Tablestore uses JSON-formatted authorization policies for fine-grained resource access control. Each policy defines the Action, Resource, and Condition elements and applies to instance policies, RAM policies, and control policies.
Authorization syntax
An authorization policy uses JSON format and consists of a version number (Version) and one or more authorization statements (Statement). Each statement contains the Effect, Action, Resource, and Condition elements.
Syntax structure
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ots:ActionName"],
            "Resource": ["acs:ots:region:account-id:instance-and-resource-path"],
            "Condition": {
                "ConditionOperator": {
                    "ConditionKey": ["ConditionValue"]
                }
            }
        }
    ]
}
Field description
| Field | Description | Required |
| --- | --- | --- |
| Version | The version number of the authorization policy. The value is fixed to 1. | Yes |
| Statement | The body of the authorization. You can configure one or more statements. | Yes |
| Effect | The authorization effect. Valid values: Allow and Deny. | Yes |
| Action | The operations to allow or deny. For more information, see Action. | Yes |
| Resource | The resources to authorize. For more information, see Resource. | Yes |
| Condition | The conditions under which the authorization takes effect. For more information, see Condition. | No |
Action
Action specifies the operations to allow or deny on a resource. Each action must be prefixed with ots:, and multiple actions are separated by commas (,). The asterisk (*) wildcard supports both prefix and suffix matching. Common action definitions:

A single API operation:
    "Action": "ots:GetRow"

Multiple API operations:
    "Action": [
        "ots:PutRow",
        "ots:GetRow"
    ]

All read-only API operations:
    "Action": [
        "ots:BatchGet*",
        "ots:Describe*",
        "ots:Get*",
        "ots:List*",
        "ots:Consume*",
        "ots:Search",
        "ots:ComputeSplitPointsBySize"
    ]

All read and write API operations:
    "Action": "ots:*"

All SQL API operations:
    "Action": "ots:SQL*"
Resource
Resource specifies the scope of accessible resources and consists of fields such as product, region, account ID, instance name, and table name. Each field supports the asterisk (*) wildcard for both prefix and suffix matching. The format is as follows:
acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]
The product is fixed to ots. [region] is the region ID where the resource resides, such as cn-hangzhou. [user_id] is the Alibaba Cloud account ID. [instance_name] and [table_name] are the instance and table names. Replace these placeholders with your actual values.
For Tunnel operations, the Resource can only be specified at the instance level. The format is as follows:
acs:ots:[region]:[user_id]:instance/[instance_name]
Usage notes
- Instance names in Tablestore are case-insensitive. Specify [instance_name] in lowercase in a Resource definition.
- Action and Resource are verified by string matching, and the asterisk (*) wildcard distinguishes between prefix and suffix matching. For example, a Resource definition of acs:ots:*:*:instance/abc does not match acs:ots:*:*:instance/abc/table/xyz.
- To manage instance resources in the Tablestore console, the console must obtain the instance list. Therefore, grant the user read permissions on the acs:ots:[region]:[user_id]:instance/* resource.
- For batch operation API operations (such as BatchGetRow and BatchWriteRow), Tablestore authorizes each accessed table separately. The operation runs only if all tables pass authorization. Otherwise, a permission error is returned.
Typical Resource definitions
- All resources of all accounts in all regions:
    "Resource": "acs:ots:*:*:*"
- All instances and their tables in account 123456 in the China (Hangzhou) region:
    "Resource": "acs:ots:cn-hangzhou:123456:instance*"
- The instance named abc and all its tables in account 123456 in the China (Hangzhou) region:
    "Resource": [
        "acs:ots:cn-hangzhou:123456:instance/abc",
        "acs:ots:cn-hangzhou:123456:instance/abc/table*"
    ]
- All instances whose names start with abc and all their tables:
    "Resource": "acs:ots:*:*:instance/abc*"
- All tables whose names start with xyz in all instances whose names start with abc (excluding the instance resource itself, which does not match acs:ots:*:*:instance/abc*/table/xyz*):
    "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"
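The matching rules above (whole-string comparison with a prefix/suffix asterisk wildcard, and per-table authorization for batch operations) are easy to get wrong when writing a policy by hand. The following added example, not part of the original documentation, is a small evaluator that applies those rules to a constructed policy so that a Resource definition can be checked before it is deployed. The Deny-overrides-Allow, default-deny evaluation order and the sample account/instance/table names are assumptions, and Condition elements are not evaluated.

```python
import json
import re

# Constructed sample policy (not from the page): read-only access to instance "abc"
# and its tables, the instance list the console needs, and a Deny on one table.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*"],
         "Resource": ["acs:ots:cn-hangzhou:123456:instance/abc",
                      "acs:ots:cn-hangzhou:123456:instance/abc/table*"]},
        {"Effect": "Allow", "Action": "ots:ListInstances",
         "Resource": "acs:ots:cn-hangzhou:123456:instance/*"},
        {"Effect": "Deny", "Action": "ots:*",
         "Resource": "acs:ots:cn-hangzhou:123456:instance/abc/table/secret"},
    ],
})


def wildcard_match(pattern, value):
    """Whole-string match in which '*' matches any run of characters (prefix or
    suffix) and everything else is literal, so 'instance/abc' does not match
    'instance/abc/table/xyz'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy_json, action, resources):
    """Evaluate one request. `resources` lists every resource the call touches
    (several tables for BatchGetRow/BatchWriteRow); each one must be authorized.
    Assumed order: an explicit Deny wins, otherwise an Allow is required,
    otherwise the request is denied by default."""
    statements = json.loads(policy_json)["Statement"]
    for resource in _as_list(resources):
        allowed = False
        for st in statements:
            if not any(wildcard_match(a, action) for a in _as_list(st["Action"])):
                continue
            if not any(wildcard_match(r, resource) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
        if not allowed:
            return False
    return True
```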
API types and resources
Tablestore API operations fall into two categories: instance management operations and table/data read-write operations. The resource configuration for each type is as follows:
Resources accessed by management API operations
Management API operations handle instance-level tasks and are called by both the console and OpenAPI. The resources below omit the acs:ots:[region]:[user_id]: prefix and show only the instance part.
| API operation | Action | Accessed resource |
| --- | --- | --- |
| CreateInstance | | instance/[instance_name] |
| UpdateInstance | | instance/[instance_name] |
| GetInstance | | instance/[instance_name] |
| DeleteInstance | | instance/[instance_name] |
| ListInstances | | instance/* |
| ChangeResourceGroup | | instance/[instance_name] |
| ListTagResources | | instance/* |
| TagResources | | instance/[instance_name] |
| UntagResources | | instance/[instance_name] |
| UpdateInstancePolicy | | instance/[instance_name] |
| DeleteInstancePolicy | | instance/[instance_name] |
| CheckInstancePolicy | | instance/[instance_name] |
| UpdateInstanceElasticVCUUpperLimit | | instance/[instance_name] |
Resources accessed by data API operations
Data API operations handle table-level and row-level tasks and are called by both the console and SDKs. The Action and Resource definitions affect the console user experience. The resources below omit the acs:ots:[region]:[user_id]: prefix and show only the instance and table parts.
| API operation | Action | Accessed resource |
| --- | --- | --- |
| ListTable | | instance/[instance_name]/table* |
| CreateTable | | instance/[instance_name]/table/[table_name] |
| UpdateTable | | instance/[instance_name]/table/[table_name] |
| DescribeTable | | instance/[instance_name]/table/[table_name] |
| DeleteTable | | instance/[instance_name]/table/[table_name] |
| CreateGlobalTable | | instance/[instance_name]/table/[table_name] |
| DescribeGlobalTable | | instance/[instance_name]/table/[table_name] |
| UpdateGlobalTable | | instance/[instance_name]/table/[table_name] |
| BindGlobalTable | | instance/[instance_name]/table/[table_name] |
| UnbindGlobalTable | | instance/[instance_name]/table/[table_name] |
| AddDefinedColumn | | instance/[instance_name]/table/[table_name] |
| DeleteDefinedColumn | | instance/[instance_name]/table/[table_name] |
| GetRow | | instance/[instance_name]/table/[table_name] |
| PutRow | | instance/[instance_name]/table/[table_name] |
| UpdateRow | | instance/[instance_name]/table/[table_name] |
| DeleteRow | | instance/[instance_name]/table/[table_name] |
| GetRange | | instance/[instance_name]/table/[table_name] |
| BatchGetRow | | instance/[instance_name]/table/[table_name] |
| BatchWriteRow | | instance/[instance_name]/table/[table_name] |
| ComputeSplitPointsBySize | | instance/[instance_name]/table/[table_name] |
| StartLocalTransaction | | instance/[instance_name]/table/[table_name] |
| CommitTransaction | | instance/[instance_name]/table/[table_name] |
| AbortTransaction | | instance/[instance_name]/table/[table_name] |
| CreateIndex | | instance/[instance_name]/table/[table_name] |
| DropIndex | | instance/[instance_name]/table/[table_name] |
| CreateSearchIndex | | instance/[instance_name]/table/[table_name] |
| UpdateSearchIndex | | instance/[instance_name]/table/[table_name] |
| DeleteSearchIndex | | instance/[instance_name]/table/[table_name] |
| ListSearchIndex | | instance/[instance_name]/table/[table_name] |
| DescribeSearchIndex | | instance/[instance_name]/table/[table_name] |
| Search | | instance/[instance_name]/table/[table_name] |
| ComputeSplits | | instance/[instance_name]/table/[table_name] |
| ParallelScan | | instance/[instance_name]/table/[table_name] |
| CreateTunnel | | instance/[instance_name]/table/[table_name] |
| DeleteTunnel | | instance/[instance_name]/table/[table_name] |
| ListTunnel | | instance/[instance_name]/table/[table_name] |
| ConsumeTunnel | | instance/[instance_name]/table/[table_name] |
| DescribeTunnel | | instance/[instance_name]/table/[table_name] |
| BulkImport | | instance/[instance_name]/table/[table_name] |
| BulkExport | | instance/[instance_name]/table/[table_name] |
| SQL_Select | | instance/[instance_name]/table/[table_name] |
| SQL_Create | | instance/[instance_name]/table/[table_name] |
| SQL_DropMapping | | instance/[instance_name]/table/[table_name] |
Condition
Condition specifies the constraints under which the authorization takes effect. It consists of a condition operator, a condition key, and a condition value.
Condition operators
A condition operator defines how a condition key is compared with a condition value. Supported types include String, Number, Date and time, Boolean, and IP address. For the complete list, see Conditional operators.
Condition keys
The following table lists the custom and common condition keys that Tablestore supports.
| Type | Condition key | Description |
| --- | --- | --- |
| Tablestore custom conditions | | Applies to the CreateTable and UpdateTable operations. Specifies whether to allow only the creation or update of encrypted tables. The value type is String. Valid values: true and false. Configuration example: |
| Tablestore custom conditions | | Specifies whether to allow only access from a trusted proxy. Access from the console uses a trusted proxy. The value type is String. Valid values: true and false. Configuration example: |
| Tablestore custom conditions | | Applies to the CreateInstance and UpdateInstance operations. Specifies whether to allow only the creation of instances that cannot be accessed over the Internet. The value type is String. Valid values: true and false. Configuration example: |
| Tablestore custom conditions | | Sets the allowed client TLS versions. This also restricts access to the HTTPS protocol only. The value type is String. Valid values: TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. A single condition supports multiple TLS versions. When multiple TLS versions are configured, a client can access Tablestore successfully by using any of the configured TLS versions. |
| Tablestore custom conditions | | Restricts the AccessKey ID (AK) of the request source. The value type is String. To specify multiple AccessKey IDs, enter one AccessKey ID per line. |
| Common conditions | | Restricts the source IP address or CIDR block of the access. The value type is String. Valid values: IPv4 or IPv6 IP addresses and CIDR blocks. A single condition supports multiple IP addresses or CIDR blocks. Important: In an instance policy, if you configure |
| Common conditions | | Restricts the source VPC of the access. The value type is String. Valid values: the source VPC ID and |
| Common conditions | | Restricts the request protocol, specifically whether access uses secure transport (HTTPS). The value type is Bool. Valid values: If |
| Common conditions | | Restricts the time when a request arrives at the Tablestore server. The value type is Date and time, in ISO 8601 format, for example, |
| Common conditions | | Restricts whether access uses multi-factor authentication (MFA). The value type is Bool. Valid values: true and false. |