This topic describes the definitions and application scenarios of Action, Resource, and Condition.

Action

Action defines the API operation or operations to allow or deny. When creating a Table Store authorization policy, add the ots: prefix to each API operation and separate multiple API operations with commas (,). An asterisk (*) wildcard in Action matches by prefix or suffix.

Action is defined as follows:

  • Single API operation

    "Action": "ots:GetRow"

  • Multiple API operations

    "Action": [
        "ots:PutRow",
        "ots:GetRow"
    ]

  • All read-only API operations

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ots:BatchGet*",
            "ots:Describe*",
            "ots:Get*",
            "ots:List*",
            "ots:Consume*",
            "ots:Search",
            "ots:ComputeSplitPointsBySize"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • All read and write API operations

    "Action": "ots:*"

Resource

Resource in Table Store is composed of multiple fields, including the service, region, user ID, instance name, and table name. Each field supports asterisk (*) wildcards for prefix and suffix matching. The format is as follows:

acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]

The fields enclosed in brackets are variables. The value of the region field must be a region ID, such as cn-hangzhou. The user_id field is set to an Alibaba Cloud account ID.
Note
  • Table Store instance names are not case-sensitive. However, the instance_name field in Resource must be in lower case.
  • Resource is defined for Tunnel Service by instances rather than tables and includes the service, region, user ID, and instance name fields. The format is as follows:
    acs:ots:[region]:[user_id]:instance/[instance_name]

Resource is defined as follows:

  • All resources of users in all regions

    "Resource": "acs:ots:*:*:*"

  • All instances and their tables of User 123456 in China (Hangzhou)

    "Resource": "acs:ots:cn-hangzhou:123456:instance/*"

  • Instance abc and its tables of User 123456 in China (Hangzhou)

    "Resource": [
        "acs:ots:cn-hangzhou:123456:instance/abc",
        "acs:ots:cn-hangzhou:123456:instance/abc/table/*"
    ]

  • All instances with the prefix abc and their tables

    "Resource": "acs:ots:*:*:instance/abc*"

  • Tables with the prefix xyz in all instances with the prefix abc. This pattern covers only the tables; the instance resources themselves (acs:ots:*:*:instance/abc*) do not match it.

    "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"

  • All instances with the suffix abc and their tables with the suffix xyz

    "Resource": [
        "acs:ots:*:*:instance/*abc",
        "acs:ots:*:*:instance/*abc/table/*xyz"
    ]

Table Store API operations

Table Store provides two types of API operations:

  • Management API operations for reading from and writing to instances.

  • Data API operations for reading from and writing to tables and rows.

Details about these API operations are as follows:

  • Resources for management API operations

    Management API operations are instance-based operations and can only be called through the console. The Action and Resource values you grant for management API operations therefore determine what the console can do afterwards. The acs:ots:[region]:[user_id]: prefix is omitted from the resources listed below; only the instance and table parts are shown.

    API operation (Action)    Resource
    ListInstance              instance/*
    InsertInstance            instance/[instance_name]
    GetInstance               instance/[instance_name]
    DeleteInstance            instance/[instance_name]
  • Resources for data API operations

    Data API operations are table- and row-based operations and can be called through the console or by the SDK. The Action and Resource values you grant for data API operations determine what the console can do afterwards. The acs:ots:[region]:[user_id]: prefix is omitted from the resources listed below; only the instance and table parts are shown.

    API operation (Action)      Resource
    ListTable                   instance/[instance_name]/table/*
    CreateTable                 instance/[instance_name]/table/[table_name]
    UpdateTable                 instance/[instance_name]/table/[table_name]
    DescribeTable               instance/[instance_name]/table/[table_name]
    DeleteTable                 instance/[instance_name]/table/[table_name]
    GetRow                      instance/[instance_name]/table/[table_name]
    PutRow                      instance/[instance_name]/table/[table_name]
    UpdateRow                   instance/[instance_name]/table/[table_name]
    DeleteRow                   instance/[instance_name]/table/[table_name]
    GetRange                    instance/[instance_name]/table/[table_name]
    BatchGetRow                 instance/[instance_name]/table/[table_name]
    BatchWriteRow               instance/[instance_name]/table/[table_name]
    ComputeSplitPointsBySize    instance/[instance_name]/table/[table_name]
    StartLocalTransaction       instance/[instance_name]/table/[table_name]
    CommitTransaction           instance/[instance_name]/table/[table_name]
    AbortTransaction            instance/[instance_name]/table/[table_name]
    CreateIndex                 instance/[instance_name]/table/[table_name]
    DropIndex                   instance/[instance_name]/table/[table_name]
    CreateSearchIndex           instance/[instance_name]/table/[table_name]
    DeleteSearchIndex           instance/[instance_name]/table/[table_name]
    ListSearchIndex             instance/[instance_name]/table/[table_name]
    DescribeSearchIndex         instance/[instance_name]/table/[table_name]
    Search                      instance/[instance_name]/table/[table_name]
    CreateTunnel                instance/[instance_name]/table/[table_name]
    DeleteTunnel                instance/[instance_name]/table/[table_name]
    ListTunnel                  instance/[instance_name]/table/[table_name]
    DescribeTunnel              instance/[instance_name]/table/[table_name]
    ConsumeTunnel               instance/[instance_name]/table/[table_name]
  • Resources for Tunnel Service API operations

    API operations for Tunnel Service are instance-based operations and can be called through the console or by the SDK. The Action and Resource values you grant for Tunnel Service API operations determine what the console can do afterwards. The acs:ots:[region]:[user_id]: prefix is omitted from the resources listed below; only the instance part is shown.

    API operation (Action)      Resource
    ListTable                   instance/[instance_name]
    CreateTable                 instance/[instance_name]
    UpdateTable                 instance/[instance_name]
    DescribeTable               instance/[instance_name]
    DeleteTable                 instance/[instance_name]
    GetRow                      instance/[instance_name]
    PutRow                      instance/[instance_name]
    UpdateRow                   instance/[instance_name]
    DeleteRow                   instance/[instance_name]
    GetRange                    instance/[instance_name]
    BatchGetRow                 instance/[instance_name]
    BatchWriteRow               instance/[instance_name]
    ComputeSplitPointsBySize    instance/[instance_name]
    StartLocalTransaction       instance/[instance_name]
    CommitTransaction           instance/[instance_name]
    AbortTransaction            instance/[instance_name]
    CreateIndex                 instance/[instance_name]
    DropIndex                   instance/[instance_name]
    CreateSearchIndex           instance/[instance_name]
    DeleteSearchIndex           instance/[instance_name]
    ListSearchIndex             instance/[instance_name]
    DescribeSearchIndex         instance/[instance_name]
    Search                      instance/[instance_name]
    CreateTunnel                instance/[instance_name]
    DeleteTunnel                instance/[instance_name]
    ListTunnel                  instance/[instance_name]
    DescribeTunnel              instance/[instance_name]
    ConsumeTunnel               instance/[instance_name]
  • Instructions
    • Action and Resource in a policy are verified by string matching. The asterisk (*) wildcard is used to specify the prefix matching and suffix matching. If Resource is defined as acs:ots:*:*:instance/*/, acs:ots:*:*:instance/abc cannot be matched. If Resource is defined as acs:ots:*:*:instance/abc, acs:ots:*:*:instance/abc/table/xyz cannot be matched.

    • To use a RAM user account to manage instance resources through the Table Store console, the RAM user account must be granted read permissions on acs:ots:[region]:[user_id]:instance/* because the console needs to obtain the instance list.

    • For batch API operations, such as BatchGetRow and BatchWriteRow, the backend service authenticates each table to be accessed. Operations can only be performed when all tables are authenticated. Otherwise, an error message is returned.
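To make the string-matching rules in these instructions concrete, here is an added Python example. It is not part of the original documentation and not Table Store's own authorization code; it matches Action and Resource patterns the way the instructions describe (whole-string comparison in which only * is a wildcard, letter case included), applies the read-only statement shown earlier, checks a batch request across several tables, and checks whether a statement lets the console list instances. The statement names READ_ONLY and ABC_ONLY, the user ID 123456, the instance abc and the table names are constructed for the example.

```python
import re


def ram_match(pattern: str, value: str) -> bool:
    """Whole-string comparison in which only '*' is a wildcard; every other
    character, including '/', ':' and letter case, must match literally."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def statement_covers(statement, action: str, resource: str) -> bool:
    """True when some Action pattern and some Resource pattern of the statement
    both match the request. Conditions are out of scope here."""
    return (any(ram_match(a, action) for a in _as_list(statement["Action"]))
            and any(ram_match(r, resource) for r in _as_list(statement["Resource"])))


def instance_arn(region: str, user_id: str, instance: str) -> str:
    """acs:ots:[region]:[user_id]:instance/[instance_name]; the instance name is
    lower-cased because that is how the Resource field must be written."""
    return f"acs:ots:{region}:{user_id}:instance/{instance.lower()}"


def table_arn(region: str, user_id: str, instance: str, table: str) -> str:
    return f"{instance_arn(region, user_id, instance)}/table/{table}"


def batch_covered(statement, api: str, region: str, user_id: str, instance: str, tables) -> bool:
    """BatchGetRow/BatchWriteRow: every table in the request is checked, and one
    uncovered table fails the whole call."""
    return all(statement_covers(statement, f"ots:{api}", table_arn(region, user_id, instance, t))
               for t in tables)


def console_can_list_instances(statement, region: str, user_id: str) -> bool:
    """The console calls ListInstance against instance/* (see the management API
    table), so a policy scoped to one named instance does not let it list them."""
    return statement_covers(statement, "ots:ListInstance", f"acs:ots:{region}:{user_id}:instance/*")


# Constructed statements built from the patterns shown on this page.
READ_ONLY = {
    "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*",
               "ots:Consume*", "ots:Search", "ots:ComputeSplitPointsBySize"],
    "Resource": "*",
    "Effect": "Allow",
}
ABC_ONLY = {
    "Action": "ots:*",
    "Resource": ["acs:ots:cn-hangzhou:123456:instance/abc",
                 "acs:ots:cn-hangzhou:123456:instance/abc/table/orders*"],
    "Effect": "Allow",
}

if __name__ == "__main__":
    # The two mismatches called out in the instructions above.
    print(ram_match("acs:ots:*:*:instance/*/", "acs:ots:cn-hangzhou:123456:instance/abc"))          # False
    print(ram_match("acs:ots:*:*:instance/abc", "acs:ots:cn-hangzhou:123456:instance/abc/table/xyz"))  # False
    # A batch over two orders_* tables passes; adding an uncovered table fails the whole call.
    print(batch_covered(ABC_ONLY, "BatchGetRow", "cn-hangzhou", "123456", "abc", ["orders_2019", "orders_2020"]))  # True
    print(batch_covered(ABC_ONLY, "BatchGetRow", "cn-hangzhou", "123456", "abc", ["orders_2019", "users"]))        # False
    print(console_can_list_instances(ABC_ONLY, "cn-hangzhou", "123456"))  # False
```

The case check is worth running on your own policies: because matching is literal, a Resource written as instance/ABC never matches the lower-case instance/abc that the service compares against, and the grant silently does nothing.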

Condition

Policies can support a variety of authentication conditions, including IP address-based access control, HTTPS-based access control, Multi-Factor Authentication (MFA)-based access control, and time-based access control. These conditions are supported by all Table Store API operations.

  • IP address-based access control

    RAM allows you to specify IP addresses or CIDR blocks that are used to access Table Store resources. Typical application scenarios are as follows:

    • Specify multiple IP addresses. For example, the following code indicates that only access requests from IP addresses 10.101.168.111 and 10.101.169.111 are allowed.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ots:*",
                  "Resource": "acs:ots:*:*:*",
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "10.101.168.111",
                              "10.101.169.111"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }
    • Specify an IP address or a CIDR block. For example, the following code indicates that only access requests from IP address 10.101.168.111 or from CIDR block 10.101.169.111/24 are allowed.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ots:*",
                  "Resource": "acs:ots:*:*:*",
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "10.101.168.111",
                              "10.101.169.111/24"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }
  • HTTPS-based access control

    RAM allows you to specify whether resources must be accessed by requests over HTTPS.

    The following example indicates that Table Store resources must be accessed by requests over HTTPS.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "Bool": {
                        "acs:SecureTransport": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • MFA-based access control

    RAM allows you to specify whether resources must be accessed by requests that have passed MFA.

    The following example indicates that Table Store resources must be accessed by requests that have passed MFA.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • Time-based access control

    RAM allows you to restrict access by request time. Requests made before the specified time are allowed or denied. The following example shows a typical application scenario.

    Example: RAM users are allowed to access resources only before 00:00:00 January 1, 2016 (UTC+8).

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "DateLessThan": {
                        "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                    }
                }
            }
        ],
        "Version": "1"
    }

Scenarios

This section describes specific policies in typical scenarios and offers authorization methods based on the definitions of Action, Resource, and Condition.

  • Multiple authorization conditions

    In this scenario, RAM users in the 10.101.168.111/24 CIDR block are allowed to read from and write to the instances named online-01 and online-02 (including all tables of these instances). Access is allowed only before 0:00:00 January 1, 2016, and all requests must be made over HTTPS.

    The procedure is as follows:

    1. Log on to the RAM console with an Alibaba Cloud account. (Assume that RAM is activated.)
    2. In the left-side navigation pane, choose Permissions > Policies to go to the Policies page.
    3. Click Create Policy to go to the Create Custom Policy page.
    4. Enter Policy Name and select Script as the Configuration Mode. Enter the following content in the Policy Document field:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ots:*",
                  "Resource": [
                      "acs:ots:*:*:instance/online-01",
                      "acs:ots:*:*:instance/online-01/table/*",
                      "acs:ots:*:*:instance/online-02",
                      "acs:ots:*:*:instance/online-02/table/*"
                  ],
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "10.101.168.111/24"
                          ]
                      },
                      "DateLessThan": {
                          "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                      },
                      "Bool": {
                          "acs:SecureTransport": "true"
                      }
                  }
              }
          ],
          "Version": "1"
      }
    5. Click OK.
    6. In the left-side navigation pane, choose Identities > Users. On the Users page that appears, click Add Permissions in the Actions column corresponding to a RAM user account.
    7. In the Add Permissions dialog box that appears, search for the newly created policy, and click the policy to add the permissions to the Selected column. Click OK. The selected permissions are granted to the RAM user account.
  • Reject requests

    In this scenario, RAM users using the IP address 10.101.169.111 are not allowed to write to any tables that belong to instances prefixed with online or product and located in China (Beijing). This policy does not define actions and permissions on instances.

    To reject requests, perform the steps described in the preceding "Multiple authorization conditions" section to create a new policy and grant policy permissions to the designated RAM user. Copy the following content to Policy Document during policy creation:

    {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ots:Create*",
                    "ots:Insert*",
                    "ots:Put*",
                    "ots:Update*",
                    "ots:Delete*",
                    "ots:BatchWrite*"
                ],
                "Resource": [
                    "acs:ots:cn-beijing:*:instance/online*/table/*",
                    "acs:ots:cn-beijing:*:instance/product*/table/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "10.101.169.111"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
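As an added example serving both the Condition section and the two scenarios above (it is not part of the original page and not Alibaba Cloud's policy evaluator), the following Python evaluates the two scenario policies against constructed requests. It implements the IpAddress, Bool and DateLessThan operators over the acs:SourceIp, acs:SecureTransport, acs:MFAPresent and acs:CurrentTime keys, and assumes the usual RAM semantics in which a matching explicit Deny wins over any Allow and a request matched by no Allow is denied. BROAD_ALLOW (an unconditional "ots:*" grant added so the Deny has something to override), the request_context helper, the user ID 123456 and the table names are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# The "Multiple authorization conditions" policy from this page.
MULTI_CONDITION_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": "ots:*",
    "Resource": ["acs:ots:*:*:instance/online-01", "acs:ots:*:*:instance/online-01/table/*",
                 "acs:ots:*:*:instance/online-02", "acs:ots:*:*:instance/online-02/table/*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.168.111/24"]},
                  "DateLessThan": {"acs:CurrentTime": "2016-01-01T00:00:00+08:00"},
                  "Bool": {"acs:SecureTransport": "true"}},
}]}

# The "Reject requests" policy from this page.
REJECT_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": ["ots:Create*", "ots:Insert*", "ots:Put*", "ots:Update*", "ots:Delete*", "ots:BatchWrite*"],
    "Resource": ["acs:ots:cn-beijing:*:instance/online*/table/*",
                 "acs:ots:cn-beijing:*:instance/product*/table/*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.169.111"]}},
}]}

# Constructed for this example: the unconditional read/write grant ("ots:*" on
# every resource) that the explicit Deny above must still override.
BROAD_ALLOW = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*"}]}


def ram_match(pattern, value):
    """Whole-string match in which only '*' is a wildcard."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition, ctx):
    """Every operator/key pair in the Condition block must hold. A missing context
    key, or an operator this evaluator does not implement, fails closed."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                # strict=False accepts a block written with host bits set, e.g. 10.101.169.111/24
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).strip().lower():
                    return False
            elif operator == "DateLessThan":
                if not datetime.fromisoformat(actual) < datetime.fromisoformat(expected):
                    return False
            else:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Assumed RAM semantics: a matching explicit Deny wins; otherwise any matching
    Allow grants; a request matched by no Allow is implicitly denied."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(ram_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(ram_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not condition_holds(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request_context(source_ip, https=True, mfa=False, now="2015-06-01T12:00:00+08:00"):
    """Constructed request attributes keyed the way the conditions expect;
    acs:CurrentTime must carry a UTC offset so it compares with the policy's value."""
    return {"acs:SourceIp": source_ip,
            "acs:SecureTransport": "true" if https else "false",
            "acs:MFAPresent": "true" if mfa else "false",
            "acs:CurrentTime": now}


if __name__ == "__main__":
    hz_orders = "acs:ots:cn-hangzhou:123456:instance/online-01/table/orders"
    bj_orders = "acs:ots:cn-beijing:123456:instance/online-01/table/orders"
    print(evaluate([MULTI_CONDITION_POLICY], "ots:PutRow", hz_orders, request_context("10.101.168.50")))               # Allow
    print(evaluate([MULTI_CONDITION_POLICY], "ots:PutRow", hz_orders, request_context("10.101.168.50", https=False)))  # Deny
    print(evaluate([BROAD_ALLOW, REJECT_POLICY], "ots:PutRow", bj_orders, request_context("10.101.169.111")))        # Deny
    print(evaluate([BROAD_ALLOW, REJECT_POLICY], "ots:GetRow", bj_orders, request_context("10.101.169.111")))        # Allow
```

Two results are worth noting when reviewing a Deny policy like the one above: the Deny only bites on table resources, so a DeleteInstance call on the same instance from the same address is still governed by whatever Allow is in place, and a single condition that fails (a different source address) switches the Deny off entirely.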