This topic describes how to create a custom RAM (Resource Access Management) policy for ASM (Alibaba Cloud Service Mesh).

Prerequisites

You are familiar with the basic structure and syntax of the policy language. For more information, see Policy syntax and structure.

Procedure

  1. Log on to the RAM console with an account that has RAM permissions.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. Set the permissions for accessing ASM instances.
    1. On the Policies page, click Create Policy.
    2. On the Create Custom Policy page, enter a policy name (for example, ASMPolicy1) and set Configuration Mode to Script.
    3. Write your policy in Policy Document, then click OK.
      By changing the Action field in Statement, you can implement fine-grained authorization at the level of individual APIs.
      • To grant permissions on all APIs, set the Action field to "servicemesh:*".
        {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                    "servicemesh:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
        }
      • To grant permissions on specific APIs, set the Action field to "servicemesh:${API name}", one entry per API.
        Note: For details about the APIs, see API overview.
        {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                    "servicemesh:DescribeGuestClusterNamespaces",
                    "servicemesh:DescribeGuestClusterPods",
                    "servicemesh:DescribeServiceMeshDetail"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                    "servicemesh:UpdateMeshFeature"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
        }
      • To grant permissions on a group of APIs, for example all Describe permissions, set the Action field to "servicemesh:Describe*" (every API whose name starts with Describe). The following example grants all Get* APIs in the same way.
        {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                    "servicemesh:Describe*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                    "servicemesh:Get*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
        }
      • Add the policy statements for the other cloud services that ASM depends on (the ecs, vpc, slb, xtrace, cen, arms and log statements in the following example).
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "servicemesh:*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "ecs:CreateSecurityGroup",
                        "ecs:CreateSecurityGroupPermissions",
                        "ecs:DeleteSecurityGroup",
                        "ecs:DescribeAccountAttributes",
                        "ecs:DescribeSecurityGroups",
                        "ecs:AuthorizeSecurityGroup",
                        "ecs:RevokeSecurityGroup",
                        "ecs:AuthorizeSecurityGroupEgress",
                        "ecs:JoinSecurityGroup",
                        "ecs:LeaveSecurityGroup",
                        "ecs:UnassociateEipAddress",
                        "ecs:ReleaseEipAddress",
                        "ecs:RevokeSecurityGroupEgress",
                        "ecs:DescribeInstances",
                        "ecs:DescribeNetworkInterfaces"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "vpc:DescribeVpcs",
                        "vpc:DescribeVSwitches",
                        "vpc:DescribeEipAddresses",
                        "vpc:DescribeNetworkQuotas",
                        "vpc:AllocateEipAddress",
                        "vpc:AssociateEipAddress",
                        "vpc:UnassociateEipAddress",
                        "vpc:ReleaseEipAddress",
                        "vpc:DeletionProtection",
                        "vpc:DescribeVpcAttribute"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "slb:DescribeLoadBalancerAttribute",
                        "slb:CreateLoadBalancer",
                        "slb:DeleteLoadBalancer",
                        "slb:RemoveBackendServers",
                        "slb:StartLoadBalancerListener",
                        "slb:StopLoadBalancerListener",
                        "slb:CreateLoadBalancerTCPListener",
                        "slb:AddBackendServers",
                        "slb:CreateVServerGroup",
                        "slb:CreateLoadBalancerHTTPSListener",
                        "slb:CreateLoadBalancerUDPListener",
                        "slb:ModifyLoadBalancerInternetSpec",
                        "slb:SetBackendServers",
                        "slb:AddVServerGroupBackendServers",
                        "slb:DeleteVServerGroup",
                        "slb:ModifyVServerGroupBackendServers",
                        "slb:CreateLoadBalancerHTTPListener",
                        "slb:RemoveVServerGroupBackendServers",
                        "slb:DeleteLoadBalancerListener",
                        "slb:AddTags",
                        "slb:RemoveTags",
                        "slb:SetLoadBalancerDeleteProtection"
                    ],
                    "Resource": [
                        "*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "xtrace:GetToken",
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "cen:DescribeCenAttachedChildInstances",
                        "cen:DescribeCens"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "arms:ListClusterFromGrafana",
                        "arms:GetPrometheusApiToken",
                        "arms:Get*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetProject"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
  4. Set the permissions on the clusters in the mesh instance.
    1. On the Policies page, click Create Policy again.
    2. On the Create Custom Policy page, enter a policy name (for example, ASMPolicy2) and set Configuration Mode to Script.
    3. Write your policy in Policy Document.
      Notice: Because ACK clusters are added to and removed from the mesh instance, the corresponding permissions must be granted on the clusters being managed. In the following example, the Resource of the statement with "Action": "cs:Get*" and "Effect": "Allow" is set to "acs:cs:*:*:cluster/{cluster ID}" to limit the grant to one cluster; it can also be set to "acs:cs:*:*:cluster/*" (all ACK clusters).
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "cs:Get*",
                  "Effect": "Allow",
                  "Resource": [
                      "acs:cs:*:*:cluster/{某个集群ID或者*}"
                  ]
              }
          ]
      }
    4. When you are done, click OK.
      Return to the Policies page. Search for the policy name or description in the search box to find your custom policy.
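The following Python script is an added example for this procedure; it is not part of the original page and not Alibaba Cloud's policy engine. It checks the structure of a policy document (Version, Statement, and the Action/Resource/Effect keys used above) and then evaluates requests against it the way the two policies are meant to behave: an Action pattern such as servicemesh:Describe* matches only API names that start with Describe, and the Resource ARN acs:cs:*:*:cluster/{cluster ID} limits cs:Get* to a single cluster. The evaluation model (an explicit Deny overrides Allow, and anything not allowed is denied), the treatment of * as the only wildcard, and the cluster and mesh identifiers are assumptions made for the demonstration.

```python
import json
import re

# Constructed sample that combines the two policies from the procedure above
# (ASMPolicy1 with Action wildcards, ASMPolicy2 with a Resource ARN pattern).
# The cluster ID is a made-up placeholder, not a real cluster.
SAMPLE_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["servicemesh:Describe*", "servicemesh:Get*"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "cs:Get*",
            "Effect": "Allow",
            "Resource": ["acs:cs:*:*:cluster/c-example-cluster-id"]
        }
    ]
}
""")

REQUIRED_KEYS = {"Action", "Resource", "Effect"}


def validate_policy(policy):
    """Return a list of structural problems; an empty list means well-formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for index, statement in enumerate(statements):
        missing = REQUIRED_KEYS - set(statement)
        if missing:
            problems.append(f"statement {index}: missing {sorted(missing)}")
        if statement.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {index}: Effect must be Allow or Deny")
    return problems


def _as_list(value):
    # Action and Resource may be written as a single string or as a list.
    return [value] if isinstance(value, str) else list(value)


def _match(pattern, value):
    # Assumed matching rule: only '*' is a wildcard (any run of characters),
    # everything else is literal. So "servicemesh:Describe*" covers
    # DescribeServiceMeshDetail but not UpdateMeshFeature, and
    # "acs:cs:*:*:cluster/*" covers every cluster ARN.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants the request, and nothing is granted by default."""
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(_match(p, action) for p in _as_list(statement["Action"]))
        resource_hit = any(_match(p, resource) for p in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def granted_actions(policy, candidate_actions, resource):
    """Which of the candidate API names the policy lets through on a resource;
    useful for reviewing what a wildcard such as Describe* really covers."""
    return sorted(a for a in candidate_actions if is_allowed(policy, a, resource))


if __name__ == "__main__":
    # Constructed ARNs and a constructed cs:Get* API name for the demonstration.
    mesh = "acs:servicemesh:cn-hangzhou:123456789012:servicemesh/mesh-example"
    own_cluster = "acs:cs:cn-hangzhou:123456789012:cluster/c-example-cluster-id"
    other_cluster = "acs:cs:cn-hangzhou:123456789012:cluster/c-other-cluster"
    print("problems:", validate_policy(SAMPLE_POLICY))
    print("granted:", granted_actions(SAMPLE_POLICY, [
        "servicemesh:DescribeServiceMeshDetail",
        "servicemesh:DescribeGuestClusterPods",
        "servicemesh:UpdateMeshFeature",
    ], mesh))
    print("own cluster:", is_allowed(SAMPLE_POLICY, "cs:GetExample", own_cluster))
    print("other cluster:", is_allowed(SAMPLE_POLICY, "cs:GetExample", other_cluster))
```

Run the script before pasting a policy into the console to see which of the APIs you care about a wildcard actually grants, and to confirm that the cluster ARN excludes clusters outside the mesh instance.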