MSE lets an Alibaba Cloud account grant RAM users permissions to operate the Microservice Governance Center through the console and through OpenAPI, so the Alibaba Cloud account's own AccessKey never has to be handed out and the security risk of exposing it is avoided. After authorization, you can use the MSE Microservice Governance Center as a RAM user. This topic describes how to create a RAM user in the console and grant it permissions.
Scenarios
An enterprise has activated Microservice Engine (MSE). Because employees have different job responsibilities, they need different permissions on resources: O&M staff manage applications and permissions, and developers configure application rules. The enterprise has the following requirements:
For security and trust reasons, the Alibaba Cloud account's credentials must not be disclosed to employees; instead, permissions should be granted to each employee's own account.
A user account can operate resources only within the permissions it has been granted. No separate metering or billing is needed; all charges are billed to the enterprise account.
The permissions of a user account can be revoked at any time, and a created user account can be deleted at any time.
An application owner has operation permissions only on that application and can neither access nor operate other applications.
A tester has operation permissions only on the applications in the test namespace and can neither access nor operate the production namespace.
Step 1: Create a RAM user
For details, see Create a RAM user.
Step 2: Grant permissions to the RAM user
Before a RAM user can be used, you must grant it the required permissions.
Log on to the RAM console as the RAM administrator.
In the left-side navigation pane, go to the Users page.
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions below the user list to grant permissions to them in bulk.
In the Add Permissions panel, select the policies and click Grant permissions.
Select the policy type, enter a keyword for the policy in the search box, then click the matching policy to add it to the Selected Policies list on the right.
The available policy types are system policies and custom policies:
System policies (coarse-grained authorization)
AliyunMSEFullAccess: full management permissions on Microservice Engine (MSE), equivalent to the Alibaba Cloud account's own permissions on MSE. A RAM user granted this policy can perform every operation in the MSE console.
AliyunMSEReadOnlyAccess: read-only permissions on MSE. A RAM user granted this policy can only view resources in the MSE console.
Note: it is recommended to grant AliyunMSEFullAccess to O&M staff so that they can create and delete resources, and AliyunMSEReadOnlyAccess to developers so that they can view resources but cannot create or delete them. Read-only access does not let a developer configure application rules; a developer who must do so needs a custom policy scoped to their application or namespace (see the examples below) rather than AliyunMSEFullAccess, which grants every MSE action on every resource.
Custom policies (fine-grained authorization)
If you need finer-grained authorization, refer to Common permission configuration examples to create a custom policy for access control. For details, see Create a custom policy.
In the Add Permissions panel, confirm that authorization has completed, then click Close.
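The procedure above performs the grant in the console. The same grant through the RAM OpenAPI, as an added example that is not code from this page or from Alibaba Cloud: it builds the "full permissions on one application" policy from the examples section and calls CreatePolicy followed by AttachPolicyToUser. It assumes the alibabacloud_ram20150501 and alibabacloud_tea_openapi Python SDK packages, the ram.aliyuncs.com endpoint, a RAM administrator's credentials in the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables, and hypothetical user and policy names (dev-alice, mse-owner-order-service).

```python
"""Create a scoped custom policy and attach it to a RAM user through the RAM OpenAPI.

Added example; it is not code from the MSE documentation or from Alibaba Cloud.
Assumptions: the alibabacloud_tea_openapi and alibabacloud_ram20150501 packages
are installed, and ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET
hold a RAM administrator's AccessKey (never the Alibaba Cloud account's own key).
User and policy names are hypothetical.
"""
import json
import os
import re

# Read-only actions taken from the page's "read-only on all applications" policy.
READ_ONLY_ACTIONS = [
    "mse:QueryNamespace",
    "mse:GetApplicationListWithMetircs",
    "mse:ListNamespaces",
    "mse:GetEventFilterOptions",
    "mse:ListEventRecords",
    "mse:GetEventDetail",
    "mse:FetchLogConfig",
    "mse:QueryBusinessLocations",
    "mse:GetApplicationInstanceList",
    "mse:listGrayTag",
    "mse:QueryServiceDetailWithMetrics",
    "mse:ListEventsPage",
    "mse:ListEventsByType",
    "mse:GetApplicationTagList",
]

_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


def build_app_owner_policy(namespace: str, app_name: str) -> dict:
    """Policy document for the page's 'full permissions on one application' case."""
    for value in (namespace, app_name):
        # Both names are spliced into the Resource string. A '*' or '/' arriving
        # from an untrusted form field would silently widen the grant, so refuse
        # anything outside a conservative character set.
        if not _SEGMENT.fullmatch(value):
            raise ValueError(f"unsafe resource segment: {value!r}")
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:*",
                "Resource": f"acs:mse:*:*:namespace/{namespace}/application/{app_name}",
            },
            {"Effect": "Allow", "Action": READ_ONLY_ACTIONS, "Resource": "acs:mse:*:*:*"},
            {
                "Effect": "Allow",
                "Action": "mse:GetApplicationList",
                "Resource": f"acs:mse:*:*:namespace/{namespace}",
            },
        ],
    }


def create_and_attach(policy_name: str, user_name: str, document: dict) -> None:
    """CreatePolicy followed by AttachPolicyToUser (performs network calls)."""
    # Imported lazily so build_app_owner_policy() stays usable offline.
    from alibabacloud_tea_openapi import models as open_api_models
    from alibabacloud_ram20150501.client import Client
    from alibabacloud_ram20150501 import models as ram_models

    client = Client(open_api_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
        endpoint="ram.aliyuncs.com",
    ))
    client.create_policy(ram_models.CreatePolicyRequest(
        policy_name=policy_name,
        policy_document=json.dumps(document, separators=(",", ":")),
        description="MSE governance: owner of " + document["Statement"][0]["Resource"],
    ))
    # Custom policies are attached with PolicyType=Custom; system ones use System.
    client.attach_policy_to_user(ram_models.AttachPolicyToUserRequest(
        policy_type="Custom", policy_name=policy_name, user_name=user_name,
    ))


if __name__ == "__main__":
    doc = build_app_owner_policy("test", "order-service")  # hypothetical names
    print(json.dumps(doc, indent=2))
    # create_and_attach("mse-owner-order-service", "dev-alice", doc)
```

Run it with a RAM administrator's AccessKey rather than the Alibaba Cloud account's key, which is exactly the exposure this page is about. The character check on the namespace and application names matters when the values come from a ticketing system or a form: a single `*` in either would turn the one-application grant into a grant on every application.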
Common permission configuration examples
Read-only permissions on all applications
To let staff across the enterprise view key information about applications, consider granting read-only permissions on all applications.
For example, use the Alibaba Cloud account to grant a RAM user read-only permissions on all microservice governance applications under the current Alibaba Cloud account.
The corresponding policy is as follows. Replace ${ns} with the name of the namespace whose application list the user may retrieve: the first statement grants the read-only actions on every resource, while the second scopes mse:GetApplicationList to that single namespace. If the user should be able to list applications in every namespace, widen that Resource to acs:mse:*:*:namespace/* (the same wildcard matching that the application/* pattern in the namespace example below relies on):
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mse:QueryNamespace",
"mse:GetApplicationListWithMetircs",
"mse:ListNamespaces",
"mse:GetEventFilterOptions",
"mse:ListEventRecords",
"mse:GetEventDetail",
"mse:FetchLogConfig",
"mse:QueryBusinessLocations",
"mse:GetApplicationInstanceList",
"mse:listGrayTag",
"mse:QueryServiceDetailWithMetrics",
"mse:ListEventsPage",
"mse:ListEventsByType",
"mse:GetApplicationTagList"
],
"Resource": "acs:mse:*:*:*"
},
{
"Effect": "Allow",
"Action": "mse:GetApplicationList",
"Resource": "acs:mse:*:*:namespace/${ns}"
}
]
}
Full operation permissions on a specific application
As the owner of an application within the enterprise, you get every operation permission on that application, and your permissions are strictly confined to the application you manage.
For example, use the Alibaba Cloud account to grant a RAM user the following permissions:
Read-only permissions on all microservice governance applications under the current Alibaba Cloud account.
Full operation permissions on the specified microservice governance application.
The corresponding policy is as follows. Replace ${ns} and ${appName} with the namespace and application name. The first statement grants every mse: action, but only on that one application; the second grants the read-only actions on every resource; the third lets the user list the applications in that namespace:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "mse:*",
"Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
},
{
"Effect": "Allow",
"Action": [
"mse:QueryNamespace",
"mse:GetApplicationListWithMetircs",
"mse:ListNamespaces",
"mse:GetEventFilterOptions",
"mse:ListEventRecords",
"mse:GetEventDetail",
"mse:FetchLogConfig",
"mse:QueryBusinessLocations",
"mse:GetApplicationInstanceList",
"mse:listGrayTag",
"mse:QueryServiceDetailWithMetrics",
"mse:ListEventsPage",
"mse:ListEventsByType",
"mse:GetApplicationTagList"
],
"Resource": "acs:mse:*:*:*"
},
{
"Effect": "Allow",
"Action": "mse:GetApplicationList",
"Resource": "acs:mse:*:*:namespace/${ns}"
}
]
}
Full operation permissions on a specific namespace
As a tester within the enterprise, you get operation permissions on every application in the test environment (the test namespace), and your permissions are strictly confined to that namespace.
For example, use the Alibaba Cloud account to grant a RAM user the following permissions:
Read-only permissions on all microservice governance applications under the current Alibaba Cloud account.
Read and write permissions on the specified microservice governance namespace.
The corresponding policy is as follows. Replace ${ns} with the namespace name. The first statement grants every mse: action on every application in that namespace (its Resource pattern covers the applications, not the namespace object itself); the second grants the read-only actions, including the swimming lane queries, on every resource; the third grants the namespace-level actions (listing applications and managing swimming lanes and lane groups) on that namespace only:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "mse:*",
"Resource": "acs:mse:*:*:namespace/${ns}/application/*"
},
{
"Effect": "Allow",
"Action": [
"mse:QueryNamespace",
"mse:GetApplicationListWithMetircs",
"mse:ListNamespaces",
"mse:GetEventFilterOptions",
"mse:ListEventRecords",
"mse:GetEventDetail",
"mse:FetchLogConfig",
"mse:QueryBusinessLocations",
"mse:GetApplicationInstanceList",
"mse:listGrayTag",
"mse:QueryServiceDetailWithMetrics",
"mse:ListEventsPage",
"mse:ListEventsByType",
"mse:GetApplicationTagList",
"mse:QueryAllSwimmingLaneGroup",
"mse:QueryAllSwimmingLane",
"mse:ListAppBySwimmingLaneGroupTags",
"mse:ListAppBySwimmingLaneGroupTag",
"mse:QuerySwimmingLaneById",
"mse:GetTagsBySwimmingLaneGroupId",
"mse:ListSwimmingLaneGateway",
"mse:ListSwimmingLaneGatewayRoute",
"mse:ListAuthPolicy",
"mse:GetServiceList",
"mse:GetServiceListPage"
],
"Resource": "acs:mse:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"mse:GetApplicationList",
"mse:CreateOrUpdateSwimmingLaneGroup",
"mse:CreateOrUpdateSwimmingLane",
"mse:DeleteSwimmingLaneGroup",
"mse:DeleteSwimmingLane"
],
"Resource": "acs:mse:*:*:namespace/${ns}"
}
]
}
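Before attaching either of the scoped policies above, it is worth checking offline that they grant what the requirements list says: an application owner cannot touch other applications, and a tester cannot touch the production namespace. The following is an added example, not code from this page or from Alibaba Cloud. It fills the ${ns} and ${appName} placeholders the page uses and evaluates action/resource pairs against a deliberately small model of RAM evaluation (assumptions: Allow and Deny statements, '*' wildcards in Action and Resource, case-insensitive action names, deny by default, explicit Deny wins). The read-only action lists are trimmed to three entries, and the namespace, application and account id values are hypothetical.

```python
"""Offline scope check for the page's application-owner and tester policies.

Added example, not part of the MSE documentation. The evaluator is a simplified
model of RAM policy evaluation (assumption), meant as a pre-attachment sanity
check; the authoritative decision is always made by Alibaba Cloud RAM.
"""
import json
import re

# The page's two scoped policies with the read-only lists trimmed to three actions.
APP_OWNER_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "mse:*",
     "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"},
    {"Effect": "Allow",
     "Action": ["mse:ListNamespaces", "mse:QueryNamespace", "mse:GetApplicationListWithMetircs"],
     "Resource": "acs:mse:*:*:*"},
    {"Effect": "Allow", "Action": "mse:GetApplicationList",
     "Resource": "acs:mse:*:*:namespace/${ns}"}
  ]
}"""

TESTER_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "mse:*",
     "Resource": "acs:mse:*:*:namespace/${ns}/application/*"},
    {"Effect": "Allow",
     "Action": ["mse:ListNamespaces", "mse:QueryNamespace", "mse:GetApplicationListWithMetircs"],
     "Resource": "acs:mse:*:*:*"},
    {"Effect": "Allow",
     "Action": ["mse:GetApplicationList", "mse:CreateOrUpdateSwimmingLaneGroup",
                "mse:CreateOrUpdateSwimmingLane", "mse:DeleteSwimmingLaneGroup",
                "mse:DeleteSwimmingLane"],
     "Resource": "acs:mse:*:*:namespace/${ns}"}
  ]
}"""


def render(template: str, **values: str) -> dict:
    """Fill every ${name} placeholder the page uses, refusing to leave one unfilled."""
    def fill(m: re.Match) -> str:
        if m.group(1) not in values:
            raise ValueError(f"no value for placeholder ${{{m.group(1)}}}")
        return values[m.group(1)]
    return json.loads(re.sub(r"\$\{(\w+)\}", fill, template))


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """Glob-style match where '*' spans any characters, including ':' and '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Deny by default; any matching Deny overrides every matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def scope_report(policy: dict, account: str, cases) -> dict:
    """Evaluate (action, resource suffix) pairs for one account id and region."""
    return {
        (action, suffix): is_allowed(policy, action, f"acs:mse:cn-hangzhou:{account}:{suffix}")
        for action, suffix in cases
    }


if __name__ == "__main__":
    owner = render(APP_OWNER_TEMPLATE, ns="test", appName="order-service")  # hypothetical
    tester = render(TESTER_TEMPLATE, ns="test")
    cases = [
        ("mse:UpdateFlowRule", "namespace/test/application/order-service"),
        ("mse:UpdateFlowRule", "namespace/test/application/payment"),
        ("mse:UpdateFlowRule", "namespace/prod/application/order-service"),
        ("mse:GetApplicationList", "namespace/test"),
        ("mse:GetApplicationList", "namespace/prod"),
        ("mse:DeleteNamespace", "namespace/test"),
    ]
    for name, policy in (("application owner", owner), ("tester", tester)):
        print(f"== {name}")
        for (action, suffix), ok in scope_report(policy, "1234567890123456", cases).items():
            print(f"{'ALLOW' if ok else 'deny ':5} {action:24} {suffix}")
```

The report makes the difference between the two policies visible: the owner may change rules only on order-service, the tester may change rules on any application in the test namespace but on none in prod, and neither can act on the namespace object itself with actions the third statement does not list. If a change to one of the policies flips any of these lines, that is the moment to look at it, before a RAM user is attached to it.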
Read and write permissions on all governance resources (for permission testing only; not recommended for production)
The following lists the read and write permissions on every resource that microservice governance may use, so that an enterprise can review and verify the permissions of its RAM users. Do not copy it into production as is: granted on acs:mse:*:*:*, it is effectively the same grant as the AliyunMSEFullAccess system policy. In the policy below, the Action list and the Resource can be replaced with mse:* and acs:mse:*:*:* respectively:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mse:AddAuthPolicy",
"mse:AddServiceTimeConfig",
"mse:AddWhiteScreenRule",
"mse:ApplyGlobalReadWriteSplitRule",
"mse:ApplyReadWriteSplitRule",
"mse:ApplyTagPolicies",
"mse:BatchUpdateRulesEnable",
"mse:BindSentinelBlockFallbackDefinition",
"mse:CheckCanaryPolicy",
"mse:CheckCsRole",
"mse:CheckEciRole",
"mse:CheckRole",
"mse:CheckServiceLinkedRoleForDeleting",
"mse:CheckUserReadinessConfig",
"mse:CheckXTraceServiceStatus",
"mse:CloneSentinelRuleFromAhas",
"mse:CreateApplication",
"mse:CreateCircuitBreakerRule",
"mse:CreateFlowRule",
"mse:CreateGovernanceKubernetesCluster",
"mse:CreateHotParamRule",
"mse:CreateIsolationRule",
"mse:CreateLicenseKey",
"mse:CreateMseServiceApplication",
"mse:CreateNamespace",
"mse:CreateOrUpdateEmptyPushSetting",
"mse:CreateOrUpdateSwimmingLane",
"mse:CreateOrUpdateSwimmingLaneGroup",
"mse:CreateSentinelBlockFallbackDefinition",
"mse:CreateWebFlowRule",
"mse:DeleteCircuitBreakerRules",
"mse:DeleteFaultInjectionRule",
"mse:DeleteFlowRules",
"mse:DeleteGovernanceKubernetesCluster",
"mse:DeleteHotParamRules",
"mse:DeleteIsolationRules",
"mse:DeleteNamespace",
"mse:DeleteSentinelBlockFallbackDefinition",
"mse:DeleteSwimmingLane",
"mse:DeleteSwimmingLaneGroup",
"mse:DeleteWebFlowRules",
"mse:DeleteWhiteScreenRule",
"mse:DescribeAppAgentStatus",
"mse:FetchAppLogConfig",
"mse:FetchDataSourceConfig",
"mse:FetchGlobalReadWriteSplitRules",
"mse:FetchLogConfig",
"mse:FetchLosslessRuleList",
"mse:FetchReadWriteSplitRules",
"mse:FetchRoutePolicyList",
"mse:FetchWhiteScreenRule",
"mse:GenerateAgentLogSts",
"mse:GetAppMessageQueueRoute",
"mse:GetApplicationDetail",
"mse:GetApplicationInstanceList",
"mse:GetApplicationInstancesWithMetircs",
"mse:GetApplicationList",
"mse:GetApplicationListWithMetircs",
"mse:GetApplicationTagList",
"mse:GetAuthPolicyInfo",
"mse:GetCanaryStatus",
"mse:GetClusterOnePilotInfo",
"mse:GetDubboServicePageWithMetrics",
"mse:GetDubboTestMethod",
"mse:GetGovernanceKubernetesCluster",
"mse:GetGovernanceKubernetesClusterList",
"mse:GetLicenseKey",
"mse:GetLocalityDistributionMetrics",
"mse:GetLocalityRule",
"mse:GetLosslessRuleByApp",
"mse:GetMockRuleByConsumerAppId",
"mse:GetMockRuleById",
"mse:GetMockRuleByProviderAppId",
"mse:GetNetworkInfo",
"mse:GetOpenSergoInfoByClusterId",
"mse:GetOutlierPolicyInfo",
"mse:GetOverview",
"mse:GetResourcePackageStatus",
"mse:GetResourcePackageStatusWithVersion",
"mse:GetRetryRule",
"mse:GetRoutePolicy",
"mse:GetServiceConsumersPage",
"mse:GetServiceDetail",
"mse:GetServiceList",
"mse:GetServiceListPage",
"mse:GetServiceMethodPage",
"mse:GetServiceMethodPageWithMetrics",
"mse:GetServiceProvidersPage",
"mse:GetSpringCloudTestMethod",
"mse:GetTagKey",
"mse:GetTagVal",
"mse:GetTagsBySwimmingLaneGroupId",
"mse:GetTrace",
"mse:GetUserStatus",
"mse:InstallOnePilot",
"mse:InvokeDubboTestMethod",
"mse:InvokeIstioTestMethod",
"mse:InvokeSpringCloudTestMethod",
"mse:ListAdaptiveOverloadProtectionConfig",
"mse:ListAppBySwimmingLaneGroupTag",
"mse:ListAppBySwimmingLaneGroupTags",
"mse:ListAppResource",
"mse:ListAppResourceWithMetrics",
"mse:ListApplicationTagInstancese",
"mse:ListApplicationsWithTagRules",
"mse:ListAuthPolicy",
"mse:ListCircuitBreakerRules",
"mse:ListConnectedSwimmingLaneGroup",
"mse:ListCsKubernetesClusters",
"mse:ListDefaultCircuitBreakerRules",
"mse:ListEventOfReource",
"mse:ListEventRecords",
"mse:ListEventsByType",
"mse:ListEventsPage",
"mse:ListEventsPageByType",
"mse:ListFlowRules",
"mse:ListHotParamRules",
"mse:ListIpOrHosts",
"mse:ListIsolationRules",
"mse:ListKubernetesNamespace",
"mse:ListLogSpanServices",
"mse:ListMscEventRecords",
"mse:ListNamespaces",
"mse:ListProtectedAppResourceWithMetrics",
"mse:ListResourceWhiteListConfigs",
"mse:ListResources",
"mse:ListSentinelBlockFallbackDefinitions",
"mse:ListSpanNames",
"mse:ListSwimPathPercent",
"mse:ListSwimmingLaneGatewayRoute",
"mse:ListWebFlowRules",
"mse:ModifyAdaptiveOverloadProtectionConfig",
"mse:ModifyGovernanceKubernetesCluster",
"mse:ModifyLosslessRule",
"mse:ModifyNamespace",
"mse:OpenXTraceService",
"mse:QueryAhasUserStatus",
"mse:QueryAllSwimmingLane",
"mse:QueryAllSwimmingLaneGroup",
"mse:QueryAppDataSourceList",
"mse:QueryAppListMetrics",
"mse:QueryAppMethodMetrics",
"mse:QueryAppMethodMetricsWithSentinel",
"mse:QueryAppRPCMacMetrics",
"mse:QueryAppResourceMetrics",
"mse:QueryAppResourceMetricsByInstance",
"mse:QueryAppSummaryMetricsOverview",
"mse:QueryAppSummaryMetricsOverviewWithSentinel",
"mse:QueryAppSystemMetricsOfGroup",
"mse:QueryAppSystemMetricsOfGroupByInstance",
"mse:QueryAppTopNMacs",
"mse:QueryDatabaseRoute",
"mse:QueryEmptyPushSetting",
"mse:QueryEventOverview",
"mse:QueryGovernanceKubernetesCluster",
"mse:QueryMetricsAveragedByInstance",
"mse:QueryNamespace",
"mse:QueryNginxIngressGateway",
"mse:QueryResourceTopN",
"mse:QueryServiceDetailWithMetrics",
"mse:QuerySwimmingLaneById",
"mse:RemoveApplication",
"mse:RemoveApplications",
"mse:RemoveAuthPolicy",
"mse:RemoveOutlierPolicy",
"mse:RemoveRoutePolicy",
"mse:ReportAgentInfoForm",
"mse:ReportAgentStartupStatus",
"mse:ReportAppProfile",
"mse:ReportEventBatchForm",
"mse:ReportMetadataForm",
"mse:ReportOneAgentInfo",
"mse:ReportOnePilotInfo",
"mse:ReportSpanStatInfoForm",
"mse:RevertApplicationRoutePolicy",
"mse:SearchTraces",
"mse:TagResources",
"mse:UnbindSentinelBlockFallbackDefinition",
"mse:UpdateAppLogConfig",
"mse:UpdateAuthPolicy",
"mse:UpdateCircuitBreakerRule",
"mse:UpdateCircuitBreakerRulesStatus",
"mse:UpdateDatabaseRoute",
"mse:UpdateDefaultCircuitBreakerRule",
"mse:UpdateFlowRule",
"mse:UpdateFlowRulesStatus",
"mse:UpdateGovernanceServiceSubscribe",
"mse:UpdateHotParamRule",
"mse:UpdateHotParamRulesStatus",
"mse:UpdateInstanceRegisterStatus",
"mse:UpdateIsolationRule",
"mse:UpdateIsolationRulesStatus",
"mse:UpdateLocalityRule",
"mse:UpdateLogConfig",
"mse:UpdateMessageQueueRoute",
"mse:UpdateOpenSergoStatusByClusterId",
"mse:UpdateResourceWhiteListConfig",
"mse:UpdateSentinelBlockFallbackDefinition",
"mse:UpdateWebFlowRule",
"mse:UpdateWebFlowRulesStatus",
"mse:UpdateWhiteScreenRule",
"mse:listGrayTag"
],
"Resource": "acs:mse:*:*:*"
}
]
}
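The list above exists so that a reviewer can check what a RAM user may do. An added example, not from this page or from Alibaba Cloud, that automates that review: it reports duplicate entries, entries with stray whitespace (an action name with a trailing space never matches a request) and entries outside the mse: prefix, then splits the remainder into read and write actions by the verb each name starts with, so that a read-only subset can be derived from the full list. The verb tables are an assumption drawn from the naming of the actions on this page, not an Alibaba Cloud classification; anything with an unrecognised verb is reported rather than guessed. SAMPLE_ACTIONS is a constructed excerpt of the list.

```python
"""Audit an MSE action list before turning it into a RAM policy.

Added example, not part of the MSE documentation. The verb tables are an
assumption based on the action names on this page; unknown verbs are reported,
not guessed. SAMPLE_ACTIONS is a constructed excerpt that deliberately
contains a duplicate, a trailing space and a non-MSE action.
"""
import re
from collections import Counter

# Verb prefixes (lower-cased) observed in the action names on this page.
READ_VERBS = ("get", "list", "query", "describe", "fetch", "check", "search")
WRITE_VERBS = ("add", "apply", "batch", "bind", "unbind", "clone", "create", "delete",
               "remove", "modify", "update", "install", "invoke", "open", "report",
               "revert", "tag", "generate")

SAMPLE_ACTIONS = [  # constructed excerpt of the full read/write list
    "mse:AddAuthPolicy", "mse:CreateNamespace", "mse:DeleteNamespace",
    "mse:GetApplicationList", "mse:GetEventDetail", "mse:GetEventDetail",
    "mse:GetOverview ", "mse:InvokeDubboTestMethod", "mse:ListNamespaces",
    "mse:listGrayTag", "mse:GenerateAgentLogSts", "mse:QueryNamespace",
    "mse:UpdateFlowRule", "mse:TagResources", "mse:CheckRole",
    "ram:ListUsers",
]

_ACTION = re.compile(r"^mse:([A-Za-z]+)$")


def lint_actions(actions) -> dict:
    """Entries a reviewer must fix before the policy is attached to anyone."""
    counts = Counter(actions)
    return {
        "whitespace": [a for a in actions if a != a.strip()],
        "duplicates": sorted(a for a, n in counts.items() if n > 1),
        "foreign_prefix": [a for a in actions if not a.startswith("mse:")],
    }


def classify(action: str) -> str:
    """'read', 'write' or 'unknown', judged by the verb the action name starts with."""
    m = _ACTION.match(action.strip())
    if not m:
        return "unknown"
    name = m.group(1).lower()          # handles the lower-case 'listGrayTag' too
    if name.startswith(WRITE_VERBS):   # write verbs first: Invoke*/Report*/Generate* mutate
        return "write"
    if name.startswith(READ_VERBS):
        return "read"
    return "unknown"


def split_read_write(actions) -> dict:
    """Deduplicated, whitespace-normalised read and write subsets plus leftovers to review."""
    buckets = {"read": [], "write": [], "unknown": []}
    for action in dict.fromkeys(a.strip() for a in actions):  # dedupe, keep order
        buckets[classify(action)].append(action)
    return buckets


if __name__ == "__main__":
    for problem, entries in lint_actions(SAMPLE_ACTIONS).items():
        print(f"{problem:15} {entries}")
    for bucket, entries in split_read_write(SAMPLE_ACTIONS).items():
        print(f"{bucket:8} ({len(entries):2}) {', '.join(entries)}")
```

The "read" bucket is the candidate for a read-only custom policy; the "write" bucket is what a tester or application owner should receive only on a scoped Resource, never on acs:mse:*:*:*. Treat Invoke*, Report* and GenerateAgentLogSts as write actions even though they do not create resources: they trigger RPC calls, push agent data, or issue a temporary credential.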