服务商在创建代运维服务时,需要设置权限策略。在用户创建代运维服务实例后,计算巢会为用户创建相应的权限策略,并授信给计算巢。计算巢会为服务商授予其发布服务的服务实例中所包含资源的相应权限,服务商即可针对这些资源进行相应的代运维操作。
资源限制
私有部署服务附加代运维的服务,权限只限定在用户部署的服务实例内的资源。
纯代运维的服务,权限只限定在用户指定的ECS实例或者计算巢服务实例内的资源。服务商可以在服务实例详情页面查看已授权的运维资源,如下图所示:
权限限制
代运维权限限定在代运维权限全集的系统权限策略AliyunComputeNestPolicyForSupplierRole里。实际服务的代运维权限为代运维权限全集与选择的权限范围的交集。
AliyunComputeNestPolicyForSupplierRole策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}代运维权限策略
服务商在配置服务时可选的权限策略为:
权限名 | 权限 | 说明 |
全部权限 | AliyunComputeNestPolicyForFullAccess | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的全部权限,具体的权限策略请参考文档。 |
只读权限 | AliyunComputeNestPolicyForReadOnly | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的只读权限,还包括这部分资源的ActionTrail审计日志。 |
远程连接权限 | AliyunComputeNestPolicyForTerminalLogin | 针对用户指定的ECS实例或者计算巢服务实例中ECS实例的远程连接权限。 |
健康诊断权限 | AliyunComputeNestPolicyForDiagnoseInstance | 针对用户指定的ECS实例或者计算巢服务实例中ECS实例的诊断健康状态权限。 |
操作审计权限 | AliyunComputeNestPolicyForTrails | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的查看审计日志ActionTrail权限。 |
事件权限 | AliyunComputeNestPolicyForEvents | 针对用户指定的ECS实例或者计算巢服务实例中ECS实例的查询系统事件信息的权限。 |
权限策略配置为RAM权限策略,具体内容含义可以参考文档权限策略基本元素。
AliyunComputeNestPolicyForFullAccess
全部权限
控制台显示
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}实际效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForReadOnly
只读权限
控制台显示
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForTerminalLogin
远程连接权限
控制台显示
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForDiagnoseInstance
健康诊断权限
控制台显示
{
"Action": [
"ecs:CreateDiagnosticReport",
"ecs:DescribeDiagnosticReports"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"ecs:CreateDiagnosticReport",
"ecs:DescribeDiagnosticReports"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForTrails
操作审计权限
控制台显示
{
"Action": [
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForEvents
事件权限
控制台显示
{
"Action": [
"ecs:DescribeInstanceHistoryEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"ecs:DescribeInstanceHistoryEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}反馈
- 本页导读 (0)
文档反馈