELETE /v1/{project_id}/cae/vpc-egress/{vpc_egress_id} | cae:environment:deleteVpcEgress | - |
GET /v1/{project_id}/cae/vpc-ingress | cae:environment:listVpcIngresses | - |
POST /v1/{project_id}/cae/vpc-ingress | cae:environment:createVpcIngress | - |
DELETE /v1/{project_id}/cae/vpc-ingress/{vpc_ingress_id} | cae:environment:deleteVpcIngress | - |
GET /v1/{project_id}/cae/monitor-system | cae:environment:getMonitorSystem | - |
POST /v1/{project_id}/cae/monitor-system | cae:environment:createMonitorSystem | - |
PUT /v1/{project_id}/cae/monitor-system/{monitor_system_id} | cae:environment:updateMonitorSystem | - |
GET /v1/{project_id}/cae/applications | cae:application:listApplications | - |
POST /v1/{project_id}/cae/applications | cae:application:createApplication | - |
DELETE /v1/{project_id}/cae/applications/{application_id} | cae:application:deleteApplication | - |
GET /v1/{project_id}/cae/applications/{application_id} | cae:application:listApplications | - |
POST /v1/{project_id}/cae/applications/{application_id}/components | cae:component:createComponent | - |
GET /v1/{project_id}/cae/applications/{application_id}/components | cae:component:listComponents | - |
GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:getComponent | - |
PUT /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:updateComponent | - |
DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id} | cae:component:deleteComponent | - |
POST /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/action | cae:component:operateComponent | - |
GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:listConfigurations | - |
POST /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:createConfiguration | - |
DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configurations | cae:component:deleteConfiguration | - |
GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configuration-history-time | cae:component:getConfiguration | - |
GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/configuration-history | cae:component:getConfiguration | - |
GET /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/instances | cae:component:getComponent | - |
DELETE /v1/{project_id}/cae/applications/{application_id}/components/{component_id}/instances/{instance_name} | cae:component:deleteComponent | - |
POST /v1/{project_id}/cae/remote-console/{instance_id} | cae:component:createInstanceWebShell | - |
GET /v1/{project_id}/cae/jobs/{job_id} | cae:environment:getEnvironment | - |
POST /v1/{project_id}/cae/jobs/{job_id} | cae:environment:createEnvironment | - |
POST /v1/{project_id}/cae/notice-rules | cae::createNoticeRule | - |
GET /v1/{project_id}/cae/notice-rules | cae::listNoticeRules | - |
PUT /v1/{project_id}/cae/notice-rules/{rule_id} | cae::updateNoticeRule | - |
GET /v1/{project_id}/cae/notice-rules/{rule_id} | cae::getNoticeRule | - |
DELETE /v1/{project_id}/cae/notice-rules/{rule_id} | cae::deleteNoticeRule | - |
POST /v1/{project_id}/cae/dew-secrets | cae::createDewSecret | - |
GET /v1/{project_id}/cae/dew-secrets | cae::listDewSecrets | - |
PUT /v1/{project_id}/cae/dew-secrets/{secret_id} | cae::updateDewSecret | - |
DELETE /v1/{project_id}/cae/dew-secrets/{secret_id} | cae::deleteDewSecret | - |
GET /v1/{project_id}/cae/dew-secrets/{secret_id}/effective-components | cae::getDewSecret | - |
GET /v1/{project_id}/cae/demo | cae:component:getComponent | - |
POST /v1/{project_id}/cae/demo/install | cae:component:createComponent | - |
POST /v1/{project_id}/cae/orders | cae::buyPackage | - |
Resource
A resource type (Resource) indicates the resource an identity policy applies to. If an action in Table 3 specifies a resource type for that action, you must specify the URN of that resource in the identity policy statement containing the action, and the policy then applies only to that resource. If no resource is specified, Resource defaults to "*" and the policy applies to all resources. You can also set conditions in an identity policy to specify the resource type.
cae defines the following resource types that can be used in the Resource element of a custom identity policy.

