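RAM authorization
Before a RAM account can call Alibaba Cloud APIs, the primary account must authorize it by creating an authorization policy.
Resource authorization
By default, a sub-account has no permission to create or modify cloud resources through Alibaba Cloud APIs. To call APIs with a sub-account, first create an authorization policy, then attach that policy to the sub-account to complete resource authorization.
When creating an authorization policy, you can use an ARN (Aliyun Resource Name) to specify the resource being authorized. An ARN is the globally unique Alibaba Cloud resource name that Alibaba Cloud defines for each resource.
The ARN format is as follows:
acs:service-name:region:account-id:resource-relative-id
Where:
acs: the abbreviation of Alibaba Cloud Service, denoting the Alibaba Cloud public cloud platform.
service-name: the name of the Alibaba Cloud service, such as ecs, oss, or slb.
region: the region. If the service does not support this field, use the wildcard asterisk (*) instead.
account-id: the account ID, for example 123456789012****.
resource-relative-id: the description of the specific resource. Each cloud product describes its resources differently; see the developer documentation of the product for details.
For example,
acs:oss::123456789012****:sample_bucket/file1.txt
denotes the resource in the OSS service whose object name is sample_bucket/file1.txt, owned by the account with UID 123456789012****.
Authorizable OceanBase resource types
Permissions are divided into levels. From highest to lowest these are instance, tenant, and database, and a higher-level permission includes the lower-level ones.
A permission can use "*" as a wildcard, which matches any field.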
Resource type | Resource description in the authorization policy |
INSTANCE | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
 | acs:oceanbase:{region}:{accountId}:* |
 | acs:oceanbase:{region}:*:* |
 | acs:oceanbase:*:*:* |
TENANT | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
 | acs:oceanbase:{region}:{accountId}:* |
 | acs:oceanbase:{region}:*:* |
 | acs:oceanbase:*:*:* |
ACL | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/{databaseName} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
 | acs:oceanbase:{region}:{accountId}:* |
 | acs:oceanbase:{region}:*:* |
 | acs:oceanbase:*:*:* |
Authorizable load balancing APIs
The following tables list the APIs in load balancing that can be authorized and how their resources are described:
Cluster operations
API | Resource description |
CreateInstance | None; invoked through the PayOrderCallBack callback |
DescribeInstances | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeInstance | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeInstanceTopology | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
Tenant operations
API | Resource description |
CreateTenant | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeTenant | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
CreateTenantReadOnlyConnection | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantPrimaryZone | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DeleteTenants | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantResource | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeInstanceCreatableZone | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeAvailableCpuResource | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeAvailableMemResource | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeInstanceTenantModes | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
Database operations
API | Resource description |
DescribeDatabases | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
CreateDatabase | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyDatabaseUserRoles | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyDatabaseDescription | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DeleteDatabases | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/{databaseName} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
Account operations
API | Resource description |
DescribeTenantUsers | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
CreateTenantUser | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeTenantUserRoles | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantUserDescription | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantUserPassword | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantUserRoles | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyTenantUserStatus | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DeleteTenantUsers | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId} |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/* |
 | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
Parameter management
API | Resource description |
DescribeParameters | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeParametersHistory | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifyParameters | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
Security
API | Resource description |
CreateSecurityIpGroup | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
ModifySecurityIps | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DeleteSecurityIpGroup | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
DescribeSecurityIpGroups | acs:oceanbase:{region}:{accountId}:instance/{instanceId} |
 | acs:oceanbase:{region}:{accountId}:instance/* |
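
Because a higher-level grant includes the lower levels and "*" matches any field, a policy can cover far more than the API being authorized needs. The Python below is an added example, not part of the original documentation and not Alibaba Cloud's RAM evaluation engine: it models the coverage rules in the tables above and classifies each granted pattern as exact, broader than needed, or no match. The region, account ID, instance IDs and tenant ID are constructed, and the function names are hypothetical.

```python
# Added example: models the coverage rules shown in this page's tables.
# It is not Alibaba Cloud's RAM evaluation engine. All IDs are constructed.

def parse_arn(arn):
    """Split acs:service-name:region:account-id:resource-relative-id."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"not an ARN: {arn!r}")
    _, service, region, account, relative_id = parts
    return service, region, account, relative_id.split("/")

def covers(granted, required):
    """True if granted is the required resource, an ancestor, or a wildcard over it."""
    g_svc, g_region, g_acct, g_path = parse_arn(granted)
    r_svc, r_region, r_acct, r_path = parse_arn(required)
    if g_svc != r_svc:
        return False
    for g, r in ((g_region, r_region), (g_acct, r_acct)):
        if g != "*" and g != r:
            return False
    for i, segment in enumerate(g_path):
        if segment == "*":
            return True          # wildcard: everything at and below this level
        if i >= len(r_path) or segment != r_path[i]:
            return False         # different resource, or the grant is lower-level
    return True                  # identical, or a higher-level (ancestor) grant

def audit(grants, required):
    """Classify each grant against the resource an API call needs."""
    report = {}
    for g in grants:
        if not covers(g, required):
            report[g] = "no-match"
        else:
            report[g] = "exact" if g == required else "broader"
    return report

BASE = "acs:oceanbase:cn-hangzhou:1111111111111111:instance/ob-demo"  # constructed
NEEDED = BASE + "/tenant/t-demo"   # resource form listed for DescribeTenant
GRANTS = [
    NEEDED,
    BASE + "/tenant/*",
    BASE,
    "acs:oceanbase:*:*:*",
    BASE + "/tenant/t-demo/database/*",
    "acs:oceanbase:cn-hangzhou:1111111111111111:instance/ob-other",
]

if __name__ == "__main__":
    for grant, verdict in audit(GRANTS, NEEDED).items():
        print(f"{verdict:9} {grant}")
```

Grants reported as "broader" still authorize the call; they are the ones to review when the goal is least privilege.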