This topic describes the Action, Resource, and Condition parameters and the scenarios for which the parameters are suitable.

Action

The Action parameter defines the specific API operation or operations to allow or deny. When you create an authorization policy for Tablestore, add the ots: prefix to each API operation and separate multiple API operations with commas (,). When you configure the Action parameter, you can use the wildcard character (*) for prefix matching and suffix matching.

You can use the Action parameter for the following operations:

  • Single API operation
    "Action": "ots:GetRow"                    
  • Multiple API operations
    "Action": [
    "ots:PutRow",
    "ots:GetRow"
    ]                  
  • All read-only API operations
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ots:BatchGet*",
            "ots:Describe*",
            "ots:Get*",
            "ots:List*",
            "ots:Consume*",
            "ots:Search",
            "ots:ComputeSplitPointsBySize"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }                
  • All read and write API operations
    "Action": "ots:*"               
  • All SQL API operations (SQL_Select, SQL_Create, and SQL_DropMapping)
    "Action": "ots:SQL*"

Resource

The Resource parameter in Tablestore consists of multiple fields including the service, region, user_id, instance_name, and table_name. Each field supports the wildcard character (*) for prefix matching and suffix matching. You can configure the Resource parameter based on the following format:

acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]            
The fields that are enclosed in brackets are variables. You must set the service field to ots. The value of the region field specifies the region ID, such as cn-hangzhou. The value of the user_id field specifies the ID of your Alibaba Cloud account.
Note The names of Tablestore instances are not case-sensitive. The value of the instance_name field in the Resource parameter must be specified in lower case.
The Resource parameter in Tunnel Service is defined by instance rather than table and includes fields such as the service, region, user_id, and instance_name. You can configure the Resource parameter in Tunnel Service based on the following format:
acs:ots:[region]:[user_id]:instance/[instance_name]                         

Resource has the following definitions:

  • All resources of users in all regions
    "Resource": "acs:ots:*:*:*"                    
  • All instances and their tables of User 123456 in the China (Hangzhou) region
    "Resource": "acs:ots:cn-hangzhou:123456:instance/*"                  
  • Instance abc and its tables of User 123456 in the China (Hangzhou) region
    "Resource": [
    "acs:ots:cn-hangzhou:123456:instance/abc",
    "acs:ots:cn-hangzhou:123456:instance/abc/table/*"
    ]                   
  • All instances whose names contain the prefix abc and their tables
    "Resource": "acs:ots:*:*:instance/abc*"                   
  • All tables whose names contain the prefix xyz in the instances whose names contain the prefix abc. The instance resources themselves are not included: an instance resource such as acs:ots:cn-hangzhou:123456:instance/abc does not match this definition, because the pattern requires a /table/ part.
    "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"                    
  • All instances whose names contain the suffix abc and their tables whose names contain the suffix xyz
    "Resource": [
    "acs:ots:*:*:instance/*abc",
    "acs:ots:*:*:instance/*abc/table/*xyz"
    ]                   

Tablestore API operations

Tablestore provides the following types of API operations:

  • Instance management operations
  • Table operations and data read/write operations
  • Operations for Tunnel Service

The following tables describe the API operations.

  • Instance management operations

    Instance management operations are instance-level operations and can be called only from the console. If you restrict the Action and Resource parameters for these operations, some console features may become unavailable. The acs:ots:[region]:[user_id]: prefix is omitted from the resources in the following table; only the instance part is shown.

    API operation/Action    Resource
    ListInstance            instance/*
    InsertInstance          instance/[instance_name]
    GetInstance             instance/[instance_name]
    DeleteInstance          instance/[instance_name]
  • Table operations and data read/write operations

    Table operations and data read/write operations are performed on tables and rows. You can call these operations by using the Tablestore console or Tablestore SDKs. If you restrict the Action and Resource parameters for these operations, some console features may become unavailable. The acs:ots:[region]:[user_id]: prefix is omitted from the resources in the following table; only the instance and table parts are shown.

    API operation/Action        Resource
    ListTable                   instance/[instance_name]/table/*
    CreateTable                 instance/[instance_name]/table/[table_name]
    UpdateTable                 instance/[instance_name]/table/[table_name]
    DescribeTable               instance/[instance_name]/table/[table_name]
    DeleteTable                 instance/[instance_name]/table/[table_name]
    GetRow                      instance/[instance_name]/table/[table_name]
    PutRow                      instance/[instance_name]/table/[table_name]
    UpdateRow                   instance/[instance_name]/table/[table_name]
    DeleteRow                   instance/[instance_name]/table/[table_name]
    GetRange                    instance/[instance_name]/table/[table_name]
    BatchGetRow                 instance/[instance_name]/table/[table_name]
    BatchWriteRow               instance/[instance_name]/table/[table_name]
    ComputeSplitPointsBySize    instance/[instance_name]/table/[table_name]
    StartLocalTransaction       instance/[instance_name]/table/[table_name]
    CommitTransaction           instance/[instance_name]/table/[table_name]
    AbortTransaction            instance/[instance_name]/table/[table_name]
    CreateIndex                 instance/[instance_name]/table/[table_name]
    DropIndex                   instance/[instance_name]/table/[table_name]
    CreateSearchIndex           instance/[instance_name]/table/[table_name]
    DeleteSearchIndex           instance/[instance_name]/table/[table_name]
    ListSearchIndex             instance/[instance_name]/table/[table_name]
    DescribeSearchIndex         instance/[instance_name]/table/[table_name]
    Search                      instance/[instance_name]/table/[table_name]
    CreateTunnel                instance/[instance_name]/table/[table_name]
    DeleteTunnel                instance/[instance_name]/table/[table_name]
    ListTunnel                  instance/[instance_name]/table/[table_name]
    DescribeTunnel              instance/[instance_name]/table/[table_name]
    ConsumeTunnel               instance/[instance_name]/table/[table_name]
    BulkImport                  instance/[instance_name]/table/[table_name]
    BulkExport                  instance/[instance_name]/table/[table_name]
    SQL_Select                  instance/[instance_name]/table/[table_name]
    SQL_Create                  instance/[instance_name]/table/[table_name]
    SQL_DropMapping             instance/[instance_name]/table/[table_name]
  • Operations for Tunnel Service

    Operations for Tunnel Service are tunnel-related operations and can be called from the console or by using Tablestore SDKs. If you restrict the Action and Resource parameters for these operations, some console features may become unavailable. Because Tunnel Service defines its Resource per instance rather than per table, these operations are authorized against the instance resource and carry no table suffix. The acs:ots:[region]:[user_id]: prefix is omitted from the resources in the following table; only the instance part is shown.

    API operation/Action    Resource
    CreateTunnel            instance/[instance_name]
    DeleteTunnel            instance/[instance_name]
    ListTunnel              instance/[instance_name]
    DescribeTunnel          instance/[instance_name]
    ConsumeTunnel           instance/[instance_name]
  • Instructions
    • The Action and Resource parameters of a policy are matched against the request as strings. The wildcard character (*) stands for any substring, so it works for prefix and suffix matching, but there is no implied hierarchy between an instance and its tables. If Resource is defined as acs:ots:*:*:instance/*/, the instance resource acs:ots:*:*:instance/abc does not match it because of the trailing slash. If Resource is defined as acs:ots:*:*:instance/abc, the table resource acs:ots:*:*:instance/abc/table/xyz does not match it; to cover the tables, add acs:ots:*:*:instance/abc/table/* as a separate resource.
    • To manage instance resources as a RAM user in the Tablestore console, you must grant the RAM user read permissions (ots:ListInstance) on acs:ots:[region]:[user_id]:instance/* so that the console can obtain the instance list.
    • For batch API operations, such as BatchGetRow and BatchWriteRow, the backend service authorizes each table that the request touches. The operation is performed only if every table is authorized; otherwise, the whole request is rejected with an error message.
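The following is an added example, not code from Tablestore or RAM: a small Python model of the string and wildcard matching this page describes for Action and Resource, including the two cases in the instructions above (a trailing slash and the lack of an instance-to-table hierarchy) and the all-or-nothing rule for batch operations. It assumes, as RAM does, that an explicit Deny overrides an Allow and that anything not allowed is denied. The policy, account ID 123456, instance abc, and the table names are constructed for the example.

```python
import re

# Added example, not Tablestore's own authorizer: a model of the string/
# wildcard matching this page describes for Action and Resource. "*" matches
# any run of characters (prefix, suffix or middle), matching is whole-string,
# there is no implied resource hierarchy, and an explicit Deny overrides Allow
# (assumed, as in RAM). Policies and requests below are constructed.


def wildcard_match(pattern: str, value: str) -> bool:
    """Whole-string match in which '*' stands for any (possibly empty) substring."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when one of its Action and one of its Resource patterns match."""
    return any(wildcard_match(a, action) for a in _as_list(stmt["Action"])) and any(
        wildcard_match(r, resource) for r in _as_list(stmt["Resource"])
    )


def is_authorized(policies: list, action: str, resources: list) -> bool:
    """Authorize one request. Batch operations carry one resource per table they
    touch; every one must be allowed and none denied, or the whole request fails."""
    statements = [s for p in policies for s in p["Statement"]]
    for resource in resources:
        matched = [s for s in statements if statement_matches(s, action, resource)]
        if any(s["Effect"] == "Deny" for s in matched):
            return False  # explicit Deny wins
        if not any(s["Effect"] == "Allow" for s in matched):
            return False  # default deny
    return True


# Constructed policy: read-only access to instance abc and its tables, plus an
# explicit Deny on one table. Account ID 123456 and the names are placeholders.
READ_ONLY_ABC = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ots:Get*", "ots:BatchGet*", "ots:Describe*", "ots:List*"],
            "Resource": [
                "acs:ots:cn-hangzhou:123456:instance/abc",
                "acs:ots:cn-hangzhou:123456:instance/abc/table/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "ots:*",
            "Resource": "acs:ots:cn-hangzhou:123456:instance/abc/table/secret",
        },
    ],
}

ABC_INSTANCE = "acs:ots:cn-hangzhou:123456:instance/abc"
ABC_TABLE = "acs:ots:cn-hangzhou:123456:instance/abc/table/orders"
ABC_SECRET = "acs:ots:cn-hangzhou:123456:instance/abc/table/secret"

if __name__ == "__main__":
    # Action wildcards: Get* covers GetRow and GetRange, not PutRow.
    print(is_authorized([READ_ONLY_ABC], "ots:GetRow", [ABC_TABLE]))   # True
    print(is_authorized([READ_ONLY_ABC], "ots:PutRow", [ABC_TABLE]))   # False
    # No hierarchy: instance/abc alone does not cover instance/abc/table/...
    print(wildcard_match("acs:ots:*:*:instance/abc", ABC_TABLE))       # False
    # A trailing slash in the pattern excludes the bare instance resource.
    print(wildcard_match("acs:ots:*:*:instance/*/", ABC_INSTANCE))     # False
    # A batch read that touches an allowed and a denied table fails as a whole.
    print(is_authorized([READ_ONLY_ABC], "ots:BatchGetRow", [ABC_TABLE, ABC_SECRET]))  # False
```

The matcher treats each * as a regular-expression .* and anchors both ends, which is why instance/abc never matches instance/abc/table/xyz and why instance/abc* also matches every table under abc-prefixed instances.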

Condition

Policies support various authorization conditions, including IP address-based access control, HTTPS-based access control, Multi-Factor Authentication (MFA)-based access control, and time-based access control. All Tablestore API operations support these conditions.

  • IP address-based access control

    Resource Access Management (RAM) allows you to specify IP addresses or CIDR blocks that are allowed/restricted to access Tablestore resources. IP address-based access control is suitable for the following scenarios:

    • Allow access from multiple IP addresses. The following sample code allows access from only IP addresses 10.101.168.111 and 10.101.169.111:
      {
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "ots:*",
              "Resource": "acs:ots:*:*:*",
              "Condition": {
                  "IpAddress": {
                      "acs:SourceIp": [
                          "10.101.168.111",
                          "10.101.169.111"
                      ]
                  }
              }
          }
      ],
      "Version": "1"
      }                           
    • Allow access from an IP address or a CIDR block. The following sample code allows access only from the IP address 10.101.168.111 or from the CIDR block 10.101.169.111/24 (that is, the addresses 10.101.169.0 through 10.101.169.255):
      {
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "ots:*",
              "Resource": "acs:ots:*:*:*",
              "Condition": {
                  "IpAddress": {
                      "acs:SourceIp": [
                          "10.101.168.111",
                          "10.101.169.111/24"
                      ]
                  }
              }
          }
      ],
      "Version": "1"
      }                            
  • HTTPS-based access control

    RAM allows you to specify whether requests that are sent over HTTPS can access Tablestore resources.

    The following sample code only allows HTTPS requests:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "Bool": {
                        "acs:SecureTransport": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }                    
  • MFA-based access control

    RAM allows you to specify whether requests that pass MFA can access Tablestore resources.

    The following sample code only allows requests that have passed MFA:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }                    
  • Time-based access control

    RAM allows you to specify the access time of requests. Access requests earlier than the specified time are allowed or denied. The following example shows a typical application scenario.

    Example: RAM users can access resources only before 00:00:00 January 1, 2016 (UTC+8).

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ots:*",
                "Resource": "acs:ots:*:*:*",
                "Condition": {
                    "DateLessThan": {
                        "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                    }
                }
            }
        ],
        "Version": "1"
    }                    

Scenarios

This section describes the specific policies and authorization methods that are supported for the Action, Resource, and Condition parameters.

  • Multiple authorization conditions

    In this scenario, RAM users that use the 10.101.168.111/24 CIDR block can manage the instances named online-01 and online-02 and all tables in these instances, including reading data from and writing data to the tables. Access is allowed only over HTTPS and only before 00:00:00 January 1, 2016 (UTC+8). All three conditions must be met for the statement to apply.

    To configure multiple authorization conditions, perform the following steps:

    1. Log on to the RAM console. By default, RAM is activated.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Configure the Policy Name parameter and select Script. Enter the following content in the Policy Document field:
      {
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "ots:*",
              "Resource": [
                  "acs:ots:*:*:instance/online-01",
                  "acs:ots:*:*:instance/online-01/table/*",
                  "acs:ots:*:*:instance/online-02",
                  "acs:ots:*:*:instance/online-02/table/*"
              ],
              "Condition": {
                  "IpAddress": {
                      "acs:SourceIp": [
                          "10.101.168.111/24"
                      ]
                  },
                  "DateLessThan": {
                      "acs:CurrentTime": "2016-01-01T00:00:00+08:00"
                  },
                  "Bool": {
                      "acs:SecureTransport": "true"
                  }
              }
          }
      ],
      "Version": "1"
      }                            
    5. Click OK.
    6. In the left-side navigation pane, choose Identities > Users. On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.
    7. In the Add Permissions panel, search for the new policy, and add the policy to the Selected column. Click OK. The selected policy is attached to the RAM user.
  • Reject requests

    In this scenario, RAM users that use the IP address 10.101.169.111 cannot write data to tables that belong to instances whose names contain the online or product prefix, and are located in the China (Beijing) region. This policy does not take effect for operations on instances.

    To reject requests, follow the preceding steps to create a custom permission policy and attach the policy to the RAM user. You need to copy the following content to the Policy Document field when you create the policy:

    {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ots:Create*",
                    "ots:Insert*",
                    "ots:Put*",
                    "ots:Update*",
                    "ots:Delete*",
                    "ots:BatchWrite*"
                ],
                "Resource": [
                    "acs:ots:cn-beijing:*:instance/online*/table/*",
                    "acs:ots:cn-beijing:*:instance/product*/table/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "10.101.169.111"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
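The following is an added example, not RAM's evaluator: a Python model of the Condition operators used on this page (IpAddress with acs:SourceIp, Bool with acs:SecureTransport and acs:MFAPresent, and DateLessThan with acs:CurrentTime), run against the Condition block from the multiple-condition scenario above. It assumes, as RAM does, that the operators in one Condition block are ANDed, that the values listed under one key are ORed, and that a request lacking a referenced context key fails that operator. The request contexts are constructed for the example.

```python
import ipaddress
from datetime import datetime

# Added example, not RAM's evaluator. Assumed semantics, as in RAM: operators in
# a Condition block are ANDed, values under one key are ORed, and a missing
# context key fails the operator. Request contexts below are constructed.


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ip_in(source_ip: str, entries) -> bool:
    ip = ipaddress.ip_address(source_ip)
    # strict=False accepts an entry such as 10.101.169.111/24 (host bits set)
    # and treats it as the containing network, 10.101.169.0/24.
    return any(ip in ipaddress.ip_network(e, strict=False) for e in _as_list(entries))


def condition_satisfied(condition: dict, ctx: dict) -> bool:
    """True when every operator/key pair in the Condition block holds for ctx."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "IpAddress":
                ok = _ip_in(actual, expected)
            elif operator == "Bool":
                ok = any(str(actual).lower() == str(e).lower() for e in _as_list(expected))
            elif operator == "DateLessThan":
                # Offsets such as +08:00 are honoured; ctx times must be tz-aware.
                ok = any(actual < datetime.fromisoformat(e) for e in _as_list(expected))
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def request_context(source_ip: str, https: bool, when_iso: str, mfa: bool = False) -> dict:
    """Build the context RAM would evaluate a request against (constructed)."""
    return {
        "acs:SourceIp": source_ip,
        "acs:SecureTransport": https,
        "acs:MFAPresent": mfa,
        "acs:CurrentTime": datetime.fromisoformat(when_iso),
    }


# Condition block of the multiple-condition scenario on this page.
SCENARIO_CONDITION = {
    "IpAddress": {"acs:SourceIp": ["10.101.168.111/24"]},
    "DateLessThan": {"acs:CurrentTime": "2016-01-01T00:00:00+08:00"},
    "Bool": {"acs:SecureTransport": "true"},
}

MFA_CONDITION = {"Bool": {"acs:MFAPresent": "true"}}

if __name__ == "__main__":
    ok = request_context("10.101.168.5", True, "2015-06-01T12:00:00+00:00")
    print(condition_satisfied(SCENARIO_CONDITION, ok))                                  # True
    print(condition_satisfied(SCENARIO_CONDITION, request_context("10.101.168.5", False, "2015-06-01T12:00:00+00:00")))   # False: HTTP
    print(condition_satisfied(SCENARIO_CONDITION, request_context("10.101.169.5", True, "2015-06-01T12:00:00+00:00")))    # False: other /24
    # 2015-12-31T16:00:00Z is exactly 2016-01-01T00:00:00+08:00, so not "less than".
    print(condition_satisfied(SCENARIO_CONDITION, request_context("10.101.168.5", True, "2015-12-31T16:00:00+00:00")))    # False
    print(condition_satisfied(MFA_CONDITION, request_context("203.0.113.7", True, "2015-06-01T12:00:00+00:00", mfa=True)))  # True
```

Note that the cutoff is compared in the policy's own offset (+08:00), so a request at 2015-12-31T16:00:00Z already falls outside the window; when you write time-bound policies, state the offset explicitly as the page's examples do.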