Hosted O&M permissions

When creating a hosted O&M service, the service provider must configure a permission policy. After a user creates an instance of that service, Compute Nest creates the corresponding permission policy for the user and entrusts it to Compute Nest. Compute Nest then grants the service provider the corresponding permissions on the resources contained in the service instances of the services it has published, and the service provider can perform the corresponding hosted O&M operations on those resources.

Resource restrictions

  1. For a privately deployed service with hosted O&M attached, permissions are limited to the resources within the service instance deployed by the user.

  2. For a pure hosted O&M service, permissions are limited to the resources within the ECS instances or Compute Nest service instances specified by the user. The service provider can view the authorized O&M resources on the service instance details page, as shown in the figure (3.png).

Permission restrictions

Hosted O&M permissions are bounded by the system policy AliyunComputeNestPolicyForSupplierRole, which defines the full set of hosted O&M permissions. The effective hosted O&M permissions of a service are the intersection of this full set and the permission scope selected by the service provider: an action that is not in the full set cannot be granted, whatever the selected policy says.

Content of the AliyunComputeNestPolicyForSupplierRole policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:StartInstance",
                "ecs:DescribeInstances",
                "ecs:RebootInstance",
                "ecs:StopInstance",
                "ecs:RunCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StartTerminalSession",
                "ecs:DescribeTerminalSessions",
                "ecs:CloseTerminalSession",
                "ecs:DescribeInstanceHistoryEvents",
                "ecs:DescribeDiagnosticReports",
                "ecs:CreateDiagnosticReport",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeDisks",
                "ecs:DescribeImages",
                "cms:DescribeMetricData",
                "cms:DescribeMetricList",
                "cms:QueryMetricList",
                "cms:DescribeMetricRuleList",
                "cms:DescribeAlertHistoryList",
                "cms:DescribeAlertLogList",
                "cms:DescribeLogHistogram",
                "cms:DescribeLogCount",
                "cms:DescribeDynamicTagRuleList",
                "cms:DescribeMonitorGroups",
                "tag:ListTagResources",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouterInterfaceAttribute",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerListeners",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeVServerGroups",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:RestartDBInstance",
                "actiontrail:LookupEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Hosted O&M permission policies

The permission policies a service provider can select when configuring a service are:

| Permission name | Policy | Description |
| --- | --- | --- |
| Full access | AliyunComputeNestPolicyForFullAccess | Full permissions on the Alibaba Cloud resources in the ECS instances or Compute Nest service instances specified by the user. |
| Read-only | AliyunComputeNestPolicyForReadOnly | Read-only permissions on the Alibaba Cloud resources in the ECS instances or Compute Nest service instances specified by the user, including the ActionTrail audit logs of those resources. |
| Terminal login | AliyunComputeNestPolicyForTerminalLogin | Remote connection permissions on the ECS instances within the ECS instances or Compute Nest service instances specified by the user. |
| Operation audit | AliyunComputeNestPolicyForTrails | Permission to view the ActionTrail audit logs of the Alibaba Cloud resources in the ECS instances or Compute Nest service instances specified by the user. |
| Monitoring | AliyunComputeNestPolicyForAlarm | Permission to manage threshold alert and event alert rules for the Alibaba Cloud resources in the ECS instances or Compute Nest service instances specified by the user. |
| Upgrade | AliyunComputeNestPolicyForUpgrade | Permission to upgrade and roll back the application and service configuration in the Compute Nest service instances specified by the user. |
| O&M operations | AliyunComputeNestPolicyForOperation | Permission to perform O&M operations on the service instances specified by the user. |

The permission policies are configured as RAM permission policies; for the meaning of each element, see the document "Basic elements of permission policies".

AliyunComputeNestPolicyForFullAccess

Full access

Hosted O&M policy configuration

{
  "Action": [
    "*"
  ],
  "Effect": "Allow",
  "Resource": [
    "*"
  ]
}

Effective permissions

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:StartInstance",
                "ecs:DescribeInstances",
                "ecs:RebootInstance",
                "ecs:StopInstance",
                "ecs:RunCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StartTerminalSession",
                "ecs:DescribeTerminalSessions",
                "ecs:CloseTerminalSession",
                "ecs:DescribeInstanceHistoryEvents",
                "ecs:DescribeDiagnosticReports",
                "ecs:CreateDiagnosticReport",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeDisks",
                "ecs:DescribeImages",
                "cms:DescribeMetricData",
                "cms:DescribeMetricList",
                "cms:QueryMetricList",
                "cms:DescribeMetricRuleList",
                "cms:DescribeAlertHistoryList",
                "cms:DescribeAlertLogList",
                "cms:DescribeLogHistogram",
                "cms:DescribeLogCount",
                "cms:DescribeDynamicTagRuleList",
                "cms:DescribeMonitorGroups",
                "tag:ListTagResources",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouterInterfaceAttribute",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerListeners",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeVServerGroups",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:RestartDBInstance",
                "actiontrail:LookupEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunComputeNestPolicyForReadOnly

Read-only

Hosted O&M policy configuration

{
  "Action": [
    "*:Describe*",
    "*:List*",
    "*:Get*",
    "*:BatchGet*",
    "*:Query*",
    "*:BatchQuery*",
    "actiontrail:LookupEvents"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Effective permissions

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:DescribeTerminalSessions",
                "ecs:DescribeInstanceHistoryEvents",
                "ecs:DescribeDiagnosticReports",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeDisks",
                "ecs:DescribeImages",
                "cms:DescribeMetricData",
                "cms:DescribeMetricList",
                "cms:QueryMetricList",
                "cms:DescribeMetricRuleList",
                "cms:DescribeAlertHistoryList",
                "cms:DescribeAlertLogList",
                "cms:DescribeLogHistogram",
                "cms:DescribeLogCount",
                "cms:DescribeDynamicTagRuleList",
                "cms:DescribeMonitorGroups",
                "tag:ListTagResources",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouterInterfaceAttribute",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerListeners",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeVServerGroups",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "actiontrail:LookupEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunComputeNestPolicyForTerminalLogin

Terminal login

Hosted O&M policy configuration

{
  "Action": [
    "ecs:*TerminalSession*",
    "tag:List*",
    "tag:DescribeRegions",
    "ecs:Describe*Instance*",
    "cs:Describe*Cluster*",
    "cs:GetClusters",
    "eci:DescribeContainerGroups",
    "eci:ExecContainerCommand"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Effective permissions

{
  "Action": [
    "ecs:StartTerminalSession",
    "ecs:DescribeTerminalSessions",
    "ecs:CloseTerminalSession",
    "tag:ListSupportResourceTypes",
    "tag:ListTagResources",
    "tag:DescribeRegions",
    "ecs:DescribeInstances",
    "ecs:DescribeInstanceTypes",
    "ecs:DescribeInstanceHistoryEvents",
    "ecs:DescribeInstanceVncUrl",
    "cs:DescribeClusterUserKubeconfig",
    "cs:DescribeClusterDetail",
    "cs:GetClusters",
    "cs:DescribeClusterEndpoints",
    "cs:DescribeEdasClusterToken",
    "eci:DescribeContainerGroups",
    "eci:ExecContainerCommand"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

AliyunComputeNestPolicyForTrails

Operation audit

Hosted O&M policy configuration

{
  "Action": [
    "actiontrail:LookupEvents",
    "tag:ListTagResources",
    "tag:ListSupportResourceTypes",
    "tag:DescribeRegions"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Effective permissions

{
  "Action": [
    "actiontrail:LookupEvents",
    "tag:ListTagResources",
    "tag:ListSupportResourceTypes",
    "tag:DescribeRegions"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

AliyunComputeNestPolicyForAlarm

Monitoring

Hosted O&M policy configuration

{
  "Action": [
    "cms:Describe*",
    "cms:CheckRamRoleForCloudMonitor",
    "cms:QueryMetricList",
    "cms:*MetricRule*",
    "cms:*EventRule*",
    "cms:*HostAvailability",
    "tag:List*",
    "tag:DescribeRegions"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Effective permissions

{
  "Action": [
    "cms:DescribeMetricData",
    "cms:DescribeMetricList",
    "cms:QueryMetricList",
    "cms:DescribeMetricRuleList",
    "cms:DescribeAlertHistoryList",
    "cms:DescribeAlertLogList",
    "cms:DescribeLogHistogram",
    "cms:DescribeLogCount",
    "cms:DescribeDynamicTagRuleList",
    "cms:DescribeMonitorGroups",
    "cms:DescribeMonitorGroupInstances",
    "cms:DescribeMonitorGroupCategories",
    "cms:DescribeMonitorGroupDynamicRules",
    "cms:DescribeMetricRuleTemplateList",
    "cms:DescribeAlertingMetricRuleResources",
    "cms:DescribeContactGroupList",
    "cms:DescribeMonitorGroupInstanceAttribute",
    "cms:DescribeMetricListFromProxy",
    "cms:DescribeMetricLastFromProxy",
    "cms:DescribeMonitoringAgentHosts",
    "cms:DescribeMetricTopFromProxy",
    "cms:DescribeRegions",
    "cms:DescribeDashboardGroupList",
    "cms:DescribeHostAvailabilityList",
    "cms:DescribeUnhealthyHostAvailability",
    "cms:DescribeGroupMonitoringAgentProcess",
    "cms:DescribeSystemEventMetaList",
    "cms:CheckRamRoleForCloudMonitor",
    "cms:DescribeSystemEventHistogram",
    "cms:DescribeSystemEventAttribute",
    "cms:DescribeEventRuleList",
    "cms:DescribeEventRuleTargetList",
    "cms:DescribeCustomEventAttribute",
    "cms:DescribeCustomEventHistogram",
    "cms:DescribeContactListByContactGroup",
    "cms:DescribeAlertLogList",
    "cms:DescribeCustomMetricList",
    "cms:DescribeAlertLogCount",
    "cms:DescribeMetricMetaList",
    "cms:DescribeConsoleViews",
    "cms:DescribeProjectMeta",
    "cms:DescribeAlertLogHistogram",
    "cms:CreateHostAvailability",
    "cms:ModifyHostAvailability",
    "tag:DescribeRegions",
    "tag:ListSupportResourceTypes",
    "tag:ListTagResources"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

AliyunComputeNestPolicyForUpgrade

Upgrade

Hosted O&M policy configuration

{
  "Effect": "Allow",
  "Action": [
    "ros:*Stack",
    "ros:ListStack*",
    "tag:List*Resource*",
    "tag:DescribeRegions",
    "vpc:Describe*",
    "slb:Describe*",
    "slb:ListTagResources",
    "slb:*AccessControlListEntry",
    "slb:ModifyLoadBalancer*",
    "ecs:*Instance*",
    "ecs:Describe*",
    "ecs:RunCommand",
    "ecs:*SecurityGroup*",
    "ecs:*Disk*",
    "ess:ListTagResources",
    "ess:DescribeScaling*",
    "ess:*ScalingRule",
    "ess:*Instances",
    "cs:GetUserPermissions",
    "cs:Describe*Cluster*",
    "cs:GetClusters",
    "cs:CreateEdasClusterRole*"
  ],
  "Resource": [
    "*"
  ]
}

Effective permissions

{
  "Action": [
    "ros:UpdateStack",
    "ros:GetStack",
    "ros:ListStackEvents",
    "ros:ListStackResources",
    "tag:DescribeRegions",
    "tag:ListSupportResourceTypes",
    "tag:ListTagResources",
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitches",
    "vpc:DescribeVSwitchAttributes",
    "vpc:DescribeVpcAttribute",
    "vpc:DescribeRouteEntryList",
    "vpc:DescribeRouteTableList",
    "vpc:DescribeRouteTables",
    "vpc:DescribeRouterInterfaces",
    "vpc:DescribeRouterInterfaceAttribute",
    "vpc:DescribeEipAddresses",
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerListeners",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeVServerGroups",
    "slb:ListTagResources",
    "slb:DescribeAccessControlLists",
    "slb:DescribeAccessControlListAttribute",
    "slb:AddAccessControlListEntry",
    "slb:RemoveAccessControlListEntry",
    "slb:ModifyLoadBalancerInternetSpec",
    "slb:ModifyLoadBalancerInstanceSpec",
    "ecs:ModifyInstanceAttribute",
    "ecs:ReplaceSystemDisk",
    "ecs:RunInstances",
    "ecs:ModifySecurityGroupAttribute",
    "ecs:StartInstance",
    "ecs:DescribeInstances",
    "ecs:RebootInstance",
    "ecs:StopInstance",
    "ecs:ModifyInstanceSpec",
    "ecs:DescribeInstanceTypes",
    "ecs:ModifyPrepayInstanceSpec",
    "ecs:ModifyInstanceNetworkSpec",
    "ecs:RunCommand",
    "ecs:DescribeInvocations",
    "ecs:DescribeInvocationResults",
    "ecs:StartTerminalSession",
    "ecs:DescribeTerminalSessions",
    "ecs:CloseTerminalSession",
    "ecs:DescribeInstanceHistoryEvents",
    "ecs:DescribeDiagnosticReports",
    "ecs:CreateDiagnosticReport",
    "ecs:DescribeSecurityGroups",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:AuthorizeSecurityGroup",
    "ecs:RevokeSecurityGroup",
    "ecs:DescribeDisks",
    "ecs:ResizeDisk",
    "ecs:ModifyDiskSpec",
    "ecs:DescribeImages",
    "ecs:DescribeInstanceVncUrl",
    "ecs:DescribeManagedInstances",
    "ecs:CreateSnapshot",
    "ecs:CreateAutoSnapshotPolicy",
    "ecs:ApplyAutoSnapshotPolicy",
    "ecs:StopInstances",
    "ecs:ResetDisk",
    "ecs:DescribeSnapshots",
    "ess:ListTagResources",
    "ess:DescribeScalingGroups",
    "ess:CreateScalingRule",
    "ess:DeleteScalingRule",
    "ess:DescribeScalingActivityDetail",
    "ess:DescribeScalingActivities",
    "ess:ExecuteScalingRule",
    "ess:RemoveInstances",
    "ess:DetachInstances",
    "cs:DescribeClusterUserKubeconfig",
    "cs:DescribeClusterDetail",
    "cs:GetClusters",
    "cs:DescribeClusterEndpoints",
    "cs:DescribeEdasClusterToken",
    "cs:GetUserPermissions",
    "cs:CreateEdasClusterRole",
    "cs:CreateEdasClusterRoleBinding"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

AliyunComputeNestPolicyForOperation

O&M operations

Hosted O&M policy configuration

{
  "Action": [
    "ros:*Stack",
    "ros:ListStack*",
    "cs:Get*",
    "cs:Describe*Cluster*",
    "oos:StartExecution",
    "oos:ListExecutions",
    "ecs:*Instance*"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}

Effective permissions

{
  "Action": [
    "ros:UpdateStack",
    "ros:GetStack",
    "ros:ListStackEvents",
    "ros:ListStackResources",
    "cs:GetClusters",
    "cs:GetUserPermissions",
    "cs:DescribeClusterUserKubeconfig",
    "cs:DescribeClusterDetail",
    "cs:DescribeClusterEndpoints",
    "cs:DescribeEdasClusterToken",
    "oos:StartExecution",
    "oos:ListExecutions",
    "ecs:StartInstance",
    "ecs:DescribeInstances",
    "ecs:RebootInstance",
    "ecs:StopInstance",
    "ecs:ModifyInstanceSpec",
    "ecs:DescribeInstanceTypes",
    "ecs:ModifyPrepayInstanceSpec",
    "ecs:ModifyInstanceNetworkSpec",
    "ecs:DescribeInstanceHistoryEvents",
    "ecs:DescribeInstanceVncUrl",
    "ecs:DescribeManagedInstances",
    "ecs:StopInstances"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}