Project Policy is the Project-level authorization policy of Alibaba Cloud SLS (Log Service). With a Project Policy you can authorize other users to access the SLS resources you specify.
Before you begin
- Before you configure a Project Policy with the policy syntax, you need to understand how SLS classifies Actions, Resources and Conditions. For more information, see Resource list, Action list and Authorization rules.
- When you configure a Project Policy with the anonymous account (*) as the authorized user and the policy contains no Condition, the Project Policy applies to all users except the Project Owner. When the anonymous account (*) is the authorized user and the policy does contain a Condition, the Project Policy applies to all users, including the Project Owner.
- You can add multiple Project Policies, but the combined size of all Project Policies must not exceed 16 KB.
Examples
- Example 1: Deny access to a project from users outside a specified VPC
The following Project Policy denies users whose VPC ID is not t4nlw426y44rd3iq4**** access to the target project exampleproject.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "log:*" ],
      "Principal": [ "*" ],
      "Resource": "acs:log:*:*:project/exampleproject/*",
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [ "vpc-t4nlw426y44rd3iq4****" ]
        }
      }
    }
  ]
}
- Example 2: Deny writes to a log project over the public network
The following Project Policy denies users the permission to write logs to the project exampleproject over the public network.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "log:PostLogStoreLogs" ],
      "Principal": [ "*" ],
      "Resource": "acs:log:*:*:project/exampleproject/*",
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [ "vpc-*" ]
        }
      }
    }
  ]
}
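To make the behaviour of the two examples above and of the anonymous-account rule in "Before you begin" concrete, here is a small policy evaluator written for this page. It is an added example, not Alibaba Cloud's own evaluation code, and it models only what this page describes: Deny statements, wildcard matching on Action and Resource, the four String* condition operators on acs:SourceVpc, and the rule that an anonymous-principal (*) statement without a Condition skips the Project Owner while one with a Condition also applies to the Owner. Assumptions are labelled in the comments: a request with no acs:SourceVpc attribute (a public-network call) satisfies the negated operators, named Principals are matched as plain account ID strings, StringNotEquals is an exact comparison so the public-write policy is written with StringNotLike (the operator the Java sample on this page uses for vpc-*), and the 16 KB limit is measured on compact JSON. The Request class, the "Pass" result (meaning "not denied by Project Policy; RAM still decides") and all sample requests are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field

# From the page: all Project Policies on one project must fit in 16 KB combined.
MAX_TOTAL_POLICY_BYTES = 16 * 1024

# Example 1 from the page; the VPC ID is the page's masked placeholder, kept verbatim.
DENY_OTHER_VPC = json.loads("""{"Version": "1", "Statement": [{
  "Effect": "Deny", "Action": ["log:*"], "Principal": ["*"],
  "Resource": "acs:log:*:*:project/exampleproject/*",
  "Condition": {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}}}]}""")

# Example 2 from the page, written with StringNotLike (as the page's Java sample does) because
# this evaluator treats StringNotEquals as exact comparison and only the *Like operators as wildcards.
DENY_PUBLIC_WRITE = json.loads("""{"Version": "1", "Statement": [{
  "Effect": "Deny", "Action": ["log:PostLogStoreLogs"], "Principal": ["*"],
  "Resource": "acs:log:*:*:project/exampleproject/*",
  "Condition": {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}}}]}""")


@dataclass
class Request:
    """Constructed model of one API call as the policy engine sees it (not an SLS SDK type)."""
    action: str                   # e.g. "log:PostLogStoreLogs"
    resource: str                 # ARN of the SLS resource touched by the call
    principal: str = "anonymous"  # caller's account ID; checked only against non-"*" Principal lists (assumption)
    is_owner: bool = False        # True when the caller is the Project Owner
    context: dict = field(default_factory=dict)  # request attributes such as acs:SourceVpc


def glob_match(pattern: str, value: str) -> bool:
    """Policy wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold (AND); the values listed under one key are OR-ed.
    Assumption: a key absent from the request (no VPC on a public call) satisfies the Not* operators."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted
            elif operator == "StringLike":
                ok = actual is not None and any(glob_match(p, actual) for p in wanted)
            elif operator == "StringNotLike":
                ok = actual is None or not any(glob_match(p, actual) for p in wanted)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def statement_applies(stmt: dict, req: Request) -> bool:
    principals = _as_list(stmt.get("Principal", "*"))
    if "*" in principals:
        # Page rule: anonymous-principal statement without a Condition skips the Project Owner;
        # with a Condition it applies to the Owner as well.
        if req.is_owner and "Condition" not in stmt:
            return False
    elif req.principal not in principals:
        return False
    if not any(glob_match(a, req.action) for a in _as_list(stmt["Action"])):
        return False
    if not any(glob_match(r, req.resource) for r in _as_list(stmt["Resource"])):
        return False
    return condition_holds(stmt.get("Condition", {}), req.context)


def evaluate(policies: list, req: Request) -> str:
    """Return "Deny" if any Deny statement matches, else "Pass" (not denied here; RAM still decides).
    Only Deny statements are modelled, which is all this page shows."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") == "Deny" and statement_applies(stmt, req):
                return "Deny"
    return "Pass"


def total_size_ok(policies: list) -> bool:
    """Pre-flight check for the page's 16 KB combined limit (measured as compact JSON; assumption)."""
    return sum(len(json.dumps(p, separators=(",", ":")).encode()) for p in policies) <= MAX_TOTAL_POLICY_BYTES


if __name__ == "__main__":
    res = "acs:log:cn-hangzhou:123456:project/exampleproject/logstore/app"  # constructed ARN
    print(evaluate([DENY_OTHER_VPC], Request("log:GetLogStore", res, context={"acs:SourceVpc": "vpc-other"})))
    print(evaluate([DENY_PUBLIC_WRITE], Request("log:PostLogStoreLogs", res, context={"acs:SourceVpc": "vpc-abc"})))
```

Worth noticing when you run it: example 1 carries a Condition, so even the Project Owner is denied when calling from another VPC, whereas the same statement with the Condition removed would leave the Owner untouched; and example 2 only bites on log:PostLogStoreLogs, so reads over the public network are not denied by it.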
Manage Project Policies with the Java SDK
- Create, retrieve and delete a Project Policy with the Java SDK. Example:
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    static String accessKeyId = "your-access-key-id";
    static String accessKey = "your-access-key";
    static String endPoint = "your-endpoint";
    static String projectName = "your-project";
    // Policy text: deny every log:Post* action on all resources under the project.
    static String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:Post*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Effect\":\"Deny\"}]}";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        client.CreateProject(projectName, "");
        // Create the policy, then read it back and check that it round-trips unchanged.
        client.setProjectPolicy(projectName, policyText);
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
        // Delete the policy; the project now reports an empty policy text.
        client.deleteProjectPolicy(projectName);
        Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
        client.DeleteProject(projectName);
    }
}
- Restrict public-network access. Example:
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    static String accessKeyId = "your-access-key-id";
    static String accessKey = "your-access-key";
    static String endPoint = "your-endpoint";
    static String projectName = "your-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        client.CreateProject(projectName, "");
        // Before the policy is set, the project is reachable.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny every log action on every resource unless the request arrives through a VPC.
        // The statement carries a Condition, so it applies to the Project Owner as well.
        String policyText = "{ \"Version\": \"1\",\n"
                + " \"Statement\": [{"
                + " \"Action\": [\"log:*\"],"
                + " \"Resource\": \"*\",\n"
                + " \"Condition\": {\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},"
                + " \"Effect\": \"Deny\"}] }";
        client.setProjectPolicy(projectName, policyText);
        // Run from outside a VPC, the same call is now rejected with Unauthorized.
        try {
            client.GetProject(projectName);
            Assert.fail("should fail");
        } catch (LogException e) {
            Assert.assertEquals("Unauthorized", e.GetErrorCode());
        }
    }
}