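Resource Access Management (RAM) is the Alibaba Cloud service for managing user identities and resource access permissions. With RAM, you avoid sharing your Alibaba Cloud account keys with other users, and you can grant each user only the minimum permissions they need. RAM uses policies to describe exactly what is authorized.
This topic describes the actions (Action), resources (Resource), and conditions (Condition) that OpenSearch defines for RAM policies. The RAM code (RamCode) of OpenSearch is opensearch, and the supported authorization granularity is service level.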
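General structure of a policy
Policies are written in JSON. The general structure is as follows:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
```
The fields are described as follows:
Effect: the effect of the policy. Valid values: Allow, Deny.
Action: the specific operations that are allowed or denied. For details, see Action.
Resource: the specific objects affected by the operation. You can use a resource ARN to describe a specific resource. For details, see Resource.
Condition: the conditions under which the authorization takes effect. This field is optional. For details, see Condition.
Condition_operator: the condition operator. Different types of conditions use different condition operators. For details, see Basic elements of a policy.
Condition_key: the condition key.
Condition_value: the value that corresponds to the condition key.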
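Action
The following table lists the actions defined by OpenSearch. You can use these actions in the Action element of a RAM policy statement to grant permission to perform the operation. The columns of the table are described below:
Action: the specific permission.
API: the API operation that corresponds to the action.
Access level: the access level of each action. Valid values: Write, Read, or List.
Resource type: the resource types that the action supports for authorization. Details:
Required resource types are marked with a leading asterisk (*).
For actions that do not support resource-level authorization, "All Resources" is shown.
Condition key: the condition keys defined by the cloud product itself. This column does not list the common condition keys that apply to every action.
Associated action: the other permissions required for the action to succeed. The operator must also hold the permissions for the associated actions for the action to succeed.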
| Action | API | Access level | Resource type | Condition key | Associated action |
| --- | --- | --- | --- | --- | --- |
| opensearch:UpdateApp | UpdateABTestGroup | update | *AbTestGroup | None | None |
| opensearch:DescribeFunction | ListFunctionResources | list | *FunctionResource | None | None |
| opensearch:ListApp | ListABTestFixedFlowDividers | none | *AbTestExperiment | None | None |
| opensearch:ListApp | DescribeApps | list | *App | None | None |
| opensearch:DescribeSortScript | ListSortScripts | list | *App | None | None |
| opensearch:BindEsInstance | BindEsInstance | none | *AppGroup | None | None |
| opensearch:DescribeSortScript | GetSortScript | get | *App | None | None |
| opensearch:ListDataCollections | ListDataCollections | get | *DataCollection | None | None |
| opensearch:WriteInterventionDictionary | CreateInterventionDictionary | create | *InterventionDictionary | None | None |
| opensearch:ListApp | ListABTestGroups | list | *AbTestGroup | None | None |
| opensearch:WriteSortScript | CompileSortScript | update | *App | None | None |
| opensearch:WriteUserAnalyzer | PushUserAnalyzerEntries | update | *Analyzer | None | None |
| opensearch:GetDomain | GetDomain | get | *All Resources | None | None |
| opensearch:DescribeAppStatistics | DescribeAppStatistics | get | *App | None | None |
| opensearch:WriteFunction | UpdateFunctionInstance | update | *FunctionInstance | None | None |
| opensearch:DescribeSearchStrategy | ListSearchStrategies | list | *SearchStrategy | None | None |
| opensearch:CreateApp | CreateApp | create | *App | None | None |
| opensearch:DeleteApp | DeleteABTestGroup | delete | *AbTestGroup | None | None |
| opensearch:WriteSortScript | DeleteSortScriptFile | update | *App | None | None |
| opensearch:ModifyAppGroup | ModifyAppGroupQuota | update | *AppGroup | None | None |
| opensearch:UnBindEsInstance | UnbindEsInstance | none | *AppGroup | None | None |
| opensearch:ListScheduledTask | ListScheduledTasks | list | *ScheduledTask | None | None |
| opensearch:ListApp | ListABTestScenes | list | *AbTestScene | None | None |
| opensearch:ValidateDataSources | ValidateDataSources | get | *All Resources | None | None |
| opensearch:DeleteUserAnalyzer | RemoveUserAnalyzer | delete | *Analyzer | None | None |
| opensearch:DescribeFunction | GetFunctionVersion | get | *FunctionInstance | None | None |
| opensearch:DescribeUserAnalyzer | DescribeUserAnalyzer | get | *Analyzer | None | None |
| opensearch:EnableSlowQuery | EnableSlowQuery | none | *AppGroup | None | None |
| opensearch:WriteFunction | DeleteFunctionInstance | delete | *FunctionInstance, *Instance | None | None |
| opensearch:CreateAppGroup | CreateAppGroup | create | *AppGroup | None | None |
| opensearch:ListSortExpression | ListSortExpressions | list | *FirstRank, *SecondRank | None | None |
| opensearch:UpdateApp | UpdateABTestScene | update | *AbTestScene | None | None |
| opensearch:ListFirstRank | ListFirstRanks | list | *FirstRank | None | None |
| opensearch:DescribeApp | DescribeABTestExperiment | get | *AbTestExperiment | None | None |
| opensearch:ListProceedings | ListProceedings | none | *AppGroup | None | None |
| opensearch:TagResources | TagResources | none | *AppGroup | None | None |
| opensearch:ListTagResources | ListTagResources | get | *AppGroup | None | None |
| opensearch:WriteSortScript | CreateSortScript | create | *App | None | None |
| opensearch:StartSlowQueryAnalyzer | StartSlowQueryAnalyzer | none | *AppGroup | None | None |
| opensearch:WriteQueryProcessor | CreateQueryProcessor | create | *QueryProcessor | None | None |
| opensearch:DisableSlowQuery | DisableSlowQuery | none | *AppGroup | None | None |
| opensearch:DescribeDataCollection | DescribeDataCollction | get | *DataCollection | None | None |
| opensearch:WriteFunction | CreateFunctionInstance | create | *FunctionInstance | None | None |
| opensearch:WriteSortScript | ReleaseSortScript | update | *App | None | None |
| opensearch:WriteFunction | DeleteFunctionResource | delete | *FunctionResource | None | None |
| opensearch:DescribeApp | DescribeApp | get | *App | None | None |
| opensearch:WriteFunction | UpdateFunctionResource | update | *FunctionResource | None | None |
| opensearch:WriteAppGroupCredential | CreateAppGroupCredentials | create | *AppGroupCredential | None | None |
| opensearch:DescribeFunction | GetFunctionTask | get | *FunctionTask | None | None |
| opensearch:UpdateApp | UpdateABTestFixedFlowDividers | update | *AbTestExperiment | None | None |
| opensearch:ListDataSourceTables | ListDataSourceTables | get | *All Resources | None | None |
| opensearch:CreateUserAnalyzer | CreateUserAnalyzer | create | *Analyzer | None | None |
| opensearch:DescribeApp | ListQuotaReviewTasks | none | *AppGroup | None | None |
| opensearch:DescribeFunction | GetFunctionResource | get | *FunctionResource | None | None |
| opensearch:WriteInterventionDictionary | PushInterventionDictionaryEntries | update | *InterventionDictionary | None | None |
| opensearch:DeleteApp | DeleteABTestExperiment | delete | *AbTestExperiment | None | None |
| opensearch:WriteFirstRank | RemoveFirstRank | delete | *FirstRank | None | None |
| opensearch:WriteFunction | UpdateFunctionDefaultInstance | update | *FunctionInstance | None | None |
| opensearch:WriteFunction | CreateFunctionTask | create | *FunctionTask | None | None |
| opensearch:DescribeSlowQueryStatus | DescribeSlowQueryStatus | none | *AppGroup | None | None |
| opensearch:DescribeFunction | ListFunctionInstances | get | *FunctionInstance | None | None |
| opensearch:RemoveAppGroup | RemoveAppGroup | delete | *AppGroup | None | None |
| opensearch:WriteSearchStrategy | CreateSearchStrategy | create | *SearchStrategy | None | None |
| opensearch:WriteFirstRank | ModifyFirstRank | update | *FirstRank | None | None |
| opensearch:CreateApp | CreateABTestExperiment | create | *AbTestExperiment | None | None |
| opensearch:DescribeFunction | ListFunctionTasks | get | *FunctionTask | None | None |
| opensearch:ListApp | ListABTestExperiments | list | *AbTestExperiment | None | None |
| opensearch:DeleteApp | DeleteABTestScene | delete | *AbTestScene | None | None |
| opensearch:UntagResources | UntagResources | none | *AppGroup | None | None |
| opensearch:DescribeInterventionDictionary | ListInterventionDictionaryNerResults | none | *InterventionDictionary | None | None |
| opensearch:ListQueryProcessor | ListQueryProcessors | list | *QueryProcessor | None | None |
| opensearch:DescribeAppGroup | DescribeAppGroup | get | *AppGroup | None | None |
| opensearch:WriteSummary | UpdateSummaries | update | *App | None | None |
| opensearch:ListUserAnalyzers | ListUserAnalyzers | list | *Analyzer | None | None |
| opensearch:CreateScheduledTask | CreateScheduledTask | create | *ScheduledTask | None | None |
| opensearch:DescribeApp | DescribeABTestScene | get | *AbTestScene | None | None |
| opensearch:ModifyAppGroup | UnbindESUserAnalyzer | none | *AppGroup | None | None |
| opensearch:DescribeQueryProcessor | ListQueryProcessorAnalyzerResults | none | *QueryProcessor | None | None |
| opensearch:DescribeSortScript | GetScriptFileNames | | *SortScript | None | None |
| opensearch:GenerateMergedTable | GenerateMergedTable | get | *All Resources | None | None |
| opensearch:WriteQueryProcessor | ModifyQueryProcessor | update | *QueryProcessor | None | None |
| opensearch:WriteSecondRank | RemoveSecondRank | delete | *SecondRank | None | None |
| opensearch:ListSecondRank | ListSecondRanks | list | *SecondRank | None | None |
| opensearch:WriteSortScript | DeleteSortScript | delete | *App | None | None |
| opensearch:ListDataSourceTableFields | ListDataSourceTableFields | get | *All Resources | None | None |
| opensearch:DescribeFirstRank | DescribeFirstRank | get | *FirstRank | None | None |
| opensearch:RemoveApp | RemoveApp | delete | *App | None | None |
| opensearch:WriteInterventionDictionary | RemoveInterventionDictionary | delete | *InterventionDictionary | None | None |
| opensearch:UpdateApp | UpdateABTestExperiment | update | *AbTestExperiment | None | None |
| opensearch:DescribeSearchStrategy | GetSearchStrategy | get | *SearchStrategy | None | None |
| opensearch:WriteSecondRank | CreateSecondRank | create | *SecondRank | None | None |
| opensearch:WriteSearchStrategy | UpdateSearchStrategy | update | *SearchStrategy | None | None |
| opensearch:WriteDataCollection | RemoveDataCollection | delete | *DataCollection | None | None |
| opensearch:DescribeUserAnalyzer | ListUserAnalyzerEntries | list | *Analyzer | None | None |
| opensearch:ListQueryProcessorNers | ListQueryProcessorNers | none | *QueryProcessor | None | None |
| opensearch:UpdateApp | ReplaceAppGroupCommodityCode | none | *AppGroup | None | None |
| opensearch:WriteFunction | CreateFunctionResource | | *FunctionResource | None | None |
| opensearch:WriteQueryProqcessor | RemoveQueryProcessor | delete | *QueryProcessor | None | None |
| opensearch:DescribeInterventionDictionary | ListInterventionDictionaryRelatedEntities | none | *InterventionDictionary | None | None |
| opensearch:DescribeFunction | GetFunctionDefaultInstance | get | *FunctionDefaultInstance | None | None |
| opensearch:DescribeQueryProcessor | DescribeQueryProcessor | | *QueryProcessor | None | None |
| opensearch:DescribeInterventionDictionary | DescribeInterventionDictionary | get | *InterventionDictionary | None | None |
| opensearch:WriteSortScript | SaveSortScriptFile | update | *App | None | None |
| opensearch:ListStatisticLogs | ListStatisticLogs | none | *AppGroup | None | None |
| opensearch:ListSlowQueryQueries | ListSlowQueryQueries | none | *AppGroup | None | None |
| opensearch:ModifyScheduledTask | ModifyScheduledTask | update | *ScheduledTask | None | None |
| opensearch:DescribeSortScript | GetSortScriptFile | get | *SortScript | None | None |
| opensearch:DescribeSecondRank | DescribeSecondRank | get | *SecondRank | None | None |
| opensearch:DescribeScheduledTask | DescribeScheduledTask | get | *ScheduledTask | None | None |
| opensearch:WriteSecondRank | ModifySecondRank | update | *SecondRank | None | None |
| opensearch:WriteSortScript | UpdateSortScript | update | *App | None | None |
| opensearch:WriteSearchStrategy | RemoveSearchStrategy | delete | *SearchStrategy | None | None |
| opensearch:CreateApp | CreateABTestScene | create | *ABTestScenes | None | None |
| opensearch:ListSlowQueryCategories | ListSlowQueryCategories | none | *AppGroup | None | None |
| opensearch:ModifyAppGroup | ModifyAppGroup | update | *AppGroup | None | None |
| opensearch:WriteFunction | DeleteFunctionTask | delete | *FunctionTask | None | None |
| opensearch:DescribeFunction | GetFunctionInstance | get | *FunctionInstance | None | None |
| opensearch:DescribeInterventionDictionary | ListInterventionDictionaryEntries | list | *InterventionDictionary | None | None |
| opensearch:DescribeFunction | GetFunctionCurrentVersion | get | *All Resources | None | None |
| opensearch:ListInterventionDictionaries | ListInterventionDictionaries | list | *InterventionDictionary | None | None |
| opensearch:ModifyAppGroup | BindESUserAnalyzer | none | *AppGroup | None | None |
| opensearch:CreateApp | CreateABTestGroup | create | *AbTestGroup | None | None |
| opensearch:ListStatisticReport | ListStatisticReport | none | *AppGroup | None | None |
| opensearch:DeleteApp | RemoveScheduledTask | delete | *ScheduledTask | None | None |
| opensearch:UpdateApp | RenewAppGroup | update | *AppGroup | None | None |
| opensearch:UpdateApp | UpdateFetchFields | update | *App | None | None |
| opensearch:ListAppGroup | ListAppGroups | list | *AppGroup | None | None |
| opensearch:DescribeApp | DescribeABTestGroup | get | *AbTestGroup | None | None |
| opensearch:WriteFirstRank | CreateFirstRank | create | *FirstRank | None | None |
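In the table above, a single RAM action often authorizes several APIs: opensearch:UpdateApp, for example, covers the A/B test update APIs as well as RenewAppGroup and ReplaceAppGroupCommodityCode. The following is an added example (not part of the original documentation) that expands a policy into the APIs it ends up allowing, so a reviewer can check a grant against least privilege. The names `ACTION_TO_APIS`, `SAMPLE_POLICY` and `effective_apis` are hypothetical, the mapping is a subset of the table rows, and the matching rules are simplifying assumptions stated in the comments.

```python
import fnmatch

# Rows copied from the Action table on this page: RAM action -> APIs it covers.
ACTION_TO_APIS = {
    "opensearch:UpdateApp": [
        "UpdateABTestGroup", "UpdateABTestScene", "UpdateABTestFixedFlowDividers",
        "UpdateABTestExperiment", "ReplaceAppGroupCommodityCode",
        "RenewAppGroup", "UpdateFetchFields"],
    "opensearch:DeleteApp": [
        "DeleteABTestGroup", "DeleteABTestExperiment", "DeleteABTestScene",
        "RemoveScheduledTask"],
    "opensearch:DescribeApp": [
        "DescribeABTestExperiment", "DescribeApp", "ListQuotaReviewTasks",
        "DescribeABTestScene", "DescribeABTestGroup"],
    "opensearch:RemoveApp": ["RemoveApp"],
}

# Constructed sample policy in the general structure shown on this page.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["opensearch:UpdateApp", "opensearch:De*App"]},
        {"Effect": "Deny", "Resource": "*", "Action": "opensearch:DeleteApp"},
    ],
}

# Assumptions: '*' wildcard matching on Action, an explicit Deny overrides any
# Allow, and Resource/Condition are ignored (every statement is treated as matching).
def effective_apis(policy, table=ACTION_TO_APIS):
    """Return {api: action} for every API the policy ends up allowing."""
    allowed, denied = {}, set()
    for stmt in policy.get("Statement", []):
        patterns = stmt["Action"]
        if isinstance(patterns, str):  # Action may be a string or a list
            patterns = [patterns]
        for pattern in patterns:
            for action, apis in table.items():
                if not fnmatch.fnmatchcase(action, pattern):
                    continue
                if stmt["Effect"] == "Deny":
                    denied.update(apis)
                else:
                    allowed.update({api: action for api in apis})
    return {api: act for api, act in allowed.items() if api not in denied}

if __name__ == "__main__":
    for api, action in sorted(effective_apis(SAMPLE_POLICY).items()):
        print(f"{api:32} via {action}")
```

For the sample policy, the wildcard `opensearch:De*App` matches both DeleteApp and DescribeApp; the explicit Deny then removes the four DeleteApp APIs and leaves twelve allowed APIs.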
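Resource
The following table lists the resources defined by OpenSearch. You can use these resources in the Resource element of a RAM policy statement to grant permission to perform specific operations on the resource. The resource ARN is the unique identifier of a resource on Alibaba Cloud. Details:
{#} marks a variable that you must replace with an actual value. For example, replace {#ramcode} with the actual RAM code of the cloud service. * means all. For example: when {#resourceType} is *, it means all resources; when {#regionId} is *, it means all regions; when {#accountId} is *, it means all Alibaba Cloud accounts.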
| Resource type | Resource ARN |
| --- | --- |
| AbTestGroup | |
| FunctionResource | |
| AbTestExperiment | |
| App | |
| AppGroup | |
| DataCollection | |
| InterventionDictionary | |
| Analyzer | |
| FunctionInstance | |
| SearchStrategy | |
| ScheduledTask | |
| AbTestScene | |
| Instance | |
| FirstRank | |
| SecondRank | |
| QueryProcessor | |
| AppGroupCredential | |
| FunctionTask | |
| SortScript | |
| FunctionDefaultInstance | |
| ABTestScenes | |
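Condition
OpenSearch does not define product-level condition keys. To view the common condition keys that apply to all cloud products, see Common condition keys.
Related operations
You can create custom policies and attach them to RAM users, RAM user groups, or RAM roles. The steps are as follows: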