If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies enable fine-grained permission control and are an effective way to improve the security of resource access. This topic describes the scenarios in which custom policies are used with Microservices Engine (MSE) and provides policy examples.
What is a custom policy
In the RAM-based access control model, a custom policy is a policy that you create, update, and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role before that RAM identity obtains the permissions specified in the policy.
A custom policy can be deleted, but only if it is no longer referenced. If the policy is still referenced, remove the grants listed in the policy's reference records first.
Custom policies support version control. You can manage the versions of your custom policies according to the version management rules defined by RAM.
Common custom policy examples for registries
Grant a user read-only permissions on the services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Grant a user permissions to read and modify the services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Grant a user read-only permissions on the services of one namespace in one instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
    }
  ],
  "Version": "1"
}
Grant a user permissions to read and modify the services in the ${group} group of one namespace in one instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
    }
  ],
  "Version": "1"
}
Grant a user read-only permissions on the ${serviceName} service in the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
Grant a user permissions to read and modify the ${serviceName} service in the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
Common custom policy examples for microservice governance
Read-only permissions on all applications
To let staff within the enterprise view key information about applications, consider granting read-only permissions on all applications.
For example, use the Alibaba Cloud account to grant a RAM user read-only permissions on all microservice governance applications that belong to the current Alibaba Cloud account.
The corresponding policy is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Full operation permissions on one application
As the owner of an application within the enterprise, you receive all operation permissions on that application, while your permissions stay strictly limited to the application you manage.
For example, use the Alibaba Cloud account to grant a RAM user the following permissions:
The RAM user has read-only permissions on all microservice governance applications that belong to the current Alibaba Cloud account.
The RAM user has full operation permissions on the specified microservice governance application.
The corresponding policy is as follows. The first statement grants all permissions on the specified application; the remaining statements grant read-only permissions on all microservice governance applications.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Full operation permissions on one namespace
As a tester within the enterprise, you receive operation permissions on all applications in the test environment (the test namespace), while your permissions stay strictly limited to that test environment.
For example, use the Alibaba Cloud account to grant a RAM user the following permissions:
The RAM user has read-only permissions on all microservice governance applications that belong to the current Alibaba Cloud account.
The RAM user has read and write permissions on the specified microservice governance namespace.
The corresponding policy is as follows. The first statement grants all permissions on every application in the specified namespace; the second grants read-only permissions on all microservice governance applications; the third grants the namespace-level actions (listing applications and managing lane groups and lanes) on the specified namespace.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAllSwimmingLane",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:QuerySwimmingLaneById",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:ListSwimmingLaneGateway",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListAuthPolicy",
        "mse:GetServiceList",
        "mse:GetServiceListPage"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:GetApplicationList",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteSwimmingLane"
      ],
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Common custom policy examples for cloud-native gateways
Example 1: Grant a RAM user read and write permissions on the cloud-native gateway instance gw-f23fcdca44c84769a6652245ecc****.
{
  "Statement": [
    {
      "Action": [
        "mse:*"
      ],
      "Resource": "acs:mse:*:*:instance/gw-f23fcdca44c84769a6652245ecc****",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Example 2: Grant a RAM user read permissions on all cloud-native gateway instances.
{
  "Statement": [
    {
      "Action": [
        "mse:List*",
        "mse:Query*",
        "mse:Get*",
        "mse:Pull*"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Example 3: Grant a RAM user the resource operation permission that the console prompts for. In the Resource value, {主账号ID} is the ID of the Alibaba Cloud account and {网关实例ID} is the ID of the gateway instance.
{
  "Statement": [
    {
      "Action": [
        "mse:UpdateGatewayName"
      ],
      "Resource": "acs:mse:cn-hangzhou:{主账号ID}:instance/{网关实例ID}",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
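To check, before attaching a policy, that the wildcards in the registry, microservice governance and gateway examples above scope access the way you intend, the following added example (not part of this topic or of MSE itself) evaluates an action/resource pair against a RAM-style policy with default deny, and flags duplicated action entries. The policies and IDs in it are constructed samples modelled on the ones on this page; case-insensitive action matching is an assumption of the example.

```python
import json
import re

# Constructed sample policies modelled on the ones in this page; the instance and
# account IDs used with them are made-up placeholders, not real resources.
GATEWAY_READ_ONLY = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["mse:List*", "mse:Query*", "mse:Get*", "mse:Pull*"],
  "Resource": "acs:mse:*:*:*"}]}""")
NAMESPACE_ADMIN = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": "mse:*", "Resource": "acs:mse:*:*:namespace/test/application/*"}]}""")
SINGLE_GATEWAY_RW = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["mse:*"], "Resource": "acs:mse:*:*:instance/gw-sample0001"}]}""")

def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    # Only '*' is a wildcard; it may span ':' and '/', so "acs:mse:*:*:*" covers any resource.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Default-deny evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Assumption: action names match case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_glob(r, resource, False) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def duplicate_actions(policy):
    """Report actions listed more than once in one statement (harmless, but noisy to review)."""
    dups = []
    for stmt in policy["Statement"]:
        seen = set()
        for a in _as_list(stmt["Action"]):
            if a.lower() in seen:
                dups.append(a)
            seen.add(a.lower())
    return dups
```

Running is_allowed(GATEWAY_READ_ONLY, "mse:UpdateGatewayName", ...) returns False while the same call against SINGLE_GATEWAY_RW returns True only for the named instance, which is the least-privilege split the gateway examples describe.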