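Understanding the resource descriptions clarifies the characteristics of each resource type and how it is accessed. You can then define authorization rules to manage the resources in the system effectively.
Resource description
When you grant permissions through RAM, resources are described as shown in the following table:
Resource type  | Resource description in the authorization policy  | 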
*  | acs:cr:$regionid:$accountid:*  | 
instance  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
repository  | acs:cr:$regionid:$accountid:repository/$instanceid/* acs:cr:$regionid:$accountid:repository/$instanceid acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename  | 
chart  | acs:cr:$regionid:$accountid:chart/$instanceid/* acs:cr:$regionid:$accountid:chart/$instanceid acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
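The parameters are described in the following table:
Parameter  | Description  | 
regionid  | Region ID. Can be replaced with *.  | 
accountid  | Numeric ID of the cloud account. Can be replaced with *.  | 
instanceid  | ID of the Container Registry Enterprise Edition instance.  | 
namespacename  | Namespace name.  | 
repositoryname  | Image repository name.  | 
chartnamespacename  | Chart namespace name.  | 
chartrepositoryname  | Chart repository name.  | 
Authorization rules
When a RAM user or an STS-based caller accesses the Container Registry API, Container Registry asks RAM to check permissions to make sure the caller holds the required permission. Each API determines which resource permissions to check based on the resources it involves and on the semantics of the API. The authorization rule for each API is shown in the following table:
* denotes a wildcard.
API  | Authorization Action  | Authorization Resource  | 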
GetAuthorizationToken  | cr:GetAuthorizationToken  | *  | 
GetChartNamespace  | cr:GetNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename  | 
GetChartRepository  | cr:GetRepository  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
GetInstance  | cr:GetInstance  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
GetInstanceCount  | cr:ListInstance  | *  | 
GetInstanceEndpoint  | cr:GetInstanceEndpoint  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
GetInstanceUsage  | cr:GetInstanceUsage  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
GetInstanceVpcEndpoint  | cr:GetInstanceVpcEndpoint  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
GetNamespace  | cr:GetNamespace  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename  | 
GetRepoBuildRecord  | cr:GetRepositoryBuildRecord  | acs:cr:$regionid:$accountid:repository/$instanceid  | 
GetRepoBuildRecordStatus  | cr:GetBuildRepositoryStatus  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetRepoSyncTask  | cr:GetRepositorySync  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetRepoTagLayers  | cr:GetRepositoryLayers  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetRepoTagManifest  | cr:GetRepositoryManifest  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetRepoTagScanTask  | cr:GetScan  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetRepository  | cr:GetRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListChartNamespace  | cr:ListNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid/*  | 
ListChartRelease  | cr:ListChartRelease  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
ListChartRepository  | cr:ListRepository  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*  | 
ListInstance  | cr:ListInstance  | *  | 
ListInstanceEndpoint  | cr:ListInstanceEndpoint  | acs:cr:$regionid:$accountid:repository/$instanceid  | 
ListNamespace  | cr:ListNamespace  | acs:cr:$regionid:$accountid:repository/$instanceid/*  | 
ListRepoBuildRecord  | cr:ListRepositoryBuild  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoBuildRecordLog  | cr:GetRepositoryBuildLog  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoBuildRule  | cr:ListRepositoryBuildRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoSyncRule  | cr:ListSyncRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoSyncTask  | cr:GetRepositorySync  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoTag  | cr:ListRepositoryTag  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoTrigger  | cr:ListWebHook  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoTriggerLog  | cr:GetWebHookLog  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepoTriggerRecord  | cr:GetWebHookLog  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListRepository  | cr:ListRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*  | 
CancelRepoBuildRecord  | cr:CancelBuildRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateBuildRecordByRule  | cr:BuildRepositoryByRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateChartNamespace  | cr:CreateNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid  | 
CreateInstanceEndpointAclPolicy  | cr:CreateInstanceEndpointAclPolicy  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
CreateInstanceVpcEndpointLinkedVpc  | cr:CreateInstanceVpcEndpointLinkedVpc  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
CreateNamespace  | cr:CreateNamespace  | acs:cr:$regionid:$accountid:repository/$instanceid  | 
CreateRepoBuildRule  | cr:CreateRepositoryBuildRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateRepoSyncRule  | cr:CreateSyncRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateRepoSyncTaskByRule  | cr:CreateRepositorySync  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateRepoTrigger  | cr:CreateWebHook  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
CreateRepository  | cr:CreateRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename  | 
DeleteChartNamespace  | cr:DeleteNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename  | 
DeleteChartRelease  | cr:DeleteChartRelease  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
DeleteChartRepository  | cr:DeleteRepository  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
DeleteInstanceEndpointAclPolicy  | cr:DeleteInstanceEndpointAclPolicy  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
DeleteInstanceVpcEndpointLinkedVpc  | cr:DeleteInstanceVpcEndpointLinkedVpc  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
DeleteNamespace  | cr:DeleteNamespace  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename  | 
DeleteRepoBuildRule  | cr:DeleteRepositoryBuildRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
DeleteRepoSyncRule  | cr:DeleteSyncRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
DeleteRepoTag  | cr:DeleteRepositoryTag  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
DeleteRepoTrigger  | cr:DeleteWebHook  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
DeleteRepository  | cr:DeleteRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
UpdateChartNamespace  | cr:UpdateNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename  | 
UpdateChartRepository  | cr:UpdateRepository  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
UpdateInstanceEndpointStatus  | cr:UpdateInstanceEndpointStatus  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
UpdateNamespace  | cr:UpdateNamespace  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename  | 
UpdateRepoBuildRule  | cr:UpdateRepositoryBuildRule  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
UpdateRepoTrigger  | cr:UpdateWebHook  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
UpdateRepository  | cr:UpdateRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
PullRepository  | cr:PullRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
PushRepository  | cr:PushRepository  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
PullChart  | cr:PullChart  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
PushChart  | cr:PushChart  | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname  | 
PutScan  | cr:PutScan  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetScan  | cr:GetScan  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetScanStatus  | cr:GetScanStatus  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
ListScanResult  | cr:ListScanResult  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetScanCount  | cr:GetScanCount  | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname  | 
GetArtifactBuildRule  | cr:GetArtifactBuildRule  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
GetPersonalInstanceDomainAccessStatus  | cr:GetPersonalInstanceDomainAccessStatus  | acs:cr:$regionid:$accountid:instance/$instanceid  | 
ListRepositoryVulTagCount  | cr:ListRepoVulTagCount  | acs:cr:$regionid:$accountid:instance/$instanceid  |
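
As an added example (not part of the original documentation, and not RAM's own implementation), the following sketch evaluates a policy against a few rows of the table above using a simplified model: `*` is the only wildcard, and an explicit Deny overrides Allow. The region, account ID, instance ID, namespace and repository values are constructed.

```python
import re

# Subset of the table above: API -> (authorization Action, Resource template).
REPO = "acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname"
AUTH_RULES = {
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "ListNamespace": ("cr:ListNamespace", "acs:cr:$regionid:$accountid:repository/$instanceid/*"),
    "PullRepository": ("cr:PullRepository", REPO),
    "PushRepository": ("cr:PushRepository", REPO),
    "DeleteRepository": ("cr:DeleteRepository", REPO),
}
# Constructed sample values (assumptions, not taken from the page).
TARGET = dict(regionid="cn-hangzhou", accountid="1234567890123456",
              instanceid="cri-example", namespacename="team-a", repositoryname="app")
PULL_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "cr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": "cr:PullRepository",
     "Resource": "acs:cr:*:*:repository/cri-example/team-a/app"}]}

def _match(pattern, value):
    """Match with '*' as the only wildcard (simplifying assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(item):
    return item if isinstance(item, list) else [item]

def resource_for(api, **params):
    """Return (action, resource) with the $placeholders filled in."""
    action, template = AUTH_RULES[api]
    return action, re.sub(r"\$(\w+)", lambda m: params[m.group(1)], template)

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_match(a, action) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def evaluate(policy, **params):
    """Map each API in AUTH_RULES to True/False for this policy and target."""
    return {api: is_allowed(policy, *resource_for(api, **params)) for api in AUTH_RULES}

if __name__ == "__main__":
    print(evaluate(PULL_ONLY, **TARGET))
```

For the pull-only policy, only GetAuthorizationToken and PullRepository evaluate to allowed; ListNamespace is refused because the table checks it against `repository/$instanceid/*`, which the single-repository pattern does not cover.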