This topic describes the Resource Access Management (RAM) policies that are related to Enterprise Distributed Application Service (EDAS).

Resource variables in policies

In a policy, the following variables are used to define a resource:

  • $regionid: the ID of the region where the resource is deployed, such as cn-shanghai. For more information, see Regions and zones.
  • $namespace: the ID of the microservice namespace. To view microservice namespace IDs, log on to the EDAS console and choose Resource Management > Microservice Namespaces in the left-side navigation pane. The Microservice Namespaces page lists the ID of each microservice namespace.
  • $clusterId: the ID of the cluster. Example: 8c349f69-505c-436f-8dc7-**********. You can view the ID of a cluster on the details page of the cluster.
  • $applicationId: the ID of the application. Example: ec8e38a3-3dca-47a7-b6f9-5**********. You can view the ID of an application on the Basic Information tab of the application details page.

Details about policies

This section describes how an EDAS-defined permission corresponds to a RAM policy.

Microservice namespace management

Table 1. Microservice namespace management
Code | Description | Dependency action | Resource
1.1 | Create microservice namespaces | edas:CreateNamespace | acs:edas:$regionid:$accountid:namespace/*
1.2 | Delete microservice namespaces | edas:ReadNamespace, edas:DeleteNamespace | acs:edas:$regionid:$accountid:namespace/$namespace
1.4 | Modify microservice namespaces | edas:ManageNamespace, edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace

Table 2. Cluster management
Code | Description | Dependency action | Resource
2.1 | Create clusters | edas:CreateCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/*
2.2 | Delete clusters | edas:ReadCluster, edas:DeleteCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
2.3 | View clusters | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId
2.4 | Manage clusters | edas:ReadCluster, edas:ManageCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId

Table 3. Application management
Code | Description | Dependency action | Resource
3.1 | Create applications | edas:CreateApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/*
3.2 | Delete applications | edas:ReadApplication, edas:DeleteApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.3 | View applications | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.4 | Manage applications | edas:ManageApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.5 | Configure applications | edas:ConfigApplication, edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
3.6 | Manage logs | edas:ReadApplication, edas:ManageAppLog | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 4. Microservice management
Code | Description | Dependency action | Resource
4.1 | Query microservices | edas:ReadService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
4.2 | Test microservices | edas:TestService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId
4.3 | Manage microservices | edas:ReadService, edas:ManageService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId

Table 5. Configuration management
Code | Description | Dependency action | Resource
5.1 | View configurations | acms:R | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId
5.2 | Manage configurations | acms:* | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId

Table 6. System management
Code | Description | Dependency action | Resource
6.1 | Manage the EDAS system | edas:ManageSystem | acs:edas:$regionid:$accountid:*
6.2 | View operation logs | edas:ReadOperationLog | acs:edas:$regionid:$accountid:*
6.3 | System O&M | edas:ManageOperation | acs:edas:$regionid:$accountid:*
6.4 | Purchase Elastic Compute Service (ECS) resources | edas:ECSPurchase | acs:edas:*:*:*
6.5 | Purchase Server Load Balancer (SLB) resources | edas:SLBPurchase | acs:edas:*:*:*
6.6 | Purchase Log Service resources | edas:SLSPurchase | acs:edas:*:*:*

Table 7. Management of EDAS features that are available for commercial use
Code | Description | Dependency action | Resource
7 | Manage EDAS features that are available for commercial use | edas:ManageCommercialization | acs:edas:$regionid:$accountid:*

Cluster management

The following scenarios describe the permissions that are required for managing clusters:

View the details of clusters

Requires read-only permissions on clusters, which allow a RAM user to view the details of a cluster, including the instances and applications in the cluster.
Note You can grant a RAM user the permissions on a resource group so that the RAM user can view the details of the clusters in the resource group.
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}

Delete clusters

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadCluster","edas:DeleteCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}

Create clusters

Notice To create a cluster, cluster/ in the value of the Resource parameter must be followed by an asterisk (*).
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:CreateCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
      "Effect": "Allow"
    }
  ]
}

Manage clusters

Allows a RAM user to create a cluster, add instances to a cluster, modify a cluster, and delete a cluster.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageCluster"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
      "Effect": "Allow"
    }
  ]
}
The following examples show how to grant cluster management permissions to a RAM user:
  • Example 1: Grant cluster management permissions to the RAM user but forbid the RAM user from creating clusters.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["edas:ManageCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
          "Effect": "Allow"
        },
        {
          "Action": ["edas:CreateCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
          "Effect": "Deny"
        }
      ]
    }
    Note If the $clusterId variable is set to a specific cluster ID, the RAM user can manage only the specified cluster. If the $clusterId variable is set to an asterisk (*), the RAM user can manage all clusters in the specified microservice namespace.
  • Example 2: Grant cluster management permissions to a RAM user but forbid the RAM user from creating or deleting clusters.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["edas:ManageCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
          "Effect": "Allow"
        },
        {
          "Action": ["edas:CreateCluster","edas:DeleteCluster"],
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
          "Effect": "Deny"
        }
      ]
    }

Microservice namespace management

The following scenarios describe the permissions that are required for managing microservice namespaces:

Delete microservice namespaces

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadNamespace","edas:DeleteNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
      "Effect": "Allow"
    }
  ]
}

Create microservice namespaces

Notice To create a namespace, namespace/ in the value of the Resource parameter must be followed by an asterisk (*).
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:CreateNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/*"],
      "Effect": "Allow"
    }
  ]
}

Manage microservice namespaces

To allow a RAM user to modify or rename microservice namespaces, you must grant the RAM user the permissions to manage the microservice namespaces.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageNamespace"],
      "Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
      "Effect": "Allow"
    }
  ]
}

Resource purchases

To give enterprise users finer control over permissions, EDAS allows enterprise users to grant the permissions to purchase resources. The resources include ECS, SLB, and Log Service resources.

The following scenarios describe the permissions that are required for purchasing resources:

Notice
  • In all resource purchasing policies, the value of the Resource parameter must be acs:edas:*:*:*. Finer-grained configurations are not supported.
  • Resource purchasing policies apply only to RAM users.

Purchase ECS resources

  • Applicable scope:
    • Purchase ECS resources in an ECS cluster
    • Purchase ECS resources when you create an application in an ECS cluster
    • Purchase ECS resources when you scale out an application in an ECS cluster
  • Sample policy:
    {
      "Version": "1",
      "Statement": [    
        {
          "Effect": "Allow",
          "Action": [
            "edas:ECSPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Purchase SLB resources

  • Applicable scope: Purchase SLB resources when you bind an SLB instance to an application.
  • Sample policy:
    {
      "Version": "1",
      "Statement": [    
        {
          "Effect": "Allow",
          "Action": [
            "edas:SLBPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Purchase Log Service resources

  • Applicable scope: Purchase Log Service resources for an application.
  • Sample policy:
    {
      "Version": "1",
      "Statement": [    
        {
          "Effect": "Allow",
          "Action": [
            "edas:SLSPurchase"
          ],
          "Resource": [
            "acs:edas:*:*:*"
          ]
        }
      ]
    }

Application management

The following scenarios describe the permissions that are required for managing applications:

Permissions on an individual application

  • Manage an application: Allows a RAM user to view the information about an application and manage the configurations and logs of an application, but does not allow the RAM user to create or delete applications.
    {
        "Statement": [
          {
            "Action": [
              "edas:*Application"
            ],
            "Effect": "Allow",
            "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
          },
          {
            "Action": [
              "edas:DeleteApplication"
            ],
            "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"],
            "Effect": "Deny"
          },
          {
            "Action": [
              "edas:CreateApplication"
            ],
            "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/*"],
            "Effect": "Deny"
          }
        ],
        "Version": "1"
    }
  • Create an application
    Notice To create an application, an instance in the cluster is required. Therefore, you must grant the RAM user the permissions to view the cluster.
    {
      "Statement": [
        {
          "Action": [
            "edas:CreateApplication",
            "edas:ReadCluster"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/*",
            "acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"
          ]
        }
      ],
      "Version": "1"
    }
  • Delete an application
    Notice To allow a RAM user to delete an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:DeleteApplication",
            "edas:ReadApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Manage logs
    Notice To allow a RAM user to manage the logs of an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ManageAppLog"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
  • Configure an application: Allows a RAM user to set the application port, Tomcat context, load balancing parameters, health check parameters, Java virtual machine (JVM) parameters, and service priority in the current zone.
    Notice To allow a RAM user to configure an application, you must grant the RAM user the permissions to view the application.
    {
      "Statement": [
        {
          "Action": [
            "edas:ReadApplication",
            "edas:ConfigApplication"
          ],
          "Effect": "Allow",
          "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
        }
      ],
      "Version": "1"
    }
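The "Manage an application" policy above, like Example 1 and Example 2 under Cluster management, depends on a Deny statement overriding an Allow that uses a wildcard such as edas:*Application or application/*. The following Python example is added here and is not code from the page or from EDAS: it renders the page's policy template with constructed sample values for $regionid, $namespace and $applicationId and evaluates requests against it under the assumed rule that a matching Deny wins, a matching Allow grants, and anything matched by no statement is denied.

```python
import fnmatch
import json

# Constructed sample values for the page's $variables (not real EDAS IDs).
VARS = {"regionid": "cn-shanghai", "namespace": "ns-demo", "applicationId": "app-0001"}
ACCOUNT = "123456789012345"  # constructed placeholder account ID

# The page's "Manage an application" policy, kept as a template with $variables.
MANAGE_APP_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["edas:*Application"], "Effect": "Allow",
     "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]},
    {"Action": ["edas:DeleteApplication"], "Effect": "Deny",
     "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]},
    {"Action": ["edas:CreateApplication"], "Effect": "Deny",
     "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/*"]}
  ]
}"""


def render(template: str, variables: dict) -> dict:
    """Substitute $regionid, $namespace, ... into a policy template and parse it."""
    for name, value in variables.items():
        template = template.replace("$" + name, value)
    return json.loads(template)


def _matches(patterns, value):
    # A '*' in an Action or Resource pattern matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Assumed evaluation rule: a matching Deny always wins, otherwise a matching
    Allow grants the request, and a request matched by no statement is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def app_resource(app_id: str, account: str = ACCOUNT) -> str:
    """Resource string of one application in the sample region and namespace."""
    return f"acs:edas:{VARS['regionid']}:{account}:namespace/{VARS['namespace']}/application/{app_id}"


POLICY = render(MANAGE_APP_TEMPLATE, VARS)
```

Calling is_allowed(POLICY, "edas:DeleteApplication", app_resource("app-0001")) returns False because the Deny statement matches even though edas:*Application also matches, while the same call with edas:ReadApplication returns True.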

Permissions on multiple applications

  • Query applications: Allows a RAM user to query applications in a specified region.
    Note A region may contain one or more microservice namespaces. This permission allows a RAM user to query applications in all microservice namespaces in a specified region.
    {
        "Statement": [
          {
            "Action": [
              "edas:ReadApplication"
            ],
            "Effect": "Allow",
            "Resource": ["acs:edas:$regionid:*:namespace/*/application/*"]
          }
        ],
        "Version": "1"
    }
  • View applications: Allows a RAM user to view applications in a specified microservice namespace.
    {
        "Statement": [
          {
            "Action": [
              "edas:*Application",
              "edas:ReadCluster"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:edas:$regionid:*:namespace/$namespace/application/*",
              "acs:edas:$regionid:*:namespace/$namespace/cluster/*"
            ]
          }
        ],
        "Version": "1"
    }

Microservice management

The following scenarios describe the permissions that are required for managing microservices:

View microservices

Note To view all microservices, set the $applicationId variable to an asterisk (*) in the policy.
{
    "Statement": [
      {
        "Action": [
          "edas:ReadService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Test microservices

Note To test applications in all microservice namespaces, set the $namespace and $applicationId variables to an asterisk (*).
{
    "Statement": [
      {
        "Action": [
          "edas:TestService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Grant an application permissions on microservices

Note To grant all applications permissions on microservices, set the $applicationId variable to an asterisk (*).
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
        ]
      }
    ],
    "Version": "1"
}

Remove outlier instances

Notice The removal of an outlier instance affects applications in the microservice namespace. You can grant RAM users the permissions to remove outlier instances only in a specified microservice namespace.
{
    "Statement": [
      {
        "Action": [
          "edas:ManageService"
        ],
        "Effect": "Allow",
        "Resource": [
            "acs:edas:$regionid:*:namespace/$namespace"
        ]
      }
    ],
    "Version": "1"
}

Configuration management

EDAS is integrated with Application Configuration Management. For more information about Application Configuration Management-specific permissions, see Access control.

System management

Includes the permissions to manage RAM users, view resource usage, and view operation logs.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageSystem"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}
Note System permissions are not defined by specific resources. Therefore, set the Resource variable to acs:edas:*:*:* in the policy.

System O&M

Allows a RAM user to view operation logs, perform one or more O&M tasks at a time, and manage resource groups.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ManageOperation"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}

View operation logs

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["edas:ReadOperationLog"],
      "Resource": ["acs:edas:*:*:*"],
      "Effect": "Allow"
    }
  ]
}