权限指在某种条件下 ,允许 (Allow) 或 拒绝 (Deny) 对某些资源执行某些操作。

权限的载体是授权策略。自定义权限,即在自定义授权策略时定义某些权限。在 RAM 控制台,策略管理页面,单击新建授权策略开始创建自定义授权策略。创建自定义授权策略时,请选择模板为空白模板。

授权策略是 JSON 格式的字符串,需包含以下参数:

  • Action:表示要授权的操作。IoT 操作都以iot: 开头。定义方式和示例,请参见本文档中Action 定义。

  • Effect : 表示授权类型,取值:AllowDeny

  • Resource :物联网平台目前暂不支持资源粒度的授权,请填写*

  • Condition :表示鉴权条件。详细信息,请参见本文档中 Condition 定义。

Action 定义

Action是 API 的名称。在创建 IoT 的授权策略时,每个 Action 前缀均为iot:,多个 Action 以逗号分隔。并且,支持使用星号通配符。IoT API 名称定义,请参见IoT API 授权映射表

下面介绍一些典型的 Action 定义示例。

  • 定义单个 API。
    "Action": "iot:CreateProduct"
  • 定义多个API。
    "Action": [
    "iot:UpdateProduct",
    "iot:QueryProduct"
    ]
  • 定义所有只读 API。
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*", 
            "iot:Check*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "dhs:ListProject", 
            "dhs:GetProject", 
            "dhs:ListTopic", 
            "dhs:GetTopic"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:GetInstance", 
            "ots:ListTable", 
            "ots:DescribeTable"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ons:OnsRegionList", 
            "ons:OnsInstanceInServiceList", 
            "ons:OnsTopicList", 
            "ons:OnsTopicGet"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "hitsdb:DescribeRegions", 
            "hitsdb:DescribeHiTSDBInstanceList", 
            "hitsdb:DescribeHiTSDBInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • 定义所有读写 API。
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": "iot:*", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo", 
            "rds:ModifySecurityIps"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "dhs:ListProject", 
            "dhs:ListTopic", 
            "dhs:GetProject", 
            "dhs:GetTopic"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:ListTable", 
            "ots:DescribeTable", 
            "ots:GetInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ons:OnsRegionList", 
            "ons:OnsInstanceInServiceList", 
            "ons:OnsTopicList", 
            "ons:OnsTopicGet"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "hitsdb:DescribeRegions", 
            "hitsdb:DescribeHiTSDBInstanceList", 
            "hitsdb:DescribeHiTSDBInstance", 
            "hitsdb:ModifyHiTSDBInstanceSecurityIpList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:PassRole", 
          "Resource": "*", 
          "Effect": "Allow", 
          "Condition": {
            "StringEquals": {
              "acs:Service": "iot.aliyuncs.com"
            }
          }
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }

Condition 定义

目前 RAM 授权策略支持访问 IP 限制、是否通过 HTTPS 访问、是否通过 MFA(多因素认证)访问、访问时间限制等多种鉴权条件。物联网平台的所有 API 均支持这些条件。

访问 IP 限制

访问控制可以限制访问 IoT 的源 IP 地址,并且支持根据网段进行过滤。以下是典型的使用场景示例。

  • 限制单个 IP 地址和 IP 网段。例如,只允许 IP 地址为 10.101.168.111 或 10.101.169.111/24 网段的请求访问。
    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.168.111", 
                "10.101.169.111/24"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
  • 限制多个 IP 地址。例如,只允许 IP 地址为 10.101.168.111 和 10.101.169.111 的请求访问。
    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.168.111", 
                "10.101.169.111"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
HTTPS 访问限制

访问控制可以限制是否通过 HTTPS 访问。

示例:限制必须通过 HTTPS 请求访问。

{
  "Statement": [
    {
      "Effect": "Allow", 
      "Action": "iot:*", 
      "Resource": "*", 
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ], 
  "Version": "1"
}
MFA 访问限制

访问控制可以限制是否通过 MFA(多因素认证)访问。MFA访问适用于控制台登录,使用API访问无需MFA码。

示例:限制必须通过 MFA 请求访问。

{
  "Statement": [
    {
      "Effect": "Allow", 
      "Action": "iot:*", 
      "Resource": "*", 
      "Condition": {
        "Bool": {
          "acs:MFAPresent ": "true"
        }
      }
    }
  ], 
  "Version": "1"
}
访问时间限制

访问控制可以限制请求的访问时间,即只允许或拒绝在某个时间点范围之前的请求。

示例:用户可以在北京时间 2019 年 1 月 1 号凌晨之前访问,之后则不能访问。

{
  "Statement": [
    {
      "Effect": "Allow", 
      "Action": "iot:*", 
      "Resource": "*", 
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
        }
      }
    }
  ], 
  "Version": "1"
}

典型使用场景

结合以上对 Action、Resource 和 Condition 的定义,下面介绍一些典型使用场景的授权策略定义和授权方法。

允许访问的授权策略示例

场景:定义访问 IP 地址为 10.101.168.111/24 网段的用户访问 IoT 的权限,且要求只能在 2019-01-01 00:00:00 之前访问和通过 HTTPS 访问。

{
  "Statement": [
    {
      "Effect": "Allow", 
      "Action": "iot:*", 
      "Resource": "*", 
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "10.101.168.111/24"
          ]
        }, 
        "DateLessThan": {
          "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
        }, 
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ], 
  "Version": "1"
}
拒绝访问的授权策略示例

场景:拒绝访问 IP 地址为 10.101.169.111 的用户对 IoT 执行读操作。

{
  "Statement": [
    {
      "Effect": "Deny", 
      "Action": [
        "iot:Query*", 
        "iot:List*", 
        "iot:Get*", 
        "iot:BatchGet*"
      ], 
      "Resource": "*", 
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "10.101.169.111"
          ]
        }
      }
    }
  ], 
  "Version": "1"
}

授权策略创建成功后,在访问控制 RAM 控制台,用户管理页面,将此权限授予子账号用户。获得授权的子账号用户就可以进行权限中定义的操作。创建子账号和授权操作帮助,请参见子账号访问