Tablestore:Custom RAM policy

Last Updated:Apr 18, 2026

This topic describes the definitions of and scenarios for Action, Resource, and Condition in a Resource Access Management (RAM) policy.

Action definition

An Action is the name of an API operation. You can use Action to allow or deny user access to specific API operations.

When you create an authorization policy for Tablestore, you must add the ots: prefix to each Action. You can separate multiple Actions with commas (,). You can also use the asterisk (*) wildcard character for prefix and suffix matching.

The following examples show typical Action definitions:

A single API

"Action": "ots:GetRow"                    

Multiple APIs

"Action": [
  "ots:PutRow",
  "ots:GetRow"
]

All read-only APIs

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ots:BatchGet*",
        "ots:Describe*",
        "ots:Get*",
        "ots:List*",
        "ots:Consume*",
        "ots:Search",
        "ots:ComputeSplitPointsBySize"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}                

All read and write APIs

"Action": "ots:*"               

All SQL operation APIs

"Action": "ots:SQL*"

Resource definition

A Tablestore resource consists of multiple fields: product, region, user ID, instance name, and table name. You can use the Resource element to specify the Tablestore resources that a user can access. Each field supports the asterisk (*) wildcard character for prefix and suffix matching. The format of a Resource is as follows:

acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]            

The product is fixed to ots. Set [region] to the ID of the region where the resource is located, such as cn-hangzhou. Set [user_id] to your Alibaba Cloud account ID. Set [instance_name] to the Tablestore instance name. Set [table_name] to the Tablestore table name. You can configure these fields as required.

Note

Tablestore instance names are not case-sensitive. In the Resource definition, you must use lowercase for [instance_name].

The Resource definition for a tunnel can be specified only at the instance level. This means a tunnel resource consists of the product, region, user ID, and instance name. The format of the Resource is as follows:

acs:ots:[region]:[user_id]:instance/[instance_name]                         

Typical Resource definitions

  • All resources of all users in all regions

    "Resource": "acs:ots:*:*:*"
  • All instances and their tables for user 123456 in the China (Hangzhou) region

    "Resource": "acs:ots:cn-hangzhou:123456:instance*"
  • The instance named abc and all its tables for user 123456 in the China (Hangzhou) region

    "Resource": [
      "acs:ots:cn-hangzhou:123456:instance/abc",
      "acs:ots:cn-hangzhou:123456:instance/abc/table*"
    ]
  • All instances whose names start with abc and all their tables

    "Resource": "acs:ots:*:*:instance/abc*"
  • All tables whose names start with xyz in all instances whose names start with abc. This pattern does not cover the instance resources themselves: it does not match acs:ots:*:*:instance/abc*.

    "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"
  • All instances whose names end with abc and all their tables whose names end with xyz

    "Resource": [
      "acs:ots:*:*:instance/*abc",
      "acs:ots:*:*:instance/*abc/table/*xyz"
    ]

Notes

  • In a RAM policy, Action and Resource are matched as strings. The asterisk (*) wildcard character is used for prefix and suffix matching; a pattern without a wildcard must match the whole string, and a wildcard is never implied. For example, if you define a Resource as acs:ots:*:*:instance/*/, it does not match acs:ots:*:*:instance/abc. If you define a Resource as acs:ots:*:*:instance/abc, it does not match acs:ots:*:*:instance/abc/table/xyz.

  • When you log on to the Tablestore console to manage instance resources, the Tablestore console needs to retrieve a list of instances. Therefore, you must grant the user read permissions on acs:ots:[region]:[user_id]:instance/* resources.

  • For batch operation APIs, such as BatchGetRow and BatchWriteRow, the backend service authenticates each table separately. The operation can be executed only if all tables pass authentication. Otherwise, a permission error is returned.
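The matching rules in the notes above are easy to get wrong when writing a policy by hand. The following Python script is an added example, not Tablestore's or RAM's own evaluator: it applies the Action and Resource string-matching rules to a request and checks the batch rule that every table must pass. It assumes that `*` stands for any run of characters (including `:` and `/`) and that everything else must match literally, that an explicit Deny beats an Allow, and that a request with several resources is allowed only if every one of them is allowed. The `READ_ONLY` policy is the one from this page; `ABC_ONLY` and `NO_DELETE` are constructed for the example.

```python
"""Added example (not Tablestore's or RAM's own code): evaluates the Action and
Resource string-matching rules of a RAM policy against a request.

Labelled assumptions: '*' matches any run of characters (':' and '/' included);
everything else is compared literally; an explicit Deny beats an Allow; a
request that touches several resources (batch APIs) passes only if every
resource passes."""
from typing import Iterable, List, Union


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, '*' being the only wildcard.
    No prefix match is implied: 'instance/abc' does not match
    'instance/abc/table/xyz', and 'instance/*/' does not match 'instance/abc'."""
    parts = pattern.split("*")
    if len(parts) == 1:                      # no wildcard: whole-string equality
        return pattern == value
    head, *middle, tail = parts
    if not (value.startswith(head) and value.endswith(tail)):
        return False
    if len(value) < len(head) + len(tail):   # head and tail must not overlap
        return False
    pos, end = len(head), len(value) - len(tail)
    for piece in middle:                     # literal pieces between '*'s, in order
        idx = value.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return v if isinstance(v, list) else [v]


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when one of its Action patterns and one of its
    Resource patterns both match."""
    return (any(wildcard_match(p, action) for p in _as_list(stmt["Action"]))
            and any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"])))


def is_allowed(policy: dict, action: str, resources: Iterable[str]) -> bool:
    """Every resource must be matched by an Allow statement and by no Deny
    statement; one failing table fails the whole (batch) operation."""
    for resource in resources:
        allowed = denied = False
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
        if denied or not allowed:
            return False
    return True


# The read-only policy shown on this page, as a Python dict.
READ_ONLY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*",
                   "ots:Consume*", "ots:Search", "ots:ComputeSplitPointsBySize"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Constructed: full access to instance 'abc' of account 123456 in cn-hangzhou only.
ABC_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ots:*",
        "Resource": ["acs:ots:cn-hangzhou:123456:instance/abc",
                     "acs:ots:cn-hangzhou:123456:instance/abc/table*"],
    }],
}

# Constructed: allow everything, but deny Delete* on the tables of instance 'abc'.
NO_DELETE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ots:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ots:Delete*",
         "Resource": "acs:ots:*:*:instance/abc/table*"},
    ],
}

if __name__ == "__main__":
    t1 = "acs:ots:cn-hangzhou:123456:instance/abc/table/t1"
    other = "acs:ots:cn-hangzhou:123456:instance/xyz/table/t1"
    print(is_allowed(READ_ONLY, "ots:GetRow", [t1]))            # True
    print(is_allowed(READ_ONLY, "ots:PutRow", [t1]))            # False
    print(is_allowed(ABC_ONLY, "ots:BatchGetRow", [t1, other]))  # False: one table fails
    print(is_allowed(NO_DELETE, "ots:DeleteRow", [t1]))         # False: Deny wins
```

The `BatchGetRow` call with two tables shows the batch rule from the last note: the first table is covered by `ABC_ONLY`, the second is not, so the whole request is refused rather than partially served.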

Tablestore API types

Currently, Tablestore provides instance management APIs, table and data read/write APIs, and Tunnel (real-time channel) management and read/write APIs. The following tables describe the resource accessed by each type of API.

Resources accessed by management APIs

Management APIs are used primarily for instance-related operations and are called by the console and OpenAPI. The following resource definitions omit the acs:ots:[region]:[user_id]: prefix and show only the instance part.

API name                            Action                                  Accessed resource
CreateInstance                      ots:InsertInstance                      instance/[instance_name]
UpdateInstance                      ots:UpdateInstance                      instance/[instance_name]
GetInstance                         ots:GetInstance                         instance/[instance_name]
DeleteInstance                      ots:DeleteInstance                      instance/[instance_name]
ListInstances                       ots:ListInstance                        instance/*
ChangeResourceGroup                 ots:UpdateInstance                      instance/[instance_name]
ListTagResources                    ots:ListTagResourcesCustomTags          instance/*
TagResources                        ots:TagResourcesCustomTags              instance/[instance_name]
UntagResources                      ots:UntagResourcesCustomTags            instance/[instance_name]
UpdateInstancePolicy                ots:UpdateInstancePolicy                instance/[instance_name]
DeleteInstancePolicy                ots:DeleteInstancePolicy                instance/[instance_name]
CheckInstancePolicy                 ots:CheckInstancePolicy                 instance/[instance_name]
UpdateInstanceElasticVCUUpperLimit  ots:UpdateInstanceElasticVCUUpperLimit  instance/[instance_name]

Resources accessed by data APIs

Data APIs are used primarily for table- and row-related operations and are called by the console and software development kits (SDKs). The Action and Resource definitions for these APIs affect how users use the console. The following resource definitions omit the acs:ots:[region]:[user_id]: prefix and show only the instance and table parts.

API name                  Action                        Accessed resource
ListTable                 ots:ListTable                 instance/[instance_name]/table*
CreateTable               ots:CreateTable               instance/[instance_name]/table/[table_name]
UpdateTable               ots:UpdateTable               instance/[instance_name]/table/[table_name]
DescribeTable             ots:DescribeTable             instance/[instance_name]/table/[table_name]
DeleteTable               ots:DeleteTable               instance/[instance_name]/table/[table_name]
CreateGlobalTable         ots:CreateGlobalTable         instance/[instance_name]/table/[table_name]
                          ots:UpdateTable
                          ots:CreateTunnel
                          ots:DescribeTunnel
                          ots:ListTunnel
                          ots:TunnelReadRecords
                          ots:BatchWriteRow
DescribeGlobalTable       ots:DescribeGlobalTable       instance/[instance_name]/table/[table_name]
UpdateGlobalTable         ots:UpdateGlobalTable         instance/[instance_name]/table/[table_name]
                          ots:UpdateTable
                          ots:CreateTunnel
                          ots:DescribeTunnel
                          ots:ListTunnel
                          ots:TunnelReadRecords
                          ots:BatchWriteRow
BindGlobalTable           ots:BindGlobalTable           instance/[instance_name]/table/[table_name]
                          ots:UpdateTable
                          ots:CreateTunnel
                          ots:DescribeTunnel
                          ots:ListTunnel
                          ots:TunnelReadRecords
                          ots:BatchWriteRow
UnbindGlobalTable         ots:UnbindGlobalTable         instance/[instance_name]/table/[table_name]
                          ots:UpdateTable
                          ots:DeleteTunnel
AddDefinedColumn          ots:AddDefinedColumn          instance/[instance_name]/table/[table_name]
DeleteDefinedColumn       ots:DeleteDefinedColumn       instance/[instance_name]/table/[table_name]
GetRow                    ots:GetRow                    instance/[instance_name]/table/[table_name]
PutRow                    ots:PutRow                    instance/[instance_name]/table/[table_name]
UpdateRow                 ots:UpdateRow                 instance/[instance_name]/table/[table_name]
DeleteRow                 ots:DeleteRow                 instance/[instance_name]/table/[table_name]
GetRange                  ots:GetRange                  instance/[instance_name]/table/[table_name]
BatchGetRow               ots:BatchGetRow               instance/[instance_name]/table/[table_name]
BatchWriteRow             ots:BatchWriteRow             instance/[instance_name]/table/[table_name]
ComputeSplitPointsBySize  ots:ComputeSplitPointsBySize  instance/[instance_name]/table/[table_name]
StartLocalTransaction     ots:StartLocalTransaction     instance/[instance_name]/table/[table_name]
CommitTransaction         ots:CommitTransaction         instance/[instance_name]/table/[table_name]
AbortTransaction          ots:AbortTransaction          instance/[instance_name]/table/[table_name]
CreateIndex               ots:CreateIndex               instance/[instance_name]/table/[table_name]
DropIndex                 ots:DropIndex                 instance/[instance_name]/table/[table_name]
CreateSearchIndex         ots:CreateSearchIndex         instance/[instance_name]/table/[table_name]
UpdateSearchIndex         ots:UpdateSearchIndex         instance/[instance_name]/table/[table_name]
DeleteSearchIndex         ots:DeleteSearchIndex         instance/[instance_name]/table/[table_name]
ListSearchIndex           ots:ListSearchIndex           instance/[instance_name]/table/[table_name]
DescribeSearchIndex       ots:DescribeSearchIndex       instance/[instance_name]/table/[table_name]
Search                    ots:Search                    instance/[instance_name]/table/[table_name]
ComputeSplits             ots:ComputeSplits             instance/[instance_name]/table/[table_name]
ParallelScan              ots:ParallelScan              instance/[instance_name]/table/[table_name]
CreateTunnel              ots:CreateTunnel              instance/[instance_name]/table/[table_name]
DeleteTunnel              ots:DeleteTunnel              instance/[instance_name]/table/[table_name]
ListTunnel                ots:ListTunnel                instance/[instance_name]/table/[table_name]
ConsumeTunnel             ots:ConsumeTunnel             instance/[instance_name]/table/[table_name]
DescribeTunnel            ots:DescribeTunnel            instance/[instance_name]/table/[table_name]
BulkImport                ots:BulkImport                instance/[instance_name]/table/[table_name]
BulkExport                ots:BulkExport                instance/[instance_name]/table/[table_name]
SQL_Select                ots:SQL_Select                instance/[instance_name]/table/[table_name]
SQL_Create                ots:SQL_Create                instance/[instance_name]/table/[table_name]
SQL_DropMapping           ots:SQL_DropMapping           instance/[instance_name]/table/[table_name]

Resources accessed by Tunnel APIs

Tunnel APIs are used primarily for channel-related operations and are called by the console and SDKs. The Action and Resource definitions for these APIs affect how users use the console. Because a tunnel resource is defined at the instance level, the following resource definitions omit the acs:ots:[region]:[user_id]: prefix and show only the instance part.

API name/Action           Accessed resource
ListTable                 instance/[instance_name]
CreateTable               instance/[instance_name]
UpdateTable               instance/[instance_name]
DescribeTable             instance/[instance_name]
DeleteTable               instance/[instance_name]
AddDefinedColumn          instance/[instance_name]
DeleteDefinedColumn       instance/[instance_name]
GetRow                    instance/[instance_name]
PutRow                    instance/[instance_name]
UpdateRow                 instance/[instance_name]
DeleteRow                 instance/[instance_name]
GetRange                  instance/[instance_name]
BatchGetRow               instance/[instance_name]
BatchWriteRow             instance/[instance_name]
ComputeSplitPointsBySize  instance/[instance_name]
StartLocalTransaction     instance/[instance_name]
CommitTransaction         instance/[instance_name]
AbortTransaction          instance/[instance_name]
CreateIndex               instance/[instance_name]
DropIndex                 instance/[instance_name]
CreateSearchIndex         instance/[instance_name]
DeleteSearchIndex         instance/[instance_name]
ListSearchIndex           instance/[instance_name]
DescribeSearchIndex       instance/[instance_name]
Search                    instance/[instance_name]
CreateTunnel              instance/[instance_name]
DeleteTunnel              instance/[instance_name]
ListTunnel                instance/[instance_name]
DescribeTunnel            instance/[instance_name]
ConsumeTunnel             instance/[instance_name]

Condition definition

You can use the Condition element to configure scenario-based policies for user access. Tablestore supports multiple authentication conditions in policies, such as restricting access based on the source IP address, use of HTTPS, use of multi-factor authentication (MFA), use of TLSv1.2 and TLSv1.3, and access time.

IP address restriction

You can restrict the source IP addresses that can access Tablestore by configuring a whitelist. You can also filter by CIDR block. The following examples show typical configurations:

  • Restrict multiple IP addresses.

    The following example allows access only from requests with the source IP address 10.10.XX.XX or 10.11.XX.XX.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "10.10.XX.XX",
                            "10.11.XX.XX"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
  • Restrict a single IP address and a CIDR block.

    The following example allows access only from requests with the source IP address 10.10.XX.XX or from the 10.10.XX.XX/24 CIDR block.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "10.10.XX.XX",
                            "10.10.XX.XX/24"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

HTTPS access restriction

You can use a custom policy to restrict access to Tablestore through HTTPS.

The following example requires that requests to access Tablestore must be sent over HTTPS.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ots:*",
            "Resource": "acs:ots:*:*:*",
            "Condition": {
                "Bool": {
                    "acs:SecureTransport": "true"
                }
            }
        }
    ],
    "Version": "1"
}                    

TLS version restriction

You can use a custom policy to restrict access to Tablestore through TLSv1.2 and TLSv1.3.

The following example requires that requests to access Tablestore must be sent over TLSv1.2 or TLSv1.3.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ots:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                  "ots:TLSVersion": [
                    "TLSv1.2",
                    "TLSv1.3"
                  ]
                }
            }
        }
    ]
}

MFA access restriction

You can use a custom policy to restrict access to Tablestore through MFA.

The following example requires that requests to access Tablestore must be authenticated by MFA.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ots:*",
            "Resource": "acs:ots:*:*:*",
            "Condition": {
                "Bool": {
                    "acs:MFAPresent": "true"
                }
            }
        }
    ],
    "Version": "1"
}                    
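Two rules stated on this page are easy to violate silently: [instance_name] in a Resource must be lowercase (see the note under "Resource definition"), and the policy document must be valid JSON with exactly the condition keys RAM knows; a key such as "acs:MFAPresent " with a trailing space is simply an unknown key, not acs:MFAPresent, and a trailing comma in an Action array is not JSON. The following Python script is an added example, not an Alibaba Cloud tool, that checks a policy document for these mistakes before it is pasted into the console. It assumes that the instance name is the segment between instance/ and the next /, and that an Action must carry a service prefix such as ots: (the cms: prefix used later on this page also passes). The sample documents are constructed for the example.

```python
"""Added example (not an Alibaba Cloud tool): a pre-submission check for RAM
policy documents, covering the mistakes this page's rules make costly.

Labelled assumptions: the [instance_name] is the segment between 'instance/'
and the next '/'; an Action needs a service prefix (ots:, cms:, ...); JSON is
parsed strictly, so a trailing comma is reported as invalid JSON."""
import json
import re
from typing import List

# Captures the instance segment of acs:ots:[region]:[user_id]:instance/<name>...
INSTANCE_RE = re.compile(r"^acs:ots:[^:]*:[^:]*:instance/([^/]*)")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(text: str) -> List[str]:
    """Return the findings for one policy document; an empty list means clean."""
    try:
        policy = json.loads(text)          # strict JSON: trailing commas fail here
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    findings: List[str] = []
    if "Version" not in policy:
        findings.append("missing Version")
    for i, stmt in enumerate(policy.get("Statement", []), start=1):
        for action in _as_list(stmt.get("Action", [])):
            if ":" not in action:
                findings.append(f"statement {i}: action {action!r} has no service prefix such as ots:")
        for resource in _as_list(stmt.get("Resource", [])):
            m = INSTANCE_RE.match(resource)
            if m and m.group(1) != m.group(1).lower():
                findings.append(f"statement {i}: instance name {m.group(1)!r} must be lowercase")
        for operator, pairs in stmt.get("Condition", {}).items():
            for key in pairs:
                if key != key.strip():
                    findings.append(f"statement {i}: condition key {key!r} has surrounding whitespace")
    return findings


# Constructed sample documents.
GOOD_POLICY = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ots:*",
        "Resource": ["acs:ots:cn-beijing:*:instance/online*/table*", "acs:ots:*:*:*"],
        "Condition": {"Bool": {"acs:SecureTransport": "true"}}
    }]
}"""

BAD_COMMA = """{
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": ["ots:*",], "Resource": ["*"]}]
}"""

BAD_KEYS = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:*", "GetRow"],
        "Resource": "acs:ots:*:*:instance/MyInstance",
        "Condition": {"Bool": {"acs:MFAPresent ": "true"}}
    }]
}"""

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("comma", BAD_COMMA), ("keys", BAD_KEYS)]:
        print(name, lint_policy(doc))
```

Run it over every policy document kept in source control; a non-empty result is a finding to fix before the policy is attached to a user, because RAM will accept the lowercase mismatch or the whitespace key without complaint and the policy will simply not match what you intended.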

Access time restriction

You can use a custom policy to restrict access based on the time of a request. This lets you deny requests made after a specific point in time.

The following example allows a user to access Tablestore before 00:00:00 on January 1, 2016 (UTC+8). After this time, access is denied.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ots:*",
            "Resource": "acs:ots:*:*:*",
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                }
            }
        }
    ],
    "Version": "1"
}                    
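To see how the Condition element decides a request, the following Python script is an added example, not RAM's own evaluator: it checks a statement's Condition against a request context using the operators that appear in this section (IpAddress with an address or a CIDR block, Bool, DateLessThan, StringNotEquals) and combines the statements of a policy. Action and Resource matching is deliberately left out. It assumes that the context maps condition keys (acs:SourceIp, acs:SecureTransport, acs:MFAPresent, acs:CurrentTime, ots:TLSVersion) to the request's values, that a key missing from the context fails the condition, that a statement without a Condition always applies, that an explicit Deny beats an Allow, and that a request no statement matches is denied. HTTPS_ONLY and TLS_DENY are the policies from this page; the IP addresses and the COMBINED policy are constructed.

```python
"""Added example (not RAM's own code): evaluates the Condition element of RAM
policy statements against a request context.

Labelled assumptions: a condition key absent from the context fails; a
statement without a Condition always applies; Deny beats Allow; no match means
the request is denied ('NoMatch')."""
import ipaddress
from datetime import datetime
from typing import Callable, Dict, List


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ip_match(actual: str, expected: List[str]) -> bool:
    # A bare address such as 10.10.1.2 is the /32 network, so one check covers both forms.
    ip = ipaddress.ip_address(actual)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in expected)


def _date_less_than(actual: str, expected: List[str]) -> bool:
    # ISO 8601 with offset, e.g. 2016-01-01T00:00:00+08:00; aware datetimes compare across zones.
    now = datetime.fromisoformat(actual)
    return all(now < datetime.fromisoformat(e) for e in expected)


OPERATORS: Dict[str, Callable[[str, List[str]], bool]] = {
    "IpAddress": _ip_match,
    "Bool": lambda actual, expected: str(actual).lower() in [str(e).lower() for e in expected],
    "StringEquals": lambda actual, expected: actual in expected,
    "StringNotEquals": lambda actual, expected: actual not in expected,
    "DateLessThan": _date_less_than,
}


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator and every key in the Condition must hold (AND). Values listed
    under one key are alternatives (OR) for IpAddress/Bool/StringEquals; for
    StringNotEquals and DateLessThan every listed value must hold."""
    for operator, pairs in condition.items():
        check = OPERATORS[operator]
        for key, expected in pairs.items():
            if key not in context or not check(context[key], _as_list(expected)):
                return False
    return True


def evaluate(policy: dict, context: dict) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch' (implicit deny) for the request context."""
    effects = {stmt["Effect"] for stmt in policy["Statement"]
               if condition_matches(stmt.get("Condition", {}), context)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "NoMatch"


# Policies from this page.
HTTPS_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*",
    "Condition": {"Bool": {"acs:SecureTransport": "true"}}}]}

TLS_DENY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["ots:*"], "Resource": ["*"],
    "Condition": {"StringNotEquals": {"ots:TLSVersion": ["TLSv1.2", "TLSv1.3"]}}}]}

# Constructed: the three-condition shape of Scenario 1 with a constructed CIDR block.
COMBINED = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*",
    "Condition": {
        "IpAddress": {"acs:SourceIp": ["10.10.1.0/24"]},
        "DateLessThan": {"acs:CurrentTime": "2016-01-01T00:00:00+08:00"},
        "Bool": {"acs:SecureTransport": "true"}}}]}

if __name__ == "__main__":
    print(evaluate(TLS_DENY, {"ots:TLSVersion": "TLSv1.0"}))   # Deny
    print(evaluate(TLS_DENY, {"ots:TLSVersion": "TLSv1.2"}))   # NoMatch: a Deny-only policy grants nothing
    print(evaluate(COMBINED, {"acs:SourceIp": "10.10.1.77", "acs:SecureTransport": "true",
                              "acs:CurrentTime": "2015-12-31T23:59:59+08:00"}))  # Allow
```

The TLS case is worth noting: the page's TLS policy contains only a Deny statement, so on its own it produces `NoMatch` for a TLSv1.2 request. It must be attached together with an Allow policy to grant anything; its job is to veto the old protocol versions.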

Common scenarios

This section describes how to define policies and grant permissions for common scenarios by combining Action, Resource, and Condition definitions. Examples include configuring an IP address whitelist, region- and resource-based access permissions, access time periods, and access methods.

Scenario 1: Multiple authorization conditions

Allow users from the 10.10.XX.XX/24 CIDR block to perform read or write operations on the instances named online-01 and online-02, including all tables in the instances. Access is allowed only before 2016-01-01 00:00:00 and must be through HTTPS.

  1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account. By default, the RAM service is activated.

  2. Create a policy.

    1. In the navigation pane on the left, choose Permission Management > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the Script Editor tab. Enter the following content in the policy document and then click OK.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ots:*",
                  "Resource": [
                      "acs:ots:*:*:instance/online-01",
                      "acs:ots:*:*:instance/online-01/table*",
                      "acs:ots:*:*:instance/online-02",
                      "acs:ots:*:*:instance/online-02/table*"
                  ],
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "10.10.XX.XX/24"
                          ]
                      },
                      "DateLessThan": {
                          "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                      },
                      "Bool": {
                          "acs:SecureTransport": "true"
                      }
                  }
              }
          ],
          "Version": "1"
      }
    4. In the Create Policy dialog box, enter a policy name and a description and then click OK.

  3. Grant the policy to a RAM user.

    1. In the navigation pane on the left, choose Identities > Users.

    2. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, set the permission type to Custom Policy. Search for the policy that you created and select the check box next to it. The policy is added to the Selected section.

    4. Click OK.

    5. Click Close.

Scenario 2: Deny requests

For users with the source IP address 10.10.XX.XX, deny write operations on all tables in instances whose names start with online or product in the China (Beijing) region. This does not include operations on the instances.

  1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account. By default, the RAM service is activated.

  2. Create a policy.

    1. In the navigation pane on the left, choose Permission Management > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the Script Editor tab. Enter the following content in the policy document and then click OK.

      {
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "ots:Create*",
                      "ots:Insert*",
                      "ots:Put*",
                      "ots:Update*",
                      "ots:Delete*",
                      "ots:BatchWrite*"
                  ],
                  "Resource": [
                      "acs:ots:cn-beijing:*:instance/online*/table*",
                      "acs:ots:cn-beijing:*:instance/product*/table*"
                  ],
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "10.10.XX.XX"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }                 
    4. In the Create Policy dialog box, enter a policy name and a description and then click OK.

  3. Grant the policy to a RAM user.

    1. In the navigation pane on the left, choose Identities > Users.

    2. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, set the permission type to Custom Policy. Search for the policy that you created and select the check box next to it. The policy is added to the Selected section.

    4. Click Confirm New Authorization.

    5. Click Close.

Scenario 3: Restrict a RAM user to manage specified instances

Allow a RAM user to manage only specified instances, without granting permissions to view or manage other instances.

  1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account. By default, the RAM service is activated.

  2. Create a policy.

    1. In the navigation pane on the left, choose Permission Management > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the Script Editor tab.

    4. Enter the following policy document and then click OK.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ots:ListInstance",
              "ots:ListTagResources"
            ],
            "Resource": "acs:ots:*:*:instance/*"
          },
          {
            "Effect": "Allow",
            "Action": "ots:*",
            "Resource": [
              "acs:ots:*:*:instance/yourInstance",
              "acs:ots:*:*:instance/yourInstance/table*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": "cms:Query*",
            "Resource": "*"
          }
        ]
      }

      The policy contains three statements:

      1. Instance list and tag list:

         {
           "Effect": "Allow",
           "Action": [
             "ots:ListInstance",
             "ots:ListTagResources"
           ],
           "Resource": "acs:ots:*:*:instance/*"
         }

         Important: This statement is required to restrict a RAM user to managing specified instances in the console. The Overview page in the Tablestore console needs to request the instance list and tag list. Therefore, grant the RAM user permissions to get the instance list and tag list.

      2. Full access to the specified instance:

         {
           "Effect": "Allow",
           "Action": "ots:*",
           "Resource": [
             "acs:ots:*:*:instance/yourInstance",
             "acs:ots:*:*:instance/yourInstance/table*"
           ]
         }

         Grants the RAM user all permissions on the yourInstance instance and its data tables.

      3. Monitoring data:

         {
           "Effect": "Allow",
           "Action": "cms:Query*",
           "Resource": "*"
         }

         Grants the RAM user permissions on Cloud Monitor to view monitoring data for instances and tables.

  3. In the Create Policy dialog box, enter a policy name and a description and then click OK.

  4. Grant the policy to a RAM user.

    1. In the navigation pane on the left, choose Identities > Users.

    2. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, set the permission type to Custom Policy. Search for the policy that you created and select the corresponding check box. The policy is then added to the Selected section.

    4. Click OK.

    5. Click Close.