更新时间:2022-05-12 GMT+08:00
分享

创建MRS自定义策略

如果系统预置的MRS权限,不满足您的授权要求,可以创建自定义策略。自定义策略中可以添加的授权项(Action)请参考策略及授权项说明

目前支持以下两种方式创建自定义策略:

  • 可视化视图创建自定义策略:无需了解策略语法,按可视化视图导航栏选择云服务、操作、资源、条件等策略内容,可自动生成策略。
  • JSON视图创建自定义策略:可以在选择策略模板后,根据具体需求编辑策略内容;也可以直接在编辑框内编写JSON格式的策略内容。

具体创建步骤请参见:创建自定义策略。本章为您介绍常用的MRS自定义策略样例。

MRS自定义策略样例

  • 示例1:授权用户仅有创建MRS集群的权限
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mrs:cluster:create",
                    "ecs:*:*",
                    "bms:*:*",
                    "evs:*:*",
                    "vpc:*:*",
                    "smn:*:*"
                ]
            }
        ]
    }
  • 示例2:授权用户调整MRS集群
    { 
        "Version": "1.1", 
        "Statement": [ 
            { 
                "Effect": "Allow", 
                "Action": [ 
                    "mrs:cluster:resize" 
                ] 
            } 
        ] 
    }
  • 示例3:授权用户创建集群、创建并执行作业、删除单个作业,但不允许用户删除集群的权限
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mrs:cluster:create",
                    "mrs:job:submit",
                    "mrs:job:delete"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "mrs:cluster:delete"
                ]
            }
        ]
    }
  • 示例4:授权用户最小权限,创建ECS规格的集群
    • 创建集群时如果使用秘钥对,增加权限:ecs:serverKeypairs:get和ecs:serverKeypairs:list
    • 创建包周期集群时,增加权限:bss:order:update
    • 创集群时使用数据盘加密,增加权限:kms:cmk:list
    • 创建集群时开启告警功能,增加权限:mrs:alarm:subscribe
    • 创建集群时使用外置数据源,增加权限:rds:instance:list
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mrs:cluster:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:updateMetadata",
                    "ecs:cloudServerFlavors:get",
                    "ecs:cloudServerQuotas:get",
                    "ecs:servers:list",
                    "ecs:servers:get",
                    "ecs:cloudServers:delete",
                    "ecs:cloudServers:list",
                    "ecs:serverInterfaces:get",
                    "ecs:serverGroups:manage",
                    "ecs:servers:setMetadata",
                    "ecs:cloudServers:get",
                    "ecs:cloudServers:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:securityGroupRules:delete",
                    "vpc:vpcs:create",
                    "vpc:ports:create",
                    "vpc:securityGroups:get",
                    "vpc:subnets:create",
                    "vpc:privateIps:delete",
                    "vpc:quotas:list",
                    "vpc:networks:get",
                    "vpc:publicIps:list",
                    "vpc:securityGroups:delete",
                    "vpc:securityGroupRules:create",
                    "vpc:privateIps:create",
                    "vpc:ports:get",
                    "vpc:ports:delete",
                    "vpc:publicIps:update",
                    "vpc:subnets:get",
                    "vpc:publicIps:get",
                    "vpc:ports:update",
                    "vpc:vpcs:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:quotas:get",
                    "evs:types:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "bms:serverFlavors:get"
                ]
            }
        ]
    }
  • 示例5:授权用户最小权限,创建BMS规格的集群
    • 创建集群时如果使用秘钥对,增加权限:ecs:serverKeypairs:get和ecs:serverKeypairs:list
    • 创建包周期集群时,增加权限:bss:order:update
    • 创集群时使用数据盘加密,增加权限:kms:cmk:list
    • 创建集群时开启告警功能,增加权限:mrs:alarm:subscribe
    • 创建集群时使用外置数据源,增加权限:rds:instance:list
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mrs:cluster:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:servers:list",
                    "ecs:servers:get",
                    "ecs:cloudServers:delete",
                    "ecs:serverInterfaces:get",
                    "ecs:serverGroups:manage",
                    "ecs:servers:setMetadata",
                    "ecs:cloudServers:create",
                    "ecs:cloudServerFlavors:get",
                    "ecs:cloudServerQuotas:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:securityGroupRules:delete",
                    "vpc:vpcs:create",
                    "vpc:ports:create",
                    "vpc:securityGroups:get",
                    "vpc:subnets:create",
                    "vpc:privateIps:delete",
                    "vpc:quotas:list",
                    "vpc:networks:get",
                    "vpc:publicIps:list",
                    "vpc:securityGroups:delete",
                    "vpc:securityGroupRules:create",
                    "vpc:privateIps:create",
                    "vpc:ports:get",
                    "vpc:ports:delete",
                    "vpc:publicIps:update",
                    "vpc:subnets:get",
                    "vpc:publicIps:get",
                    "vpc:ports:update",
                    "vpc:vpcs:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:quotas:get",
                    "evs:types:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "bms:servers:get",
                    "bms:servers:list",
                    "bms:serverQuotas:get",
                    "bms:servers:updateMetadata",
                    "bms:serverFlavors:get"
                ]
            }
        ]
    }
  • 示例6:授权用户最小权限,创建ECS和BMS混合集群
    • 创建集群时如果使用秘钥对,增加权限:ecs:serverKeypairs:get和ecs:serverKeypairs:list
    • 创建包周期集群时,增加权限:bss:order:update
    • 创集群时使用数据盘加密,增加权限:kms:cmk:list
    • 创建集群时开启告警功能,增加权限:mrs:alarm:subscribe
    • 创建集群时使用外置数据源,增加权限:rds:instance:list
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mrs:cluster:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:updateMetadata",
                    "ecs:cloudServerFlavors:get",
                    "ecs:cloudServerQuotas:get",
                    "ecs:servers:list",
                    "ecs:servers:get",
                    "ecs:cloudServers:delete",
                    "ecs:cloudServers:list",
                    "ecs:serverInterfaces:get",
                    "ecs:serverGroups:manage",
                    "ecs:servers:setMetadata",
                    "ecs:cloudServers:get",
                    "ecs:cloudServers:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:securityGroupRules:delete",
                    "vpc:vpcs:create",
                    "vpc:ports:create",
                    "vpc:securityGroups:get",
                    "vpc:subnets:create",
                    "vpc:privateIps:delete",
                    "vpc:quotas:list",
                    "vpc:networks:get",
                    "vpc:publicIps:list",
                    "vpc:securityGroups:delete",
                    "vpc:securityGroupRules:create",
                    "vpc:privateIps:create",
                    "vpc:ports:get",
                    "vpc:ports:delete",
                    "vpc:publicIps:update",
                    "vpc:subnets:get",
                    "vpc:publicIps:get",
                    "vpc:ports:update",
                    "vpc:vpcs:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:quotas:get",
                    "evs:types:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "bms:servers:get",
                    "bms:servers:list",
                    "bms:serverQuotas:get",
                    "bms:servers:updateMetadata",
                    "bms:serverFlavors:get"
                ]
            }
        ]
    }
分享:

    相关文档

    相关产品

关闭导读