Before a RAM account can call the Ant Blockchain (BaaS) service API, the primary Alibaba Cloud account must grant it permissions by creating an authorization policy. Inside the policy, the authorized resources are identified by Alibaba Cloud Resource Names (ARNs).

This document describes the RAM authorization rules for Ant Blockchain that let you grant access to team or department members, authorize cross-account access to resources, and authorize access across cloud services. Before you use RAM to authorize and access the blockchain service, make sure you have read the RAM product documentation and the RAM API documentation.

Authorizable Ant Blockchain resource types

When authorizing a RAM user (sub-account), Ant Blockchain resources are described as follows:

Resource type       Resource description in the authorization policy
Consortium          acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId
Blockchain          acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
Contract project    acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId

Here $consortiumId is the consortium ID, $blockchainId is the blockchain ID, $projectId is the ID of a contract project within the consortium, and $consortiumOwnerUid is the UID of the account that owns the consortium.

Authorizable Ant Blockchain API operations

The following table lists the Ant Blockchain API operations that can be authorized and the resource description each one is checked against:

API                                      Resource description
CreateAntChainConsortium acs:baas:*:$accountId:antChainConsortium/*
DescribeAntChainConsortiums acs:baas:*:$accountId:antChainConsortium/*
UpdateAntChainConsortium acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId
DeleteAntChainConsortium acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId
InviteAntChainMember acs:baas:*:$accountId:*
AgreeAntChainInvitation acs:baas:*:$accountId:*
DescribeAntChainMembers acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId
UpdateAntChainMember acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId
DescribeAntChains acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/*
CreateAntChain acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/*
UpdateAntChain acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
ApplyAntChainCertificate acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
ApplyAntChainCertificateWithKeyAutoCreation acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainDownloadPaths acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
ResetAntChainCertificate acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainLatestBlocks acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainLatestTransactionDigests acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainInformation acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainTransactionStatistics acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainBlock acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainTransaction acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainTransactionReceipt acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
ResetAntChainUserCertificate acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainAccounts acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainNodes acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
CreateAntChainAccount acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
CreateAntChainAccountWithKeyPairAutoCreation acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
FreezeAntChainAccount acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
UnfreezeAntChainAccount acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainCertificateApplications acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
CreateAntChainContractProject acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/*
CopyAntChainContractProject acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/*
DeleteAntChainContractProject acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
UpdateAntChainContractProject acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
DescribeAntChainContractProjects acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/*
DescribeAntChainContractProjectContentTree acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
CreateAntChainContractContent acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
DeleteAntChainContractContent acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
UpdateAntChainContractContent acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId
DescribeCloudIDEEnvConfigs acs:baas:*:$accountId:*
ProcessCloudIDEContractTransaction acs:baas:*:$accountId:*
Experience-chain APIs on the overview page    Meet the no-authentication condition; no RAM authentication is performed.
DescribeAntChainRegions                       No RAM authentication is performed for this API.
DescribeAntChainQRCodeAuthorization acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
UpdateAntChainQRCodeAuthorization acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainMiniAppBrowserQRCodeAuthorizedUsers acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
BatchAddAntChainMiniAppQRCodeAuthorizedUsers acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DeleteAntChainMiniAppQRCodeAuthorizedUser acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainMiniAppBrowserQRCodeAccessLog acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId
DescribeAntChainMiniAppBrowserTransactionQRCode acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId

Ant Blockchain RAM policy examples

Example 1: authorize read-only operations on the BaaS service. Permissions of this type let a user view blockchain status and download the SDK through the console or the API.

{
  "Statement": [{
    "Action": ["baas:DescribeAntChain*"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  }],
  "Version": "1"
}

Example 2: authorize consortium management operations (query, create, update, delete). Permissions of this type let a user manage consortiums through the console or the API.

{
  "Statement": [{
    "Action": "baas:*AntChainConsortium*",
    "Effect": "Allow",
    "Resource": ["acs:baas:*:*:antChainConsortium/*"]
  }],
  "Version": "1"
}

Example 3: finer-grained authorization for a chaincode (smart contract) developer. This role typically needs every read operation plus resource management operations on one specific consortium. Following the principle of least privilege, and taking contract management as the example, the user must be restricted to operating only on the specified contract project in the specified consortium. Replace antChainConsortium/$consortiumId/contractProject/$projectId below with the actual resource IDs from the blockchain service.

{
  "Statement": [{
    "Action": ["baas:DescribeAntChain*"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  },
  {
    "Action": "baas:*AntChainContract*",
    "Effect": "Allow",
    "Resource": ["acs:baas:*:*:antChainConsortium/$consortiumId/contractProject/$projectId"]
  }],
  "Version": "1"
}
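As an added example that is not part of the original documentation and not Alibaba Cloud's RAM evaluation engine, the following Python simulates how the wildcard policies above map onto the API table, so a policy can be reviewed for least privilege before it is attached. It assumes a constructed subset of the table and constructed IDs (account 100, consortium c1, blockchain b1, project p1), treats `*` in the policy as a wildcard and the request ARN as literal text, and lets an explicit Deny override Allow.

```python
import json
import re

# Constructed subset of the page's API -> resource table (the ARN checked per
# call, with the page's $placeholders still in place).
API_RESOURCES = {
    "CreateAntChainConsortium": "acs:baas:*:$accountId:antChainConsortium/*",
    "DescribeAntChainConsortiums": "acs:baas:*:$accountId:antChainConsortium/*",
    "DeleteAntChainConsortium": "acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId",
    "DescribeAntChainBlock": "acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/blockchain/$blockchainId",
    "CreateAntChainContractProject": "acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/*",
    "UpdateAntChainContractProject": "acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId",
    "CreateAntChainContractContent": "acs:baas:*:$consortiumOwnerUid:antChainConsortium/$consortiumId/contractProject/$projectId",
    "DescribeCloudIDEEnvConfigs": "acs:baas:*:$accountId:*",
}
# Constructed IDs for the simulated caller; real ones come from the BaaS console.
CTX = {"accountId": "100", "consortiumOwnerUid": "100", "consortiumId": "c1",
       "blockchainId": "b1", "projectId": "p1"}


def glob_match(pattern, value):
    """'*' in the policy matches any characters (':' and '/' included); the request ARN is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def request_arn(api):
    """Concrete ARN of one call: fill $placeholders from CTX; a '*' from the table stays literal."""
    arn = API_RESOURCES[api]
    for key, val in CTX.items():
        arn = arn.replace("$" + key, val)
    return arn


def allowed_apis(policy_json):
    """APIs from the table that the policy allows; an explicit Deny wins over Allow."""
    stmts = json.loads(policy_json)["Statement"]
    aslist = lambda x: x if isinstance(x, list) else [x]
    allowed = []
    for api in API_RESOURCES:
        action, arn = "baas:" + api, request_arn(api)
        hits = [s["Effect"] for s in stmts
                if any(glob_match(a, action) for a in aslist(s["Action"]))
                and any(glob_match(r, arn) for r in aslist(s["Resource"]))]
        if hits and "Deny" not in hits:
            allowed.append(api)
    return sorted(allowed)


# Example 3 from the page with $consortiumId/$projectId filled in from CTX.
EXAMPLE3 = json.dumps({"Version": "1", "Statement": [
    {"Action": ["baas:DescribeAntChain*"], "Effect": "Allow", "Resource": "acs:baas:*:*:*"},
    {"Action": "baas:*AntChainContract*", "Effect": "Allow",
     "Resource": ["acs:baas:*:*:antChainConsortium/c1/contractProject/p1"]}]})
```

Under these assumptions, allowed_apis(EXAMPLE3) grants the Describe* calls plus UpdateAntChainContractProject and CreateAntChainContractContent on project p1, but not CreateAntChainContractProject, because that call is checked against contractProject/* rather than the specific project.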