Syntax and logic
<p class="p">The custom access policy language is a JSON-based abstract description of permission control. The RAM authorization policy language can express fine-grained authorization semantics: a policy can grant permission for a specific API Action on a specific Resource ID.</p>
<p class="p">A permission control policy (Policy) consists of two parts: a version number (Version) and one or more statements (Statement). A statement (Statement) in turn contains four parts: one or more resources (Resource), actions (Action), an effect (Effect) and conditions (Condition). A statement defines whether the specified actions (Action) on the specified resources (Resource) are allowed or denied (Effect).</p>
<section class="section" id="Grammatical_logic__section_fhd_2bd_flb"><h2 class="doc-tairway">Resource</h2>
<p class="p">Resource is an abstraction of the service object entities that a cloud service provides. The global format is as follows:</p>
<pre class="pre codeblock"><code>pcs:{$ServiceType}:{$RegionId}:{$AccountId}:{$ResourceType}/{$ResourceIdentifier}</code></pre>
<table class="table" id="Grammatical_logic__table_thx_nyn_pwb"><caption></caption><colgroup><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="Grammatical_logic__table_thx_nyn_pwb__entry__1">
<p class="p">Item</p>
</th>
<th class="entry" id="Grammatical_logic__table_thx_nyn_pwb__entry__2">
<p class="p">Description</p>
</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">pcs</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Service identifier abbreviation: pcs (acronym of Pingan Cloud Service).</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">{$ServiceType}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Abbreviated English name of the specific service type, e.g. ram, ecs, igw, elb, vpc, vpn, obs.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">{$RegionId}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Region UUID, e.g. Region-SouthChina. Use * if the policy does not distinguish between regions.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">{$AccountId}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Account UUID (e.g. Tenant-h18HTXgEJ4); normally * is used here.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">{$ResourceType}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Resource type. One service type may contain several resource types, e.g. Instance.</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__1 ">
<p class="p">{$ResourceIdentifier}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_thx_nyn_pwb__entry__2 ">
<p class="p">Identifies a specific resource instance, usually by its resource UUID. Together with the resource type it identifies one instance of that type: e.g. instance/Instance-WiF4qB identifies the cloud host instance whose UUID is Instance-WiF4qB.</p>
</td>
</tr>
</tbody></table>
</section>
<section class="section" id="Grammatical_logic__section_qjf_hbd_flb"><h2 class="doc-tairway">Action</h2>
<p class="p">Action describes the operation the user performs. It can be a specific value (e.g. ListInstances), or it can use the wildcard * to denote a set of operations (e.g. List* denotes every action of the specified service whose name begins with List, including ListInstances, ListSecurityGroups and so on).</p>
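<p class="p">The following Python example, added here and not code from the original page or from the Pingan cloud SDK, shows how the six-field resource format from the Resource section and the * wildcard in Action names are matched in practice. It parses a pcs resource identifier into its fields and compares a policy pattern field by field, so that a * in the region field cannot swallow the account field; the resource and action strings used below are constructed from the identifiers on this page.</p>

```python
# Added example (not code from the original page or the Pingan cloud SDK):
# parse the pcs resource identifier format and match policy patterns.
import re
from dataclasses import dataclass

FIELDS = ("prefix", "service", "region", "account", "resource_type", "resource_id")


@dataclass(frozen=True)
class PcsResource:
    prefix: str          # always "pcs"
    service: str         # {$ServiceType}, e.g. "ecs"
    region: str          # {$RegionId}, e.g. "Region-SouthChina" or "*"
    account: str         # {$AccountId}, e.g. "Tenant-h18HTXgEJ4" or "*"
    resource_type: str   # {$ResourceType}, e.g. "instance"
    resource_id: str     # {$ResourceIdentifier}, e.g. "Instance-WiF4qB"


def parse_resource(s: str) -> PcsResource:
    """Split pcs:{Service}:{Region}:{Account}:{Type}/{Id} into its parts.

    Only the first four ':' are field separators, so an identifier that
    itself contains ':' survives; '/' separates type from identifier.
    """
    parts = s.split(":", 4)
    if len(parts) != 5 or parts[0] != "pcs" or "/" not in parts[4]:
        raise ValueError(f"malformed pcs resource: {s!r}")
    rtype, rid = parts[4].split("/", 1)
    return PcsResource(parts[0], parts[1], parts[2], parts[3], rtype, rid)


def wildcard_match(pattern: str, value: str) -> bool:
    """Only '*' is special; every other character is matched literally
    (re.escape keeps '?' or '[' inside an ID from becoming glob syntax)."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def resource_matches(pattern: str, resource: str) -> bool:
    """Field-by-field comparison: a '*' in the region field can never
    spill over and swallow the account field."""
    p, r = parse_resource(pattern), parse_resource(resource)
    return all(wildcard_match(getattr(p, f), getattr(r, f)) for f in FIELDS)


def action_matches(pattern: str, action: str) -> bool:
    """'List*' matches ListInstances, ListSecurityGroups, ... but not StartInstance."""
    return wildcard_match(pattern, action)


if __name__ == "__main__":
    target = "pcs:ecs:Region-SouthChina:Tenant-h18HTXgEJ4:instance/Instance-WiF4qB"
    print(parse_resource(target))
    print(resource_matches("pcs:ecs:*:*:instance/Instance-WiF4qB", target))  # True
    print(action_matches("List*", "ListInstances"))                           # True
```

<p class="p">Matching field by field, rather than applying one glob to the whole string, is the check that keeps a pattern such as pcs:ram:*:Tenant-h18HTXgEJ4:user/* from matching a user in a different account.</p>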
<table class="table" id="Grammatical_logic__table_e4f_xyn_pwb"><caption></caption><colgroup><col><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="Grammatical_logic__table_e4f_xyn_pwb__entry__1">
<p class="p">Action</p>
</th>
<th class="entry" id="Grammatical_logic__table_e4f_xyn_pwb__entry__2">
<p class="p">Resource</p>
</th>
<th class="entry" id="Grammatical_logic__table_e4f_xyn_pwb__entry__3">
<p class="p">Description</p>
</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__1 " rowspan="2">
<p class="p">AddUserToGroup</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__3 " rowspan="2">
<p class="p">Add a sub-user to a group</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:user/${LoginName}</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__1 ">
<p class="p">AdminResetPassword</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:user/*</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__3 ">
<p class="p">Reset a sub-account's password</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__1 " rowspan="2">
<p class="p">AttachPolicyToGroup</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:group/${GroupName}</p>
</td>
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__3 " rowspan="2">
<p class="p">Attach a policy to a group</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_e4f_xyn_pwb__entry__2 ">
<p class="p">pcs:ram:*:${AccountId}:policy/${PolicyName}</p>
</td>
</tr>
</tbody></table>
</section>
<section class="section" id="Grammatical_logic__section_chz_stk_flb"><h2 class="doc-tairway">Effect</h2>
<p class="p">Effect takes the value Allow or Deny: Allow permits the operation, Deny refuses it. If conflicting statements are encountered during authorization, Deny takes precedence: a request matched by a Deny statement is refused even if another statement allows it.</p>
<p class="p">The following example custom access policy allows the start and stop operations on the cloud host instances Instance-TrcJCCYtYW and Instance-fR8YYjTu90.</p>
<pre class="pre codeblock"><code>{
  "Statement": [
    {
      "Resource": [
        "pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
        "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"
      ],
      "Action": [
        "ecs:StartInstance",
        "ecs:StopInstance"
      ],
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}</code></pre>
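<p class="p">To see the Deny-takes-precedence rule in action, the Python example below, added here and not code from the original page or from the Pingan cloud SDK, evaluates requests against the policy above extended with a constructed Deny statement that forbids stopping Instance-fR8YYjTu90. The evaluator returns Deny as soon as a matching Deny statement is found, and treats a request that no statement matches as denied by default; that default-deny behaviour is an assumption of the example, not something the page states.</p>

```python
# Added example (not code from the original page or the Pingan cloud SDK):
# evaluate a request against a pcs policy, with Deny overriding Allow.
import json
from fnmatch import fnmatchcase

# The page's example policy, plus a constructed Deny statement (assumption,
# added only to demonstrate Deny precedence) for StopInstance on one instance.
POLICY_JSON = """
{
  "Statement": [
    {
      "Resource": [
        "pcs:ecs:*:*:instance/Instance-TrcJCCYtYW",
        "pcs:ecs:*:*:instance/Instance-fR8YYjTu90"
      ],
      "Action": ["ecs:StartInstance", "ecs:StopInstance"],
      "Effect": "Allow"
    },
    {
      "Resource": ["pcs:ecs:*:*:instance/Instance-fR8YYjTu90"],
      "Action": ["ecs:StopInstance"],
      "Effect": "Deny"
    }
  ],
  "Version": "1"
}
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # '*' is applied with fnmatch over the whole string; for this demo that
    # is enough, a production matcher should compare resource fields one by one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny'.

    Every statement whose Action and Resource both match contributes its
    Effect. One matching Deny wins over any number of matching Allows
    (the page's Deny-precedence rule); a request matched by no statement
    is denied by default (assumption of this example).
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        if stmt["Effect"] == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def decide(action: str, resource: str, policy_json: str = POLICY_JSON) -> str:
    return evaluate(json.loads(policy_json), action, resource)


if __name__ == "__main__":
    inst = "pcs:ecs:Region-SouthChina:Tenant-h18HTXgEJ4:instance/Instance-fR8YYjTu90"
    print(decide("ecs:StartInstance", inst))  # Allow
    print(decide("ecs:StopInstance", inst))   # Deny
```

<p class="p">Note that the action strings in the policy carry the service prefix (ecs:StartInstance), so a request must be matched with the same prefixed form.</p>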
</section>
<section class="section" id="Grammatical_logic__section_zw3_gzn_pwb"><h2 class="doc-tairway">Condition</h2><p class="p">Condition is an optional element of a policy that restricts the circumstances under which the authorization takes effect. A condition clause consists of a condition key, a condition type (operator) and one or more condition values. The currently supported conditions are as follows:</p><table class="table" id="Grammatical_logic__table_qq1_jzn_pwb"><caption></caption><colgroup><col><col></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="Grammatical_logic__table_qq1_jzn_pwb__entry__1">
<p class="p">Condition key</p>
</th>
<th class="entry" id="Grammatical_logic__table_qq1_jzn_pwb__entry__2">
<p class="p">Condition type (operator)</p>
</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__1 " rowspan="6">
<p class="p">pcs:CurrentTime (date type)</p>
</td>
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateEquals (date equals)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateNotEquals (date not equal)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateLessThanEquals (date less than or equal)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateLessThan (date less than)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateGreaterThanEquals (date greater than or equal)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">DateGreaterThan (date greater than)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__1 " rowspan="2">
<p class="p">pcs:sourceIp (IP type)</p>
</td>
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">IpAddress (source IP is within the given address or range)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">NotIpAddress (source IP is outside the given address or range)</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__1 ">
<p class="p">pcs:ResourceTag (tag type)</p>
</td>
<td class="entry" headers="Grammatical_logic__table_qq1_jzn_pwb__entry__2 ">
<p class="p">ResourceTagCheck (resource tag check)</p>
</td>
</tr>
</tbody></table><p class="p"><strong class="ph b">Example:</strong></p><pre class="pre codeblock" id="Grammatical_logic__codeblock_zsc_nzn_pwb"><code>"Condition": {
  "DateEquals": {
    "pcs:CurrentTime": "2019-05-21 17:40:00 +0800"
  }
}
</code></pre><p class="p">Because DateEquals compares the full timestamp, this condition holds only at that exact second; to authorize a time window, combine DateGreaterThanEquals and DateLessThan in the same block.</p><p class="p"><strong class="ph b">Logic:</strong></p><p class="p">A condition block (Condition Block) consists of one or more condition clauses. In general, within a single policy description, the logic between condition clauses and condition blocks is as follows:</p><img class="image" id="Grammatical_logic__image_jt2_tzn_pwb" src="https://obs-cn-shanghai.fincloud.pinganyun.com/pacloud/20232402143131-1a64cf5c99ed.png"><ul class="ul" id="Grammatical_logic__ul_kpy_tzn_pwb">
<li class="li">Within one condition clause, a general condition key may be given one or more values.<ul class="ul" id="Grammatical_logic__ul_lpy_tzn_pwb">
<li class="li">When the policy effect is Allow and the condition type is a positive type, the values are combined with OR: the condition is satisfied as soon as any one of the values matches.</li>
<li class="li">Note in particular: when the policy effect is Deny, or the condition type is a negated type (such as NotIpAddress or DateNotEquals), every value in the condition clause must be satisfied.</li>
</ul></li>
<li class="li">Within a condition block, the condition clauses are combined with AND: all of them must be satisfied for the condition to hold.</li>
</ul></section>
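<p class="p">The Python example below, added here and not code from the original page or from the Pingan cloud SDK, implements these combination rules as an evaluator for a Condition block: the date operators on pcs:CurrentTime and the IP operators on pcs:sourceIp from the table, OR across values for an Allow effect with a positive operator, AND across values for a Deny effect or a negated operator, and AND across clauses. ResourceTagCheck is left out because the page does not define its value format; an unknown operator or a missing context key makes the clause fail closed. The request contexts and the office-hours condition are constructed for the example; the DateEquals condition is the page's own.</p>

```python
# Added example (not code from the original page or the Pingan cloud SDK):
# evaluate a Condition block against a request context using the page's
# value-combination rules. Unknown operators and missing keys fail closed.
import ipaddress
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S %z"   # format of the page's example value


def _dt(s: str) -> datetime:
    return datetime.strptime(s, DATE_FMT)


def _ip_in(ctx: str, cidr: str) -> bool:
    return ipaddress.ip_address(ctx) in ipaddress.ip_network(cidr, strict=False)


# operator -> (test(context_value, condition_value), is_negated_type)
OPERATORS = {
    "DateEquals":            (lambda c, v: _dt(c) == _dt(v), False),
    "DateNotEquals":         (lambda c, v: _dt(c) != _dt(v), True),
    "DateLessThan":          (lambda c, v: _dt(c) < _dt(v), False),
    "DateLessThanEquals":    (lambda c, v: _dt(c) <= _dt(v), False),
    "DateGreaterThan":       (lambda c, v: _dt(c) > _dt(v), False),
    "DateGreaterThanEquals": (lambda c, v: _dt(c) >= _dt(v), False),
    "IpAddress":             (_ip_in, False),
    "NotIpAddress":          (lambda c, v: not _ip_in(c, v), True),
}


def clause_satisfied(op_name: str, effect: str, context_value, condition_values) -> bool:
    """One condition clause: one operator applied to one key.

    Page rule: Effect Allow with a positive operator ORs the listed values
    (one hit is enough); Effect Deny, or a negated operator such as
    NotIpAddress / DateNotEquals, requires every listed value to pass.
    """
    if op_name not in OPERATORS:
        return False                      # unknown operator: fail closed
    test, negated = OPERATORS[op_name]
    values = condition_values if isinstance(condition_values, list) else [condition_values]
    results = [test(context_value, v) for v in values]
    if effect == "Allow" and not negated:
        return any(results)
    return all(results)


def condition_satisfied(condition: dict, effect: str, context: dict) -> bool:
    """A Condition block holds only if every clause in it holds (AND)."""
    for op_name, keyed in condition.items():
        for key, values in keyed.items():
            if key not in context:
                return False              # key absent from request: fail closed
            if not clause_satisfied(op_name, effect, context[key], values):
                return False
    return True


# The page's own example: DateEquals holds only at that exact second.
PAGE_CONDITION = {"DateEquals": {"pcs:CurrentTime": "2019-05-21 17:40:00 +0800"}}

# Constructed condition (assumption, not from the page): a time window on one
# day, from either of two internal networks.
OFFICE_HOURS_CONDITION = {
    "DateGreaterThanEquals": {"pcs:CurrentTime": "2019-05-21 09:00:00 +0800"},
    "DateLessThan": {"pcs:CurrentTime": "2019-05-21 18:00:00 +0800"},
    "IpAddress": {"pcs:sourceIp": ["10.0.0.0/8", "192.168.1.0/24"]},
}

if __name__ == "__main__":
    # Constructed request context.
    ctx = {"pcs:CurrentTime": "2019-05-21 17:40:00 +0800", "pcs:sourceIp": "192.168.1.25"}
    print(condition_satisfied(PAGE_CONDITION, "Allow", ctx))          # True
    print(condition_satisfied(OFFICE_HOURS_CONDITION, "Allow", ctx))  # True
```

<p class="p">The consequence of the Deny rule is worth checking before shipping a policy: a Deny statement whose IpAddress clause lists two ranges only fires for a source address that lies in both of them, whereas the same clause under Allow fires for an address in either.</p>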