权限和授权项
如果您需要对您所拥有的Workspace Application Streaming进行精细的权限管理,您可以使用统一身份认证服务(Identity and Access Management,简称IAM),如果账号已经能满足您的要求,不需要创建独立的IAM用户,您可以跳过本章节,不影响您使用AppStream服务的其它功能。
默认情况下,新建的IAM用户没有任何权限,您需要将其加入用户组,并给用户组授予策略或角色,才能使用户组中的用户获得相应的权限,这一过程称为授权。授权后,用户就可以基于已有权限对云服务进行操作。
权限根据授权的精细程度,分为角色和策略。角色以服务为粒度,是IAM最初提供的一种根据用户的工作职能定义权限的粗粒度授权机制。策略以API接口为粒度进行权限拆分,授权更加精细,可以精确到某个操作、资源和条件,能够满足企业对权限最小化的安全管控要求。
如果您要允许或是禁止某个接口的操作权限,请使用策略。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,租户管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别
授权项(Action) |
API方法 |
对应API接口 |
授权项说明 |
IAM项目(Project) |
企业项目(Enterprise Project) |
|---|---|---|---|---|---|
workspace:appGroup:list |
GET |
/v1/{project_id}/app-groups |
查询应用组 |
√ |
x |
workspace:appGroup:create |
POST |
/v1/{project_id}/app-groups |
创建应用组 |
√ |
x |
workspace:appGroup:delete |
DELETE |
/v1/{project_id}/app-groups/{app_group_id} |
应用组删除 |
√ |
x |
workspace:appGroup:get |
GET |
/v1/{project_id}/app-groups/{app_group_id} |
查询应用组详情 |
√ |
x |
workspace:appGroup:update |
PATCH |
/v1/{project_id}/app-groups/{app_group_id} |
修改应用组 |
√ |
x |
workspace:app:listPublishedApp |
GET |
/v1/{project_id}/app-groups/{app_group_id}/apps |
查询已发布应用 |
√ |
x |
workspace:app:publish |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps |
发布应用 |
√ |
x |
workspace:app:get |
GET |
/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} |
查询应用详细信息 |
√ |
x |
workspace:app:update |
PATCH |
/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} |
修改应用信息 |
√ |
x |
workspace:app:deleteIcon |
DELETE |
/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon |
删除自定义应用图标 |
√ |
x |
workspace:app:uploadIcon |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon |
修改自定义应用图标 |
√ |
x |
workspace:app:check |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps/actions/check |
校验应用 |
√ |
x |
workspace:app:batchDisable |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps/actions/disable |
批量禁用应用 |
√ |
x |
workspace:app:batchEnable |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps/actions/enable |
批量启用应用 |
√ |
x |
workspace:app:unpublish |
POST |
/v1/{project_id}/app-groups/{app_group_id}/apps/batch-unpublish |
批量取消应用发布 |
√ |
x |
workspace:appGroup:listPublishableApp |
GET |
/v1/{project_id}/app-groups/{app_group_id}/publishable-app |
可发布应用列表 |
√ |
x |
workspace:appGroup:batchDeleteAuthorization |
POST |
/v1/{project_id}/app-groups/actions/batch-delete-authorization |
移除应用组授权 |
√ |
x |
workspace:appGroup:disassociate |
POST |
/v1/{project_id}/app-groups/actions/disassociate-app-group |
解除服务组关联的所有应用组 |
√ |
x |
workspace:appGroup:listAuthorization |
GET |
/v1/{project_id}/app-groups/actions/list-authorizations |
查询应用组授权记录 |
√ |
x |
workspace:appGroup:addAuthorization |
POST |
/v1/{project_id}/app-groups/authorizations |
增加应用组授权 |
√ |
x |
workspace:appGroup:batchDelete |
POST |
/v1/{project_id}/app-groups/batch-delete |
批量删除应用组 |
√ |
x |
workspace:appGroup:check |
POST |
/v1/{project_id}/app-groups/rules/validate |
校验应用组 |
√ |
x |
workspace:serverGroup:list |
GET |
/v1/{project_id}/app-server-groups |
查询服务器组列表 |
√ |
√ |
workspace:serverGroup:create |
POST |
/v1/{project_id}/app-server-groups |
创建服务器组 |
√ |
√ |
workspace:serverGroup:delete |
DELETE |
/v1/{project_id}/app-server-groups/{server_group_id} |
删除服务器组 |
√ |
√ |
workspace:serverGroup:get |
GET |
/v1/{project_id}/app-server-groups/{server_group_id} |
查询指定服务器组 |
√ |
√ |
workspace:serverGroup:update |
PATCH |
/v1/{project_id}/app-server-groups/{server_group_id} |
修改服务器组 |
√ |
√ |
workspace:serverGroup:getServerState |
GET |
/v1/{project_id}/app-server-groups/{server_group_id}/state |
查询指定服务器组内服务器状态 |
√ |
√ |
workspace:serverGroup:listDetail |
GET |
/v1/{project_id}/app-server-groups/actions/list |
查询租户服务器组基础信息列表 |
√ |
√ |
workspace:serverGroup:getRestrict |
GET |
/v1/{project_id}/app-server-groups/resources/restrict |
指定租户服务器组限制查询 |
√ |
x |
workspace:serverGroup:validate |
POST |
/v1/{project_id}/app-server-groups/rules/validate |
校验服务器组 |
√ |
x |
workspace:serverGroup:tagResource |
POST |
/v1/{project_id}/server-group/{server_group_id}/tags/create |
服务器组添加标签 |
√ |
√ |
workspace:serverGroup:unTagResource |
DELETE |
/v1/{project_id}/server-group/{server_group_id}/tags/delete |
服务器组删除标签 |
√ |
√ |
workspace:serverGroup:listTagsForResource |
GET |
/v1/{project_id}/server-group/{resource_id}/tags |
查询服务器组标签 |
√ |
√ |
workspace:serverGroup:listTags |
GET |
/v1/{project_id}/server-group/tags |
查询租户所有服务器上标签 |
√ |
√ |
workspace:serverGroup:batchCreateTags |
POST |
/v1/{project_id}/server-group/tags/batch-create |
批量添加服务器组标签 |
√ |
√ |
workspace:serverGroup:batchDeleteTags |
POST |
/v1/{project_id}/server-group/tags/batch-delete |
批量删除服务器组标签 |
√ |
√ |
workspace:server:list |
GET |
/v1/{project_id}/app-servers |
查询服务器列表 |
√ |
√ |
workspace:server:delete |
DELETE |
/v1/{project_id}/app-servers/{server_id} |
删除服务器 |
√ |
√ |
workspace:server:get |
GET |
/v1/{project_id}/app-servers/{server_id} |
查询指定服务器 |
√ |
√ |
workspace:server:update |
PATCH |
/v1/{project_id}/app-servers/{server_id} |
修改服务器 |
√ |
√ |
workspace:server:changeImage |
POST |
/v1/{project_id}/app-servers/{server_id}/actions/change-image |
修改服务器的镜像 |
√ |
√ |
workspace:server:reinstall |
POST |
/v1/{project_id}/app-servers/{server_id}/actions/reinstall |
重装服务器 |
√ |
√ |
workspace:server:getVncUrl |
GET |
/v1/{project_id}/app-servers/{server_id}/actions/vnc |
获取VNC远程登录地址 |
√ |
√ |
workspace:accessAgent:list |
GET |
/v1/{project_id}/app-servers/access-agent/actions/show-latest-version |
查询租户的所有HDA最新版本 |
√ |
x |
workspace:accessAgent:batchUpgrade |
PATCH |
/v1/{project_id}/app-servers/access-agent/actions/upgrade |
批量升级服务器HDA版本 |
√ |
√ |
workspace:accessAgent:listLatestVersion |
GET |
/v1/{project_id}/app-servers/access-agent/latest-version |
查询租户的HDA最新版本 |
√ |
x |
workspace:server:listAccessAgentDetails |
GET |
/v1/{project_id}/app-servers/access-agent/list |
查询服务器的HDA相关信息 |
√ |
√ |
workspace:accessAgent:getUpgradeFlag |
GET |
/v1/{project_id}/app-servers/access-agent/upgrade-flag |
查询HDA升级提醒标识 |
√ |
x |
workspace:accessAgent:updateUpgradeFlag |
PATCH |
/v1/{project_id}/app-servers/access-agent/upgrade-flag |
更新HDA升级通知标识 |
√ |
x |
workspace:accessAgent:listUpgradeRecords |
GET |
/v1/{project_id}/app-servers/access-agent/upgrade-record |
查询服务器的HDA升级跟踪记录 |
√ |
x |
workspace:server:batchDelete |
POST |
/v1/{project_id}/app-servers/actions/batch-delete |
批量删除服务器 |
√ |
√ |
workspace:server:batchChangeMaintainMode |
PATCH |
/v1/{project_id}/app-servers/actions/batch-maint |
标记服务器维护状态 |
√ |
√ |
workspace:server:batchReboot |
PATCH |
/v1/{project_id}/app-servers/actions/batch-reboot |
重启服务器 |
√ |
√ |
workspace:server:batchRejoinDomain |
PATCH |
/v1/{project_id}/app-servers/actions/batch-rejoin-domain |
批量服务器重新加域 |
√ |
√ |
workspace:server:batchStart |
PATCH |
/v1/{project_id}/app-servers/actions/batch-start |
启动服务器 |
√ |
√ |
workspace:server:batchStop |
PATCH |
/v1/{project_id}/app-servers/actions/batch-stop |
关闭服务器 |
√ |
√ |
workspace:server:batchUpdateTsvi |
PATCH |
/v1/{project_id}/app-servers/actions/batch-update-tsvi |
批量更新服务器虚拟会话IP配置 |
√ |
√ |
workspace:server:create |
POST |
/v1/{project_id}/app-servers/actions/create |
创建云服务器 |
√ |
√ |
workspace:server:batchMigrateHosts |
PATCH |
/v1/{project_id}/app-servers/hosts/batch-migrate |
迁移云办公主机下面的服务器到目标云办公主机 |
√ |
√ |
workspace:server:getMetricData |
GET |
/v1/{project_id}/app-servers/metric-data/{server_id} |
查询云应用服务器监控信息 |
√ |
√ |
workspace:jobs:listSubJobs |
GET |
/v1/{project_id}/app-server-sub-jobs |
子任务查询 |
√ |
x |
workspace:jobs:batchDeleteSubJobs |
POST |
/v1/{project_id}/app-server-sub-jobs/actions/batch-delete |
批量删除子任务 |
√ |
x |
workspace:jobs:countSubJobs |
GET |
/v1/{project_id}/app-server-sub-jobs/actions/count |
子任务数量查询 |
√ |
x |
workspace:appWarehouse:authorizeObs |
POST |
/v1/{project_id}/app-warehouse/action/authorize |
获取上传至OBS桶的ak/sk |
√ |
x |
workspace:appWarehouse:batchDeleteApp |
POST |
/v1/{project_id}/app-warehouse/actions/batch-delete |
批量删除应用仓库中的指定应用 |
√ |
x |
workspace:appWarehouse:ListWarehouseApps |
GET |
/v1/{project_id}/app-warehouse/apps |
查询租户应用仓库中的应用列表 |
√ |
x |
workspace:appWarehouse:createApp |
POST |
/v1/{project_id}/app-warehouse/apps |
在应用仓库中新增应用 |
√ |
x |
workspace:appWarehouse:deleteApp |
DELETE |
/v1/{project_id}/app-warehouse/apps/{id} |
删除应用仓库中的指定应用 |
√ |
x |
workspace:appWarehouse:uploadAppIcon |
POST |
/v1/{project_id}/app-warehouse/apps/icon |
在应用仓库中上传图标文件 |
√ |
x |
workspace:appWarehouse:createBucketOrAcl |
POST |
/v1/{project_id}/app-warehouse/bucket-and-acl/create |
添加桶或者桶授权 |
√ |
x |
workspace:orders:create |
POST |
/v1/{project_id}/bundles/subscribe/order |
创建订单 |
√ |
x |
workspace:quotas:get |
GET |
/v1/{project_id}/check/quota |
配额校验 |
√ |
x |
workspace:volumes:listDssPoolsDetail |
GET |
/v1/{project_id}/dss-pools/detail |
获取专属分布式存储池详情列表 |
√ |
x |
workspace:images:listImageJobs |
GET |
/v1/{project_id}/image-server-jobs |
查询租户的任务列表 |
√ |
x |
workspace:images:getImageJob |
GET |
/v1/{project_id}/image-server-jobs/{job_id} |
查询任务详情 |
√ |
x |
workspace:imageServer:list |
GET |
/v1/{project_id}/image-servers |
查询镜像实例列表 |
√ |
√ |
workspace:imageServer:create |
POST |
/v1/{project_id}/image-servers |
创建镜像实例 |
√ |
√ |
workspace:imageServer:get |
GET |
/v1/{project_id}/image-servers/{server_id} |
查询指定镜像实例 |
√ |
√ |
workspace:imageServer:update |
PATCH |
/v1/{project_id}/image-servers/{server_id} |
修改镜像实例 |
√ |
√ |
workspace:imageServer:attachApp |
POST |
/v1/{project_id}/image-servers/{server_id}/actions/attach-app |
分发软件信息至镜像实例 |
√ |
√ |
workspace:imageServer:listLatestAttachedApp |
GET |
/v1/{project_id}/image-servers/{server_id}/actions/latest-attached-app |
查询最近一次分发软件信息列表 |
√ |
x |
workspace:imageServer:recreate |
POST |
/v1/{project_id}/image-servers/{server_id}/actions/recreate-image |
构建云应用镜像 |
√ |
√ |
workspace:imageServer:batchDelete |
PATCH |
/v1/{project_id}/image-servers/actions/batch-delete |
批量删除镜像实例 |
√ |
√ |
workspace:imageServer:listImageSubJobs |
GET |
/v1/{project_id}/image-server-sub-jobs |
子任务查询 |
√ |
x |
workspace:imageServer:batchDeleteImageSubJobs |
PATCH |
/v1/{project_id}/image-server-sub-jobs/actions/batch-delete |
批量删除子任务 |
√ |
x |
workspace:imageServer:countImageSubJobs |
GET |
/v1/{project_id}/image-server-sub-jobs/actions/count |
子任务数量查询 |
√ |
x |
workspace:jobs:get |
GET |
/v1/{project_id}/job/{job_id} |
查询任务的执行状态 |
√ |
x |
workspace:appGroup:listMailRecord |
GET |
/v1/{project_id}/mails |
查询应用组授权邮件发送记录 |
√ |
x |
workspace:appGroup:resendMail |
POST |
/v1/{project_id}/mails/actions/send |
重发应用组授权邮件(根据授权邮件记录) |
√ |
x |
workspace:appGroup:resendMail |
POST |
/v1/{project_id}/mails/actions/send-by-authorization |
重发应用组授权邮件(根据授权记录) |
√ |
x |
workspace:storage:listPersistentStorage |
GET |
/v1/{project_id}/persistent-storages |
查询WKS存储 |
√ |
x |
workspace:storage:createPersistentStorage |
POST |
/v1/{project_id}/persistent-storages |
创建WKS存储 |
√ |
x |
workspace:storage:deletePersistentStorage |
DELETE |
/v1/{project_id}/persistent-storages/{storage_id} |
删除WKS存储 |
√ |
x |
workspace:storage:updateUserFolderAssignment |
POST |
/v1/{project_id}/persistent-storages/{storage_id}/actions/assign-folder |
创建个人存储目录 |
√ |
x |
workspace:storage:updateShareFolderAssignment |
POST |
/v1/{project_id}/persistent-storages/{storage_id}/actions/assign-share-folder |
修改共享目录成员 |
√ |
x |
workspace:storage:createShareFolder |
POST |
/v1/{project_id}/persistent-storages/{storage_id}/actions/create-share-folder |
创建共享存储目录 |
√ |
x |
workspace:storage:deleteStorageClaim |
POST |
/v1/{project_id}/persistent-storages/{storage_id}/actions/delete-storage-claim |
删除共享目录 |
√ |
x |
workspace:storage:deleteUserStorageAttachment |
POST |
/v1/{project_id}/persistent-storages/{storage_id}/actions/delete-user-attachment |
删除个人存储目录 |
√ |
x |
workspace:storage:batchDeletePersistentStorage |
POST |
/v1/{project_id}/persistent-storages/actions/batch-delete |
删除WKS存储 |
√ |
x |
workspace:storage:listStorageAssignment |
GET |
/v1/{project_id}/persistent-storages/actions/list-attachments |
查询个人存储目录 |
√ |
x |
workspace:storage:listShareFolder |
GET |
/v1/{project_id}/persistent-storages/actions/list-share-folders |
查询共享存储目录 |
√ |
x |
workspace:policyGroups:list |
GET |
/v1/{project_id}/policy-groups |
查询策略组列表 |
√ |
x |
workspace:policyGroups:create |
POST |
/v1/{project_id}/policy-groups |
新增策略组 |
√ |
x |
workspace:policyGroups:delete |
DELETE |
/v1/{project_id}/policy-groups/{policy_group_id} |
删除策略组 |
√ |
x |
workspace:policyGroups:get |
GET |
/v1/{project_id}/policy-groups/{policy_group_id} |
查询策略组详情 |
√ |
x |
workspace:policyGroups:update |
PATCH |
/v1/{project_id}/policy-groups/{policy_group_id} |
修改策略组 |
√ |
x |
workspace:policyGroups:listPolicies |
GET |
/v1/{project_id}/policy-groups/{policy_group_id}/policy |
查询策略组中的策略项 |
√ |
x |
workspace:policyGroups:listTargets |
GET |
/v1/{project_id}/policy-groups/{policy_group_id}/target |
查询策略组应用对象 |
√ |
x |
workspace:policyGroups:getOriginalPolicies |
GET |
/v1/{project_id}/policy-groups/actions/list-original-policy |
查询初始策略项 |
√ |
x |
workspace:policyGroups:listDetail |
GET |
/v1/{project_id}/policy-groups/show/detail |
查询策略组详情列表 |
√ |
x |
workspace:policyGroups:listTemplate |
GET |
/v1/{project_id}/policy-templates |
查询策略模板列表 |
√ |
x |
workspace:policyGroups:createTemplate |
POST |
/v1/{project_id}/policy-templates |
新增策略模板 |
√ |
x |
workspace:policyGroups:deleteTemplate |
DELETE |
/v1/{project_id}/policy-templates/{policy_template_id} |
删除策略模板 |
√ |
x |
workspace:policyGroups:updateTemplate |
PATCH |
/v1/{project_id}/policy-templates/{policy_template_id} |
修改策略模板 |
√ |
x |
workspace:privacystatements:get |
GET |
/v1/{project_id}/privacy-statement |
查询最新版本的隐私声明 |
√ |
x |
workspace:privacystatements:sign |
POST |
/v1/{project_id}/privacy-statement |
签署隐私声明 |
√ |
x |
workspace:scalingPolicy:delete |
DELETE |
/v1/{project_id}/scaling-policy |
删除弹性伸缩策略 |
√ |
x |
workspace:scalingPolicy:list |
GET |
/v1/{project_id}/scaling-policy |
查询服务器组弹性伸缩策略 |
√ |
x |
workspace:scalingPolicy:create |
PUT |
/v1/{project_id}/scaling-policy |
新增/修改弹性伸缩策略 |
√ |
x |
workspace:scheduledTasks:list |
GET |
/v1/{project_id}/schedule-task |
查询定时任务列表 |
√ |
x |
workspace:scheduledTasks:create |
POST |
/v1/{project_id}/schedule-task |
新增定时任务 |
√ |
x |
workspace:scheduledTasks:getRecord |
GET |
/v1/{project_id}/schedule-task/{execute_history_id}/execute-detail |
查询定时任务执行子任务列表 |
√ |
x |
workspace:scheduledTasks:delete |
DELETE |
/v1/{project_id}/schedule-task/{task_id} |
删除任务 |
√ |
x |
workspace:scheduledTasks:get |
GET |
/v1/{project_id}/schedule-task/{task_id} |
查询指定定时任务详情 |
√ |
x |
workspace:scheduledTasks:update |
PATCH |
/v1/{project_id}/schedule-task/{task_id} |
修改定时任务 |
√ |
x |
workspace:scheduledTasks:listRecords |
GET |
/v1/{project_id}/schedule-task/{task_id}/execute-history |
查询定时任务执行列表 |
√ |
x |
workspace:scheduledTasks:batchDelete |
POST |
/v1/{project_id}/schedule-task/actions/batch-delete |
批量删除定时任务 |
√ |
x |
workspace:scheduledTasks:getFuture |
POST |
/v1/{project_id}/schedule-task/future-executions |
未来执行的具体时间列表 |
√ |
x |
workspace:session:listAppConnection |
POST |
/v1/{project_id}/session/app-connection |
查询应用使用记录 |
√ |
x |
workspace:session:logoffUserSession |
POST |
/v1/{project_id}/session/logoff |
用户会话注销 |
√ |
x |
workspace:session:listUserConnection |
POST |
/v1/{project_id}/session/user-connection |
查询用户登录记录 |
√ |
x |
workspace:session:listSessionByUserName |
GET |
/v1/{project_id}/session/user-session-info |
根据用户名查询当前会话 |
√ |
x |
workspace:storagePolicy:create |
PUT |
/v1/{project_id}/storages-policy/actions/create-statements |
新增或更新存储目录访问权限自定义策略 |
√ |
x |
workspace:storagePolicy:list |
GET |
/v1/{project_id}/storages-policy/actions/list-statements |
查询存储目录访问权限策略 |
√ |
x |
workspace:users:list |
GET |
/v1/{project_id}/users |
查询用户(组) |
√ |
x |
workspace:storage:listSfs3Storage |
GET |
/v1/persistent-storages/actions/list-sfs-storages |
查询SFS3.0存储 |
√ |
x |
workspace:baseResource:list |
GET |
/v1/{project_id}/availability-zone |
查询可用分区列表 |
√ |
x |
workspace:tenants:listConfigInfo |
POST |
/v1/{project_id}/bundles/batch-query-config-info |
查询企业系统配置 |
√ |
x |
workspace:baseResource:list |
GET |
/v1/{project_id}/product |
查询云应用套餐 |
√ |
x |
workspace:baseResource:list |
GET |
/v1/{project_id}/session-type |
查询会话套餐列表 |
√ |
x |
workspace:tenants:active |
POST |
/v1/{project_id}/tenant/action/active |
租户服务激活、初始化 |
√ |
x |
workspace:tenants:listTenantProfile |
GET |
/v1/{project_id}/tenant/profile |
查询租户信息 |
√ |
x |
workspace:baseResource:list |
GET |
/v1/{project_id}/volume-type |
查询可用磁盘类型 |
√ |
x |
workspace:server:listServerMetricData |
GET |
/v1/{project_id}/app-servers/server-metric-data/{server_id} |
查询服务器的监控数据 |
√ |
x |
workspace:session:listSessions |
GET |
/v1/{project_id}/session/list-sessions |
查询企业会话列表 |
√ |
x |
