Customize permissions

Last Updated: Jul 19, 2017

Action

Action is an API name, which is used to specify the APIs that are opened or restricted for user access. When creating a Table Store authorization policy, add the ots: prefix to each Action and separate multiple Actions with commas. The asterisk (*) wildcard is also supported (including prefix matching and suffix matching).

Typical Action

  • Single API

        "Action": "ots:GetRow"

  • Multiple APIs

        "Action": [
            "ots:PutRow",
            "ots:GetRow"
        ]

  • All read-only APIs

        "Action": [
            "ots:BatchGet*",
            "ots:Describe*",
            "ots:Get*",
            "ots:List*"
        ]

  • All read and write APIs

        "Action": "ots:*"

Resource

A Resource in Table Store is composed of multiple fields, including the product, region, user ID, instance name, and table name. Each field supports the asterisk (*) wildcard (including prefix matching and suffix matching).

The format is as follows:

    acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]

  • The product is ots.

  • [xxx] indicates a variable.

  • The region is an English abbreviation, for example, cn-hangzhou. For more information about the regions of the service nodes, refer to Region.

  • The user ID is the Alibaba Cloud account ID.

Notice: Instance names are case-insensitive. However, you must use lowercase letters for [instance_name] in the resource definition.

Typical Resource

  • All resources of the user in all regions

        "Resource": "acs:ots:*:*:*"

  • All instances and their tables of user 123456 in the China East 1 region

        "Resource": "acs:ots:cn-hangzhou:123456:instance/*"

  • Instance abc and its tables of user 123456 in the China East 1 region

        "Resource": [
            "acs:ots:cn-hangzhou:123456:instance/abc",
            "acs:ots:cn-hangzhou:123456:instance/abc/table/*"
        ]

  • All instances whose names begin with abc, and their tables

        "Resource": "acs:ots:*:*:instance/abc*"

  • All instances whose names begin with abc and their tables whose names begin with xyz (table resources only; the instance resources themselves, which acs:ots:*:*:instance/abc* matches, are not included)

        "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"

  • All instances whose names end with abc, and their tables whose names end with xyz

        "Resource": [
            "acs:ots:*:*:instance/*abc",
            "acs:ots:*:*:instance/*abc/table/*xyz"
        ]

API types

Table Store has two types of APIs:

  • Management APIs for reading from and writing to instances.

  • Data APIs for reading from and writing to tables and rows.

The following table lists these APIs:

API/Action       API Type     Description
ListInstance     Management   Get instance list; called by console only
InsertInstance   Management   Create instance; called by console only
GetInstance      Management   Get instance meta; called by console only
DeleteInstance   Management   Delete instance; called by console only
ListTable        Data         Get table list; called by console and SDK
CreateTable      Data         Create table; called by console and SDK
UpdateTable      Data         Update table meta; called by console and SDK
DescribeTable    Data         Get table meta; called by console and SDK
DeleteTable      Data         Delete table; called by console and SDK
GetRow           Data         Read a record; called by SDK only
PutRow           Data         Insert a record; called by SDK only
UpdateRow        Data         Update a record; called by SDK only
DeleteRow        Data         Delete a record; called by SDK only
GetRange         Data         Read a range of records; called by SDK only
BatchGetRow      Data         Batch read records; called by SDK only
BatchWriteRow    Data         Batch write records; called by SDK only

Resources accessed by management APIs

Management APIs are mainly instance-related operations and can be called only on the console. The action and resource definitions for management APIs therefore affect what can be done in the console. The prefix acs:ots:[region]:[user_id]: is omitted from the accessed resources below, which show only the instance and table parts.

API/Action       Resource Access
ListInstance     instance/*
InsertInstance   instance/[instance_name]
GetInstance      instance/[instance_name]
DeleteInstance   instance/[instance_name]

Resources accessed by data APIs

Data APIs are mainly table-related operations and can be called both on the console and by the SDK. The action and resource definitions for data APIs also affect what can be done in the console. The prefix acs:ots:[region]:[user_id]: is omitted from the accessed resources below, which show only the instance and table parts.

API/Action       Resource Access
ListTable        instance/[instance_name]/table/*
CreateTable      instance/[instance_name]/table/[table_name]
UpdateTable      instance/[instance_name]/table/[table_name]
DescribeTable    instance/[instance_name]/table/[table_name]
DeleteTable      instance/[instance_name]/table/[table_name]
GetRow           instance/[instance_name]/table/[table_name]
PutRow           instance/[instance_name]/table/[table_name]
UpdateRow        instance/[instance_name]/table/[table_name]
DeleteRow        instance/[instance_name]/table/[table_name]
GetRange         instance/[instance_name]/table/[table_name]
BatchGetRow      instance/[instance_name]/table/[table_name]
BatchWriteRow    instance/[instance_name]/table/[table_name]

Description of common problems

  • In a policy, actions and resources are verified by string matching. When the asterisk (*) wildcard is used, prefix matching and suffix matching are distinguished, and the whole string must match. For example, if a resource is defined as acs:ots:*:*:instance/*/, then acs:ots:*:*:instance/abc cannot be matched. If a resource is defined as acs:ots:*:*:instance/abc, then acs:ots:*:*:instance/abc/table/xyz cannot be matched.

  • To manage instance resources on the Table Store console, you must be granted read permission on the acs:ots:[region]:[user_id]:instance/* resource, because the console needs to obtain the instance list.

  • For Batch APIs (such as BatchGetRow and BatchWriteRow), the backend service performs authentication for each table being accessed. The operation is performed only when authentication succeeds for all tables. Otherwise, a permission error is returned.
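The matching rules from the Action, Resource and common-problems sections above, as an added Python example (this is not code from the Table Store documentation or from the RAM service): a minimal policy matcher that treats `*` as matching any run of characters and otherwise compares whole strings, and that applies the all-tables rule for Batch APIs. The policy READ_ONLY_ORDERS, the account ID 123456, the instance abc and the table names orders and users are constructed sample values; Conditions and Deny statements are left out here.

```python
import re


# Wildcard matching as the page describes for Actions and Resources: "*"
# matches any run of characters (including "/"), everything else is literal,
# and the whole string must match, so a pattern ending in "/" or "/abc" does
# not cover a longer or shorter request string.
def wildcard_match(pattern: str, value: str) -> bool:
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(field):
    """A policy field may be a single string or a list of strings."""
    return [field] if isinstance(field, str) else list(field)


def statement_covers(statement: dict, action: str, resource: str) -> bool:
    """True when both the Action and the Resource patterns of a statement match."""
    actions = _as_list(statement["Action"])
    resources = _as_list(statement["Resource"])
    return (any(wildcard_match(p, action) for p in actions)
            and any(wildcard_match(p, resource) for p in resources))


def is_authorized(policy: dict, action: str, resources) -> bool:
    """Authorize one action against one or more request resources.

    A Batch API (BatchGetRow, BatchWriteRow) touches several tables; as the
    page says, every table must be authorized or the whole request fails.
    Only Allow statements are considered; Conditions are out of scope here.
    """
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    return all(any(statement_covers(s, action, r) for s in allows)
               for r in _as_list(resources))


# Constructed sample policy (not from the page): the page's read-only Action
# set, granted on instance abc and its table "orders" only.
READ_ONLY_ORDERS = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*"],
        "Resource": [
            "acs:ots:cn-hangzhou:123456:instance/abc",
            "acs:ots:cn-hangzhou:123456:instance/abc/table/orders",
        ],
    }],
    "Version": "1",
}

# Constructed request resources.
ORDERS = "acs:ots:cn-hangzhou:123456:instance/abc/table/orders"
USERS = "acs:ots:cn-hangzhou:123456:instance/abc/table/users"
ALL_TABLES = "acs:ots:cn-hangzhou:123456:instance/abc/table/*"


def demo() -> dict:
    """Exercise the matcher on constructed requests against READ_ONLY_ORDERS."""
    return {
        "get_row_orders": is_authorized(READ_ONLY_ORDERS, "ots:GetRow", ORDERS),
        "get_range_orders": is_authorized(READ_ONLY_ORDERS, "ots:GetRange", ORDERS),
        "put_row_orders": is_authorized(READ_ONLY_ORDERS, "ots:PutRow", ORDERS),
        "get_row_users": is_authorized(READ_ONLY_ORDERS, "ots:GetRow", USERS),
        # Batch read over two tables: "users" is not covered, so the whole
        # request is rejected even though "orders" alone would be allowed.
        "batch_get_orders_only": is_authorized(READ_ONLY_ORDERS, "ots:BatchGetRow", [ORDERS]),
        "batch_get_orders_users": is_authorized(READ_ONLY_ORDERS, "ots:BatchGetRow", [ORDERS, USERS]),
        # Per the data-API table, ListTable is authorized against
        # instance/abc/table/*, which a single-table grant does not match.
        "list_table_abc": is_authorized(READ_ONLY_ORDERS, "ots:ListTable", ALL_TABLES),
        # Whole-string matching: an instance pattern does not cover its tables.
        "instance_pattern_covers_table": wildcard_match("acs:ots:*:*:instance/abc", ORDERS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `wildcard_match` checks from the common-problems list above can be reproduced directly: `acs:ots:*:*:instance/*/` does not match a request for `instance/abc`, and `acs:ots:*:*:instance/abc` does not match a request for `instance/abc/table/xyz`.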

Condition

Policies support multiple authorization conditions, which apply to all Table Store APIs: source IP address restriction, HTTPS-only access, access only with Multi-Factor Authentication (MFA), and access time restriction.

Access IP address restriction

Resource Access Management can restrict the source IP addresses used to access Table Store, and filter IP addresses based on the network segment. The following are typical application scenarios:

  • Multiple IP addresses are restricted. For example, only requests from 10.101.168.111 and 10.101.169.111 are allowed.

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "ots:*",
                    "Resource": "acs:ots:*:*:*",
                    "Condition": {
                        "IpAddress": {
                            "acs:SourceIp": [
                                "10.101.168.111",
                                "10.101.169.111"
                            ]
                        }
                    }
                }
            ],
            "Version": "1"
        }

  • An IP address or a network segment is restricted. For example, only requests from 10.101.168.111 or from the 10.101.169.111/24 segment are allowed.

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "ots:*",
                    "Resource": "acs:ots:*:*:*",
                    "Condition": {
                        "IpAddress": {
                            "acs:SourceIp": [
                                "10.101.168.111",
                                "10.101.169.111/24"
                            ]
                        }
                    }
                }
            ],
            "Version": "1"
        }

HTTPS access restriction

Resource Access Management can require that requests are made through HTTPS. The following is a typical application scenario:

  • Access is allowed only for requests made through HTTPS

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "ots:*",
                    "Resource": "acs:ots:*:*:*",
                    "Condition": {
                        "Bool": {
                            "acs:SecureTransport": "true"
                        }
                    }
                }
            ],
            "Version": "1"
        }

MFA access restriction

Resource Access Management can require that requests are made by a user who has passed MFA. The following is a typical application scenario:

  • Access is allowed only for requests made with MFA

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "ots:*",
                    "Resource": "acs:ots:*:*:*",
                    "Condition": {
                        "Bool": {
                            "acs:MFAPresent": "true"
                        }
                    }
                }
            ],
            "Version": "1"
        }

Access time restriction

Resource Access Management can restrict the time at which a request is made; that is, access can be allowed or rejected only for requests made before a specified time.

For example, user access is allowed only before 00:00:00 January 1, 2016.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "DateLessThan": {
                        "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                    }
                }
            }
        ],
        "Version": "1"
    }

Typical application scenarios

This section defines the policies in some typical scenarios and offers authorization methods.

Multiple authorization conditions

Users accessing from the 10.101.168.111/24 network segment can read from and write to the instances online-01 and online-02 (including all tables of these instances). In addition, access is allowed only before 00:00:00 January 1, 2016, and only through HTTPS.

Perform the following steps to grant policy permissions to a subaccount.

  1. Use the primary account to log on to the RAM console.

  2. Click Policies on the left-side navigation pane.

  3. Click New Authorization Policy in the top-right corner.

  4. Select Blank Template.

  5. Fill in the Authorization Policy Name and copy the following content to Policy Content.

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "ots:*",
                    "Resource": [
                        "acs:ots:*:*:instance/online-01",
                        "acs:ots:*:*:instance/online-01/table/*",
                        "acs:ots:*:*:instance/online-02",
                        "acs:ots:*:*:instance/online-02/table/*"
                    ],
                    "Condition": {
                        "IpAddress": {
                            "acs:SourceIp": [
                                "10.101.168.111/24"
                            ]
                        },
                        "DateLessThan": {
                            "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                        },
                        "Bool": {
                            "acs:SecureTransport": "true"
                        }
                    }
                }
            ],
            "Version": "1"
        }
  6. Click New Authorization Policy and then click Close. The policy is created successfully.

  7. Click Users on the left-side navigation pane.

  8. Locate the subaccount to be authorized, and click Authorization.

  9. Select the policy created in the preceding steps, and click >.

  10. Click OK.

Reject requests

Users accessing from the IP address 10.101.169.111 are not allowed to write to any table of the instances in the Beijing region whose names begin with online or product. Instance-level operations are not covered by this policy.

Refer to the preceding steps to create a new policy and grant policy permissions to a subaccount. When creating a policy, copy the following content to Policy Content.

    {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ots:Create*",
                    "ots:Insert*",
                    "ots:Put*",
                    "ots:Update*",
                    "ots:Delete*",
                    "ots:BatchWrite*"
                ],
                "Resource": [
                    "acs:ots:cn-beijing:*:instance/online*/table/*",
                    "acs:ots:cn-beijing:*:instance/product*/table/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "10.101.169.111"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
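To show how the Condition operators from the previous section combine with Allow and Deny statements, here is an added Python example (again not code from the Table Store documentation or from the RAM service) that evaluates the two policies of this section against constructed requests. It assumes deny-overrides semantics with default deny, which this page does not state; the third policy BEIJING_ALLOW, the account ID 123456, the table name orders, and the request IP addresses and timestamps are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone


def wildcard_match(pattern: str, value: str) -> bool:
    """Page's wildcard rule: "*" matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(field):
    return [field] if isinstance(field, str) else list(field)


def condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the condition operators this page uses against a request context.

    ctx is keyed like the condition keys: "acs:SourceIp" (str), "acs:SecureTransport"
    and "acs:MFAPresent" (bool), "acs:CurrentTime" (timezone-aware datetime).
    Every operator must hold; a list of expected values means "any of them".
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:  # attribute absent from the request: condition fails
                return False
            if operator == "IpAddress":
                nets = [ipaddress.ip_network(v, strict=False) for v in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in net for net in nets):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "DateLessThan":
                if not actual < datetime.fromisoformat(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Return "explicit deny", "allow" or "implicit deny" for one request.

    Assumption (not stated on the page): deny-overrides semantics, so a matching
    Deny statement wins over any Allow, and an unmatched request is denied.
    """
    decision = "implicit deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(wildcard_match(p, action) for p in _as_list(st["Action"])):
                continue
            if not any(wildcard_match(p, resource) for p in _as_list(st["Resource"])):
                continue
            if not condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision


# The two policies from this section of the page, written compactly.
MULTI_CONDITION_ALLOW = {"Statement": [{
    "Effect": "Allow", "Action": "ots:*",
    "Resource": ["acs:ots:*:*:instance/online-01", "acs:ots:*:*:instance/online-01/table/*",
                 "acs:ots:*:*:instance/online-02", "acs:ots:*:*:instance/online-02/table/*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.168.111/24"]},
                  "DateLessThan": {"acs:CurrentTime": "2016-01-01T00:00:00+08:00"},
                  "Bool": {"acs:SecureTransport": "true"}}}], "Version": "1"}

WRITE_DENY = {"Statement": [{
    "Effect": "Deny",
    "Action": ["ots:Create*", "ots:Insert*", "ots:Put*", "ots:Update*", "ots:Delete*", "ots:BatchWrite*"],
    "Resource": ["acs:ots:cn-beijing:*:instance/online*/table/*",
                 "acs:ots:cn-beijing:*:instance/product*/table/*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.169.111"]}}}], "Version": "1"}

# Constructed for this example (not on the page): a broad, unconditional Allow on
# the Beijing region, so that the Deny above has something to override.
BEIJING_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "ots:*",
                                "Resource": "acs:ots:cn-beijing:*:*"}], "Version": "1"}

POLICIES = [MULTI_CONDITION_ALLOW, WRITE_DENY, BEIJING_ALLOW]
CST = timezone(timedelta(hours=8))
# Constructed request resources: account 123456, table "orders" in two regions.
TABLE_HZ = "acs:ots:cn-hangzhou:123456:instance/online-01/table/orders"
TABLE_BJ = "acs:ots:cn-beijing:123456:instance/online-01/table/orders"


def request(ip: str, https: bool = True, when: datetime = datetime(2015, 6, 1, tzinfo=CST)) -> dict:
    return {"acs:SourceIp": ip, "acs:SecureTransport": https,
            "acs:MFAPresent": False, "acs:CurrentTime": when}


def run_scenarios() -> dict:
    late = datetime(2016, 2, 1, tzinfo=CST)  # after the DateLessThan deadline
    return {
        "read_in_segment_https": evaluate(POLICIES, "ots:GetRow", TABLE_HZ, request("10.101.168.50")),
        "read_in_segment_http": evaluate(POLICIES, "ots:GetRow", TABLE_HZ, request("10.101.168.50", https=False)),
        "read_after_deadline": evaluate(POLICIES, "ots:GetRow", TABLE_HZ, request("10.101.168.50", when=late)),
        "read_outside_segment": evaluate(POLICIES, "ots:GetRow", TABLE_HZ, request("10.101.169.111")),
        "write_beijing_from_denied_ip": evaluate(POLICIES, "ots:PutRow", TABLE_BJ, request("10.101.169.111")),
        "write_beijing_from_other_ip": evaluate(POLICIES, "ots:PutRow", TABLE_BJ, request("10.101.169.112")),
    }
```

Reading the results side by side makes the difference between the two kinds of rejection visible: a request that fails a Condition (plain HTTP, past the deadline, outside the network segment) falls through to the implicit default deny, whereas the write from 10.101.169.111 to a cn-beijing online* table is stopped by the explicit Deny even though BEIJING_ALLOW would otherwise permit it.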