SAE integrates MSE services, including the governance center, the registration and configuration center, and the cloud-native gateway. When a RAM user calls MSE services through SAE, that RAM user must first be granted permissions on the MSE features involved. This topic describes the permissions a RAM user needs to call MSE services from SAE.
Steps to grant permissions to a RAM user
Step 1: Create a custom policy
Step 2: Grant the custom policy to the RAM user
In the left-side navigation pane, go to the RAM user list, then click the logon name of the target user. Click the Permissions tab, and on the Individual Permissions tab click Add Permissions.
On the Add Permissions panel, configure the following parameters, then click OK.
Resource Scope: select Account.
Principal: the target RAM user.
Policy: select Custom Policy, then select the target policy.
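The two console steps above (create the custom policy, grant it to the RAM user) can also be done through the RAM API. The script below is an added example, not SAE or MSE documentation code; it calls the RAM API actions CreatePolicy and AttachPolicyToUser through the alibabacloud_ram20150501 V2 Python SDK and validates the policy document before sending it. Assumptions: the SDK is installed and its request field names are as shown, ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET belong to an identity allowed to manage RAM policies, and the RAM user name, policy name and policy file path are supplied on the command line.

```python
"""Create a custom policy and attach it to a RAM user through the RAM API.

Added example, not SAE or MSE documentation code.  It performs the two console
steps above with the RAM API actions CreatePolicy and AttachPolicyToUser.
Assumptions: the alibabacloud_ram20150501 (V2) Python SDK is installed, the
request field names match that SDK, and ALIBABA_CLOUD_ACCESS_KEY_ID /
ALIBABA_CLOUD_ACCESS_KEY_SECRET belong to an identity allowed to manage RAM
policies.  User name, policy name and policy file come from the command line.
"""
import json
import os
import sys
from typing import Any, Dict, List

REQUIRED_STATEMENT_KEYS = ("Effect", "Action", "Resource")


def policy_errors(policy: Dict[str, Any]) -> List[str]:
    """Shape checks on a RAM policy document before it is sent to CreatePolicy.

    Catches the usual copy/paste mistakes: an AWS-style Version string, an
    empty Statement list, or a statement missing Effect/Action/Resource.
    """
    errors: List[str] = []
    if policy.get("Version") != "1":
        errors.append("Version must be the string '1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for key in REQUIRED_STATEMENT_KEYS:
            if key not in stmt:
                errors.append(f"statement {i}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
    return errors


def policy_document(policy: Dict[str, Any]) -> str:
    """Return the compact JSON string RAM expects in PolicyDocument, or raise."""
    errors = policy_errors(policy)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(policy, separators=(",", ":"))


def grant_custom_policy(user_name: str, policy_name: str, policy: Dict[str, Any]) -> None:
    """CreatePolicy followed by AttachPolicyToUser: the API form of the console steps."""
    # Imported here so the validation helpers work without the SDK installed.
    from alibabacloud_ram20150501 import models as ram_models
    from alibabacloud_ram20150501.client import Client as RamClient
    from alibabacloud_tea_openapi import models as openapi_models

    config = openapi_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
        endpoint="ram.aliyuncs.com",
    )
    client = RamClient(config)
    client.create_policy(ram_models.CreatePolicyRequest(
        policy_name=policy_name,
        policy_document=policy_document(policy),
        description="SAE access to MSE resources",
    ))
    # PolicyType must be "Custom"; "System" would look up a built-in policy instead.
    client.attach_policy_to_user(ram_models.AttachPolicyToUserRequest(
        policy_type="Custom",
        policy_name=policy_name,
        user_name=user_name,
    ))


if __name__ == "__main__":
    # usage: python grant_mse_policy.py <ram-user-name> <policy-name> <policy.json>
    # policy.json holds one of the policy documents from this topic.
    if len(sys.argv) != 4:
        sys.exit(__doc__)
    with open(sys.argv[3], encoding="utf-8") as fh:
        doc = json.load(fh)
    grant_custom_policy(sys.argv[1], sys.argv[2], doc)
    print(f"attached custom policy {sys.argv[2]} to RAM user {sys.argv[1]}")
```

Save one of the policy documents from this topic to a file, then run the script with the target RAM user name and a policy name of your choice. Because the identity running the script can create and attach arbitrary policies, run it from a privileged administration identity, not from the RAM user being granted access.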
Custom policies for MSE
There are three scenarios for using MSE from SAE, and each requires different permissions.
Note
This topic covers the permissions a RAM user needs to call existing MSE resources from SAE.
Scenario 1: permissions required to call an MSE Nacos instance
Note
This scenario uses the instance mse-cn-71j48jjx503 as an example. mse-cn-71j48jjx503 is the InstanceId, not the ClusterId. Replace it with the InstanceId of your own instance.
Grant the RAM user read/write permissions on the MSE Nacos instance
{
"Statement": [
{
"Action": "mse:ListClusters",
"Resource": "acs:mse:*:*:*",
"Effect": "Allow"
},
{
"Action": "mse:*",
"Resource": "acs:mse:*:*:instance/mse-cn-71j48jjx503",
"Effect": "Allow"
}
],
"Version": "1"
}
Grant the RAM user read-only permissions on MSE Nacos instances. Note that this policy applies to all MSE resources in the account (Resource acs:mse:*:*:*), not only the instance above; narrow the Resource element if the user should only read one instance.
{
"Statement": [
{
"Action": [
"mse:List*",
"mse:Query*",
"mse:Get*"
],
"Resource": "acs:mse:*:*:*",
"Effect": "Allow"
}
],
"Version": "1"
}
Scenario 2: permissions required to use microservice governance and end-to-end canary release
When a RAM user uses the MSE microservice governance and end-to-end canary release features integrated in SAE, the RAM user must be granted read/write permissions at the MSE namespace level.
Important
SAE integrates MSE Professional Edition and MSE Enterprise Edition. When you activate a given MSE edition in the SAE console, MSE automatically creates the namespace for that edition: the namespace for Professional Edition is sae-pro, and the namespace for Enterprise Edition is sae-ent.
Grant the RAM user read/write permissions on the namespace that matches the activated edition. The following example grants read/write permissions on the sae-ent namespace; for Professional Edition, replace sae-ent with sae-pro in both Resource elements.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "mse:*",
"Resource": "acs:mse:*:*:namespace/sae-ent/application/*"
},
{
"Effect": "Allow",
"Action": [
"mse:QueryNamespace",
"mse:QueryAppSummaryMetricsOverview",
"mse:GetApplicationListWithMetircs",
"mse:ListNamespaces",
"mse:GetEventFilterOptions",
"mse:ListEventRecords",
"mse:GetEventDetail",
"mse:FetchLogConfig",
"mse:QueryBusinessLocations",
"mse:GetApplicationInstanceList",
"mse:listGrayTag",
"mse:QueryServiceDetailWithMetrics",
"mse:ListEventsPage",
"mse:ListEventsByType",
"mse:GetApplicationTagList",
"mse:QueryAllSwimmingLaneGroup",
"mse:QueryAllSwimmingLane",
"mse:ListAppBySwimmingLaneGroupTags",
"mse:ListAppBySwimmingLaneGroupTag",
"mse:QuerySwimmingLaneById",
"mse:GetTagsBySwimmingLaneGroupId",
"mse:ListSwimmingLaneGateway",
"mse:ListSwimmingLaneGatewayRoute",
"mse:ListAuthPolicy",
"mse:GetServiceList",
"mse:GetServiceListPage"
],
"Resource": "acs:mse:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"mse:GetApplicationList",
"mse:CreateOrUpdateSwimmingLaneGroup",
"mse:CreateOrUpdateSwimmingLane",
"mse:DeleteSwimmingLaneGroup",
"mse:DeleteSwimmingLane"
],
"Resource": "acs:mse:*:*:namespace/sae-ent"
}
]
}
Scenario 3: permissions required to call an MSE cloud-native gateway
Note
This scenario uses granting read/write and read-only permissions on the gateway instance gw-8090caa2a3ab447a8bc5fdf3******** as the example. Replace it with the ID of your own gateway instance.
Grant the RAM user read/write permissions on an MSE cloud-native gateway instance
{
"Version": "1",
"Statement": [
{
"Action": [
"mse:*"
],
"Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
"Effect": "Allow"
},
{
"Action": [
"mse:QueryDefaultAlertStatus",
"mse:CreateDefaultAlert",
"mse:ListGatewayZone",
"mse:ListUpgradableGatewayVersions",
"mse:ListEventRecords",
"mse:GetEventFilterOptions",
"mse:GetEventDetail",
"mse:GetGatewaySelection",
"mse:GetGatewayAlarms",
"mse:GetGatewayMigrateNamespacedServices",
"mse:GetPluginGuide",
"mse:GetRegExpCheck",
"mse:GetRegExpTest",
"mse:CheckPluginLua",
"mse:*TagResources",
"mse:*CustomPlugin",
"mse:*GatewayIngressMigrateTask*"
],
"Resource": "acs:mse:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"log:DescribeService",
"log:ListProject",
"log:GetProductDataCollection",
"log:OpenProductDataCollection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:SearchContactGroup"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
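The policies in scenarios 1 to 3 pin most actions to one instance or namespace but still grant some actions on account-wide resources. The added example below (not SAE or MSE product code) rebuilds the scenario 1 read/write policy with the InstanceId as a parameter (the same substitution applies to the sae-pro / sae-ent namespace in scenario 2 and to the gateway instance in scenario 3) and then audits a policy for non-read-only actions granted on account-wide resources, using the scenario 3 gateway policy copied from this topic as input. The list of read-only verb prefixes and the notion of a "broad" resource are this example's own heuristics, not RAM semantics.

```python
"""Least-privilege review of the MSE policies in scenarios 1 to 3.

Added example; not SAE or MSE product code.  Rebuilds the scenario 1
read/write policy with the InstanceId as a parameter and audits a policy for
write actions granted on account-wide resources.  The read-only verb prefixes
and the BROAD_RESOURCES patterns are this example's own assumptions.
"""
import json
from typing import Any, Dict, List

# Assumption: MSE/SLS/ARMS API names are verb-first and these verbs never change state.
READ_ONLY_VERBS = ("list", "query", "get", "describe", "fetch", "check", "search")
# Resource patterns that cover every resource of the service in the account.
BROAD_RESOURCES = ("*", "acs:mse:*:*:*")


def nacos_readwrite_policy(instance_id: str) -> Dict[str, Any]:
    """Scenario 1 read/write policy, scoped to one Nacos InstanceId (not ClusterId)."""
    return {
        "Version": "1",
        "Statement": [
            # Listing instances needs the account-wide resource; it is read-only.
            {"Effect": "Allow", "Action": "mse:ListClusters", "Resource": "acs:mse:*:*:*"},
            # Everything else is confined to this one instance.
            {"Effect": "Allow", "Action": "mse:*",
             "Resource": f"acs:mse:*:*:instance/{instance_id}"},
        ],
    }


# Scenario 3 read/write policy as given on this page (gateway ID elided as on the page).
GATEWAY_RW_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["mse:*"],
   "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********"},
  {"Effect": "Allow", "Resource": "acs:mse:*:*:*", "Action": [
    "mse:QueryDefaultAlertStatus", "mse:CreateDefaultAlert", "mse:ListGatewayZone",
    "mse:ListUpgradableGatewayVersions", "mse:ListEventRecords", "mse:GetEventFilterOptions",
    "mse:GetEventDetail", "mse:GetGatewaySelection", "mse:GetGatewayAlarms",
    "mse:GetGatewayMigrateNamespacedServices", "mse:GetPluginGuide", "mse:GetRegExpCheck",
    "mse:GetRegExpTest", "mse:CheckPluginLua", "mse:*TagResources", "mse:*CustomPlugin",
    "mse:*GatewayIngressMigrateTask*"]},
  {"Effect": "Allow", "Resource": "*", "Action": ["log:DescribeService", "log:ListProject",
    "log:GetProductDataCollection", "log:OpenProductDataCollection"]},
  {"Effect": "Allow", "Resource": "*", "Action": ["arms:SearchContactGroup"]}
]}
""")


def _as_list(value: Any) -> List[str]:
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """'mse:ListClusters' -> True; 'mse:*', 'mse:*CustomPlugin', 'log:Open...' -> False."""
    verb = action.split(":", 1)[1].lower()
    return verb.startswith(READ_ONLY_VERBS)


def broad_write_grants(policy: Dict[str, Any]) -> List[str]:
    """Return 'action@resource' for each Allow of a non-read-only action on a
    resource that is not pinned to one instance or namespace."""
    findings: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            if resource not in BROAD_RESOURCES:
                continue
            findings += [f"{action}@{resource}" for action in _as_list(stmt["Action"])
                         if not is_read_only(action)]
    return findings


if __name__ == "__main__":
    print(json.dumps(nacos_readwrite_policy("mse-cn-71j48jjx503"), indent=2))
    print("account-wide write grants in the scenario 3 gateway policy:")
    for finding in broad_write_grants(GATEWAY_RW_POLICY):
        print("  ", finding)
```

Run against the scenario 1 read/write policy the audit reports nothing: the only account-wide grant is mse:ListClusters. Run against the scenario 3 gateway policy it reports mse:CreateDefaultAlert, mse:*TagResources, mse:*CustomPlugin and mse:*GatewayIngressMigrateTask* on acs:mse:*:*:*, and log:OpenProductDataCollection on *. Those grants are what the page's policy says; if tagging or custom-plugin changes on other gateways in the account are not intended for this user, move those actions into the instance-scoped statement and confirm in the console that the gateway pages still work.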