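Custom policies help you implement fine-grained permission control and are an effective way to improve the security of resource access. If the system policies do not meet your requirements, you can create custom policies for ApsaraVideo VOD to grant least privilege.
Background information
If you are not familiar with custom policies, see Create a custom policy.
For the mapping between ApsaraVideo VOD API operations and the policy Action element, see Actions. Custom policies for ApsaraVideo VOD may also control OSS resources; see the Object Storage Service (OSS) API overview.
Common custom policy scenarios and examples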
Deny uploads of files whose object ACL is public-read to an OSS bucket
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": ["public-read-write", "public-read"]
        }
      }
    }
  ]
}
Allow only requesters whose source IP address is 192.168.XX.XX to access playback operations
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:GetPlayInfo",
        "vod:GetVideoPlayAuth",
        "vod:GetVideoPlayInfo",
        "vod:GetVideoInfo"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.XX.XX"
        }
      }
    }
  ]
}
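The following Python sketch is an added example, not part of the original page and not Alibaba Cloud code. It models how the two policies above are evaluated, assuming that an explicit Deny overrides any Allow, that no match means implicit deny, and that an absent condition key never matches; 192.168.0.10 and BROAD_ALLOW are constructed values, and the Action lists are shortened.

```python
import ipaddress

# Statements mirror two policies on this page. 192.168.0.10 is a constructed
# stand-in for the masked 192.168.XX.XX; BROAD_ALLOW is a constructed extra policy.
DENY_PUBLIC_ACL = {"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": ["oss:PostObject", "oss:PutObject", "oss:PutObjectAcl"],  # subset of the page's list
    "Resource": "*",
    "Condition": {"StringEquals": {
        "oss:x-oss-object-acl": ["public-read-write", "public-read"]}}}]}
ALLOW_PLAY_FROM_IP = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth"],  # subset of the page's list
    "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.10"}}}]}
BROAD_ALLOW = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["vod:GetPlayInfo", "oss:PutObject"], "Resource": "*"}]}


def condition_matches(condition, ctx):
    """All operators and keys must match; a list of values matches if any one does."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:  # assumption: an absent key never satisfies the condition
                return False
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                ok = any(addr in ipaddress.ip_network(w, strict=False) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, ctx):
    """Return ExplicitDeny, Allow or ImplicitDeny for one request (Resource is "*" throughout)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if action in stmt["Action"] and condition_matches(stmt.get("Condition", {}), ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

With BROAD_ALLOW attached as well, a playback request from another IP address is allowed, so the IP-conditioned Allow restricts access only when no other attached policy grants the same actions. In this model, an upload that carries no x-oss-object-acl value is not matched by the Deny statement.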
Grant permissions to use media review
Note
To keep the permissions complete, when new operations are added to the API group of the media review feature, update the Action list in the following example accordingly.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:SetAuditSecurityIp",
        "vod:ListAuditSecurityIp",
        "vod:CreateAudit",
        "vod:GetAuditHistory",
        "vod:SubmitAIMediaAuditJob",
        "vod:GetAIMediaAuditJob",
        "vod:GetMediaAuditResult",
        "vod:GetMediaAuditResultDetail",
        "vod:GetMediaAuditResultTimeline"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant permissions to use online editing
Note
To keep the permissions complete, when new operations are added to the API group of the media review feature, update the Action list in the following example accordingly.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:ProduceEditingProjectVideo",
        "vod:AddEditingProject",
        "vod:UpdateEditingProject",
        "vod:DeleteEditingProject",
        "vod:GetEditingProject",
        "vod:SearchEditingProject",
        "vod:SetEditingProjectMaterials",
        "vod:GetEditingProjectMaterials"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}