服务商在创建代运维服务时,需要设置权限策略。在用户创建代运维服务实例后,计算巢会为用户创建相应的权限策略,并授信给计算巢。计算巢会为服务商授予其发布服务的服务实例中所包含资源的相应权限,服务商即可针对这些资源进行相应的代运维操作。
资源限制
私有部署服务附加代运维的服务,权限只限定在用户部署的服务实例内的资源。
纯代运维的服务,权限只限定在用户指定的ECS实例或者计算巢服务实例内的资源。服务商可以在服务实例详情页面查看已授权的运维资源,如下图所示:
权限限制
代运维权限限定在代运维权限全集的系统权限策略AliyunComputeNestPolicyForSupplierRole里,实际服务的代运维权限为代运维权限全集与选择的权限范围的交集。
AliyunComputeNestPolicyForSupplierRole策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}代运维权限策略
服务商在配置服务时可选的权限策略为:
权限名 | 权限 | 说明 |
全部权限 | AliyunComputeNestPolicyForFullAccess | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的全部权限。 |
只读权限 | AliyunComputeNestPolicyForReadOnly | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的只读权限,还包括这部分资源的ActionTrail审计日志。 |
终端登录权限 | AliyunComputeNestPolicyForTerminalLogin | 针对用户指定的ECS实例或者计算巢服务实例中ECS实例的远程连接权限。 |
操作审计权限 | AliyunComputeNestPolicyForTrails | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的查看审计日志ActionTrail权限。 |
监控权限 | AliyunComputeNestPolicyForAlarm | 针对用户指定的ECS实例或者计算巢服务实例中阿里云资源的管理阈值报警和事件报警规则的权限。 |
升级权限 | AliyunComputeNestPolicyForUpgrade | 针对用户指定的计算巢服务实例中的应用和服务配置升级和回滚的权限。 |
运维操作权限 | AliyunComputeNestPolicyForOperation | 针对用户指定的服务实例进行运维操作的权限 |
权限策略配置为RAM权限策略,具体内容含义可以参考文档权限策略基本元素。
AliyunComputeNestPolicyForFullAccess
全部权限
代运维权限Policy配置
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}实际效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForReadOnly
只读权限
代运维权限Policy配置
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForTerminalLogin
终端登录权限
代运维权限Policy配置
{
"Action": [
"ecs:*TerminalSession*",
"tag:List*",
"tag:DescribeRegions",
"ecs:Describe*Instance*",
"cs:Describe*Cluster*",
"cs:GetClusters",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"tag:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForTrails
操作审计权限
代运维权限Policy配置
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForAlarm
监控权限
代运维权限Policy配置
{
"Action": [
"cms:Describe*",
"cms:CheckRamRoleForCloudMonitor",
"cms:QueryMetricList",
"cms:*MetricRule*",
"cms:*EventRule*",
"cms:*HostAvailability",
"tag:List*",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DescribeMonitorGroupInstances",
"cms:DescribeMonitorGroupCategories",
"cms:DescribeMonitorGroupDynamicRules",
"cms:DescribeMetricRuleTemplateList",
"cms:DescribeAlertingMetricRuleResources",
"cms:DescribeContactGroupList",
"cms:DescribeMonitorGroupInstanceAttribute",
"cms:DescribeMetricListFromProxy",
"cms:DescribeMetricLastFromProxy",
"cms:DescribeMonitoringAgentHosts",
"cms:DescribeMetricTopFromProxy",
"cms:DescribeRegions",
"cms:DescribeDashboardGroupList",
"cms:DescribeHostAvailabilityList",
"cms:DescribeUnhealthyHostAvailability",
"cms:DescribeGroupMonitoringAgentProcess",
"cms:DescribeSystemEventMetaList",
"cms:CheckRamRoleForCloudMonitor",
"cms:DescribeSystemEventHistogram",
"cms:DescribeSystemEventAttribute",
"cms:DescribeEventRuleList",
"cms:DescribeEventRuleTargetList",
"cms:DescribeCustomEventAttribute",
"cms:DescribeCustomEventHistogram",
"cms:DescribeContactListByContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeCustomMetricList",
"cms:DescribeAlertLogCount",
"cms:DescribeMetricMetaList",
"cms:DescribeConsoleViews",
"cms:DescribeProjectMeta",
"cms:DescribeAlertLogHistogram",
"cms:CreateHostAvailability",
"cms:ModifyHostAvailability",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForUpgrade
升级权限
代运维权限Policy配置
{
"Effect": "Allow",
"Action": [
"ros:*Stack",
"ros:ListStack*",
"tag:List*Resource*",
"tag:DescribeRegions",
"vpc:Describe*",
"slb:Describe*",
"slb:ListTagResources",
"slb:*AccessControlListEntry",
"slb:ModifyLoadBalancer*",
"ecs:*Instance*",
"ecs:Describe*",
"ecs:RunCommand",
"ecs:*SecurityGroup*",
"ecs:*Disk*",
"ess:ListTagResources",
"ess:DescribeScaling*",
"ess:*ScalingRule",
"ess:*Instances",
"cs:GetUserPermissions",
"cs:Describe*Cluster*",
"cs:GetClusters",
"cs:CreateEdasClusterRole*"
],
"Resource": [
"*"
]
}实际效果
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeEipAddresses",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"slb:ListTagResources",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceSpec",
"ecs:ModifyInstanceAttribute",
"ecs:ReplaceSystemDisk",
"ecs:RunInstances",
"ecs:ModifySecurityGroupAttribute",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks",
"ecs:ResizeDisk",
"ecs:ModifyDiskSpec",
"ecs:DescribeImages",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:CreateSnapshot",
"ecs:CreateAutoSnapshotPolicy",
"ecs:ApplyAutoSnapshotPolicy",
"ecs:StopInstances",
"ecs:ResetDisk",
"ecs:DescribeSnapshots",
"ess:ListTagResources",
"ess:DescribeScalingGroups",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:DescribeScalingActivityDetail",
"ess:DescribeScalingActivities",
"ess:ExecuteScalingRule",
"ess:RemoveInstances",
"ess:DetachInstances",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"cs:GetUserPermissions",
"cs:CreateEdasClusterRole",
"cs:CreateEdasClusterRoleBinding"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForOperation
运维操作权限
代运维权限Policy配置
{
"Action": [
"ros:*Stack",
"ros:ListStack*",
"cs:Get*",
"cs:Describe*Cluster*",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:*Instance*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}实际效果
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"cs:GetClusters",
"cs:GetUserPermissions",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:StopInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}文档内容是否对您有帮助?