Permissions and Authorization Items
If you need fine-grained permission management for your Workspace Application Streaming resources, you can use Identity and Access Management (IAM). If your account already meets your requirements and you do not need to create separate IAM users, you can skip this section; doing so does not affect your use of other AppStream functions.
By default, a newly created IAM user has no permissions. You must add the user to a user group and grant the group policies or roles so that the users in the group obtain the corresponding permissions; this process is called authorization. After authorization, users can operate on cloud services based on the permissions they have been granted.
Permissions are divided into roles and policies according to their granularity. Roles are service-level: a coarse-grained authorization mechanism originally provided by IAM that defines permissions by job function. Policies split permissions at the API level, so authorization is finer-grained and can be scoped to a specific operation, resource, and condition, which meets enterprise requirements for least-privilege security control.

To allow or deny the operation permission of a specific API, use policies.
Supported Authorization Items
Policies include system policies and custom policies. If the system policies do not meet your authorization requirements, the tenant administrator can create custom policies and grant them to user groups for fine-grained access control. The operations a policy supports correspond to APIs. The columns of the authorization item list are described as follows:
- Permission: allows or denies an operation.
- Corresponding API: the API actually called by the custom policy.
- Authorization item: an Action supported in custom policies. Writing an authorization item into the Action field of a custom policy grants the permission that item corresponds to.
- Dependent authorization items: some Actions depend on other Actions; the dependent Actions must also be written into the policy for the corresponding permission to take effect.
- IAM Project / Enterprise Project: the authorization scope of a custom policy, which may be IAM projects or enterprise projects. If both are supported, a custom policy containing this authorization item can be granted to user groups in either IAM or Enterprise Management and takes effect in both. If only IAM projects are supported, the policy can only be granted in IAM; if it is granted in Enterprise Management, the custom policy does not take effect. For the differences between IAM projects and enterprise projects, see "Differences Between IAM and Enterprise Management".
| Authorization Item (Action) | API Method | Corresponding API | Description | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| workspace:appGroup:list | GET | /v1/{project_id}/app-groups | Query application groups | √ | x |
| workspace:appGroup:create | POST | /v1/{project_id}/app-groups | Create application group | √ | x |
| workspace:appGroup:delete | DELETE | /v1/{project_id}/app-groups/{app_group_id} | Delete application group | √ | x |
| workspace:appGroup:get | GET | /v1/{project_id}/app-groups/{app_group_id} | Query application group details | √ | x |
| workspace:appGroup:update | PATCH | /v1/{project_id}/app-groups/{app_group_id} | Modify application group | √ | x |
| workspace:app:listPublishedApp | GET | /v1/{project_id}/app-groups/{app_group_id}/apps | Query published applications | √ | x |
| workspace:app:publish | POST | /v1/{project_id}/app-groups/{app_group_id}/apps | Publish application | √ | x |
| workspace:app:get | GET | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} | Query application details | √ | x |
| workspace:app:update | PATCH | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id} | Modify application information | √ | x |
| workspace:app:deleteIcon | DELETE | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon | Delete custom application icon | √ | x |
| workspace:app:uploadIcon | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/{app_id}/icon | Modify custom application icon | √ | x |
| workspace:app:check | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/check | Validate application | √ | x |
| workspace:app:batchDisable | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/disable | Batch disable applications | √ | x |
| workspace:app:batchEnable | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/actions/enable | Batch enable applications | √ | x |
| workspace:app:unpublish | POST | /v1/{project_id}/app-groups/{app_group_id}/apps/batch-unpublish | Batch unpublish applications | √ | x |
| workspace:appGroup:listPublishableApp | GET | /v1/{project_id}/app-groups/{app_group_id}/publishable-app | List publishable applications | √ | x |
| workspace:appGroup:batchDeleteAuthorization | POST | /v1/{project_id}/app-groups/actions/batch-delete-authorization | Remove application group authorization | √ | x |
| workspace:appGroup:disassociate | POST | /v1/{project_id}/app-groups/actions/disassociate-app-group | Disassociate all application groups from a server group | √ | x |
| workspace:appGroup:listAuthorization | GET | /v1/{project_id}/app-groups/actions/list-authorizations | Query application group authorization records | √ | x |
| workspace:appGroup:addAuthorization | POST | /v1/{project_id}/app-groups/authorizations | Add application group authorization | √ | x |
| workspace:appGroup:batchDelete | POST | /v1/{project_id}/app-groups/batch-delete | Batch delete application groups | √ | x |
| workspace:appGroup:check | POST | /v1/{project_id}/app-groups/rules/validate | Validate application group | √ | x |
| workspace:serverGroup:list | GET | /v1/{project_id}/app-server-groups | Query server group list | √ | √ |
| workspace:serverGroup:create | POST | /v1/{project_id}/app-server-groups | Create server group | √ | √ |
| workspace:serverGroup:delete | DELETE | /v1/{project_id}/app-server-groups/{server_group_id} | Delete server group | √ | √ |
| workspace:serverGroup:get | GET | /v1/{project_id}/app-server-groups/{server_group_id} | Query specified server group | √ | √ |
| workspace:serverGroup:update | PATCH | /v1/{project_id}/app-server-groups/{server_group_id} | Modify server group | √ | √ |
| workspace:serverGroup:getServerState | GET | /v1/{project_id}/app-server-groups/{server_group_id}/state | Query the state of servers in a specified server group | √ | √ |
| workspace:serverGroup:listDetail | GET | /v1/{project_id}/app-server-groups/actions/list | Query basic information list of the tenant's server groups | √ | √ |
| workspace:serverGroup:getRestrict | GET | /v1/{project_id}/app-server-groups/resources/restrict | Query restrictions for the tenant's server groups | √ | x |
| workspace:serverGroup:validate | POST | /v1/{project_id}/app-server-groups/rules/validate | Validate server group | √ | x |
| workspace:serverGroup:tagResource | POST | /v1/{project_id}/server-group/{server_group_id}/tags/create | Add tag to server group | √ | √ |
| workspace:serverGroup:unTagResource | DELETE | /v1/{project_id}/server-group/{server_group_id}/tags/delete | Delete tag from server group | √ | √ |
| workspace:serverGroup:listTagsForResource | GET | /v1/{project_id}/server-group/{resource_id}/tags | Query server group tags | √ | √ |
| workspace:serverGroup:listTags | GET | /v1/{project_id}/server-group/tags | Query all tags on the tenant's server groups | √ | √ |
| workspace:serverGroup:batchCreateTags | POST | /v1/{project_id}/server-group/tags/batch-create | Batch add server group tags | √ | √ |
| workspace:serverGroup:batchDeleteTags | POST | /v1/{project_id}/server-group/tags/batch-delete | Batch delete server group tags | √ | √ |
| workspace:server:list | GET | /v1/{project_id}/app-servers | Query server list | √ | √ |
| workspace:server:delete | DELETE | /v1/{project_id}/app-servers/{server_id} | Delete server | √ | √ |
| workspace:server:get | GET | /v1/{project_id}/app-servers/{server_id} | Query specified server | √ | √ |
| workspace:server:update | PATCH | /v1/{project_id}/app-servers/{server_id} | Modify server | √ | √ |
| workspace:server:changeImage | POST | /v1/{project_id}/app-servers/{server_id}/actions/change-image | Change server image | √ | √ |
| workspace:server:reinstall | POST | /v1/{project_id}/app-servers/{server_id}/actions/reinstall | Reinstall server | √ | √ |
| workspace:server:getVncUrl | GET | /v1/{project_id}/app-servers/{server_id}/actions/vnc | Obtain VNC remote login URL | √ | √ |
| workspace:accessAgent:list | GET | /v1/{project_id}/app-servers/access-agent/actions/show-latest-version | Query all latest HDA versions for the tenant | √ | x |
| workspace:accessAgent:batchUpgrade | PATCH | /v1/{project_id}/app-servers/access-agent/actions/upgrade | Batch upgrade server HDA version | √ | √ |
| workspace:accessAgent:listLatestVersion | GET | /v1/{project_id}/app-servers/access-agent/latest-version | Query the tenant's latest HDA version | √ | x |
| workspace:server:listAccessAgentDetails | GET | /v1/{project_id}/app-servers/access-agent/list | Query HDA information of servers | √ | √ |
| workspace:accessAgent:getUpgradeFlag | GET | /v1/{project_id}/app-servers/access-agent/upgrade-flag | Query HDA upgrade reminder flag | √ | x |
| workspace:accessAgent:updateUpgradeFlag | PATCH | /v1/{project_id}/app-servers/access-agent/upgrade-flag | Update HDA upgrade notification flag | √ | x |
| workspace:accessAgent:listUpgradeRecords | GET | /v1/{project_id}/app-servers/access-agent/upgrade-record | Query HDA upgrade tracking records of servers | √ | x |
| workspace:server:batchDelete | POST | /v1/{project_id}/app-servers/actions/batch-delete | Batch delete servers | √ | √ |
| workspace:server:batchChangeMaintainMode | PATCH | /v1/{project_id}/app-servers/actions/batch-maint | Mark server maintenance state | √ | √ |
| workspace:server:batchReboot | PATCH | /v1/{project_id}/app-servers/actions/batch-reboot | Restart servers | √ | √ |
| workspace:server:batchRejoinDomain | PATCH | /v1/{project_id}/app-servers/actions/batch-rejoin-domain | Batch rejoin servers to the domain | √ | √ |
| workspace:server:batchStart | PATCH | /v1/{project_id}/app-servers/actions/batch-start | Start servers | √ | √ |
| workspace:server:batchStop | PATCH | /v1/{project_id}/app-servers/actions/batch-stop | Stop servers | √ | √ |
| workspace:server:batchUpdateTsvi | PATCH | /v1/{project_id}/app-servers/actions/batch-update-tsvi | Batch update server virtual session IP configuration | √ | √ |
| workspace:server:create | POST | /v1/{project_id}/app-servers/actions/create | Create cloud server | √ | √ |
| workspace:server:batchMigrateHosts | PATCH | /v1/{project_id}/app-servers/hosts/batch-migrate | Migrate servers from a cloud office host to a target cloud office host | √ | √ |
| workspace:server:getMetricData | GET | /v1/{project_id}/app-servers/metric-data/{server_id} | Query monitoring information of cloud application servers | √ | √ |
| workspace:jobs:listSubJobs | GET | /v1/{project_id}/app-server-sub-jobs | Query sub-jobs | √ | x |
| workspace:jobs:batchDeleteSubJobs | POST | /v1/{project_id}/app-server-sub-jobs/actions/batch-delete | Batch delete sub-jobs | √ | x |
| workspace:jobs:countSubJobs | GET | /v1/{project_id}/app-server-sub-jobs/actions/count | Query sub-job count | √ | x |
| workspace:appWarehouse:authorizeObs | POST | /v1/{project_id}/app-warehouse/action/authorize | Obtain AK/SK for uploading to the OBS bucket | √ | x |
| workspace:appWarehouse:batchDeleteApp | POST | /v1/{project_id}/app-warehouse/actions/batch-delete | Batch delete specified applications from the application warehouse | √ | x |
| workspace:appWarehouse:ListWarehouseApps | GET | /v1/{project_id}/app-warehouse/apps | Query the application list in the tenant's application warehouse | √ | x |
| workspace:appWarehouse:createApp | POST | /v1/{project_id}/app-warehouse/apps | Add application to the application warehouse | √ | x |
| workspace:appWarehouse:deleteApp | DELETE | /v1/{project_id}/app-warehouse/apps/{id} | Delete specified application from the application warehouse | √ | x |
| workspace:appWarehouse:uploadAppIcon | POST | /v1/{project_id}/app-warehouse/apps/icon | Upload icon file to the application warehouse | √ | x |
| workspace:appWarehouse:createBucketOrAcl | POST | /v1/{project_id}/app-warehouse/bucket-and-acl/create | Add bucket or bucket authorization | √ | x |
| workspace:orders:create | POST | /v1/{project_id}/bundles/subscribe/order | Create order | √ | x |
| workspace:quotas:get | GET | /v1/{project_id}/check/quota | Validate quota | √ | x |
| workspace:volumes:listDssPoolsDetail | GET | /v1/{project_id}/dss-pools/detail | Query detail list of dedicated distributed storage pools | √ | x |
| workspace:images:listImageJobs | GET | /v1/{project_id}/image-server-jobs | Query the tenant's job list | √ | x |
| workspace:images:getImageJob | GET | /v1/{project_id}/image-server-jobs/{job_id} | Query job details | √ | x |
| workspace:imageServer:list | GET | /v1/{project_id}/image-servers | Query image instance list | √ | √ |
| workspace:imageServer:create | POST | /v1/{project_id}/image-servers | Create image instance | √ | √ |
| workspace:imageServer:get | GET | /v1/{project_id}/image-servers/{server_id} | Query specified image instance | √ | √ |
| workspace:imageServer:update | PATCH | /v1/{project_id}/image-servers/{server_id} | Modify image instance | √ | √ |
| workspace:imageServer:attachApp | POST | /v1/{project_id}/image-servers/{server_id}/actions/attach-app | Distribute software information to image instance | √ | √ |
| workspace:imageServer:listLatestAttachedApp | GET | /v1/{project_id}/image-servers/{server_id}/actions/latest-attached-app | Query the most recently distributed software information list | √ | x |
| workspace:imageServer:recreate | POST | /v1/{project_id}/image-servers/{server_id}/actions/recreate-image | Build cloud application image | √ | √ |
| workspace:imageServer:batchDelete | PATCH | /v1/{project_id}/image-servers/actions/batch-delete | Batch delete image instances | √ | √ |
| workspace:imageServer:listImageSubJobs | GET | /v1/{project_id}/image-server-sub-jobs | Query sub-jobs | √ | x |
| workspace:imageServer:batchDeleteImageSubJobs | PATCH | /v1/{project_id}/image-server-sub-jobs/actions/batch-delete | Batch delete sub-jobs | √ | x |
| workspace:imageServer:countImageSubJobs | GET | /v1/{project_id}/image-server-sub-jobs/actions/count | Query sub-job count | √ | x |
| workspace:jobs:get | GET | /v1/{project_id}/job/{job_id} | Query job execution status | √ | x |
| workspace:appGroup:listMailRecord | GET | /v1/{project_id}/mails | Query application group authorization email sending records | √ | x |
| workspace:appGroup:resendMail | POST | /v1/{project_id}/mails/actions/send | Resend application group authorization email (by authorization email record) | √ | x |
| workspace:appGroup:resendMail | POST | /v1/{project_id}/mails/actions/send-by-authorization | Resend application group authorization email (by authorization record) | √ | x |
| workspace:storage:listPersistentStorage | GET | /v1/{project_id}/persistent-storages | Query WKS storage | √ | x |
| workspace:storage:createPersistentStorage | POST | /v1/{project_id}/persistent-storages | Create WKS storage | √ | x |
| workspace:storage:deletePersistentStorage | DELETE | /v1/{project_id}/persistent-storages/{storage_id} | Delete WKS storage | √ | x |
| workspace:storage:updateUserFolderAssignment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/assign-folder | Create personal storage directory | √ | x |
| workspace:storage:updateShareFolderAssignment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/assign-share-folder | Modify shared directory members | √ | x |
| workspace:storage:createShareFolder | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/create-share-folder | Create shared storage directory | √ | x |
| workspace:storage:deleteStorageClaim | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/delete-storage-claim | Delete shared directory | √ | x |
| workspace:storage:deleteUserStorageAttachment | POST | /v1/{project_id}/persistent-storages/{storage_id}/actions/delete-user-attachment | Delete personal storage directory | √ | x |
| workspace:storage:batchDeletePersistentStorage | POST | /v1/{project_id}/persistent-storages/actions/batch-delete | Delete WKS storage | √ | x |
| workspace:storage:listStorageAssignment | GET | /v1/{project_id}/persistent-storages/actions/list-attachments | Query personal storage directories | √ | x |
| workspace:storage:listShareFolder | GET | /v1/{project_id}/persistent-storages/actions/list-share-folders | Query shared storage directories | √ | x |
| workspace:policyGroups:list | GET | /v1/{project_id}/policy-groups | Query policy group list | √ | x |
| workspace:policyGroups:create | POST | /v1/{project_id}/policy-groups | Add policy group | √ | x |
| workspace:policyGroups:delete | DELETE | /v1/{project_id}/policy-groups/{policy_group_id} | Delete policy group | √ | x |
| workspace:policyGroups:get | GET | /v1/{project_id}/policy-groups/{policy_group_id} | Query policy group details | √ | x |
| workspace:policyGroups:update | PATCH | /v1/{project_id}/policy-groups/{policy_group_id} | Modify policy group | √ | x |
| workspace:policyGroups:listPolicies | GET | /v1/{project_id}/policy-groups/{policy_group_id}/policy | Query policy items in a policy group | √ | x |
| workspace:policyGroups:listTargets | GET | /v1/{project_id}/policy-groups/{policy_group_id}/target | Query policy group target objects | √ | x |
| workspace:policyGroups:getOriginalPolicies | GET | /v1/{project_id}/policy-groups/actions/list-original-policy | Query initial policy items | √ | x |
| workspace:policyGroups:listDetail | GET | /v1/{project_id}/policy-groups/show/detail | Query policy group detail list | √ | x |
| workspace:policyGroups:listTemplate | GET | /v1/{project_id}/policy-templates | Query policy template list | √ | x |
| workspace:policyGroups:createTemplate | POST | /v1/{project_id}/policy-templates | Add policy template | √ | x |
| workspace:policyGroups:deleteTemplate | DELETE | /v1/{project_id}/policy-templates/{policy_template_id} | Delete policy template | √ | x |
| workspace:policyGroups:updateTemplate | PATCH | /v1/{project_id}/policy-templates/{policy_template_id} | Modify policy template | √ | x |
| workspace:privacystatements:get | GET | /v1/{project_id}/privacy-statement | Query the latest privacy statement | √ | x |
| workspace:privacystatements:sign | POST | /v1/{project_id}/privacy-statement | Sign privacy statement | √ | x |
| workspace:scalingPolicy:delete | DELETE | /v1/{project_id}/scaling-policy | Delete auto scaling policy | √ | x |
| workspace:scalingPolicy:list | GET | /v1/{project_id}/scaling-policy | Query server group auto scaling policy | √ | x |
| workspace:scalingPolicy:create | PUT | /v1/{project_id}/scaling-policy | Add/modify auto scaling policy | √ | x |
| workspace:scheduledTasks:list | GET | /v1/{project_id}/schedule-task | Query scheduled task list | √ | x |
| workspace:scheduledTasks:create | POST | /v1/{project_id}/schedule-task | Add scheduled task | √ | x |
| workspace:scheduledTasks:getRecord | GET | /v1/{project_id}/schedule-task/{execute_history_id}/execute-detail | Query sub-task list of a scheduled task execution | √ | x |
| workspace:scheduledTasks:delete | DELETE | /v1/{project_id}/schedule-task/{task_id} | Delete task | √ | x |
| workspace:scheduledTasks:get | GET | /v1/{project_id}/schedule-task/{task_id} | Query specified scheduled task details | √ | x |
| workspace:scheduledTasks:update | PATCH | /v1/{project_id}/schedule-task/{task_id} | Modify scheduled task | √ | x |
| workspace:scheduledTasks:listRecords | GET | /v1/{project_id}/schedule-task/{task_id}/execute-history | Query scheduled task execution list | √ | x |
| workspace:scheduledTasks:batchDelete | POST | /v1/{project_id}/schedule-task/actions/batch-delete | Batch delete scheduled tasks | √ | x |
| workspace:scheduledTasks:getFuture | POST | /v1/{project_id}/schedule-task/future-executions | List specific future execution times | √ | x |
| workspace:session:listAppConnection | POST | /v1/{project_id}/session/app-connection | Query application usage records | √ | x |
| workspace:session:logoffUserSession | POST | /v1/{project_id}/session/logoff | Log off user session | √ | x |
| workspace:session:listUserConnection | POST | /v1/{project_id}/session/user-connection | Query user login records | √ | x |
| workspace:session:listSessionByUserName | GET | /v1/{project_id}/session/user-session-info | Query current sessions by user name | √ | x |
| workspace:storagePolicy:create | PUT | /v1/{project_id}/storages-policy/actions/create-statements | Add or update custom storage directory access permission policy | √ | x |
| workspace:storagePolicy:list | GET | /v1/{project_id}/storages-policy/actions/list-statements | Query storage directory access permission policy | √ | x |
| workspace:users:list | GET | /v1/{project_id}/users | Query users (groups) | √ | x |
| workspace:storage:listSfs3Storage | GET | /v1/persistent-storages/actions/list-sfs-storages | Query SFS 3.0 storage | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/availability-zone | Query availability zone list | √ | x |
| workspace:tenants:listConfigInfo | POST | /v1/{project_id}/bundles/batch-query-config-info | Query enterprise system configuration | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/product | Query cloud application packages | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/session-type | Query session package list | √ | x |
| workspace:tenants:active | POST | /v1/{project_id}/tenant/action/active | Activate and initialize tenant service | √ | x |
| workspace:tenants:listTenantProfile | GET | /v1/{project_id}/tenant/profile | Query tenant information | √ | x |
| workspace:baseResource:list | GET | /v1/{project_id}/volume-type | Query available disk types | √ | x |
| workspace:server:listServerMetricData | GET | /v1/{project_id}/app-servers/server-metric-data/{server_id} | Query server monitoring data | √ | x |
| workspace:session:listSessions | GET | /v1/{project_id}/session/list-sessions | Query enterprise session list | √ | x |
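To make the policy evaluation and scope rules described above concrete, here is an added Python example (not code from the product documentation): it evaluates actions taken from the table against a constructed least-privilege custom policy, applying the rules that an explicit Deny wins over Allow and that unmentioned actions are implicitly denied, and it flags granted actions that the table marks as IAM-project only, since a policy containing them would not take effect if attached through Enterprise Management. The "auditor" role, the policy contents, and the use of fnmatch to approximate wildcards in Action are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed least-privilege policy for a read-only "app-streaming auditor"
# (hypothetical role, not one the product defines): read access to server groups,
# servers and application groups, with an explicit Deny on obtaining the VNC
# login URL and on every batch power/maintenance operation.
AUDITOR_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["workspace:serverGroup:list", "workspace:serverGroup:get",
                "workspace:server:*", "workspace:appGroup:list"]},
    {"Effect": "Deny",
     "Action": ["workspace:server:getVncUrl", "workspace:server:batch*"]}
  ]
}
""")

# Excerpt of the authorization-item table above: action -> supports Enterprise Project.
ENTERPRISE_PROJECT_SUPPORT = {
    "workspace:serverGroup:list": True,
    "workspace:serverGroup:get": True,
    "workspace:server:list": True,
    "workspace:server:getVncUrl": True,
    "workspace:server:batchStop": True,
    "workspace:appGroup:list": False,
    "workspace:appWarehouse:authorizeObs": False,
}

def is_allowed(policy, action):
    """Evaluate one action: an explicit Deny wins over any Allow, and an action
    no statement mentions is implicitly denied. Wildcards in Action are
    approximated with fnmatch (an assumption of this example)."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def iam_project_only(policy, support_table):
    """Actions the policy grants that the table marks as IAM-project only:
    granting this policy through Enterprise Management would not confer them."""
    return sorted(a for a, ep in support_table.items()
                  if is_allowed(policy, a) and not ep)
```

Running `iam_project_only(AUDITOR_POLICY, ENTERPRISE_PROJECT_SUPPORT)` on this excerpt reports `workspace:appGroup:list`, which is the one granted action that must be attached in IAM rather than in Enterprise Management.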

