Custom policies give you fine-grained control over permissions and are an effective way to secure access to your resources. If the system policies do not meet your requirements, you can create custom policies for ApsaraVideo VOD that grant only the minimum permissions required.
Background information
If you are not yet familiar with custom policies, see Create a custom policy.
VOD API operations and policies
For the mapping between VOD API operations and policy Actions, see Operations (Action). A custom policy for VOD may also need to control access to OSS resources (for example, the bucket that stores uploaded media); for the corresponding OSS actions, see the Object Storage Service API overview.
Common custom policy scenarios and examples
Deny uploading objects with a public-read ACL to an OSS bucket
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": ["public-read-write", "public-read"]
        }
      }
    }
  ]
}

This Deny matches only requests that explicitly set the x-oss-object-acl header to public-read or public-read-write. An upload that sends no ACL header is not matched, and the object then inherits the ACL of the bucket, so keep the bucket ACL private as well.

Allow only requesters whose source IP is 192.168.XX.XX to call the playback API operations
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:GetPlayInfo",
        "vod:GetVideoPlayAuth",
        "vod:GetVideoPlayInfo",
        "vod:GetVideoInfo"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.XX.XX"
        }
      }
    }
  ]
}

Replace 192.168.XX.XX with your own address; acs:SourceIp also accepts CIDR blocks such as 192.168.0.0/24. The condition narrows this Allow statement only: if the same RAM user or role is also attached to another policy that grants these actions without the condition, requests from other addresses are still allowed. To block them regardless of other grants, add an explicit Deny statement for the same actions with a NotIpAddress condition on acs:SourceIp.

Grant permissions to use media review
Note
To keep the permissions complete, update the Action list in the example below whenever new API operations are added to the media review API group.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:SetAuditSecurityIp",
        "vod:ListAuditSecurityIp",
        "vod:CreateAudit",
        "vod:GetAuditHistory",
        "vod:SubmitAIMediaAuditJob",
        "vod:GetAIMediaAuditJob",
        "vod:GetMediaAuditResult",
        "vod:GetMediaAuditResultDetail",
        "vod:GetMediaAuditResultTimeline"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Grant permissions to use cloud editing
Note
To keep the permissions complete, update the Action list in the example below whenever new API operations are added to the cloud editing API group.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:ProduceEditingProjectVideo",
        "vod:AddEditingProject",
        "vod:UpdateEditingProject",
        "vod:DeleteEditingProject",
        "vod:GetEditingProject",
        "vod:SearchEditingProject",
        "vod:SetEditingProjectMaterials",
        "vod:GetEditingProjectMaterials"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
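Before attaching policies like the ones above, it helps to check offline how they decide a concrete request, especially how the ACL Deny behaves when the header is absent and how a conditional Allow interacts with a broader grant. The following script is added here as an example; it is not part of the ApsaraVideo VOD documentation and is not an Alibaba Cloud tool. It implements the general RAM decision order (an explicit Deny wins, then any matching Allow, otherwise the request is implicitly denied) for the grammar the page's examples use: Action and Resource values with `*` wildcards, and the StringEquals, IpAddress and NotIpAddress condition operators. The first two scenarios on the page are reproduced as Python dictionaries; the range 192.168.0.0/16 stands in for the 192.168.XX.XX placeholder, the bucket and object names and the client address 203.0.113.7 are constructed test inputs, and the explicit Deny with NotIpAddress is an assumed hardened variant written for this example.

```python
"""Offline evaluator for RAM-style policy documents.

Added example, not an Alibaba Cloud tool; makes no API calls.
Decision order: explicit Deny > any Allow > implicit deny.
All policies and request contexts below are constructed for illustration.
"""
import fnmatch
import ipaddress

PLAYBACK_ACTIONS = ["vod:GetPlayInfo", "vod:GetVideoPlayAuth",
                    "vod:GetVideoPlayInfo", "vod:GetVideoInfo"]

# First scenario from the page: refuse uploads that set a public object ACL.
DENY_PUBLIC_ACL = {"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": ["oss:PostObject", "oss:CopyObject", "oss:AppendObject",
               "oss:InitiateMultipartUpload", "oss:MultipartUpload",
               "oss:UploadPart", "oss:UploadPartCopy", "oss:PutObjectAcl",
               "oss:PutObject"],
    "Resource": "*",
    "Condition": {"StringEquals": {
        "oss:x-oss-object-acl": ["public-read-write", "public-read"]}}}]}

# Second scenario: Allow playback reads only from one source range
# (192.168.0.0/16 is a constructed stand-in for the page's 192.168.XX.XX).
PLAYBACK_FROM_OFFICE = {"Version": "1", "Statement": [{
    "Action": PLAYBACK_ACTIONS, "Resource": "*", "Effect": "Allow",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.0/16"}}}]}

# Assumed hardened variant: an explicit Deny from outside the range, which a
# broader Allow attached elsewhere cannot undo.
DENY_PLAYBACK_OUTSIDE_OFFICE = {"Version": "1", "Statement": [{
    "Action": PLAYBACK_ACTIONS, "Resource": "*", "Effect": "Deny",
    "Condition": {"NotIpAddress": {"acs:SourceIp": "192.168.0.0/16"}}}]}

# Broad grants of the kind that often coexist with a scoped policy.
ALLOW_ALL_VOD = {"Version": "1", "Statement": [{
    "Action": "vod:*", "Resource": "*", "Effect": "Allow"}]}
ALLOW_ALL_OSS = {"Version": "1", "Statement": [{
    "Action": "oss:*", "Resource": "*", "Effect": "Allow"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(value, ranges):
    # A bare address is treated as a /32 (or /128) network.
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def _condition_met(condition, context):
    """True when every condition entry is satisfied by the request context.
    A key missing from the context (e.g. an upload without an ACL header)
    does not satisfy the condition, so the statement does not apply."""
    for operator, entries in condition.items():
        for key, wanted in entries.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "IpAddress":
                ok = _ip_in(actual, wanted)
            elif operator == "NotIpAddress":
                ok = not _ip_in(actual, wanted)
            else:
                raise ValueError(f"operator {operator} not supported here")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, context):
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_met(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource="*", context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request evaluated
    against every policy attached to the identity."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "acs:oss:*:*:vod-bucket/video.mp4"  # constructed resource name
    for acl in ("public-read", "private"):
        print(f"PutObject with ACL {acl}:",
              evaluate([ALLOW_ALL_OSS, DENY_PUBLIC_ACL], "oss:PutObject", obj,
                       {"oss:x-oss-object-acl": acl}))
    print("PutObject without ACL header:",
          evaluate([ALLOW_ALL_OSS, DENY_PUBLIC_ACL], "oss:PutObject", obj))
    outside = {"acs:SourceIp": "203.0.113.7"}  # constructed external client
    print("scoped Allow only:",
          evaluate([PLAYBACK_FROM_OFFICE], "vod:GetPlayInfo", context=outside))
    print("scoped Allow plus vod:* grant:",
          evaluate([PLAYBACK_FROM_OFFICE, ALLOW_ALL_VOD], "vod:GetPlayInfo", context=outside))
    print("vod:* grant plus explicit Deny:",
          evaluate([ALLOW_ALL_VOD, DENY_PLAYBACK_OUTSIDE_OFFICE], "vod:GetPlayInfo", context=outside))
```

Running the script shows the two points the notes above make: the upload without an ACL header passes the Deny (so the bucket ACL is what protects it), and the IP-scoped Allow stops restricting anything as soon as a `vod:*` grant is attached, whereas the explicit Deny with NotIpAddress still rejects the external address.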