Background
By default, an SLS Project accepts writes from any IP address. When data is written to SLS through LoongCollector (formerly Logtail), data from unexpected sources may therefore also be written. A Project Policy adds a layer of access control by specifying the IP ranges that are allowed to write. For example, suppose a stable production cluster A is already running, writes its logs to Project A, and has alerting and other automated operations policies configured on it. To keep logs from a test cluster or a new cluster from being written into Project A by mistake and disrupting day-to-day operations, you can use a Project Policy.
Notes before use
Project Policy can only be configured through the SDK; there is no console entry point yet.
Understand the authorization elements Action, Resource, and Condition.
When configuring a Project Policy, if the authorized user selects the anonymous account (*):
Examples
The following uses the Java SDK to show how to set a Project Policy. For other languages, see the SDK overview.
Download the Java SDK package.
Create src/main/java/com/aliyun/openservices/log/sample/ProjectPolicyDemo.java.
Use the sample code below that matches your scenario, and modify the parameter values as described in the comments.
Allow only a specified VPC to access a Project
範例程式碼 | 權限原則 |
代碼中參數擷取方式參考如下: package com.aliyun.openservices.log.sample;
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;
public class ProjectPolicyDemo {
// 本樣本從環境變數中擷取AccessKey ID和AccessKey Secret
static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
static String endPoint = "your-endpoint"; // 修改為Log ServiceProject的地區對應的endPoint。
static String projectName = "example-project";// 修改為Log ServiceProject的名稱。
static Client client = new Client(endPoint, accessKeyId, accessKey);
public static void main(String[] args) throws LogException {
try {
client.GetProject(projectName);
} catch (LogException e) {
Assert.fail("should not fail : " + e.GetErrorCode());
}
String policyText="{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:*\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\": {\"StringNotEquals\": {\"acs:SourceVpc\": [\"vpc-t4nlw426y44rd3iq4****\"]}},\"Effect\":\"Deny\"}]}";
client.setProjectPolicy(projectName, policyText);
client.getProjectPolicy(projectName);
Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
}
}
| 範例程式碼中policyText使用的權限原則如下,表示僅允許來自VPC ID為t4nlw426y44rd3iq4****的請求訪問名為example-project的Project 。 {
"Version": "1",
"Statement": [
{
"Action": [
"log:*"
],
"Principal": [
"*"
],
"Resource": "acs:log:*:*:project/example-project/*",
"Condition": {
"StringNotEquals": {
"acs:SourceVpc": [
"vpc-t4nlw426y44rd3iq4****"
]
}
},
"Effect": "Deny"
}
]
}
|
Deny access from specific IP addresses
Sample code

For how the parameters used in the code are obtained, see the following:

package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This sample reads the AccessKey ID and AccessKey Secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    static String endPoint = "your-endpoint"; // Change to the endpoint of the region where the Log Service Project resides.
    static String projectName = "example-project"; // Change to the name of the Log Service Project.
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Make sure the Project exists before attaching a policy to it.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny all actions on the Project when the request comes from one of the listed source IP addresses.
        String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"*\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\": {\"IpAddress\":{\"acs:SourceIp\":[\"192.168.0.0\",\"172.16.215.218\"]}},\"Effect\":\"Deny\"}]}";
        client.setProjectPolicy(projectName, policyText);
        // Read the policy back and confirm it was stored exactly as written.
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
    }
}

Policy

The following policy states that the two IP addresses 192.168.0.0 and 172.16.215.218 cannot access the Project named example-project.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "*"
            ],
            "Principal": [
                "*"
            ],
            "Resource": "acs:log:*:*:project/example-project/*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": [
                        "192.168.0.0",
                        "172.16.215.218"
                    ]
                }
            }
        }
    ]
}
Deny writes from public IP addresses
Sample code

For how the parameters used in the code are obtained, see the following:

package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This sample reads the AccessKey ID and AccessKey Secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    static String endPoint = "your-endpoint"; // Change to the endpoint of the region where the Log Service Project resides.
    static String projectName = "example-project"; // Change to the name of the Log Service Project.
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Make sure the Project exists before attaching a policy to it.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny log writes (PostLogStoreLogs) unless the request carries a VPC source, i.e. block public-internet writes.
        String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:PostLogStoreLogs\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\":{\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},\"Effect\":\"Deny\"}]}";
        client.setProjectPolicy(projectName, policyText);
        // Read the policy back and confirm it was stored exactly as written.
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
    }
}

Policy

The following policy denies writing logs over the public internet to the Project named example-project.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "log:PostLogStoreLogs"
            ],
            "Principal": [
                "*"
            ],
            "Resource": "acs:log:*:*:project/example-project/*",
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }
    ]
}
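As an added example (not from this page or the SLS SDK), the following Python simulator applies the Deny-by-condition logic of the three policies above to constructed request contexts, so the effect of a policy can be reasoned about before it is set on a production Project. The operator semantics are assumptions modelled on RAM policy conditions, not SLS's own evaluator: IpAddress accepts a bare address or a CIDR block, StringNotLike uses * wildcards, and a negated operator holds when the key is absent from the request (which is why a public-internet request with no acs:SourceVpc is denied); Principal is ignored because all three examples use *.

```python
import fnmatch
import ipaddress

RESOURCE = "acs:log:*:*:project/example-project/*"
# Constructed request resource ARN used in the checks below (region/account are made up).
REQ_RESOURCE = "acs:log:cn-hangzhou:123456:project/example-project/logstore/app"

def deny_policy(action, condition):
    """Build a one-statement Deny policy with the same shape as the page's policyText."""
    return {"Version": "1", "Statement": [{"Action": [action], "Principal": ["*"],
            "Resource": RESOURCE, "Condition": condition, "Effect": "Deny"}]}

# The three policies from this page, rebuilt as dicts with the same values.
VPC_ONLY = deny_policy("log:*", {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}})
BLOCK_IPS = deny_policy("*", {"IpAddress": {"acs:SourceIp": ["192.168.0.0", "172.16.215.218"]}})
NO_PUBLIC_WRITE = deny_policy("log:PostLogStoreLogs", {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}})

def condition_holds(cond, ctx):
    """Assumed operator semantics (modelled on RAM conditions, not SLS code). Every
    operator/key pair in the Condition block must hold for the statement to apply."""
    for op, keys in cond.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if op == "IpAddress":  # a bare address matches only that host; use CIDR for a range
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(e, strict=False) for e in expected):
                    return False
            elif op == "StringNotEquals":  # holds when the key is absent from the request
                if actual in expected:
                    return False
            elif op == "StringNotLike":  # '*' wildcard, as in vpc-*; holds when key is absent
                if actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True

def is_denied(policy, action, resource, ctx):
    """True if any Deny statement's Action, Resource and Condition all match the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```

A request that no Deny statement matches falls through to the Project's default behaviour, which is why the VPC-only policy still blocks read actions from outside the VPC while the public-write policy leaves reads untouched.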
Delete the Project Policy
If access control is no longer needed, you can delete the Project Policy.

package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This sample reads the AccessKey ID and AccessKey Secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    static String endPoint = "your-endpoint"; // Change to the endpoint of the region where the Log Service Project resides.
    static String projectName = "example-project"; // Change to the name of the Log Service Project.
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Remove the policy, then confirm that the Project no longer has one (empty policy text).
        client.deleteProjectPolicy(projectName);
        Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
    }
}