This topic describes the Resource Access Management (RAM) permission policies that are related to Enterprise Distributed Application Service (EDAS).

Resource variables in permission policies

In a permission policy, the following variables are used to define a resource:

  • $regionid: The ID of the region where the resource is deployed, for example, cn-shanghai. For more information, see Regions and zones.
  • $namespace: The ID of the namespace. To view namespace IDs, log on to the EDAS console and choose Resource Management > Namespaces in the left-side navigation pane. On the Namespace page, you can view the ID of each namespace.
  • $clusterId: The ID of the cluster, for example, 8c349f69-505c-436f-8dc7-xxxxxxxxx. You can view the ID of a cluster on the cluster details page.
  • $applicationId: The ID of the application, for example, ec8e38a3-3dca-47a7-b6f9-5xxxxxxxxxx. You can view the ID of an application on the basic information page of the application.

Details about permission policies

This section describes how an EDAS-defined permission corresponds to a permission policy of RAM.

Namespace management

Table 1. Namespace management

  Code | Description       | Dependency action                        | Resource
  1.1  | Create namespaces | edas:CreateNamespace                     | acs:edas:$regionid:$accountid:namespace/*
  1.2  | Delete namespaces | edas:ReadNamespace, edas:DeleteNamespace | acs:edas:$regionid:$accountid:namespace/$namespace
  1.4  | Modify namespaces | edas:ManageNamespace, edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace

Table 2. Cluster management

  Code | Description     | Dependency action                    | Resource
  2.1  | Create clusters | edas:CreateCluster                   | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/*
  2.2  | Delete clusters | edas:ReadCluster, edas:DeleteCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
  2.4  | Manage clusters | edas:ReadCluster, edas:ManageCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
  2.3  | Query clusters  | edas:ReadCluster                     | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId

Table 3. Application management

  Code | Description            | Dependency action                            | Resource
  3.1  | Create applications    | edas:CreateApplication                       | acs:edas:$regionid:$accountid:namespace/$namespace/application/*
  3.2  | Delete applications    | edas:ReadApplication, edas:DeleteApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  3.3  | Query applications     | edas:ReadApplication                         | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  3.4  | Manage applications    | edas:ManageApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  3.5  | Configure applications | edas:ConfigApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  3.6  | Manage logs            | edas:ReadApplication, edas:ManageAppLog      | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 4. Microservice management

  Code | Description          | Dependency action                    | Resource
  4.1  | Query microservices  | edas:ReadService                     | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  4.2  | Test microservices   | edas:TestService                     | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
  4.3  | Manage microservices | edas:ReadService, edas:ManageService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 5. Configuration management

  Code | Description           | Dependency action | Resource
  5.1  | Query configurations  | acms:R            | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId
  5.2  | Manage configurations | acms:*            | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId

Table 6. System management

  Code | Description            | Dependency action      | Resource
  6.1  | Manage the EDAS system | edas:ManageSystem      | acs:edas:$regionid:$accountid:*
  6.2  | Query operations logs  | edas:ReadOperationLog  | acs:edas:$regionid:$accountid:*
  6.3  | Perform system O&M     | edas:ManageOperation   | acs:edas:$regionid:$accountid:*

Table 7. Management of EDAS features that are available for commercial use

  Code | Description                                          | Dependency action             | Resource
  7    | EDAS features that are available for commercial use  | edas:ManageCommercialization  | acs:edas:$regionid:$accountid:*

Cluster management

The following scenarios describe the permissions that are required for managing clusters:

Query details about clusters

Requires read-only permissions on clusters, for example, the permissions needed to query the details about a cluster, including the instances and applications in the cluster.
Note You must grant the RAM user the permissions to access the resource group. The RAM user can then query details about clusters in that resource group.
{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ReadCluster"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
       "Effect": "Allow"
      }
   ]
 }

Delete clusters

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ReadCluster","edas:DeleteCluster"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
       "Effect": "Allow"
      }
   ]
 }

Create clusters

Notice To create a cluster, the cluster/ field in Resource must be followed by an asterisk (*).
{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:CreateCluster"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
       "Effect": "Allow"
      }
   ]
 }

Manage clusters

Allows a RAM user to create a cluster, add instances to a cluster, modify a cluster, and delete a cluster.

Notice To create a cluster, the cluster/ field in Resource must be followed by an asterisk (*).
{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ManageCluster"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
       "Effect": "Allow"
      }
   ]
 }
The following examples show how to grant cluster management permissions to a RAM user:
  • Example 1: Grant cluster management permissions to the RAM user but forbid the RAM user from creating clusters.
    {
       "Version": "1",
       "Statement": [
         {
           "Action": ["edas:ManageCluster"],
           "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
           "Effect": "Allow"
         },
         {
           "Action": ["edas:CreateCluster"],
           "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
           "Effect": "Deny"
          }
       ]
     }
    Note If $clusterId is set to a specific cluster ID, the RAM user can manage only the specified cluster. If $clusterId is set to an asterisk (*), the RAM user can manage all clusters in the specified namespace.
  • Example 2: Grant cluster management permissions to a RAM user but forbid the RAM user from creating or deleting clusters.
    {
       "Version": "1",
       "Statement": [
         {
           "Action": ["edas:ManageCluster"],
           "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
           "Effect": "Allow"
         },
         {
           "Action": ["edas:CreateCluster","edas:DeleteCluster"],
           "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
           "Effect": "Deny"
          }
       ]
     }
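The two examples above combine an Allow statement with a Deny statement, and the Notices in this section require every Create action to be granted on a resource that ends in /*. The following added example (not Alibaba Cloud's own code) evaluates a policy document offline under the assumed semantics that * is a wildcard in Action and Resource, an explicit Deny overrides any Allow, and an unmatched request is implicitly denied; it also lints Create statements for the /* rule. The region cn-shanghai and the namespace ID ns-placeholder are placeholder values.

```python
"""Evaluator and linter for EDAS RAM policy documents (added example).
Assumed: '*' is a glob in Action/Resource, explicit Deny beats Allow."""
import fnmatch

# Constructed sample: Example 1 above with the variables filled in
# (cn-shanghai and ns-placeholder are placeholders, not real IDs).
EXAMPLE_1 = {
    "Version": "1",
    "Statement": [
        {"Action": ["edas:ManageCluster"],
         "Resource": ["acs:edas:cn-shanghai:*:namespace/ns-placeholder/cluster/*"],
         "Effect": "Allow"},
        {"Action": ["edas:CreateCluster"],
         "Resource": ["acs:edas:cn-shanghai:*:namespace/ns-placeholder/cluster/*"],
         "Effect": "Deny"},
    ],
}

# Object kind created by each Create action; the page's Notices require
# the matching Resource to end in '<kind>/*'.
CREATE_KIND = {"edas:CreateNamespace": "namespace/",
               "edas:CreateCluster": "cluster/",
               "edas:CreateApplication": "application/"}


def _match(patterns, value):
    """True if any '*'-pattern in the list matches the whole value."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def lint_create_statements(policy):
    """Return (action, resource) pairs where a Create Allow names one object."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in stmt["Action"]:
            kind = CREATE_KIND.get(action)
            for res in stmt["Resource"]:
                if kind and kind in res and not res.endswith(kind + "*"):
                    problems.append((action, res))
    return problems
```

Running evaluate on EXAMPLE_1 shows that edas:ManageCluster on any cluster in the namespace is allowed while edas:CreateCluster is denied even though the Allow statement's wildcard would otherwise cover it.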

Namespace management

The following scenarios describe the permissions that are required for managing namespaces:

Delete namespaces

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ReadNamespace","edas:DeleteNamespace"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
       "Effect": "Allow"
      }
   ]
 }

Create namespaces

Notice To create a namespace, the namespace/ field in Resource must be followed by an asterisk (*).
{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:CreateNamespace"],
       "Resource": ["acs:edas:$regionid:*:namespace/*"],
       "Effect": "Allow"
      }
   ]
 }

Manage namespaces

To allow a RAM user to modify or rename namespaces, you must grant the RAM user the permissions to manage namespaces.

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ManageNamespace"],
       "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
       "Effect": "Allow"
      }
   ]
 }

Application management

The following scenarios describe the permissions that are required for managing applications:

Permissions on an individual application

  • Manage an application: Allows a RAM user to query the information about an application and manage the configuration and logs of an application, but does not allow the RAM user to create or delete applications.
    {
        "Statement": [
          {
            "Action": [
              "edas:*Application"
            ],
            "Effect": "Allow",
            "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
          },
          {
            "Action": [
              "edas:DeleteApplication"
            ],
            "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"],
            "Effect": "Deny"
          },
          {
            "Action": [
              "edas:CreateApplication"
            ],
            "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/*"],
            "Effect": "Deny"
          }
        ],
        "Version": "1"
    }
  • Create an application
    Notice To create an application, an instance in the cluster is required. Therefore, you must grant the RAM user the permissions to query the cluster.
    {
      "Statement": [
        {
          "Action": [
            "edas:CreateApplication",
            "edas:ReadCluster"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/*",
            "acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"
          ]
        }
      ],
      "Version": "1"
    }
  • Delete an application
    Notice To allow a RAM user to delete an application, you must grant the RAM user the permissions to query the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:DeleteApplication",
            "edas:ReadApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Manage logs
    Notice To allow a RAM user to manage the logs of an application, you must grant the RAM user the permissions to query the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ManageAppLog"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Configure an application: Allows a RAM user to set the application port, Tomcat context, load balancing parameters, health check parameters, Java virtual machine (JVM) parameters, and service priority in the current zone.
    Notice To allow a RAM user to configure an application, you must grant the RAM user the permissions to query the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ConfigApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }

Permissions on multiple applications

  • Query applications: Allows a RAM user to query applications in a specified region.
    Note A region may contain one or more namespaces. This permission allows a RAM user to query applications in all namespaces in a specified region.
    {
        "Statement": [
          {
            "Action": [
              "edas:ReadApplication"
            ],
            "Effect": "Allow",
            "Resource": ["acs:edas:$regionid:*:namespace/*/application/*"]
          }
        ],
        "Version": "1"
    }
  • Query applications: Allows a RAM user to query applications in a specified namespace.
    {
        "Statement": [
          {
            "Action": [
              "edas:*Application",
              "edas:ReadCluster"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:edas:$regionid:*:namespace/$namespace/application/*",
              "acs:edas:$regionid:*:namespace/$namespace/cluster/*"
            ]
          }
        ],
        "Version": "1"
    }

Microservice management

The following scenarios describe the permissions that are required for managing microservices:

Query microservices

Note To query all microservices, set $applicationId to an asterisk (*) in the permission policy.
{
    "Statement": [
      {
        "Action": [
          "edas:ReadService"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Test microservices

Note To test applications in all namespaces, set $namespace and $applicationId to an asterisk (*).
{
    "Statement": [
      {
        "Action": [
          "edas:TestService"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Grant an application permissions on microservices

Note To grant all applications permissions on microservices, set $applicationId to an asterisk (*).
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Eject outlier instances

Notice The ejection of an outlier instance affects applications in the namespace. You can grant RAM users the permissions to eject outlier instances only in a specified namespace.
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace"
        ]
      }
    ],
    "Version": "1"
}

Configuration management

EDAS is integrated with ACM. For more information about ACM-specific permissions, see Access control.

System management

Includes the permissions to manage sub-accounts, query resource usage, and query operations logs.

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ManageSystem"],
       "Resource": ["acs:edas:*:*:*"],
       "Effect": "Allow"
      }
   ]
 }
Note System permissions are not defined by specific resources. Therefore, set Resource to acs:edas:*:*:* in the permission policy.

Perform system O&M

Allows a RAM user to query operations logs, perform one or more O&M tasks at a time, and manage resource groups.

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ManageOperation"],
       "Resource": ["acs:edas:*:*:*"],
       "Effect": "Allow"
      }
   ]
 }

Query operations logs

{
   "Version": "1",
   "Statement": [
     {
       "Action": ["edas:ReadOperationLog"],
       "Resource": ["acs:edas:*:*:*"],
       "Effect": "Allow"
      }
   ]
 }