云数据库 TaurusDB
Organizations服务中的服务控制策略(Service Control Policy,以下简称SCP)也可以使用这些授权项元素设置访问控制策略。
SCP不直接进行授权,只划定权限边界。将SCP绑定到组织单元或者成员账号时,并没有直接对组织单元或成员账号授予操作权限,而是规定了成员账号或组织单元包含的成员账号的授权范围。
本章节介绍组织服务中SCP使用的元素,这些元素包含了操作(Action)、资源(Resource)和条件(Condition)。
如何使用这些元素编辑SCP自定义策略,请参考创建SCP。
操作(Action)
操作(Action)即为身份策略中支持的授权项。
- “访问级别”列描述如何对操作进行分类(list、read和write等)。此分类可帮助您了解在身份策略中相应操作对应的访问级别。
- “资源类型”列指每个操作是否支持资源级权限。
- 资源类型支持通配符号*表示所有。如果此列没有值(-),则必须在身份策略语句的Resource元素中指定所有资源类型(“*”)。
- 如果该列包含资源类型,则必须在具有该操作的语句中指定该资源的URN。
- 资源类型列中必需资源在表中用星号(*)标识,表示使用此操作必须指定该资源类型。
关于TaurusDB定义的资源类型的详细信息请参见资源类型(Resource)。
- “条件键”列包括了可以在身份策略语句的Condition元素中支持指定的键值。
- 如果该授权项资源类型列存在值,则表示条件键仅对列举的资源类型生效。
- 如果该授权项资源类型列没有值(-),则表示条件键对整个授权项生效。
- 如果此列条件键没有值(-),表示此操作不支持指定条件键。
关于TaurusDB定义的条件键的详细信息请参见条件(Condition)。
您可以在SCP语句的Action元素中指定以下TaurusDB的相关操作。
授权项 |
描述 |
访问级别 |
资源类型(*为必须) |
条件键 |
---|---|---|---|---|
gaussdbformysql:backup:modifyPolicy |
授予设置自动备份策略的权限。 |
permission_management |
- |
- |
gaussdbformysql:param:delete |
授予删除参数组的权限。 |
permission_management |
- |
- |
gaussdbformysql:instance:switchover |
授予手动主备切换的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:auditlog:list |
授予实例获取审计日志列表的权限。 |
list |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:backup:create |
授予创建手动备份权限。 |
write |
- |
- |
gaussdbformysql:backup:delete |
授予删除备份的权限。 |
write |
- |
- |
gaussdbformysql:backup:getRestoreTime |
授予获取实例可恢复时间点的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:backup:list |
授予获取备份列表的权限。 |
list |
- |
- |
gaussdbformysql:backup:listPolicy |
授予获取备份策略的权限。 |
list |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:database:create |
授予实例创建数据库的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:database:delete |
授予实例删除数据库的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:database:list |
授予实例查询数据库列表的权限。 |
list |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:database:modify |
授予修改数据库相关信息的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:getSecondLevelMonitoringConfig |
授予查询秒级监控配置的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:addReadOnlyNodes |
授予添加只读节点的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:create |
授予创建实例的权限。 |
write |
- |
g:EnterpriseProjectId |
gaussdbformysql:instance:delete |
授予删除实例的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:deleteSqlFilterRules |
授予删除Sql限流规则的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:get |
授予获取实例详情的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:getDcc |
授予获取专属资源池详情的权限。 |
read |
- |
- |
gaussdbformysql:instance:getSqlFilterRule |
授予获取SQL限流规则的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:getSqlFilterStatus |
授予获取SQL限流开关状态的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:list |
授予获取实例列表的权限。 |
list |
- |
- |
gaussdbformysql:proxy:list |
授予获取数据库代理列表的权限。 |
list |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:listSpec |
授予获取数据库代理规格列表的权限。 |
list |
- |
- |
gaussdbformysql:instance:listDcc |
授予获取专属资源列表的权限。 |
list |
- |
- |
gaussdbformysql:instance:listEngine |
授予查询引擎信息的权限。 |
list |
- |
- |
gaussdbformysql:instance:listSpec |
授予查询规格列表的权限。 |
list |
- |
- |
gaussdbformysql:auditlog:operate |
授予开启关闭审计日志的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:bindPublicIp |
授予实例绑定公网IP的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:deleteReadOnlyNodes |
授予实例删除只读节点的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifyVip |
授予实例修改读写内网地址的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifyMaintenanceWindow |
授予修改实例运维时间窗的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifySecondLevelMonitorPolicy |
授予修改实例秒级监控频率的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifyPassword |
授予修改实例密码的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifyPort |
授予修改实例端口的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifySecurityGroup |
授予修改实例安全组的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifySSL |
授予修改SSL开关的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifyStorageSize |
授予实例磁盘扩缩容的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:rename |
授予修改实例名称的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:unbindPublicIp |
授予实例解绑公网IP的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:upgrade |
授予实例升级内核版本的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:create |
授予实例创建数据库用户的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:addNodes |
授予数据库代理节点扩容的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:create |
授予开启数据库代理的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:delete |
授予关闭数据库代理的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:modifySpec |
授予数据库代理规格变更的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:modifyWeight |
授予修改数据库代理权重的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:modifySpec |
授予变更实例规格的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:restart |
授予重启实例的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:restoreInPlace |
授予备份恢复到已有实例的权限。 |
permission_management |
- |
- |
gaussdbformysql:instance:setSqlFilterRules |
授予设置SQL限流规则的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:setSqlFilterStatus |
授予开启/关闭SQL限流的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:instance:tableRestore |
授予PITR库表级恢复的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:tag:deal |
授予添加/删除资源标签的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:log:getErrorLogs |
授予获取错误日志的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:log:getSlowLogs |
授予获取慢日志的权限。 |
read |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:param:apply |
授予应用参数组的权限。 |
permission_management |
- |
- |
gaussdbformysql:param:create |
授予创建参数组的权限。 |
write |
- |
- |
gaussdbformysql:param:get |
授予获取参数组详情的权限。 |
read |
- |
- |
gaussdbformysql:param:list |
授予获取参数组列表的权限。 |
list |
- |
- |
gaussdbformysql:param:update |
授予修改参数组的权限。 |
write |
- |
- |
gaussdbformysql:proxy:modifyConsistency |
授予修改数据库代理会话一致性的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:modifyTransactionSplit |
授予开启/关闭数据库代理事务拆分的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:quota:list |
授予查询配额的权限。 |
read |
- |
- |
gaussdbformysql:quota:modify |
授予修改配额的权限。 |
write |
- |
- |
gaussdbformysql:tag:list |
授予查询标签列表的权限。 |
list |
- |
- |
gaussdbformysql:task:delete |
授予删除任务的权限。 |
write |
- |
- |
gaussdbformysql:task:list |
授予获取任务列表的权限。 |
list |
- |
- |
gaussdbformysql:user:delete |
授予删除数据库用户的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:grantPrivilege |
授予修改数据库用户的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:list |
授予查询数据库用户列表的权限。 |
list |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:modify |
授予查询数据库用户备注的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:revokePrivilege |
授予删除数据库用户权限的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:user:updatePassWord |
授予修改数据库用户密码的权限。 |
write |
instance * |
g:EnterpriseProjectId |
gaussdbformysql:proxy:switchConnectionPoolType |
授予更改数据库代理连接池类型的权限。 |
permission_management |
instance * |
g:EnterpriseProjectId |
TaurusDB的API通常对应着一个或多个授权项。表2展示了API与授权项的关系,以及该API需要依赖的授权项。
API |
对应的授权项 |
依赖的授权项 |
---|---|---|
GET /v3/{project_id}/datastores/{database_name} |
gaussdbformysql:instance:listEngine |
- |
GET /v3/{project_id}/flavors/{database_name} |
gaussdbformysql:instance:listSpec |
- |
POST /v3/{project_id}/instances |
gaussdbformysql:instance:create |
- |
GET /v3.1/{project_id}/instances |
gaussdbformysql:instance:list |
- |
POST /v3/{project_id}/instances/{instance_id}/restart |
gaussdbformysql:instance:restart |
- |
DELETE /v3/{project_id}/instances/{instance_id} |
gaussdbformysql:instance:delete |
- |
GET /v3.1/{project_id}/instances/{instance_id} |
gaussdbformysql:instance:get |
- |
GET /v3.1/{project_id}/instances/details |
gaussdbformysql:instance:get |
- |
POST /v3/{project_id}/instances/{instance_id}/nodes/enlarge |
gaussdbformysql:instance:addReadOnlyNodes |
- |
DELETE /v3/{project_id}/instances/{instance_id}/nodes/{node_id} |
gaussdbformysql:instance:deleteReadOnlyNodes |
- |
POST /v3/{project_id}/instances/{instance_id}/volume/extend |
gaussdbformysql:instance:modifyStorageSize |
- |
PUT /v3/{project_id}/instances/{instance_id}/backups/policy/update |
gaussdbformysql:backup:modifyPolicy |
- |
PUT /v3/{project_id}/instances/{instance_id}/name |
gaussdbformysql:instance:rename |
- |
POST /v3/{project_id}/instances/{instance_id}/password |
gaussdbformysql:instance:modifyPassword |
- |
POST /v3/{project_id}/instances/{instance_id}/action |
gaussdbformysql:instance:modifySpec |
- |
GET /v3/{project_id}/dedicated-resources |
gaussdbformysql:instance:listDcc |
- |
GET /v3/{project_id}/dedicated-resource/{dedicated_resource_id} |
gaussdbformysql:instance:getDcc |
- |
POST /v3/{project_id}/instances/{instance_id}/proxy |
gaussdbformysql:proxy:create |
- |
DELETE /v3/{project_id}/instances/{instance_id}/proxy |
gaussdbformysql:proxy:delete |
- |
GET /v3/{project_id}/instances/{instance_id}/proxies |
gaussdbformysql:proxy:list |
- |
GET /v3/{project_id}/instances/{instance_id}/proxy/flavors |
gaussdbformysql:proxy:listSpec |
- |
POST /v3/{project_id}/instances/{instance_id}/proxy/enlarge |
gaussdbformysql:proxy:addNodes |
- |
PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/flavor |
gaussdbformysql:proxy:modifySpec |
- |
PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/weight |
gaussdbformysql:proxy:modifyWeight |
- |
POST /v3/{project_id}/instances/{instance_id}/proxy/transaction-split |
gaussdbformysql:proxy:modifyTransactionSplit |
- |
POST /v3.1/{project_id}/instances/{instance_id}/error-logs |
gaussdbformysql:log:getErrorLogs |
- |
POST /v3.1/{project_id}/instances/{instance_id}/slow-logs |
gaussdbformysql:log:getSlowLogs |
- |
GET /v3/{project_id}/project-quotas |
gaussdbformysql:quota:list |
- |
GET /v3/{project_id}/quotas |
gaussdbformysql:quota:list |
- |
POST /v3/{project_id}/quotas |
gaussdbformysql:quota:modify |
- |
PUT /v3/{project_id}/quotas |
gaussdbformysql:quota:modify |
- |
POST /v3/{project_id}/backups/create |
gaussdbformysql:backup:create |
- |
GET /v3/{project_id}/backups |
gaussdbformysql:backup:list |
- |
GET /v3/{project_id}/instances/{instance_id}/backups/policy |
gaussdbformysql:backup:listPolicy |
- |
GET /v3/{project_id}/configurations |
gaussdbformysql:param:list |
- |
POST /v3/{project_id}/configurations |
gaussdbformysql:param:create |
- |
DELETE /v3/{project_id}/configurations/{configuration_id} |
gaussdbformysql:param:delete |
- |
GET /v3/{project_id}/configurations/{configuration_id} |
gaussdbformysql:param:get |
- |
PUT /v3/{project_id}/configurations/{configuration_id} |
gaussdbformysql:param:update |
- |
PUT /v3/{project_id}/configurations/{configuration_id}/apply |
gaussdbformysql:param:apply |
- |
GET /v3/{project_id}/instances/{instance_id}/tags |
gaussdbformysql:tag:list |
- |
GET /v3/{project_id}/tags |
gaussdbformysql:tag:list |
- |
POST /v3/{project_id}/instances/{instance_id}/tags/action |
gaussdbformysql:tag:deal |
- |
PUT /v3/{project_id}/instances/{instance_id}/monitor-policy |
gaussdbformysql:instance:modifySecondLevelMonitorPolicy |
- |
GET /v3/{project_id}/instances/{instance_id}/monitor-policy |
gaussdbformysql:instance:getSecondLevelMonitoringConfig |
- |
POST /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/restart |
gaussdbformysql:instance:restart |
- |
POST /v3/{project_id}/instance/{instance_id}/audit-log/switch |
gaussdbformysql:auditlog:operate |
- |
GET /v3/{project_id}/instance/{instance_id}/audit-log/switch-status |
gaussdbformysql:auditlog:list |
- |
GET /v3/{project_id}/jobs |
gaussdbformysql:task:list |
- |
POST /v3/{project_id}/instances/{instance_id}/db-users |
gaussdbformysql:user:create |
- |
GET /v3/{project_id}/instances/{instance_id}/db-users |
gaussdbformysql:user:list |
- |
DELETE /v3/{project_id}/instances/{instance_id}/db-users |
gaussdbformysql:user:delete |
- |
PUT /v3/{project_id}/instances/{instance_id}/db-users/comment |
gaussdbformysql:user:modify |
- |
PUT /v3/{project_id}/instances/{instance_id}/db-users/password |
gaussdbformysql:user:updatePassWord |
- |
POST /v3/{project_id}/instances/{instance_id}/db-users/privilege |
gaussdbformysql:user:grantPrivilege |
- |
DELETE /v3/{project_id}/instances/{instance_id}/db-users/privilege |
gaussdbformysql:user:revokePrivilege |
- |
GET /v3/{project_id}/instances/{instance_id}/databases/charsets |
gaussdbformysql:database:list |
- |
POST /v3/{project_id}/instances/{instance_id}/databases |
gaussdbformysql:database:create |
- |
GET /v3/{project_id}/instances/{instance_id}/databases |
gaussdbformysql:database:list |
- |
DELETE /v3/{project_id}/instances/{instance_id}/databases |
gaussdbformysql:database:delete |
- |
PUT /v3/{project_id}/instances/{instance_id}/databases/comment |
gaussdbformysql:database:modify |
- |
POST /v3/{project_id}/instances/{instance_id}/sql-filter/switch |
gaussdbformysql:instance:setSqlFilterStatus |
- |
GET /v3/{project_id}/instances/{instance_id}/sql-filter/switch |
gaussdbformysql:instance:getSqlFilterStatus |
- |
PUT /v3/{project_id}/instances/{instance_id}/sql-filter/rules |
gaussdbformysql:instance:setSqlFilterRules |
- |
GET /v3/{project_id}/instances/{instance_id}/sql-filter/rules |
gaussdbformysql:instance:getSqlFilterRule |
- |
DELETE /v3/{project_id}/instances/{instance_id}/sql-filter/rules |
gaussdbformysql:instance:deleteSqlFilterRules |
- |
PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/session-consistence |
gaussdbformysql:proxy:modifyConsistency |
- |
GET /v3/{project_id}/immediate-jobs |
gaussdbformysql:task:list |
- |
GET /v3/{project_id}/scheduled-jobs |
gaussdbformysql:task:list |
- |
DELETE /v3/{project_id}/scheduled-jobs |
gaussdbformysql:task:delete |
- |
DELETE /v3/{project_id}/jobs/{job_id} |
gaussdbformysql:task:delete |
- |
POST /v3/{project_id}/instances/{instance_id}/db-upgrade |
gaussdbformysql:instance:upgrade |
- |
PUT /v3/{project_id}/instances/{instance_id}/ssl-option |
gaussdbformysql:instance:modifySSL |
- |
PUT /v3/{project_id}/instances/{instance_id}/public-ips/bind |
gaussdbformysql:instance:bindPublicIp |
- |
PUT /v3/{project_id}/instances/{instance_id}/public-ips/unbind |
gaussdbformysql:instance:unbindPublicIp |
- |
PUT /v3/{project_id}/instances/{instance_id}/switchover |
gaussdbformysql:instance:switchover |
- |
PUT /v3/{project_id}/instances/{instance_id}/ops-window |
gaussdbformysql:instance:modifyMaintenanceWindow |
- |
PUT /v3/{project_id}/instances/{instance_id}/security-group |
gaussdbformysql:instance:modifySecurityGroup |
- |
PUT /v3/{project_id}/instances/{instance_id}/internal-ip |
gaussdbformysql:instance:modifyVip |
- |
PUT /v3/{project_id}/instances/{instance_id}/port |
gaussdbformysql:instance:modifyPort |
- |
PUT /v3/{project_id}/instances/{instance_id}/alias |
gaussdbformysql:instance:rename |
- |
DELETE /v3/{project_id}/backups/{backup_id} |
gaussdbformysql:backup:delete |
- |
POST /v3.1/{project_id}/instances/{instance_id}/restore/tables |
gaussdbformysql:instance:tableRestore |
- |
POST /v3/{project_id}/instances/restore |
gaussdbformysql:instance:restoreInPlace |
- |
GET /v3/{project_id}/instances/{instance_id}/restore-time |
gaussdbformysql:backup:getRestoreTime |
- |
PUT /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/connection-pool-type |
gaussdbformysql:proxy:switchConnectionPoolType |
- |
资源类型(Resource)
资源类型(Resource)表示身份策略所作用的资源。如表3中的某些操作指定了可以在该操作指定的资源类型,则必须在具有该操作的身份策略语句中指定该资源的URN,身份策略仅作用于此资源;如未指定,Resource默认为“*”,则身份策略将应用到所有资源。您也可以在身份策略中设置条件,从而指定资源类型。
TaurusDB定义了以下可以在自定义身份策略的Resource元素中使用的资源类型。