Access control rules


OpenSearch applications that you create with your Alibaba Cloud account are resources owned by that account. By default, your account has full permissions to operate these resources. You can use the Alibaba Cloud Resource Access Management (RAM) service to grant RAM users permission to access and manage your OpenSearch resources.

Note:

  • The new console provides more fine-grained RAM permissions than the old console. If you use RAM users in the new console, you must create new RAM authorization policies. 

  • The RAM user feature is supported only by API and SDK versions V3 or later. 

  • Third-party data source products use their own RAM permission systems. You must grant the corresponding permissions to RAM users within the third-party product. Granting a RAM user permissions on the ODPS service is not supported: after an Alibaba Cloud account authorizes a project for a RAM user, a platform limitation prevents the RAM user from listing all projects of the Alibaba Cloud account, so the RAM user cannot select the project as an OpenSearch data source. We recommend connecting to ODPS with your Alibaba Cloud account first, and then using a RAM user to operate OpenSearch applications. 

  • When you use a RAM user to configure an RDS data source in the console, you must also grant the RAM user the required data source permissions. Otherwise, a connection to the RDS service will fail. For more information, see the RDS access authorization section. 

  • Actions that start with Search, such as SearchApp and SearchSuggest, do not currently support IP-based condition checks for authorization. Using IP conditions with these actions will cause errors.

Effective time

Changes to a RAM user's permissions take effect after a 5-minute delay.

Minimum common permission sets

A RAM user needs a minimum set of common permissions to log on to the OpenSearch console. This typically includes permissions for searching an application, viewing the application list, viewing application details, accessing monitoring and alerts, and authorizing RDS access. The following examples are for reference.

Minimum permissions to search an application

To test the document retrieval feature by sending search requests to an application with an SDK, you need permissions to search that application. The following example shows a policy for a search test on an application named app_schema_demo.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:SearchApp",
            "Resource": "acs:opensearch:*:*:apps/app_schema_demo"
        }
    ],
    "Version": "1"
}

Permissions to view the application list

After a RAM user logs in, they need permission to view the application list in the console.

{
    "Statement": [
        {
            "Action": [
                "opensearch:ListAppGroup",
                "opensearch:DescribeAppStatistics",
                "opensearch:ListAppGroupErrors"
            ],
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:app-groups/*"
        }
    ],
    "Version": "1"
}

Permissions to view application details

The monitoring and alerts feature is integrated into the application details page. Therefore, the RAM user requires permission to view application details. The following example shows the policy to view the details of an application named app_schema_demo.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "opensearch:DescribeAppGroup",
                "opensearch:ListApp",
                "opensearch:DescribeApp"
            ],
            "Resource": "acs:opensearch:*:*:app-groups/app_schema_demo"
        },
        {
            "Action": "opensearch:ListUserAnalyzers",
            "Effect": "Allow",
            "Resource": "acs:opensearch:*:*:user-analyzers/*"
        }
    ],
    "Version": "1"
}

Permissions for monitoring and alerts

The monitoring and alerts feature uses the Alibaba Cloud CloudMonitor service. You can search for AliyunCloudMonitorReadOnlyAccess in the RAM policy templates to view the read-only policy for CloudMonitor.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Get*",
                "cms:List*",
                "cms:Query*",
                "cms:BatchQuery*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "opensearch:DescribeApp",
            "Resource": "acs:opensearch:*:*:app-groups/*",
            "Effect": "Allow"
        }
    ]
}

RDS access authorization

When OpenSearch reads an RDS data source it performs two operations against RDS: listing tables and listing fields. Because OpenSearch must add its own IP addresses to the RDS IP allowlist before it can connect, you must also grant the RAM user permission to modify that allowlist; without it, the connection fails with an error that the IP allowlist could not be set. Configure RDS authorization directly in the RAM console: on the overview page, create a custom authorization policy or role, and then grant it to the RAM user on the user management page (RDS authorization reference). The minimum set of RDS permissions that OpenSearch needs is as follows:

  • For more information, see Meanings of variables in Resource (e.g., $regionid, $accountid, and $dbinstanceid).

  • You can also use the * wildcard character for parameter values in Resource.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "rds:DescribeDBInstanceAttribute",
            "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
            "Effect": "Allow"
        },
        {
            "Action": "rds:ModifySecurityIps",
            "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
            "Effect": "Allow"
        },
        {
            "Action": "rds:DescribeDBInstanceIPArrayList",
            "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
            "Effect": "Allow"
        },
        {
            "Action": "rds:DescribeDBInstanceNetInfoForChannel",
            "Resource": "acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid",
            "Effect": "Allow"
        }
    ]
}

API access permissions

To search, push data, or access suggestion models by using APIs, grant the following permissions.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "opensearch:PushDoc",
                "opensearch:SearchApp"
            ],
            "Resource": [
                "acs:opensearch:$regionId:*:apps/$appGroupName",
                "acs:opensearch:$regionId:*:app-groups/$appGroupName"
            ]
        },
        {
            "Action": "opensearch:SearchSuggest",
            "Effect": "Allow",
            "Resource": "acs:opensearch:$regionId:*:suggestions/$suggestionIdentity"
        }
    ],
    "Version": "1"
}

Authorization reference

After you determine which applications a RAM user needs to operate, keep in mind that logging on to the console usually requires a combination of several actions rather than a single one. You can grant the RAM user Describe* and List* permissions, or assemble a specific combination of actions based on your use case.

Reference (1)

This policy grants a RAM user under the Alibaba Cloud account 1234 full permission to operate all applications in all regions. After you create this policy in the console of the Alibaba Cloud account, you must grant it to the RAM user in the RAM console or by using the RAM SDK.

1. Create a policy.

{
  "Statement": [
    {
      "Action": "opensearch:*",
      "Effect": "Allow",
      "Resource": "acs:opensearch:*:1234:apps/*"
    }
  ],
  "Version": "1"
}

2. Grant this policy to the specified RAM user.

Reference (2)

This policy grants a RAM user under the Alibaba Cloud account 1234 full permission to operate all applications in the China (Hangzhou) region. After you create this policy in the console of the Alibaba Cloud account, you must grant it to the RAM user in the RAM console or by using the RAM SDK.

1. Create a policy.

{
  "Statement": [
    {
      "Action": "opensearch:*",
      "Effect": "Allow",
      "Resource": "acs:opensearch:cn-hangzhou:1234:apps/*"
    }
  ],
  "Version": "1"
}

2. Grant this policy to the specified RAM user.

Note:

  • In the resource format, using the * wildcard character matches all resource types. 

  • If you specify an application name in the resource format, the policy covers only actions on that application resource type, even if the Action is opensearch:*. In particular, it does not include opensearch:ListApp or opensearch:CreateApp.

  • Each Action must correspond to the resource format in the same statement. For example, opensearch:ListApp and opensearch:CreateApp apply to all applications and must use * for the resource. Note that these two actions require a different resource format than other actions. 

  • If your authorization policy grants permissions only to a specific application, but you also need opensearch:ListApp and opensearch:CreateApp permissions, you must create another policy. This new policy must include these two actions with the resource format set to *. Then, attach both policies to the specified RAM user.
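The four rules in the note above are easy to get wrong when policies are assembled by hand, and a RAM user who is granted opensearch:* on one application will still fail to log on if ListApp is missing. The following Python script is an added example, not Alibaba Cloud's code, that encodes those rules (and the restriction above that Search* actions do not accept IP conditions) as a linter over a policy document, and builds the two-policy pair the last bullet calls for. The function names, finding codes, and the sample policy are this example's own constructions; the resource patterns and action names come from this page.

```python
"""Lint Alibaba Cloud RAM policies for OpenSearch against the rules on this page.

Added example, not Alibaba Cloud's code. Function names, finding codes and the
sample policy below are constructed for illustration.
"""
import json

# Actions the page says must use Resource "*" rather than an app-scoped ARN.
OPENSEARCH_GLOBAL_ACTIONS = {"opensearch:ListApp", "opensearch:CreateApp"}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _has_ip_condition(statement):
    """True if any condition operator block keys on acs:SourceIp."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() == "acs:sourceip" for key in operator_block):
            return True
    return False


def lint_policy(policy):
    """Return a list of (severity, statement_index, message) findings."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Rule 1: Search* actions (SearchApp, SearchSuggest, ...) reject IP conditions.
        search_actions = [a for a in actions if a.startswith("opensearch:Search")]
        if search_actions and _has_ip_condition(stmt):
            findings.append(("error", idx,
                             f"{', '.join(search_actions)} cannot carry an acs:SourceIp condition"))

        # Rule 2: ListApp and CreateApp apply to all applications; Resource must be "*".
        global_actions = [a for a in actions if a in OPENSEARCH_GLOBAL_ACTIONS]
        if global_actions and resources != ["*"]:
            findings.append(("error", idx,
                             f"{', '.join(global_actions)} require Resource \"*\", got {resources}"))

        # Rule 3: opensearch:* on a named application does not include ListApp/CreateApp.
        if "opensearch:*" in actions:
            named = [r for r in resources if r != "*" and not r.endswith("/*")]
            if named:
                findings.append(("info", idx,
                                 "opensearch:* on a named application does not grant "
                                 "opensearch:ListApp or opensearch:CreateApp; attach a second "
                                 "policy with those actions on Resource \"*\" if needed"))
    return findings


def app_scoped_policies(app_name, account_id="*", region="*"):
    """Build the policy pair the page prescribes: full access to one application,
    plus a separate policy granting ListApp/CreateApp on Resource "*"."""
    app_policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "opensearch:*",
            "Resource": f"acs:opensearch:{region}:{account_id}:apps/{app_name}",
        }],
    }
    global_policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(OPENSEARCH_GLOBAL_ACTIONS),
            "Resource": "*",
        }],
    }
    return app_policy, global_policy


# Constructed sample that violates every rule once; not a policy from this page.
CONSTRUCTED_BAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "opensearch:SearchApp",
         "Resource": "acs:opensearch:*:*:apps/app_schema_demo",
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
        {"Effect": "Allow", "Action": ["opensearch:ListApp", "opensearch:DescribeApp"],
         "Resource": "acs:opensearch:*:*:app-groups/*"},
        {"Effect": "Allow", "Action": "opensearch:*",
         "Resource": "acs:opensearch:*:1234:apps/app_schema_demo"},
    ],
}

if __name__ == "__main__":
    for severity, idx, msg in lint_policy(CONSTRUCTED_BAD_POLICY):
        print(f"[{severity}] statement {idx}: {msg}")
    for pol in app_scoped_policies("app_schema_demo", "1234", "cn-hangzhou"):
        print(json.dumps(pol, indent=2))
```

Run it on a policy you are about to attach; an "error" finding means the console or API call will be rejected, and the "info" finding reminds you that the second policy from app_scoped_policies must be attached alongside the app-scoped one.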

Troubleshoot console authentication issues

When a RAM user accesses the console, a "RAM user authentication failed" message may appear. If this error occurs, first click the Error Details link. Then, in the PARAMS section, find the action field. Its value is the requested POP Action. Follow these steps:

  • Find the requested POP Action, for example, ListAppGroups. If the action has a DryRun suffix, the corresponding action is the name without the suffix. For example, CreateAppDryRun corresponds to the action CreateApp.

  • Go to the List of application authorization rules to find the corresponding RAM Action and Resource Pattern for ListAppGroups. (Note: the RAM Action may not be the same as the POP Action.)

  • Finally, create an authorization policy that grants the required permissions to the RAM user.