更新时间:2021-12-08 GMT+08:00
分享

BCE自定义策略

如果系统预置的BCE权限,不满足您的授权要求,可以创建自定义策略。自定义策略中可以添加的授权项(Action)请参考权限及授权项

目前华为云支持以下两种方式创建自定义策略:

  • 可视化视图创建自定义策略:无需了解策略语法,按可视化视图导航栏选择云服务、操作、资源、条件等策略内容,可自动生成策略。
  • JSON视图创建自定义策略:可以在选择策略模板后,根据具体需求编辑策略内容;也可以直接在编辑框内编写JSON格式的策略内容。

具体创建步骤请参见:创建自定义策略。本章为您介绍常用的BCE自定义策略样例。

BCE自定义策略样例

  • 示例1:配置BCE FullAccess策略,该策略有依赖,具体说明请参见权限管理
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "swr:repository:getTag",
                    "swr:repository:getRepository",
                    "swr:repository:getNamespace",
                    "swr:repository:listNamespaces",
                    "swr:repository:listTags",
                    "swr:repository:listRepositories"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "bce:*:*",
                    "cce:cluster:get",
                    "cce:cluster:list",
                    "cce:node:get",
                    "cce:node:list",
                    "cce:storage:create",
                    "cce:storage:list",
                    "CCI:namespace:get",
                    "CCI:namespace:list",
                    "CCI:namespaceSubResource:Create",
                    "CCI:namespaceSubResource:Delete",
                    "CCI:namespaceSubResource:Get",
                    "CCI:namespaceSubResource:List",
                    "CCI:namespaceSubResource:Update",
                    "CCI:network:get",
                    "CCI:network:list",
                    "rds:database:list",
                    "rds:instance:list",
                    "vpc:vpcs:get",
                    "vpc:subnets:get",
                    "vpc:vpcs:list",
                    "evs:volumes:list",
                    "sfs:shares:getAllSharesDetail",
                    "sfs:shares:ShareAction",
                    "evs:volumes:get"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 示例2:配置BCE ReadOnlyAccess策略,该策略有依赖,具体说明请参见权限管理
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "swr:repository:getTag",
                    "swr:repository:getRepository",
                    "swr:repository:getNamespace",
                    "swr:repository:listNamespaces",
                    "swr:repository:listTags",
                    "swr:repository:listRepositories"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "bce:*:list",
                    "bce:*:get",
                    "cce:cluster:get",
                    "cce:cluster:list",
                    "cce:node:get",
                    "cce:node:list",
                    "cce:storage:list",
                    "CCI:namespace:get",
                    "CCI:namespace:list",
                    "CCI:namespaceSubResource:Get",
                    "CCI:namespaceSubResource:List",
                    "CCI:network:get",
                    "CCI:network:list",
                    "rds:database:list",
                    "rds:instance:list",
                    "vpc:vpcs:get",
                    "vpc:subnets:get",
                    "vpc:vpcs:list",
                    "evs:volumes:list",
                    "sfs:shares:getAllSharesDetail",
                    "sfs:shares:ShareAction",
                    "evs:volumes:get"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 示例3:配置BCE CommonOperations策略,该策略有依赖,具体说明请参见权限管理
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "swr:repository:getTag",
                    "swr:repository:getRepository",
                    "swr:repository:getNamespace",
                    "swr:repository:listNamespaces",
                    "swr:repository:listTags",
                    "swr:repository:listRepositories"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "bce:*:get",
                    "bce:*:list",
                    "bce:commonWorkflows:*",
                    "bce:commonWorkflowTemplates:*",
                    "bce:executions:*",
                    "bce:executionsExtend:*",
                    "bce:hpcJobs:*",
                    "bce:tfjobs:*",
                    "bce:queues:*",
                    "bce:workflowsExtend:*",
                    "bce:workflows:*",
                    "cce:cluster:get",
                    "cce:cluster:list",
                    "cce:node:get",
                    "cce:node:list",
                    "cce:storage:create",
                    "cce:storage:list",
                    "CCI:namespace:get",
                    "CCI:namespace:list",
                    "CCI:namespaceSubResource:Create",
                    "CCI:namespaceSubResource:Delete",
                    "CCI:namespaceSubResource:Get",
                    "CCI:namespaceSubResource:List",
                    "CCI:namespaceSubResource:Update",
                    "CCI:network:get",
                    "CCI:network:list",
                    "rds:database:list",
                    "rds:instance:list",
                    "vpc:vpcs:get",
                    "vpc:subnets:get",
                    "vpc:vpcs:list",
                    "evs:volumes:list",
                    "sfs:shares:getAllSharesDetail",
                    "sfs:shares:ShareAction",
                    "evs:volumes:get"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 示例4:查询队列列表
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "
                         bce:queues:list
                     "
                ]
            }
        ]
    }
  • 示例5:拒绝用户删除GCS作业

    拒绝策略需要同时配合其他策略使用,否则没有实际作用。用户被授予的策略中,一个授权项的作用如果同时存在Allow和Deny,则遵循Deny优先原则

    如果您给用户授予BCE FullAccess的系统策略,但不希望用户拥有BCE FullAccess中定义的删除GCS作业权限,您可以创建一条拒绝删除GCS作业的自定义策略,然后同时将BCE FullAccess和拒绝策略授予用户,根据Deny优先原则,则用户可以对BCE执行除了删除GCS作业外的所有操作。拒绝策略示例如下:

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Action": [
                                    "bce:executions:delete"
                            ],
                            "Effect": "Deny"
                    }
            ]
    }
分享:

    相关文档

    相关产品