
Microservices Engine: Microservices Governance Center authorization

Updated: Nov 07, 2025

MSE lets an Alibaba Cloud account grant RAM users permissions to operate the Microservices Governance Center, through the console or through OpenAPI, so that the Alibaba Cloud account's own AccessKey never has to be handed out. Once authorized, a RAM user can work in the MSE Microservices Governance Center with its own credentials. This topic describes how to create a RAM user in the console and grant it permissions.

Scenario

An enterprise has activated Microservices Engine (MSE). Employees have different responsibilities and therefore need different permissions on resources: operations staff manage applications and permissions, and developers configure the rules of applications. The enterprise has the following requirements:

  • For security or trust reasons, the Alibaba Cloud account's AccessKey must not be disclosed to employees; instead, each employee's own account is granted the permissions it needs.

  • A user account can operate resources only after it has been authorized, and needs no separate metering or billing; all charges are billed to the enterprise account.

  • The permissions of a user account can be revoked at any time, and a user account that has been created can be deleted at any time.

  • An application owner has operation permissions only on their own application and can neither access nor operate other applications.

  • Testers have operation permissions on all applications in the test namespace and must not be able to access or operate the production namespace.

Step 1: Create a RAM user

For details, see Create a RAM user.

Step 2: Grant permissions to the RAM user

Before a RAM user can be used, it must be granted the required permissions.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions below the user list to grant permissions to them in bulk.

  4. In the Grant Permission panel, select the policies to attach, and then click Grant permissions.

    Select a policy type, enter a keyword for the policy in the text box, and click the matching policy to add it to the Selected Policy list on the right.

    Policy types include system policies and custom policies:

    • System policies (coarse-grained authorization)

      Policy name: AliyunMSEFullAccess
      Description: Management permissions on Microservices Engine (MSE), equivalent to the Alibaba Cloud account's own permissions on MSE. A RAM user with this policy can operate every feature in the MSE console, including creating and deleting resources.

      Policy name: AliyunMSEReadOnlyAccess
      Description: Read-only permissions on Microservices Engine (MSE). A RAM user with this policy can view resources in the MSE console but cannot create, modify or delete them.

      Note: The recommended coarse-grained split is AliyunMSEFullAccess for operations staff, who create and delete resources, and AliyunMSEReadOnlyAccess for developers, who view resources but cannot create or delete them. A developer who must edit the rules of one application needs write access to that application only; grant it with an application-scoped custom policy (see the examples below) rather than with AliyunMSEFullAccess.

    • Custom policies (fine-grained authorization)

      If you need finer-grained authorization, create a custom policy based on the common permission policy examples below and use it for access control. For the steps, see Create a custom policy.

  5. In the Grant Permission panel, confirm the result and click Close.
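The same grant can be scripted against the RAM OpenAPI, which is how the "revoke at any time" requirement above is usually met in practice. The following is an added example, not Alibaba Cloud's code: it drives RAM through the `aliyun` command-line tool (`aliyun ram <Action> --Param value`), which is assumed to be installed and configured with an administrator profile. The user names "dev01" and "owner01", the custom policy name "mse-order-svc-owner", and the namespace and application names "test" and "order-svc" are made-up values. With dry_run=True nothing is executed; the commands are returned so they can be reviewed first.

```python
"""Grant and revoke MSE permissions for a RAM user through the aliyun CLI."""
import json
import subprocess

# System policies named on this page; any other policy name is treated as a
# custom policy that has to be created before it can be attached.
SYSTEM_POLICIES = {"AliyunMSEFullAccess", "AliyunMSEReadOnlyAccess"}


def ram(action, dry_run=False, **params):
    """Build `aliyun ram <Action> --Key value ...`; run it unless dry_run."""
    cmd = ["aliyun", "ram", action]
    for key, value in params.items():
        cmd += [f"--{key}", str(value)]
    if not dry_run:
        subprocess.run(cmd, check=True)  # stop on the first failed call
    return cmd


def policy_type(name):
    return "System" if name in SYSTEM_POLICIES else "Custom"


def grant(user, policies, custom_documents=None, dry_run=False):
    """Create the RAM user, create any custom policies, attach all policies.

    No AccessKey is created here: the user gets console logon only, and a key
    is issued separately if (and only if) the user needs API access.
    """
    custom_documents = custom_documents or {}
    steps = [ram("CreateUser", dry_run, UserName=user, DisplayName=user)]
    for name in policies:
        if policy_type(name) == "Custom":
            document = json.dumps(custom_documents[name], separators=(",", ":"))
            steps.append(ram("CreatePolicy", dry_run, PolicyName=name,
                             PolicyDocument=document))
        steps.append(ram("AttachPolicyToUser", dry_run,
                         PolicyType=policy_type(name), PolicyName=name,
                         UserName=user))
    return steps


def revoke(user, policies, dry_run=False):
    """Detach every policy first, then delete the user; RAM rejects DeleteUser
    while policies are still attached."""
    steps = [ram("DetachPolicyFromUser", dry_run, PolicyType=policy_type(n),
                 PolicyName=n, UserName=user) for n in policies]
    steps.append(ram("DeleteUser", dry_run, UserName=user))
    return steps


if __name__ == "__main__":
    # Application-owner policy for a made-up namespace and application.
    owner_policy = {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "mse:*",
        "Resource": "acs:mse:*:*:namespace/test/application/order-svc"}]}
    for cmd in grant("owner01", ["AliyunMSEReadOnlyAccess", "mse-order-svc-owner"],
                     {"mse-order-svc-owner": owner_policy}, dry_run=True):
        print(" ".join(cmd))
```

Run it with dry_run=False only from a profile that holds RAM administration rights; the script deliberately never calls CreateAccessKey, because a console-only RAM user cannot leak a long-lived key.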

Common permission policy examples

Read-only permissions on all applications

To let users in the enterprise view key information about applications, consider granting read-only permissions on all applications.

For example, use the Alibaba Cloud account to grant a RAM user read-only permissions on all microservices governance applications under the current Alibaba Cloud account.

The corresponding policy is as follows. ${ns} is a placeholder in this example; replace it with the real namespace name before saving the policy. The second statement scopes mse:GetApplicationList to that one namespace, so the user can list applications only there; repeat the statement for each namespace whose application list the user should be able to see.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}

Full operation permissions on one application

As the owner of an application in the enterprise, you get every operation permission on that application, and your permissions are strictly limited to the application you manage.

For example, use the Alibaba Cloud account to grant a RAM user the following permissions:

  • Read-only permissions on all microservices governance applications under the current Alibaba Cloud account.

  • Full operation permissions on the specified microservices governance application.

The corresponding policy is as follows. The lines starting with // are annotations and must be removed before the policy is saved, because the RAM policy editor accepts only JSON; replace ${ns} and ${appName} with the real namespace and application names.

{
  "Version": "1",
  "Statement": [
    // Full permissions on the specified microservices governance application
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    // Read-only permissions on all microservices governance applications
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}

Full operation permissions on one namespace

As a tester in the enterprise, you get operation permissions on all applications in the test environment (the test namespace), and your permissions are strictly limited to that environment.

For example, use the Alibaba Cloud account to grant a RAM user the following permissions:

  • Read-only permissions on all microservices governance applications under the current Alibaba Cloud account.

  • Read and write permissions on the specified microservices governance namespace.

The corresponding policy is as follows. As above, remove the // annotation lines before saving and replace ${ns} with the real namespace name.

{
  "Version": "1",
  "Statement": [
    // Full permissions on all applications in the specified namespace
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/*"
    },
    // Read-only permissions on all microservices governance applications
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAllSwimmingLane",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:QuerySwimmingLaneById",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:ListSwimmingLaneGateway",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListAuthPolicy",
        "mse:GetServiceList",
        "mse:GetServiceListPage"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    // Namespace-level actions in the specified namespace: listing its applications and managing lane groups and lanes
    {
      "Effect": "Allow",
      "Action": [
        "mse:GetApplicationList",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteSwimmingLane"
      ],
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
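The three custom policies above share one pattern: account-wide read-only actions, plus mse:* on a resource path narrowed to an application or a namespace. Before such a policy is saved it is worth checking that every ${ns}/${appName} placeholder was filled in, that no statement quietly grants mse:* on acs:mse:*:*:* (which would equal AliyunMSEFullAccess), and that the scoping really separates the application owner from other applications and the tester from production. The following is an added example, not Alibaba Cloud's code: it renders the application-owner template, lints it, and evaluates sample requests with a simplified model of RAM's decision (an explicit Deny wins, otherwise any matching Allow grants, otherwise access is denied), using shell-style wildcards for Action and Resource matching. The namespace "test", application "order-svc", region "cn-hangzhou" and account ID "1234567890" are made-up values.

```python
"""Render, lint and dry-run the MSE RAM policy templates from this page."""
import fnmatch
import json
import re

# Read-only actions as listed on the page (GetApplicationListWithMetircs is
# the real action name, spelling included).
READ_ONLY_ACTIONS = [
    "mse:QueryNamespace", "mse:GetApplicationListWithMetircs",
    "mse:ListNamespaces", "mse:GetEventFilterOptions", "mse:ListEventRecords",
    "mse:GetEventDetail", "mse:FetchLogConfig", "mse:QueryBusinessLocations",
    "mse:GetApplicationInstanceList", "mse:listGrayTag",
    "mse:QueryServiceDetailWithMetrics", "mse:ListEventsPage",
    "mse:ListEventsByType", "mse:GetApplicationTagList",
]

# The page's "full permissions on one application" example, placeholders intact.
APP_OWNER_TEMPLATE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "mse:*",
         "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"},
        {"Effect": "Allow", "Action": READ_ONLY_ACTIONS,
         "Resource": "acs:mse:*:*:*"},
        {"Effect": "Allow", "Action": "mse:GetApplicationList",
         "Resource": "acs:mse:*:*:namespace/${ns}"},
    ],
}

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumption: names are plain tokens


def load_annotated(text):
    """Parse a policy that still carries the page's '//' annotation lines."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("//")]
    return json.loads("\n".join(lines))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render(template, **values):
    """Fill ${name} placeholders; refuse unsafe values or missing names."""
    for name, value in values.items():
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe value for {name}: {value!r}")
    text = json.dumps(template)
    missing = set(PLACEHOLDER.findall(text)) - set(values)
    if missing:
        raise ValueError(f"unsubstituted placeholders: {sorted(missing)}")
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], text))


def lint(policy):
    """Findings a reviewer would want fixed before the policy is saved."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        dupes = sorted({a for a in actions if actions.count(a) > 1})
        if dupes:
            findings.append(f"statement {i}: duplicate actions {dupes}")
        for item in actions + resources:
            if PLACEHOLDER.search(item):
                findings.append(f"statement {i}: placeholder left in {item!r}")
        # mse:* on "*" or "acs:mse:*:*:*" is the whole service, i.e. FullAccess.
        if st["Effect"] == "Allow" and "mse:*" in actions and any(
                r.split(":")[-1] == "*" for r in resources):
            findings.append(f"statement {i}: mse:* on every resource is "
                            "equivalent to AliyunMSEFullAccess")
    return findings


def is_allowed(policy, action, resource):
    """Simplified RAM decision for one (action, resource) pair."""
    allowed = False
    for st in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    policy = render(APP_OWNER_TEMPLATE, ns="test", appName="order-svc")
    own = "acs:mse:cn-hangzhou:1234567890:namespace/test/application/order-svc"
    other = "acs:mse:cn-hangzhou:1234567890:namespace/test/application/payment"
    print("lint:", lint(policy) or "clean")
    print("CreateFlowRule on own app:", is_allowed(policy, "mse:CreateFlowRule", own))
    print("CreateFlowRule on other app:", is_allowed(policy, "mse:CreateFlowRule", other))
    print("GetApplicationInstanceList on other app:",
          is_allowed(policy, "mse:GetApplicationInstanceList", other))
```

The evaluator only models the Allow/Deny and wildcard behaviour needed to reason about these three templates; it knows nothing about RAM conditions, and the authoritative answer for a saved policy is the RAM console itself. The lint check is the one to keep in a review pipeline: an unrendered ${ns} or a stray mse:* on acs:mse:*:*:* silently turns a scoped policy into a full-access one.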

Permissions for quick onboarding with a RAM user

To complete the quick onboarding flow as a RAM user, the user needs at least all of the MSE permissions in the following example. Because InstallOnePilot, CreateNamespace and ModifyGovernanceKubernetesCluster are write actions, attach this policy only to the user who performs the onboarding, and detach it once onboarding is done.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:CheckServiceLinkRole",
        "mse:GetUserStatus",
        "mse:QueryNamespace",
        "mse:ListCsKubernetesClusters",
        "mse:CheckEciRole",
        "mse:CheckCsRole",
        "mse:GetClusterOnePilotInfo",
        "mse:GetGovernanceKubernetesCluster",
        "mse:InstallOnePilot",
        "mse:CreateNamespace",
        "mse:ModifyGovernanceKubernetesCluster",
        "mse:QueryGovernanceKubernetesCluster",
        "mse:ListNamespaces"
      ],
      "Resource": "*"
    }
  ]
}

Read and write permissions on all governance resources (for permission testing only; not recommended for production)

The following policy lists read and write permissions on every resource that service governance may use, so that an enterprise can review and reconcile the permissions of its RAM users. Do not copy it into production as is. The Action list and the Resource below can be replaced with mse:* and acs:mse:*:*:* respectively; that wildcard form is equivalent to AliyunMSEFullAccess, whereas the explicit list is a snapshot, so an action added to MSE later is denied by default until the list is updated.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:AddAuthPolicy",
        "mse:AddServiceTimeConfig",
        "mse:AddWhiteScreenRule",
        "mse:ApplyGlobalReadWriteSplitRule",
        "mse:ApplyReadWriteSplitRule",
        "mse:ApplyTagPolicies",
        "mse:BatchUpdateRulesEnable",
        "mse:BindSentinelBlockFallbackDefinition",
        "mse:CheckCanaryPolicy",
        "mse:CheckCsRole",
        "mse:CheckEciRole",
        "mse:CheckRole",
        "mse:CheckServiceLinkedRoleForDeleting",
        "mse:CheckUserReadinessConfig",
        "mse:CheckXTraceServiceStatus",
        "mse:CloneSentinelRuleFromAhas",
        "mse:CreateApplication",
        "mse:CreateCircuitBreakerRule",
        "mse:CreateFlowRule",
        "mse:CreateGovernanceKubernetesCluster",
        "mse:CreateHotParamRule",
        "mse:CreateIsolationRule",
        "mse:CreateLicenseKey",
        "mse:CreateMseServiceApplication",
        "mse:CreateNamespace",
        "mse:CreateOrUpdateEmptyPushSetting",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateSentinelBlockFallbackDefinition",
        "mse:CreateWebFlowRule",
        "mse:DeleteCircuitBreakerRules",
        "mse:DeleteFaultInjectionRule",
        "mse:DeleteFlowRules",
        "mse:DeleteGovernanceKubernetesCluster",
        "mse:DeleteHotParamRules",
        "mse:DeleteIsolationRules",
        "mse:DeleteNamespace",
        "mse:DeleteSentinelBlockFallbackDefinition",
        "mse:DeleteSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteWebFlowRules",
        "mse:DeleteWhiteScreenRule",
        "mse:DescribeAppAgentStatus",
        "mse:FetchAppLogConfig",
        "mse:FetchDataSourceConfig",
        "mse:FetchGlobalReadWriteSplitRules",
        "mse:FetchLogConfig",
        "mse:FetchLosslessRuleList",
        "mse:FetchReadWriteSplitRules",
        "mse:FetchRoutePolicyList",
        "mse:FetchWhiteScreenRule",
        "mse:GenerateAgentLogSts",
        "mse:GetAppMessageQueueRoute",
        "mse:GetApplicationDetail",
        "mse:GetApplicationInstanceList",
        "mse:GetApplicationInstancesWithMetircs",
        "mse:GetApplicationList",
        "mse:GetApplicationListWithMetircs",
        "mse:GetApplicationTagList",
        "mse:GetAuthPolicyInfo",
        "mse:GetCanaryStatus",
        "mse:GetClusterOnePilotInfo",
        "mse:GetDubboServicePageWithMetrics",
        "mse:GetDubboTestMethod",
        "mse:GetGovernanceKubernetesCluster",
        "mse:GetGovernanceKubernetesClusterList",
        "mse:GetLicenseKey",
        "mse:GetLocalityDistributionMetrics",
        "mse:GetLocalityRule",
        "mse:GetLosslessRuleByApp",
        "mse:GetMockRuleByConsumerAppId",
        "mse:GetMockRuleById",
        "mse:GetMockRuleByProviderAppId",
        "mse:GetNetworkInfo",
        "mse:GetOpenSergoInfoByClusterId",
        "mse:GetOutlierPolicyInfo",
        "mse:GetOverview",
        "mse:GetResourcePackageStatus",
        "mse:GetResourcePackageStatusWithVersion",
        "mse:GetRetryRule",
        "mse:GetRoutePolicy",
        "mse:GetServiceConsumersPage",
        "mse:GetServiceDetail",
        "mse:GetServiceList",
        "mse:GetServiceListPage",
        "mse:GetServiceMethodPage",
        "mse:GetServiceMethodPageWithMetrics",
        "mse:GetServiceProvidersPage",
        "mse:GetSpringCloudTestMethod",
        "mse:GetTagKey",
        "mse:GetTagVal",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:GetTrace",
        "mse:GetUserStatus",
        "mse:InstallOnePilot",
        "mse:InvokeDubboTestMethod",
        "mse:InvokeIstioTestMethod",
        "mse:InvokeSpringCloudTestMethod",
        "mse:ListAdaptiveOverloadProtectionConfig",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppResource",
        "mse:ListAppResourceWithMetrics",
        "mse:ListApplicationTagInstancese",
        "mse:ListApplicationsWithTagRules",
        "mse:ListAuthPolicy",
        "mse:ListCircuitBreakerRules",
        "mse:ListConnectedSwimmingLaneGroup",
        "mse:ListCsKubernetesClusters",
        "mse:ListDefaultCircuitBreakerRules",
        "mse:ListEventOfReource",
        "mse:ListEventRecords",
        "mse:ListEventsByType",
        "mse:ListEventsPage",
        "mse:ListEventsPageByType",
        "mse:ListFlowRules",
        "mse:ListHotParamRules",
        "mse:ListIpOrHosts",
        "mse:ListIsolationRules",
        "mse:ListKubernetesNamespace",
        "mse:ListLogSpanServices",
        "mse:ListMscEventRecords",
        "mse:ListNamespaces",
        "mse:ListProtectedAppResourceWithMetrics",
        "mse:ListResourceWhiteListConfigs",
        "mse:ListResources",
        "mse:ListSentinelBlockFallbackDefinitions",
        "mse:ListSpanNames",
        "mse:ListSwimPathPercent",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListWebFlowRules",
        "mse:ModifyAdaptiveOverloadProtectionConfig",
        "mse:ModifyGovernanceKubernetesCluster",
        "mse:ModifyLosslessRule",
        "mse:ModifyNamespace",
        "mse:OpenXTraceService",
        "mse:QueryAhasUserStatus",
        "mse:QueryAllSwimmingLane",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAppDataSourceList",
        "mse:QueryAppListMetrics",
        "mse:QueryAppMethodMetrics",
        "mse:QueryAppMethodMetricsWithSentinel",
        "mse:QueryAppRPCMacMetrics",
        "mse:QueryAppResourceMetrics",
        "mse:QueryAppResourceMetricsByInstance",
        "mse:QueryAppSummaryMetricsOverview",
        "mse:QueryAppSummaryMetricsOverviewWithSentinel",
        "mse:QueryAppSystemMetricsOfGroup",
        "mse:QueryAppSystemMetricsOfGroupByInstance",
        "mse:QueryAppTopNMacs",
        "mse:QueryDatabaseRoute",
        "mse:QueryEmptyPushSetting",
        "mse:QueryEventOverview",
        "mse:QueryGovernanceKubernetesCluster",
        "mse:QueryMetricsAveragedByInstance",
        "mse:QueryNamespace",
        "mse:QueryNginxIngressGateway",
        "mse:QueryResourceTopN",
        "mse:QueryServiceDetailWithMetrics",
        "mse:QuerySwimmingLaneById",
        "mse:RemoveApplication",
        "mse:RemoveApplications",
        "mse:RemoveAuthPolicy",
        "mse:RemoveOutlierPolicy",
        "mse:RemoveRoutePolicy",
        "mse:ReportAgentInfoForm",
        "mse:ReportAgentStartupStatus",
        "mse:ReportAppProfile",
        "mse:ReportEventBatchForm",
        "mse:ReportMetadataForm",
        "mse:ReportOneAgentInfo",
        "mse:ReportOnePilotInfo",
        "mse:ReportSpanStatInfoForm",
        "mse:RevertApplicationRoutePolicy",
        "mse:SearchTraces",
        "mse:TagResources",
        "mse:UnbindSentinelBlockFallbackDefinition",
        "mse:UpdateAppLogConfig",
        "mse:UpdateAuthPolicy",
        "mse:UpdateCircuitBreakerRule",
        "mse:UpdateCircuitBreakerRulesStatus",
        "mse:UpdateDatabaseRoute",
        "mse:UpdateDefaultCircuitBreakerRule",
        "mse:UpdateFlowRule",
        "mse:UpdateFlowRulesStatus",
        "mse:UpdateGovernanceServiceSubscribe",
        "mse:UpdateHotParamRule",
        "mse:UpdateHotParamRulesStatus",
        "mse:UpdateInstanceRegisterStatus",
        "mse:UpdateIsolationRule",
        "mse:UpdateIsolationRulesStatus",
        "mse:UpdateLocalityRule",
        "mse:UpdateLogConfig",
        "mse:UpdateMessageQueueRoute",
        "mse:UpdateOpenSergoStatusByClusterId",
        "mse:UpdateResourceWhiteListConfig",
        "mse:UpdateSentinelBlockFallbackDefinition",
        "mse:UpdateWebFlowRule",
        "mse:UpdateWebFlowRulesStatus",
        "mse:UpdateWhiteScreenRule",
        "mse:listGrayTag"
      ],
      "Resource": "acs:mse:*:*:*"
    }
  ]
}