Ketika penyedia layanan membuat layanan O&M yang dihosting, mereka harus menentukan kebijakan yang diperlukan untuk melakukan operasi O&M. Setelah pelanggan membuat instance layanan O&M yang dihosting, Compute Nest membuat kebijakan yang ditentukan serta peran tautan-layanan Compute Nest. Compute Nest melampirkan kebijakan tersebut kepada penyedia layanan untuk mengizinkan mereka melakukan operasi O&M tertentu pada sumber daya dalam instance layanan.
Batasan pada sumber daya
Untuk layanan privat dengan fitur O&M yang dihosting diaktifkan, penyedia layanan hanya memiliki izin pada sumber daya dalam instance layanan privat yang dibuat oleh pelanggan.
Untuk layanan O&M murni yang dihosting, penyedia layanan hanya memiliki izin pada instance Elastic Compute Service (ECS) tertentu atau sumber daya dalam instance layanan tertentu. Penyedia layanan dapat melihat sumber daya tempat mereka diberikan izin O&M pada halaman detail instance layanan.
Batasan pada izin
Izin O&M yang dihosting yang dapat diberikan kepada penyedia layanan berada dalam ruang lingkup kebijakan sistem AliyunComputeNestPolicyForSupplierRole. Izin yang sebenarnya diberikan kepada penyedia layanan adalah irisan dari kebijakan AliyunComputeNestPolicyForSupplierRole dan kebijakan yang mereka tentukan saat mengonfigurasi layanan.
Konten kebijakan AliyunComputeNestPolicyForSupplierRole
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}Kebijakan O&M yang dihosting
Tabel berikut menjelaskan kebijakan yang dapat dipilih oleh penyedia layanan saat mengonfigurasi layanan.
Izin | Kebijakan | Deskripsi |
Semua Izin | AliyunComputeNestPolicyForFullAccess | Izin penuh pada instance ECS tertentu atau sumber daya Alibaba Cloud dalam instance layanan tertentu. |
Izin Baca-saja | AliyunComputeNestPolicyForReadOnly | Izin baca-saja pada instance ECS tertentu atau sumber daya Alibaba Cloud dalam instance layanan tertentu dan pada log audit dari sumber daya tersebut yang direkam oleh ActionTrail. |
Izin Masuk Terminal | AliyunComputeNestPolicyForTerminalLogin | Izin untuk masuk jarak jauh ke instance ECS tertentu atau instance ECS dalam instance layanan tertentu. |
Izin Audit Operasi | AliyunComputeNestPolicyForTrails | Izin untuk melihat log audit yang direkam oleh ActionTrail untuk instance ECS tertentu atau sumber daya Alibaba Cloud dalam instance layanan tertentu. |
Izin Pemantauan | AliyunComputeNestPolicyForAlarm | Izin untuk mengelola aturan peringatan yang dipicu oleh ambang batas dan peristiwa untuk instance ECS tertentu atau sumber daya Alibaba Cloud dalam instance layanan tertentu. |
Izin Peningkatan | AliyunComputeNestPolicyForUpgrade | Izin untuk meningkatkan dan memutar balik aplikasi dan konfigurasi layanan dari instance layanan tertentu. |
Izin O&M | AliyunComputeNestPolicyForOperation | Izin untuk melakukan operasi O&M pada instance layanan tertentu. |
Kebijakan di atas merupakan kebijakan Resource Access Management (RAM). Untuk informasi lebih lanjut, lihat Elemen Dasar Kebijakan.
AliyunComputeNestPolicyForFullAccess
Semua Izin
Konten Kebijakan
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}Efek Aktual
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForReadOnly
Izin Baca-saja
Konten Kebijakan
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Efek Aktual
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForTerminalLogin
Izin Masuk Terminal
Konten Kebijakan
{
"Action": [
"ecs:*TerminalSession*",
"tag:List*",
"tag:DescribeRegions",
"ecs:Describe*Instance*",
"cs:Describe*Cluster*",
"cs:GetClusters",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Efek Aktual
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"tag:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForTrails
Izin Audit Operasi
Konten Kebijakan
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Efek Aktual
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForAlarm
Izin Pemantauan
Konten Kebijakan
{
"Action": [
"cms:Describe*",
"cms:CheckRamRoleForCloudMonitor",
"cms:QueryMetricList",
"cms:*MetricRule*",
"cms:*EventRule*",
"cms:*HostAvailability",
"tag:List*",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Efek Aktual
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DescribeMonitorGroupInstances",
"cms:DescribeMonitorGroupCategories",
"cms:DescribeMonitorGroupDynamicRules",
"cms:DescribeMetricRuleTemplateList",
"cms:DescribeAlertingMetricRuleResources",
"cms:DescribeContactGroupList",
"cms:DescribeMonitorGroupInstanceAttribute",
"cms:DescribeMetricListFromProxy",
"cms:DescribeMetricLastFromProxy",
"cms:DescribeMonitoringAgentHosts",
"cms:DescribeMetricTopFromProxy",
"cms:DescribeRegions",
"cms:DescribeDashboardGroupList",
"cms:DescribeHostAvailabilityList",
"cms:DescribeUnhealthyHostAvailability",
"cms:DescribeGroupMonitoringAgentProcess",
"cms:DescribeSystemEventMetaList",
"cms:CheckRamRoleForCloudMonitor",
"cms:DescribeSystemEventHistogram",
"cms:DescribeSystemEventAttribute",
"cms:DescribeEventRuleList",
"cms:DescribeEventRuleTargetList",
"cms:DescribeCustomEventAttribute",
"cms:DescribeCustomEventHistogram",
"cms:DescribeContactListByContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeCustomMetricList",
"cms:DescribeAlertLogCount",
"cms:DescribeMetricMetaList",
"cms:DescribeConsoleViews",
"cms:DescribeProjectMeta",
"cms:DescribeAlertLogHistogram",
"cms:CreateHostAvailability",
"cms:ModifyHostAvailability",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForUpgrade
Izin Peningkatan
Konten Kebijakan
{
"Effect": "Allow",
"Action": [
"ros:*Stack",
"ros:ListStack*",
"tag:List*Resource*",
"tag:DescribeRegions",
"vpc:Describe*",
"slb:Describe*",
"slb:ListTagResources",
"slb:*AccessControlListEntry",
"slb:ModifyLoadBalancer*",
"ecs:*Instance*",
"ecs:Describe*",
"ecs:RunCommand",
"ecs:*SecurityGroup*",
"ecs:*Disk*",
"ess:ListTagResources",
"ess:DescribeScaling*",
"ess:*ScalingRule",
"ess:*Instances",
"cs:GetUserPermissions",
"cs:Describe*Cluster*",
"cs:GetClusters",
"cs:CreateEdasClusterRole*"
],
"Resource": [
"*"
]
}Efek Aktual
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeEipAddresses",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"slb:ListTagResources",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceSpec",
"ecs:ModifyInstanceAttribute",
"ecs:ReplaceSystemDisk",
"ecs:RunInstances",
"ecs:ModifySecurityGroupAttribute",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks",
"ecs:ResizeDisk",
"ecs:ModifyDiskSpec",
"ecs:DescribeImages",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:CreateSnapshot",
"ecs:CreateAutoSnapshotPolicy",
"ecs:ApplyAutoSnapshotPolicy",
"ecs:StopInstances",
"ecs:ResetDisk",
"ecs:DescribeSnapshots",
"ess:ListTagResources",
"ess:DescribeScalingGroups",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:DescribeScalingActivityDetail",
"ess:DescribeScalingActivities",
"ess:ExecuteScalingRule",
"ess:RemoveInstances",
"ess:DetachInstances",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"cs:GetUserPermissions",
"cs:CreateEdasClusterRole",
"cs:CreateEdasClusterRoleBinding"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForOperation
Izin O&M
Konten Kebijakan
{
"Action": [
"ros:*Stack",
"ros:ListStack*",
"cs:Get*",
"cs:Describe*Cluster*",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:*Instance*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Efek Aktual
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"cs:GetClusters",
"cs:GetUserPermissions",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:StopInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}