Project Policy is the Project-level authorization policy offered by Log Service. With a Project Policy, you grant other users access to the Log Service resources that you specify.
Prerequisites
Before you configure a Project Policy using the policy syntax, you need to understand how Actions, Resources, and Conditions are classified. For more information, see the resource list, the action list, and the authorization rules.
When you configure a Project Policy and the authorized user is the anonymous account (*) without a Condition, the policy applies to all users except the Project Owner. If the authorized user is the anonymous account (*) and the policy includes a Condition, the policy applies to all users, including the Project Owner, so a Deny statement with a Condition can also block the Project Owner's own requests.
You can add multiple Project Policies, but the combined size of all Project Policies must not exceed 16 KB.
Examples
Example 1: allow only users from a specified VPC to access a Project.
The following policy allows only requests from the VPC with ID t4nlw426y44rd3iq4**** to access the Project named example-project.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "log:*"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/example-project/*",
          "Condition": {
            "StringNotEquals": {
              "acs:SourceVpc": [
                "vpc-t4nlw426y44rd3iq4****"
              ]
            }
          }
        }
      ]
    }
Example 2: deny writing logs to a Project over the Internet.
The following policy denies writing logs over the Internet to the Project named exampleproject.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "log:PostLogStoreLogs"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/exampleproject/*",
          "Condition": {
            "StringNotEquals": {
              "acs:SourceVpc": [
                "vpc-*"
              ]
            }
          }
        }
      ]
    }
Example 3: restrict the source IP addresses.
The following policy allows access to the Project named exampleproject only from the address range 192.168.0.0/16 and the address 172.16.215.218.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "*"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/exampleproject/*",
          "Condition": {
            "NotIpAddress": {
              "acs:SourceIp": [
                "192.168.0.0/16",
                "172.16.215.218"
              ]
            }
          }
        }
      ]
    }
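The following Python simulator is an added example and is not part of the Log Service documentation or SDK. It evaluates the Deny statements of Examples 1 to 3 above (plus the StringNotLike policy used in the Java sample further down) against a constructed request context, and applies the anonymous-account rule from the prerequisites: a statement with Principal * and no Condition spares the Project Owner, while one with a Condition does not. It also checks the 16 KB combined size limit. Assumptions not stated on the page: StringEquals/StringNotEquals compare exactly while StringLike/StringNotLike use * wildcards, a statement without "Principal" is treated like Principal ["*"], and a request that arrives over the Internet carries no acs:SourceVpc key. Region, account ID and VPC IDs in the request contexts are placeholders.

```python
"""Simulator for Project Policy Deny evaluation (added example, not Log Service code)."""
import ipaddress
import json
from fnmatch import fnmatchcase

MAX_POLICY_BYTES = 16 * 1024  # combined size limit for all Project Policies (from the page)

# Example 1 from the page: only requests from one VPC may reach example-project.
VPC_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["log:*"], "Principal": ["*"],
    "Resource": "acs:log:*:*:project/example-project/*",
    "Condition": {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}}}]}

# Example 3 from the page: deny everything except two source addresses/ranges.
IP_ALLOWLIST = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["*"], "Principal": ["*"],
    "Resource": "acs:log:*:*:project/exampleproject/*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}

# Policy from the Java sample: deny all log actions unless acs:SourceVpc matches vpc-*.
# No "Principal" key; assumed (not from the page) to behave like Principal ["*"].
NO_PUBLIC_ACCESS = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["log:*"], "Resource": "*",
    "Condition": {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}}}]}

# Anonymous Deny without a Condition: per the page it spares the Project Owner.
DENY_ANON_NO_COND = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["log:*"], "Principal": ["*"],
    "Resource": "acs:log:*:*:project/exampleproject/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, networks):
    """True if ip (a string, or None when absent) lies in any of the networks/addresses."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def condition_holds(condition, ctx):
    """All operators and all keys in a Condition block must hold (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual, values = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values          # a missing key also counts as "not equal"
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatchcase(actual, v) for v in values)
            elif operator == "StringNotLike":
                ok = actual is None or not any(fnmatchcase(actual, v) for v in values)
            elif operator == "IpAddress":
                ok = _ip_in_any(actual, values)
            elif operator == "NotIpAddress":
                ok = not _ip_in_any(actual, values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def statement_applies_to(statement, ctx):
    """Principal matching, including the page's Project Owner rule for anonymous (*) statements."""
    principals = _as_list(statement.get("Principal", ["*"]))  # missing Principal assumed to mean *
    if ctx.get("principal") in principals:
        return True
    if "*" not in principals:
        return False
    # Anonymous statement without a Condition applies to everyone except the Project Owner;
    # with a Condition it applies to the Project Owner as well.
    return not (ctx.get("is_owner") and "Condition" not in statement)


def is_denied(policy, ctx):
    """True if any Deny statement matches the request's principal, action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or not statement_applies_to(stmt, ctx):
            continue
        if not any(fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not condition_holds(stmt["Condition"], ctx):
            continue
        return True
    return False


def total_policy_bytes(policies):
    """Combined size of all policies as compact UTF-8 JSON."""
    return sum(len(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in policies)


def within_size_limit(policies):
    return total_policy_bytes(policies) <= MAX_POLICY_BYTES


if __name__ == "__main__":
    # Constructed request contexts; region, account and VPC IDs are placeholders.
    res = "acs:log:cn-hangzhou:1234567890:project/exampleproject/logstore/app"
    internet = {"action": "log:PostLogStoreLogs", "resource": res, "acs:SourceIp": "203.0.113.9"}
    from_vpc = dict(internet, **{"acs:SourceVpc": "vpc-abc123"})
    print("Internet write denied:", is_denied(NO_PUBLIC_ACCESS, internet))
    print("VPC write denied:", is_denied(NO_PUBLIC_ACCESS, from_vpc))
    print("Within 16 KB:", within_size_limit([VPC_ONLY, IP_ALLOWLIST, NO_PUBLIC_ACCESS]))
```

Because Project Policy only adds Deny statements, `is_denied` returning False means the request falls through to the normal RAM authorization, not that it is allowed outright. The Internet request has no acs:SourceVpc, so the StringNotEquals / StringNotLike conditions of Examples 1 and 2 hold and the request is denied.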
Use the Java SDK to manage Project Policies
Use the Java SDK to create, retrieve, and delete a Project Policy. Example:
    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This sample reads the AccessKey ID and AccessKey Secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        static String endPoint = "your-endpoint";
        static String projectName = "your-project";
        // Policy content: deny every log:Post* action on the project.
        static String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:Post*\"],\"Resource\":\"acs:log:*:*:project/"
                + projectName + "/*\",\"Effect\":\"Deny\"}]}";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            client.CreateProject(projectName, "");
            // Attach the policy, then read it back and compare it with what was sent.
            client.setProjectPolicy(projectName, policyText);
            Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
            // After deletion the policy text read back is empty.
            client.deleteProjectPolicy(projectName);
            Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
            client.DeleteProject(projectName);
        }
    }
Restrict access over the Internet. Example:
    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This sample reads the AccessKey ID and AccessKey Secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        static String endPoint = "your-endpoint";
        static String projectName = "your-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            client.CreateProject(projectName, "");
            // Before the policy is attached, the project can be read.
            try {
                client.GetProject(projectName);
            } catch (LogException e) {
                Assert.fail("should not fail : " + e.GetErrorCode());
            }
            // Deny every log action unless the request comes from a VPC (acs:SourceVpc matching vpc-*).
            String policyText = "{ \"Version\": \"1\",\n"
                    + " \"Statement\": [{"
                    + " \"Action\": [\"log:*\"],"
                    + " \"Resource\": \"*\",\n"
                    + " \"Condition\": {\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},"
                    + " \"Effect\": \"Deny\"}] }";
            client.setProjectPolicy(projectName, policyText);
            // The same request sent over the Internet is now rejected with Unauthorized.
            try {
                client.GetProject(projectName);
                Assert.fail("should fail");
            } catch (LogException e) {
                Assert.assertEquals("Unauthorized", e.getErrorCode());
            }
        }
    }