This topic describes the Resource Access Management (RAM) policies that are related to Enterprise Distributed Application Service (EDAS).

Resource variables in policies

In a policy, the following variables are used to define a resource:

  • $regionid: the ID of the region where the resource is deployed, such as cn-shanghai. For more information, see Regions and zones.
  • $namespace: the ID of the microservices namespace. The following figure shows the ID of a microservices namespace.

    To view microservices namespace IDs, log on to the EDAS console. In the left-side navigation pane, choose Resource Management > Microservice Namespaces. On the Microservice Namespace page, you can view the ID of each microservices namespace.

    (Figure: View the ID of a microservices namespace)
  • $clusterId: the ID of the cluster. Example: 8c349f69-505c-436f-8dc7-**********. The following figure shows the ID of a cluster.

    To view cluster IDs, log on to the EDAS console. In the left-side navigation pane, choose Resource Management > ECS Clusters. On the ECS Cluster page, click the desired cluster ID in the Cluster ID/Name column to go to the Cluster Details page to view the ID of the cluster.

    (Figure: View the ID of a cluster)
  • $applicationId: the ID of the application. Example: ec8e38a3-3dca-47a7-b6f9-5**********. The following figure shows the ID of an application.

    To view application IDs, log on to the EDAS console. In the left-side navigation pane, choose Application Management > Applications. On the Applications page, click the name of the desired application in the Application Name column to go to the application details page. On the Basic Information tab of the application details page, you can view the ID of the application.

    (Figure: Application details)

Details about policies

This section describes how an EDAS-defined permission corresponds to a RAM policy.

Microservices namespace management

Table 1. Microservices namespace management
Code | Description | Dependency action | Resource
1.1 | Create microservices namespaces | edas:CreateNamespace | acs:edas:$regionid:$accountid:namespace/*
1.2 | Delete microservices namespaces | edas:ReadNamespace, edas:DeleteNamespace | acs:edas:$regionid:$accountid:namespace/$namespace
1.4 | Modify microservices namespaces | edas:ManageNamespace, edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace
1.5 | View microservices namespaces | edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace

Table 2. Cluster management
Code | Description | Dependency action | Resource
2.1 | Create clusters | edas:CreateCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/*
2.2 | Delete clusters | edas:ReadCluster, edas:DeleteCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
2.3 | View clusters | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
2.4 | Manage clusters | edas:ReadCluster, edas:ManageCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId

Table 3. Application management
Code | Description | Dependency action | Resource
3.1 | Create applications | edas:CreateApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/*
3.2 | Delete applications | edas:ReadApplication, edas:DeleteApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.3 | View applications | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.4 | Manage applications | edas:ManageApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.5 | Configure applications | edas:ConfigApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.6 | Manage logs | edas:ReadApplication, edas:ManageAppLog | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 4. Microservices management
Code | Description | Dependency action | Resource
4.1 | Query microservices | edas:ReadService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
4.2 | Test microservices | edas:TestService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
4.3 | Manage microservices | edas:ReadService, edas:ManageService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 5. Configuration management
Code | Description | Dependency action | Resource
5.1 | View configurations | acms:R | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId
5.2 | Manage configurations | acms:* | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId

Table 6. System management
Code | Description | Dependency action | Resource
6.1 | Manage the EDAS system | edas:ManageSystem | acs:edas:$regionid:$accountid:*
6.2 | View operation logs | edas:ReadOperationLog | acs:edas:$regionid:$accountid:*
6.3 | System O&M | edas:ManageOperation | acs:edas:$regionid:$accountid:*
6.4 | Purchase Elastic Compute Service (ECS) resources | edas:ECSPurchase | acs:edas:*:*:*
6.5 | Purchase Server Load Balancer (SLB) resources | edas:SLBPurchase | acs:edas:*:*:*
6.6 | Purchase Log Service resources | edas:SLSPurchase | acs:edas:*:*:*

Table 7. Management of EDAS features that are available for commercial use
Code | Description | Dependency action | Resource
7 | Manage EDAS features that are available for commercial use | edas:ManageCommercialization | acs:edas:$regionid:$accountid:*

Cluster management

The following scenarios describe the permissions that are required for managing clusters:

Create clusters

Important For the creation of a cluster, cluster/ in the value of the Resource parameter must be followed by an asterisk (*).
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:CreateCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
      "Effect": "Allow"
    }
  ]
}

View the details of a cluster

Requires read-only permissions on the cluster. These permissions allow the RAM user to view the details of the cluster, including the instances and applications in the cluster.
Note You can grant a RAM user the permissions on a resource group so that the RAM user can view the details of the clusters in the resource group.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}

Manage clusters

Allows a RAM user to create a cluster, add instances to a cluster, modify a cluster, and delete a cluster.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}
The following examples show how to grant cluster management permissions to a RAM user:
  • Example 1: Grant cluster management permissions to the RAM user but forbid the RAM user from creating clusters.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["edas:ManageCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
          "Effect": "Allow"
        },
        {
          "Action": ["edas:CreateCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
          "Effect": "Deny"
        }
      ]
    }
    Note If the $clusterId variable is set to a specific cluster ID, the RAM user can manage only the specified cluster. If the $clusterId variable is set to an asterisk (*), the RAM user can manage all clusters in the specified microservices namespace.
  • Example 2: Grant cluster management permissions to the RAM user but forbid the RAM user from creating or deleting clusters.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["edas:ManageCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
          "Effect": "Allow"
        },
        {
          "Action": ["edas:CreateCluster","edas:DeleteCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
          "Effect": "Deny"
        }
      ]
    }
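The way RAM combines the Allow and Deny statements of Example 2 can be checked with a small evaluator. The following Python script is an added example written for this page, not EDAS or RAM code. It assumes RAM's evaluation rule that an explicit Deny overrides any Allow and that a request matched by no statement is denied, and it treats an asterisk in Action and Resource as a wildcard. The region, account, namespace and cluster IDs are constructed placeholders. The script also exercises the note above by binding $clusterId first to one cluster ID and then to an asterisk, and it shows that a policy written with * in the account position matches a request that carries a concrete account ID.

```python
"""Added example (not EDAS or RAM code): a minimal simulator of how the RAM
policy in Example 2 is evaluated. Assumes RAM's rule that an explicit Deny
overrides any Allow, that no matching statement means Deny, and that '*'
in Action and Resource is a wildcard. All IDs are constructed placeholders."""
import fnmatch
import json

REGION = "cn-shanghai"                                   # constructed
ACCOUNT = "123456789012"                                 # constructed
NAMESPACE = "prod"                                       # constructed
CLUSTER = "8c349f69-505c-436f-8dc7-000000000000"         # constructed
OTHER_CLUSTER = "11111111-2222-3333-4444-555555555555"   # constructed

# Example 2 from the page, with its $variables left in place for substitution.
EXAMPLE_2 = """{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    },
    {
      "Action": ["edas:CreateCluster","edas:DeleteCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
      "Effect": "Deny"
    }
  ]
}"""


def render(template, **values):
    """Substitute the $variable placeholders this page uses and parse the JSON."""
    for name, value in values.items():
        template = template.replace("$" + name, value)
    return json.loads(template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def matches(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    return fnmatch.fnmatchcase(value, pattern)


def decide(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request evaluated against one policy."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for statement in policy["Statement"]:
        action_hit = any(matches(p, action) for p in _as_list(statement["Action"]))
        resource_hit = any(matches(p, resource) for p in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends the evaluation
            decision = "Allow"
    return decision


def cluster_arn(namespace, cluster_id):
    """Resource string of the cluster a request targets (concrete account ID)."""
    return f"acs:edas:{REGION}:{ACCOUNT}:namespace/{namespace}/cluster/{cluster_id}"


def scenarios(policy_cluster_id):
    """Evaluate typical cluster requests with $clusterId bound to policy_cluster_id."""
    policy = render(EXAMPLE_2, regionid=REGION, namespace=NAMESPACE, clusterId=policy_cluster_id)
    return {
        "manage_cluster": decide(policy, "edas:ManageCluster", cluster_arn(NAMESPACE, CLUSTER)),
        "manage_other_cluster": decide(policy, "edas:ManageCluster", cluster_arn(NAMESPACE, OTHER_CLUSTER)),
        "manage_other_namespace": decide(policy, "edas:ManageCluster", cluster_arn("test", CLUSTER)),
        "create_cluster": decide(policy, "edas:CreateCluster", cluster_arn(NAMESPACE, "*")),
        "delete_cluster": decide(policy, "edas:DeleteCluster", cluster_arn(NAMESPACE, CLUSTER)),
        "read_cluster": decide(policy, "edas:ReadCluster", cluster_arn(NAMESPACE, CLUSTER)),
    }


if __name__ == "__main__":
    for scope in (CLUSTER, "*"):
        print(f"$clusterId = {scope}")
        for name, result in scenarios(scope).items():
            print(f"  {name:24s} {result}")
```

With $clusterId bound to one cluster, only edas:ManageCluster on that cluster is allowed; creating or deleting clusters is denied by the second statement, and edas:ReadCluster is not granted at all, which is why Table 2.4 lists it as a separate dependency action. Binding $clusterId to an asterisk widens the Allow to every cluster in the namespace, but still not to clusters in another namespace.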

Delete clusters

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadCluster","edas:DeleteCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}

Microservices namespace management

The following scenarios describe the permissions that are required for managing microservices namespaces:

Create microservices namespaces

Important For the creation of a microservices namespace, namespace/ in the value of the Resource parameter must be followed by an asterisk (*). Otherwise, authentication fails.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:CreateNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/*"],
      "Effect": "Allow"
    }
  ]
}

View microservices namespaces

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
      "Effect": "Allow"
    }
  ]
}

Manage microservices namespaces

To allow a RAM user to modify or rename microservices namespaces, you must grant the RAM user the permissions to manage the microservices namespaces.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
      "Effect": "Allow"
    }
  ]
}

Delete microservices namespaces

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadNamespace","edas:DeleteNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
      "Effect": "Allow"
    }
  ]
}

Resource purchases

To give enterprise users finer-grained permission management, EDAS allows them to grant RAM users the permissions to purchase resources. The resources include ECS, SLB, and Log Service resources.

The following scenarios describe the permissions that are required for purchasing resources:

Important
  • In all resource purchasing policies, the value of the Resource parameter must be acs:edas:*:*:*. Finer-grained configurations are not supported.
  • Resource purchasing policies apply only to RAM users.

Purchase ECS resources

  • Applicable scope:
    • Purchase ECS resources in an ECS cluster
    • Purchase ECS resources when you create an application in an ECS cluster
    • Purchase ECS resources when you scale out an application in an ECS cluster
  • Sample policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "edas:ECSPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Purchase SLB resources

  • Applicable scope: Purchase SLB resources when you bind an SLB instance to an application.
  • Sample policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "edas:SLBPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Purchase Log Service resources

  • Applicable scope: Purchase Log Service resources for an application.
  • Sample policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "edas:SLSPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Application management

The following scenarios describe the permissions that are required for managing applications:

Permissions on an individual application

  • Manage an application: Allows a RAM user to view the information about an application and manage the configurations and logs of an application, but does not allow the RAM user to create or delete applications.
    {
      "Statement": [
        {
          "Action": [
            "edas:*Application"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        },
        {
          "Action": [
            "edas:DeleteApplication"
          ],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"],
          "Effect": "Deny"
        },
        {
          "Action": [
            "edas:CreateApplication"
          ],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/*"],
          "Effect": "Deny"
        }
      ],
      "Version": "1"
    }
  • Create an application
    Important To create an application, a user needs to use an instance in the cluster. Therefore, you must grant the RAM user the permissions to view the cluster.
    {
      "Statement": [
        {
          "Action": [
            "edas:CreateApplication",
            "edas:ReadCluster"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/*",
            "acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"
          ]
        }
      ],
      "Version": "1"
    }
  • Delete an application
    Important To allow a RAM user to delete an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:DeleteApplication",
            "edas:ReadApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Manage logs
    Important To allow a RAM user to manage the logs of an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ManageAppLog"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Configure an application: Allows a RAM user to set the application port, Tomcat context, load balancing parameters, health check parameters, Java virtual machine (JVM) parameters, and the Intra-zone Provider First feature.
    Important To allow a RAM user to configure an application, you must grant the RAM user the permissions to view the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ConfigApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
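The Important notes in this section and the Dependency action column of Tables 1 to 4 amount to a small rule set that a policy can be checked against before it is attached to a RAM user. The following Python linter is an added example written for this page, not EDAS or RAM code. Its rules are taken only from the page: creation actions must use a resource ending in an asterisk (Tables 1.1, 2.1 and 3.1 and the Important notes on creating clusters and namespaces), purchase actions must use exactly acs:edas:*:*:*, and actions such as edas:DeleteApplication, edas:ManageAppLog, edas:ConfigApplication and edas:CreateApplication need their companion read action in the same policy. A wildcard action such as edas:*Application is treated as granting edas:ReadApplication, which is why the "Manage an application" policy above passes. The sample policies and IDs in the block are constructed placeholders.

```python
"""Added example (not EDAS or RAM code): a linter for EDAS RAM policies that
checks the rules stated on this page. Rules come from the Important notes
(creation actions need a trailing '*' resource; purchase actions need exactly
acs:edas:*:*:*) and from the Dependency action column of Tables 1-4 (for
instance edas:DeleteApplication also needs edas:ReadApplication, and
edas:CreateApplication also needs edas:ReadCluster). Sample policies and IDs
below are constructed placeholders."""
import fnmatch

# Companion actions from Tables 1-4 and the Important notes in the application section.
REQUIRES = {
    "edas:DeleteNamespace": "edas:ReadNamespace",
    "edas:ManageNamespace": "edas:ReadNamespace",
    "edas:DeleteCluster": "edas:ReadCluster",
    "edas:ManageCluster": "edas:ReadCluster",
    "edas:CreateApplication": "edas:ReadCluster",
    "edas:DeleteApplication": "edas:ReadApplication",
    "edas:ManageApplication": "edas:ReadApplication",
    "edas:ConfigApplication": "edas:ReadApplication",
    "edas:ManageAppLog": "edas:ReadApplication",
    "edas:ManageService": "edas:ReadService",
}
# Creation actions target the wildcard under the parent (Tables 1.1, 2.1, 3.1).
CREATE_SUFFIX = {
    "edas:CreateNamespace": "namespace/*",
    "edas:CreateCluster": "cluster/*",
    "edas:CreateApplication": "application/*",
}
PURCHASE_ACTIONS = {"edas:ECSPurchase", "edas:SLBPurchase", "edas:SLSPurchase"}
PURCHASE_RESOURCE = "acs:edas:*:*:*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return human-readable findings for one policy; an empty list means none found."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version: every policy on this page carries "Version": "1"')
    # Only Allow statements grant anything; Deny statements never need a companion grant.
    allowed = [
        (action, resource)
        for statement in policy.get("Statement", [])
        if statement.get("Effect") == "Allow"
        for action in _as_list(statement.get("Action", []))
        for resource in _as_list(statement.get("Resource", []))
    ]

    def granted(name):
        # A wildcard such as edas:*Application also grants edas:ReadApplication.
        return any(fnmatch.fnmatchcase(name, pattern) for pattern, _ in allowed)

    for action, resource in allowed:
        if action in CREATE_SUFFIX and not resource.endswith(CREATE_SUFFIX[action]):
            findings.append(f"{action}: Resource must end with {CREATE_SUFFIX[action]}, got {resource}")
        if action in PURCHASE_ACTIONS and resource != PURCHASE_RESOURCE:
            findings.append(f"{action}: Resource must be exactly {PURCHASE_RESOURCE}, got {resource}")
        needed = REQUIRES.get(action)
        if needed and not granted(needed):
            findings.append(f"{action}: also grant {needed} (listed as its dependency action)")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order


# Constructed sample policies; the IDs are placeholders, not real EDAS IDs.
APP_ARN = "acs:edas:cn-shanghai:*:namespace/prod/application/app-placeholder-id"
CLUSTER_ARN = "acs:edas:cn-shanghai:*:namespace/prod/cluster/cluster-placeholder-id"

DELETE_APP_OK = {"Version": "1", "Statement": [
    {"Action": ["edas:DeleteApplication", "edas:ReadApplication"], "Effect": "Allow", "Resource": [APP_ARN]}]}
DELETE_APP_NO_READ = {"Version": "1", "Statement": [
    {"Action": ["edas:DeleteApplication"], "Effect": "Allow", "Resource": [APP_ARN]}]}
MANAGE_APP_WILDCARD = {"Version": "1", "Statement": [
    {"Action": ["edas:*Application"], "Effect": "Allow", "Resource": [APP_ARN]}]}
CREATE_CLUSTER_BAD = {"Statement": [  # names one cluster instead of cluster/*, and lacks Version
    {"Action": ["edas:CreateCluster"], "Effect": "Allow", "Resource": [CLUSTER_ARN]}]}
PURCHASE_BAD = {"Version": "1", "Statement": [  # finer-grained purchase resources are not supported
    {"Action": ["edas:ECSPurchase"], "Effect": "Allow", "Resource": ["acs:edas:cn-shanghai:*:*"]}]}

if __name__ == "__main__":
    samples = [("DELETE_APP_OK", DELETE_APP_OK), ("DELETE_APP_NO_READ", DELETE_APP_NO_READ),
               ("MANAGE_APP_WILDCARD", MANAGE_APP_WILDCARD), ("CREATE_CLUSTER_BAD", CREATE_CLUSTER_BAD),
               ("PURCHASE_BAD", PURCHASE_BAD)]
    for name, policy in samples:
        print(name, lint(policy) or "OK")
```

The linter reads the policy as a parsed JSON object, so a policy copied from the console can be passed to lint() after json.loads(). It only reports what the page documents as required; RAM itself does not reject a policy that lacks a companion action, the RAM user simply cannot find the resource at run time, which is the failure the Important notes describe.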

Permissions on multiple applications

  • Query applications: Allows a RAM user to query applications in a specified region.
    Note A region may contain one or more microservices namespaces. This permission allows a RAM user to query applications in all microservices namespaces in a specified region.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/*/application/*"]
        }
      ],
      "Version": "1"
    }
  • View applications: Allows a RAM user to view applications in a specified microservices namespace.
    {
      "Statement": [
        {
          "Action": [
            "edas:*Application",
            "edas:ReadCluster"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/*",
            "acs:edas:$regionid:*:namespace/$namespace/cluster/*"
          ]
        }
      ],
      "Version": "1"
    }

Microservices management

The following scenarios describe the permissions that are required for managing microservices:

View microservices

Note To view all microservices, set the $applicationId variable to an asterisk (*) in the policy.
{
  "Statement": [
    {
      "Action": [
        "edas:ReadService"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
      ]
    }
  ],
  "Version": "1"
}

Test microservices

Note To test applications in all microservices namespaces, set the $namespace and $applicationId variables to an asterisk (*).
{
  "Statement": [
    {
      "Action": [
        "edas:TestService"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
      ]
    }
  ],
  "Version": "1"
}

Grant an application permissions on microservices

Note To grant all applications permissions on microservices, set the $applicationId variable to an asterisk (*).
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Remove outlier instances

Important The removal of an outlier instance affects applications in the microservices namespace. You can grant RAM users the permissions to remove outlier instances only in a specified microservices namespace.
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace"
        ]
      }
    ],
    "Version": "1"
}

Configuration management

EDAS is integrated with Application Configuration Management (ACM). For more information about ACM-specific permissions, see Access control.

System management

Includes the permissions to manage RAM users, view resource usage, and view operation logs.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageSystem"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}
Note System permissions are not bound to specific resources. Therefore, set the Resource parameter to acs:edas:*:*:* in the policy.

System O&M

Allows a RAM user to view operation logs, perform one or more O&M tasks at a time, and manage resource groups.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageOperation"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}

View operation logs

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadOperationLog"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}