Authorization rules for Express Connect APIs

Last updated: 2018-02-05 21:56:14

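When a sub-account accesses the primary account's Express Connect resources through OpenAPI, the Express Connect backend performs a permission check against RAM to ensure that the resource owner has actually granted the caller the relevant permissions on the relevant resources.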

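Each OpenAPI operation determines which resources need a permission check based on the resources involved and the semantics of the API. The authorization rules for each API are listed in the following table: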

| Action | Resource | Condition |
| --- | --- | --- |
| `vpc:DescribeAccessPoints` | `acs:vpc:*:$accountid:*` | |
| `vpc:CreatePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/*` | |
| `vpc:DescribePhysicalConnections` | `acs:vpc:$regionid:$accountid:physicalconnection/*` | |
| `vpc:ModifyPhysicalConnectionAttribute` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:EnablePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:CancelPhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:TerminatePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:DeletePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:CreateVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*` | |
| | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:DescribeVirtualBorderRouters` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*` | |
| `vpc:ModifyVirtualBorderRouterAttribute` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:DeleteVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:DescribeVirtualBorderRoutersForPhysicalConnection` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*` | `"vpc:PhysicalConnection":"acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"` |
| `vpc:TerminateVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:RecoverVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:CreateRouteEntry` | `acs:vpc:$regionid:$accountid:routertable/$routertableid` | |
| `vpc:DescribeRouteTables` | `acs:vpc:$regionid:$accountid:routertable/*` | Route tables in a VRouter: `"vpc:VRouter":"acs:vpc:$regionid:$accountid:vrouter/$vrouterid"` |
| | | Route tables in a VirtualBorderRouter: `"vpc:VirtualBorderRouter":"acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid"` |
| `vpc:DeleteRouteEntry` | `acs:vpc:$regionid:$accountid:routertable/$routertableid` | |
| `vpc:CreateRouterInterface` | When the owning router's RouterType is VRouter: `acs:vpc:$regionid:$accountid:routerinterface/*`, `acs:vpc:$regionid:$accountid:vrouter/$vrouterid` | |
| | When the owning router's RouterType is VirtualBorderRouter: `acs:vpc:$regionid:$accountid:routerinterface/*`, `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:ConnectRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:DescribeRouterInterfaces` | `acs:vpc:$regionid:$accountid:routerinterface/*` | |
| `vpc:DeactivateRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ActivateRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ModifyRouterInterfaceAttribute` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ModifyRouterInterfaceSpec` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:DeleteRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
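
The following added example (not part of the original documentation) turns a few rows of the table into a least-privilege RAM policy, filling each resource template with concrete IDs and refusing to widen the scope when an ID is missing. The `build_policy` helper, the sample account and instance IDs, and the `Version`/`Statement` policy layout are assumptions of this example; condition keys are left out.

```python
import json
from string import Template

# Resource templates copied from the table above (subset, for brevity).
RULES = {
    "vpc:DescribePhysicalConnections": [
        "acs:vpc:$regionid:$accountid:physicalconnection/*"],
    "vpc:ModifyPhysicalConnectionAttribute": [
        "acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"],
    # Creating a VBR is checked against two resources: the VBR collection
    # and the specific physical connection it is attached to.
    "vpc:CreateVirtualBorderRouter": [
        "acs:vpc:$regionid:$accountid:virtualborderrouter/*",
        "acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"],
    "vpc:DeleteVirtualBorderRouter": [
        "acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid"],
}

def build_policy(actions, **ids):
    """Return a RAM policy dict with one Allow statement per action,
    each scoped to exactly the resources the table lists for it."""
    statements = []
    for action in actions:
        if action not in RULES:
            raise KeyError(f"no authorization rule recorded for {action}")
        try:
            resources = [Template(t).substitute(ids) for t in RULES[action]]
        except KeyError as missing:
            # Refuse to fall back to "*" when a required ID is not supplied.
            raise ValueError(f"{action} needs {missing}") from None
        statements.append(
            {"Effect": "Allow", "Action": [action], "Resource": resources})
    return {"Version": "1", "Statement": statements}

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    policy = build_policy(
        ["vpc:DescribePhysicalConnections", "vpc:CreateVirtualBorderRouter"],
        regionid="cn-hangzhou",
        accountid="1234567890123456",
        physicalconnectionid="pc-example",
    )
    print(json.dumps(policy, indent=2))
```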