By default, list authentication is enabled. When you log on to the Enterprise Distributed Application Service (EDAS) console as a RAM user and perform list operations on resources, EDAS performs Resource Access Management (RAM) authentication and returns only the resources on which you have the related permissions.
Background information
- Select a microservice namespace and a cluster from the lists when you create an application.
- Select a microservice namespace from the list when you create a cluster.
- Select a microservice namespace from the list when you view a microservice.
- Select a microservice namespace from a list in the SchedulerX module.
The following table describes the permissions that you can define in RAM policies related to list authentication.
| Resource type | Permission |
|---|---|
| Microservice namespace | edas:ReadNamespace |
| Cluster | edas:ReadCluster |
| Application | edas:ReadApplication |
Usage notes
When you manage resources, we recommend that you perform unified authorization for microservice namespaces, clusters, and applications. Take note of the following points:
- When you grant the read permissions on an application, we recommend that you also grant the read permissions on the cluster and microservice namespace where the application resides.
- When you grant the read permissions on a cluster, we recommend that you also grant the read permissions on the microservice namespace where the cluster resides.
- The length of a RAM policy is limited. We recommend that you specify a wildcard to define permissions. For example, you can use the EDAS permission assistant to define the permissions to manage all applications in a microservice namespace. For more information, see Use the EDAS permission assistant to create RAM policies.
- If you have a large number of resources, we recommend that you use resource groups to manage your resources. For more information, see Use resource groups to manage permissions.
Note: Only applications and clusters can be added to resource groups. You can use only RAM to manage permissions on microservice namespaces.
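The pairing recommendations above (application read with cluster and namespace read, cluster read with namespace read) can be checked mechanically before a policy is attached. The following Python is an added example, not EDAS or RAM code: the resource IDs, the topology and the grants dictionary are constructed, and grants are modeled as plain sets per permission rather than parsed from RAM policy documents.

```python
# Added example: audit read grants against the unified-authorization advice.
# All resource IDs and the topology below are constructed sample data.

READ_ACTION = {
    "namespace": "edas:ReadNamespace",
    "cluster": "edas:ReadCluster",
    "application": "edas:ReadApplication",
}

# Constructed topology: application -> (cluster, namespace); cluster -> namespace
APPS = {"AppX": ("clusterA", "nX"), "AppY": ("clusterB", "nY")}
CLUSTERS = {"clusterA": "nX", "clusterB": "nY"}

# Constructed grants for one RAM user: permission -> resource IDs ("*" = all)
GRANTS = {
    "edas:ReadApplication": {"AppX", "AppY"},
    "edas:ReadCluster": {"clusterB"},
    "edas:ReadNamespace": {"nY"},
}


def can_read(grants, rtype, rid):
    """True if the grants allow reading resource `rid` of type `rtype`."""
    allowed = grants.get(READ_ACTION[rtype], set())
    return "*" in allowed or rid in allowed


def audit(grants, apps=APPS, clusters=CLUSTERS):
    """Return sorted (resource, missing_permission, parent) gaps."""
    gaps = set()
    for app, (cluster, ns) in apps.items():
        if not can_read(grants, "application", app):
            continue  # nothing granted on this application, nothing to pair
        if not can_read(grants, "cluster", cluster):
            gaps.add((app, READ_ACTION["cluster"], cluster))
        if not can_read(grants, "namespace", ns):
            gaps.add((app, READ_ACTION["namespace"], ns))
    for cluster, ns in clusters.items():
        if can_read(grants, "cluster", cluster) and not can_read(grants, "namespace", ns):
            gaps.add((cluster, READ_ACTION["namespace"], ns))
    return sorted(gaps)


if __name__ == "__main__":
    for resource, action, parent in audit(GRANTS):
        print(f"{resource}: readable, but {action} is missing on {parent}")
```

In the constructed data, AppX reproduces the first troubleshooting case below: the application is readable while its microservice namespace is not.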
Disable list authentication
By default, list authentication is enabled. To disable list authentication, go to the left-side navigation pane of the EDAS console and click Switch List Authentication Method.
Troubleshooting
If you encounter the following issues, you can resolve them based on the instructions:
- 1. If Application AppX belongs to Microservice Namespace nX, and RAM User subAccount has the read permissions on Application AppX, but does not have the read permissions on Microservice Namespace nX, can Application AppX be found on the Applications page?
Yes. On the Applications page, select All Microservice Namespaces from the Microservice Namespace drop-down list. Application AppX is displayed on the Applications page.
- 2. Why is list authentication not disabled after I perform the operation for disabling list authentication?
A delay of about 1 minute exists for disabling list authentication. After you perform the operation for disabling list authentication, wait 1 minute and then check whether list authentication is disabled.
- 3. Why am I unable to open the details pages of some resources when list authentication is disabled?
When list authentication is disabled, the original authentication logic of resources is not affected and still exists. If you log on to the EDAS console as a RAM user and the RAM user does not have relevant permissions on specific resources, you cannot access the resources.