文档

使用Project Policy管理日志服务资源访问权限

更新时间:

Project Policy是日志服务推出的针对Project的授权策略,您可以通过Project Policy授权其他用户访问您指定的日志服务资源。

使用前须知

  • 通过策略语法的方式配置Project Policy前,您需要先了解Action、Resource以及Condition分类信息。更多信息,请参见资源列表动作列表鉴权规则

  • 配置Project Policy时,如果授权用户选择了匿名账号(*),且不包含Condition的情况下,则Project Policy仅对Project Owner以外的所有用户生效。如果授权用户选择了匿名账号(*),且包含Condition的情况下,则Project Policy会对包含Project Owner在内的所有用户生效。

  • 您可以添加多条Project Policy,但所有Project Policy的大小不允许超过16 KB。

使用示例

  • 示例一:仅允许指定VPC ID的用户访问某个Project资源。

    下述权限策略表示仅允许来自VPC ID为t4nlw426y44rd3iq4****的请求访问名为example-project的Project 。

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "log:*"
                ],
                "Principal": [
                    "*"
                ],
                "Resource": "acs:log:*:*:project/example-project/*",
                "Condition": {
                    "StringNotEquals": {
                        "acs:SourceVpc": [
                            "vpc-t4nlw426y44rd3iq4****"
                        ]
                    }
                }
            }
        ]
    }
  • 示例二:拒绝通过公网写入日志到Project。

    下述权限策略表示拒绝使用公网写入日志到名为exampleproject的Project。

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "log:PostLogStoreLogs"
                ],
                "Principal": [
                    "*"
                ],
                "Resource": "acs:log:*:*:project/exampleproject/*",
                "Condition": {
                    "StringNotEquals": {
                        "acs:SourceVpc": [
                            "vpc-*"
                        ]
                    }
                }
            }
        ]
    }
  • 示例三:限制访问来源IP地址。

    下述权限策略表示只能通过192.168.0.0/16和172.16.215.218这两个IP地址访问名为exampleproject的Project。

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Deny",
                "Action":[
                    "*"
                ],
                "Principal":[
                    "*"
                ],
                "Resource":"acs:log:*:*:project/exampleproject/*",
                "Condition":{
                    "NotIpAddress":{
                        "acs:SourceIp":[
                            "192.168.0.0/16",
                            "172.16.215.218"
                        ]
                    }
                }
            }
        ]
    }

使用Java SDK操作Project Policy

  • 使用Java SDK创建、删除、获取创建的Project Policy。示例如下:

    public class ProjectPolicyDemo {
        // 本示例从环境变量中获取AccessKey ID和AccessKey Secret
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        static String endPoint = "your-endpoint";
        static String projectName = "your-project";
        // Policy内容。
        static String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:Post*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Effect\":\"Deny\"}]}";
        static Client client = new Client(endPoint, accessKeyId, accessKey);
    
        public static void main(String[] args) throws LogException {
            client.CreateProject(projectName, "");
            client.setProjectPolicy(projectName, policyText);
            client.getProjectPolicy(projectName);
            Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
            client.deleteProjectPolicy(projectName);
            Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
            client.DeleteProject(projectName);
        }
    }
  • 限制公网访问。示例如下:

    public class ProjectPolicyDemo {
        // 本示例从环境变量中获取AccessKey ID和AccessKey Secret
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        static String endPoint = "your-endpoint";
        static String projectName = "your-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);
    
        public static void main(String[] args) throws LogException {
            client.CreateProject(projectName, "");
            try {
                client.GetProject(projectName);
            } catch (LogException e) {
                Assert.fail("should not fail : " + e.GetErrorCode());
            }
            String policyText = "{  \"Version\": \"1\",\n" +
                    "   \"Statement\": [{" +
                    "   \"Action\": [\"log:*\"]," +
                    "   \"Resource\": \"*\",\n" +
                    "   \"Condition\": {\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}}," +
                    "   \"Effect\": \"Deny\"}] }";
            client.setProjectPolicy(projectName, policyText);
            try {
                client.GetProject(projectName);
                Assert.fail("should fail");
            } catch (LogException e) {
                Assert.assertEquals("Unauthorized", e.getErrorCode());
            }
        }
    }