Custom access policies
<p class="shortdesc"></p>
<p class="p">The custom access policy language is an abstract, JSON-based representation of permission control. The RAM authorization policy language can express fine-grained authorization semantics: it can grant permission for a specific API Action on a specific Resource ID.</p>
<p class="p">A permission control policy (Policy) consists of two parts: one or more statements (Statement) and a version number (Version). A Statement in turn consists of three parts: one or more resources (Resource), an operation (Action) and an effect (Effect). A Statement defines whether the specified operation (Action) is permitted (Effect) on the specified resource (Resource).</p>
<section class="section" id="custom__section_fhd_2bd_flb"><h2 class="doc-tairway">Resource</h2>
<p class="p">A Resource is an abstraction of a service object entity provided by a cloud service. The global format is:</p>
<pre class="pre codeblock"><code>pcs:{$ServiceType}:{$RegionId}:{$AccountId}:{$ResourceType}/{$ResourceIdentifier}</code></pre>
<table class="table" id="custom__table_gvv_gbd_flb"><caption></caption><colgroup><col style="width:153pt"><col style="width:311pt"></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="custom__table_gvv_gbd_flb__entry__1">Item</th>
<th class="entry" id="custom__table_gvv_gbd_flb__entry__2">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">pcs</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Pingan Cloud service identifier: pcs (the initials of Pingan Cloud Service).</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">{$ServiceType}</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Abbreviated English name of the specific service type, e.g. ram, ecs, igw, elb, vpc, vpn, obs.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">{$RegionId}</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Region uuid, e.g. Region-SouthChina. If the policy does not distinguish between regions, use * instead.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">{$AccountId}</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Account uuid (e.g. Tenant-h18HTXgEJ4); in general * can be used instead.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">{$ResourceType}</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Resource type. One service type can contain several resource types, e.g. Instance.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__1 ">
<p class="p">{$ResourceIdentifier}</p>
</td>
<td class="entry" headers="custom__table_gvv_gbd_flb__entry__2 ">
<p class="p">Identifies a specific resource instance; it can be the corresponding name, id, etc. Together with the resource type it identifies one instance of a given resource type, e.g. instance/Instance-WiF4qB identifies the cloud host (ECS) instance whose uuid is Instance-WiF4qB.</p>
</td>
</tr>
</tbody></table>
</section>
<section class="section" id="custom__section_qjf_hbd_flb"><h2 class="doc-tairway">Action</h2>
<p class="p">Action describes the operation the user performs. It can be a specific value (e.g. ListInstances), or it can use the wildcard * to denote a family of operations (e.g. List*, meaning every Action of the given service whose name begins with List, including ListInstances, ListSecurityGroups and so on).</p>
<table class="table" id="custom__table_j5t_bhd_flb"><caption></caption><colgroup><col><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="custom__table_j5t_bhd_flb__entry__1">Action</th>
<th class="entry" id="custom__table_j5t_bhd_flb__entry__2">Resource</th>
<th class="entry" id="custom__table_j5t_bhd_flb__entry__3">Description</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 " rowspan="2">
<p class="p">AddUserToGroup</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 " rowspan="2">
<p class="p">Add a sub-user to a group</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:user/${LoginName}</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 ">
<p class="p">AdminResetPassword</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:user/*</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 ">
<p class="p">Reset a sub-account's password</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__1 " rowspan="2">
<p class="p">AttachPolicyToGroup</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p>
</td>
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__3 " rowspan="2">
<p class="p">Attach a policy to a group</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="custom__table_j5t_bhd_flb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:policy/${PolicyName}</p>
</td>
</tr>
</tbody></table>
</section>
<section class="section" id="custom__section_chz_stk_flb"><h2 class="doc-tairway">Effect</h2>
<p class="p">Effect takes the value Allow or Deny. Allow permits the operation; Deny refuses it. If the authorization check encounters conflicting permission statements, Deny takes precedence.</p>
<p class="p">Consider the following example custom access policy. It allows the start and stop operations on the cloud host (ECS) instances Instance-TrcJCCYtYW and Instance-fR8YYjTu90.</p>
<pre class="pre codeblock"><code>{
  "Statement": [
    {
      "Resource": [
        "pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
        "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"
      ],
      "Action": [
        "ecs:StartInstance",
        "ecs:StopInstance"
      ],
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}</code></pre>
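To make the evaluation rules above concrete (field-by-field Resource matching with * as a wildcard, trailing-wildcard Action matching, and Deny overriding Allow), here is an added example of a minimal policy evaluator. It is illustrative code written for this page, not Pingan Cloud's own RAM engine; the policy is the one from the page plus a constructed Deny statement, and the assumption that an unmatched request is implicitly denied is ours.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy: the page's Allow statement plus an added Deny on one
# instance, so that the Deny-precedence rule can be observed.
POLICY = json.loads("""{
  "Statement": [
    {"Resource": ["pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
                  "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"],
     "Action": ["ecs:StartInstance", "ecs:StopInstance"],
     "Effect": "Allow"},
    {"Resource": ["pcs:ecs:*:*:instance/Instance-fR8YYjTu90"],
     "Action": ["ecs:Stop*"],
     "Effect": "Deny"}
  ],
  "Version": "1"
}""")

def resource_matches(pattern, resource):
    """Compare the five colon-separated fields of
    pcs:{ServiceType}:{RegionId}:{AccountId}:{ResourceType}/{ResourceIdentifier}.
    A '*' in the pattern matches the whole corresponding field."""
    p, r = pattern.split(":", 4), resource.split(":", 4)
    if len(p) != 5 or len(r) != 5:
        return False
    return all(fnmatchcase(rf, pf) for pf, rf in zip(p, r))

def action_matches(pattern, action):
    """Actions may end in '*', e.g. List* matches ListInstances."""
    return fnmatchcase(action, pattern)

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny'. Any matching Deny statement wins over any
    matching Allow; if nothing matches, the request is implicitly denied
    (an assumption of this example)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        hit = any(action_matches(a, action) for a in stmt["Action"]) and \
              any(resource_matches(r, resource) for r in stmt["Resource"])
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"        # explicit Deny takes precedence
        if stmt["Effect"] == "Allow":
            decision = "Allow"   # keep looking in case a Deny follows
    return decision
```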
</section>