代運(yùn)維權(quán)限說(shuō)明
更新時(shí)間:
服務(wù)商在創(chuàng)建代運(yùn)維服務(wù)時(shí),需要設(shè)置權(quán)限策略。在用戶創(chuàng)建代運(yùn)維服務(wù)實(shí)例后,計(jì)算巢會(huì)為用戶創(chuàng)建相應(yīng)的權(quán)限策略,并授信給計(jì)算巢。計(jì)算巢會(huì)為服務(wù)商授予其發(fā)布服務(wù)的服務(wù)實(shí)例中所包含資源的相應(yīng)權(quán)限,服務(wù)商即可針對(duì)這些資源進(jìn)行相應(yīng)的代運(yùn)維操作。
資源限制
私有部署服務(wù)附加代運(yùn)維的服務(wù),權(quán)限只限定在用戶部署的服務(wù)實(shí)例內(nèi)的資源。
純代運(yùn)維的服務(wù),權(quán)限只限定在用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例內(nèi)的資源。服務(wù)商可以在服務(wù)實(shí)例詳情頁(yè)面查看已授權(quán)的運(yùn)維資源,如下圖所示:
權(quán)限限制
代運(yùn)維權(quán)限限定在代運(yùn)維權(quán)限全集的系統(tǒng)權(quán)限策略AliyunComputeNestPolicyForSupplierRole里,實(shí)際服務(wù)的代運(yùn)維權(quán)限為代運(yùn)維權(quán)限全集與選擇的權(quán)限范圍的交集。
AliyunComputeNestPolicyForSupplierRole策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}代運(yùn)維權(quán)限策略
服務(wù)商在配置服務(wù)時(shí)可選的權(quán)限策略為:
權(quán)限名 | 權(quán)限 | 說(shuō)明 |
全部權(quán)限 | AliyunComputeNestPolicyForFullAccess | 針對(duì)用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例中阿里云資源的全部權(quán)限。 |
只讀權(quán)限 | AliyunComputeNestPolicyForReadOnly | 針對(duì)用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例中阿里云資源的只讀權(quán)限,還包括這部分資源的ActionTrail審計(jì)日志。 |
終端登錄權(quán)限 | AliyunComputeNestPolicyForTerminalLogin | 針對(duì)用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例中ECS實(shí)例的遠(yuǎn)程連接權(quán)限。 |
操作審計(jì)權(quán)限 | AliyunComputeNestPolicyForTrails | 針對(duì)用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例中阿里云資源的查看審計(jì)日志ActionTrail權(quán)限。 |
監(jiān)控權(quán)限 | AliyunComputeNestPolicyForAlarm | 針對(duì)用戶指定的ECS實(shí)例或者計(jì)算巢服務(wù)實(shí)例中阿里云資源的管理閾值報(bào)警和事件報(bào)警規(guī)則的權(quán)限。 |
升級(jí)權(quán)限 | AliyunComputeNestPolicyForUpgrade | 針對(duì)用戶指定的計(jì)算巢服務(wù)實(shí)例中的應(yīng)用和服務(wù)配置升級(jí)和回滾的權(quán)限。 |
運(yùn)維操作權(quán)限 | AliyunComputeNestPolicyForOperation | 針對(duì)用戶指定的服務(wù)實(shí)例進(jìn)行運(yùn)維操作的權(quán)限 |
權(quán)限策略配置為RAM權(quán)限策略,具體內(nèi)容含義可以參考文檔權(quán)限策略基本元素。
AliyunComputeNestPolicyForFullAccess
全部權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}實(shí)際效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForReadOnly
只讀權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}實(shí)際效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForTerminalLogin
終端登錄權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"ecs:*TerminalSession*",
"tag:List*",
"tag:DescribeRegions",
"ecs:Describe*Instance*",
"cs:Describe*Cluster*",
"cs:GetClusters",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}實(shí)際效果
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"tag:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForTrails
操作審計(jì)權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}實(shí)際效果
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForAlarm
監(jiān)控權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"cms:Describe*",
"cms:CheckRamRoleForCloudMonitor",
"cms:QueryMetricList",
"cms:*MetricRule*",
"cms:*EventRule*",
"cms:*HostAvailability",
"tag:List*",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}實(shí)際效果
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DescribeMonitorGroupInstances",
"cms:DescribeMonitorGroupCategories",
"cms:DescribeMonitorGroupDynamicRules",
"cms:DescribeMetricRuleTemplateList",
"cms:DescribeAlertingMetricRuleResources",
"cms:DescribeContactGroupList",
"cms:DescribeMonitorGroupInstanceAttribute",
"cms:DescribeMetricListFromProxy",
"cms:DescribeMetricLastFromProxy",
"cms:DescribeMonitoringAgentHosts",
"cms:DescribeMetricTopFromProxy",
"cms:DescribeRegions",
"cms:DescribeDashboardGroupList",
"cms:DescribeHostAvailabilityList",
"cms:DescribeUnhealthyHostAvailability",
"cms:DescribeGroupMonitoringAgentProcess",
"cms:DescribeSystemEventMetaList",
"cms:CheckRamRoleForCloudMonitor",
"cms:DescribeSystemEventHistogram",
"cms:DescribeSystemEventAttribute",
"cms:DescribeEventRuleList",
"cms:DescribeEventRuleTargetList",
"cms:DescribeCustomEventAttribute",
"cms:DescribeCustomEventHistogram",
"cms:DescribeContactListByContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeCustomMetricList",
"cms:DescribeAlertLogCount",
"cms:DescribeMetricMetaList",
"cms:DescribeConsoleViews",
"cms:DescribeProjectMeta",
"cms:DescribeAlertLogHistogram",
"cms:CreateHostAvailability",
"cms:ModifyHostAvailability",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForUpgrade
升級(jí)權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Effect": "Allow",
"Action": [
"ros:*Stack",
"ros:ListStack*",
"tag:List*Resource*",
"tag:DescribeRegions",
"vpc:Describe*",
"slb:Describe*",
"slb:ListTagResources",
"slb:*AccessControlListEntry",
"slb:ModifyLoadBalancer*",
"ecs:*Instance*",
"ecs:Describe*",
"ecs:RunCommand",
"ecs:*SecurityGroup*",
"ecs:*Disk*",
"ess:ListTagResources",
"ess:DescribeScaling*",
"ess:*ScalingRule",
"ess:*Instances",
"cs:GetUserPermissions",
"cs:Describe*Cluster*",
"cs:GetClusters",
"cs:CreateEdasClusterRole*"
],
"Resource": [
"*"
]
}實(shí)際效果
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeEipAddresses",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"slb:ListTagResources",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceSpec",
"ecs:ModifyInstanceAttribute",
"ecs:ReplaceSystemDisk",
"ecs:RunInstances",
"ecs:ModifySecurityGroupAttribute",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks",
"ecs:ResizeDisk",
"ecs:ModifyDiskSpec",
"ecs:DescribeImages",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:CreateSnapshot",
"ecs:CreateAutoSnapshotPolicy",
"ecs:ApplyAutoSnapshotPolicy",
"ecs:StopInstances",
"ecs:ResetDisk",
"ecs:DescribeSnapshots",
"ess:ListTagResources",
"ess:DescribeScalingGroups",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:DescribeScalingActivityDetail",
"ess:DescribeScalingActivities",
"ess:ExecuteScalingRule",
"ess:RemoveInstances",
"ess:DetachInstances",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"cs:GetUserPermissions",
"cs:CreateEdasClusterRole",
"cs:CreateEdasClusterRoleBinding"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForOperation
運(yùn)維操作權(quán)限
代運(yùn)維權(quán)限Policy配置
{
"Action": [
"ros:*Stack",
"ros:ListStack*",
"cs:Get*",
"cs:Describe*Cluster*",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:*Instance*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}實(shí)際效果
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"cs:GetClusters",
"cs:GetUserPermissions",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:StopInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}文檔內(nèi)容是否對(duì)您有幫助?