Syntax of Fine-Grained Permissions Policies¶
In actual services, you may need to grant different operation permissions on resources to users of different roles. The IAM service provides fine-grained access control. An IAM administrator (a user in the admin group) can create a custom policy containing required permissions. After a policy is granted to a user group, users in the group can obtain all permissions defined by the policy. In this way, IAM implements fine-grained permission management.
To control the GaussDB(DWS) operations on resources more precisely, you can use the user management function of IAM to grant different operation permissions to users of different roles for fine-grained permission control.
Policy Structure¶
A fine-grained policy consists of a Version and a Statement. Each policy can have multiple statements.
Figure 1 Policy structure¶
Policy Syntax¶
In the navigation pane on the IAM console, click Policies and then click the name of a policy to view its details. The DWS ReadOnlyAccess policy is used as an example to describe the syntax of fine-grained policies.
Figure 2 Setting the policy¶
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dws:*:get*",
"dws:*:list*",
"ecs:*:get*",
"ecs:*:list*",
"vpc:*:get*",
"vpc:*:list*",
"evs:*:get*",
"evs:*:list*",
"mrs:*:get*",
"bss:*:list*",
"bss:*:get*"
]
}
]
}
Version: Distinguishes between role-based access control (RBAC) and fine-grained policies.
1.0: RBAC policies. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service.
1.1: Fine-grained policies. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control than RBAC policies. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system and custom policies.
Statement: Permissions defined by a policy, including Effect and Action.
Effect
The valid values for Effect are Allow and Deny. System policies contain only Allow statements. For custom policies containing both Allow and Deny statements, the Deny statements take precedence.
Action
Permissions in the format of Service name:Resource type:Operation. A policy can contain one or more permissions. The wildcard (
*) is allowed to indicate all of the services, resource types, or operations depending on its location in the action.Example: dws:cluster:create, permissions for create data warehouse clusters.
List of Supported Actions¶
When creating a custom policy on IAM, you can add the operations on GaussDB(DWS) resources or the permissions corresponding to RESTful APIs to the action list of the policy authorization statement so that the policy contains the operation permissions. The following table lists the GaussDB(DWS) permissions.
REST API
For details about RESTful API actions supported by GaussDB(DWS), see .
Management console operations
Table 1 describes the GaussDB(DWS) operations on resources and corresponding permissions.
Note
Some GaussDB(DWS) permissions depend on the actions of ECS, VPC, EVS, ELB, MRS, and OBS. Grant GaussDB(DWS) the required service admin permissions.
Operation | Permission | Dependent Permission | Scope |
|---|---|---|---|
Creating a cluster | "dws:cluster:create" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "vpc:securityGroupRules:delete", "vpc:ports:update", "evs: "evs: "evs: |
|
Obtaining the cluster list | "dws:cluster:list" | -- |
|
Obtaining the details of a cluster | "dws:cluster:getDetail" | "dws: "dws: "vpc:vpcs:list", "vpc:securityGroups:get" |
|
Setting automated snapshot policy | "dws:cluster:setAutomatedSnapshot" | "dws:backupPolicy:list" |
|
Setting security parameters/parameter groups | "dws:cluster:setSecuritySettings" | "dws: "dws: |
|
Restarting a Cluster | "dws:cluster:restart" | "dws: "dws: |
|
Scaling out clusters | "dws:cluster:scaleOut" | "dws: "dws: "dws:cluster:scaleOutOrOpenAPIResize", "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Scaling out or resizing a cluster via API | "dws:cluster:scaleOutOrOpenAPIResize" | "dws: "dws: "vpc:vpcs:list", "vpc:ports:create", "vpc:ports:get", "vpc:ports:update", "vpc:subnets:get", "vpc:subnets:update", "vpc:subnets:create", "vpc:routers:get", "vpc:routers:update", "vpc:networks:create", "vpc:networks:get", "vpc:networks:update", "ecs:serverInterfaces:use", "ecs:serverInterfaces:get", "ecs:cloudServerFlavors:get" |
|
Resetting Your Password | "dws:cluster:resetPassword" | "dws: "dws: |
|
Deleting a cluster | "dws:cluster:delete" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Configuring maintenance windows | "dws:cluster:setMaintainceWindow" | "dws: "dws: |
|
Binding EIPs | "dws:eip:operate" | "dws: "dws: "eip: "eip: |
|
Unbinding EIPs | "dws:eip:operate" | "dws: "dws: "eip: "eip: |
|
Creating MRS connections | "dws:MRSConnection:create" | "dws: "dws: "mrs: "mrs: "mrs:cluster:create", "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Updating MRS connections | "dws:MRSConnection:update" | "dws: "dws: "mrs: "mrs: "mrs:cluster:create", "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Deleting MRS connections | "dws:MRSConnection:delete" | "dws: "dws: "mrs: "mrs: "mrs:cluster:create" "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
MRS data source list | "dws:MRSSource:list" | "mrs:cluster:list", "mrs:tag:listResource", "mrs:tag:list", "dws: "dws: |
|
Adding/Deleting tags | "dws:tag:addAndDelete" | "dws: "dws: "dws:openAPITag:update", "dws:openAPITag:getResourceTag", |
|
Editing tags | "dws:tag:edit" | "dws: "dws: "dws:openAPITag:update", "dws:openAPITag:getResourceTag", |
|
Creating a snapshot | "dws:snapshot:create" | "dws: "dws: |
|
Obtaining the snapshot list | "dws:snapshot:list" | -- |
|
Viewing the snapshot list of a cluster | "dws:clusterSnapshot:list" | "dws:cluster:list", "dws:openAPICluster:getDetail" |
|
Deleting snapshots | "dws:snapshot:delete" | "dws:snapshot:list" |
|
Copying snapshots | "dws:snapshot:copy" | "dws:snapshot:list", "dws:snapshot:create" |
|
Restoring data to a new cluster | "dws:cluster:restore" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Resizing a cluster | "dws:cluster:resize" | "dws: "dws: "ecs: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "vpc: "evs: "evs: "evs: "evs: |
|
Switchback | "dws:cluster:switchover" | "dws: "dws: |
|
Querying the ELB list | "dws:elb:list" | "dws: "dws: "elb: "elb: |
|
Associating ELB | "dws:elb:bind" | "dws: "dws: "ecs: "ecs: "vpc: "vpc: "evs: "evs: "elb: "elb: "elb: "elb: |
|
Disassociating ELB | "dws:elb:unbind" | "dws: "dws: "ecs: "ecs: "vpc: "vpc: "evs: "evs: "elb: "elb: "elb: |
|
Querying snapshot configurations | "dws:snapshotConfig:list" | "dws: "dws: |
|
Updating a snapshot policy | "dws:backupPolicyDetail:update" | "dws: "dws: |
|
Deleting a snapshot policy | "dws:backupPolicy:delete" | "dws: "dws: |
|
Querying a snapshot policy | "dws:backupPolicy:list" | "dws:cluster:list" |
|
Querying cluster encryption information | "dws:clusterEncryptInfo:list" | "dws: "dws: "KMS Administrator" |
|
Creating an agent | "dws:createAgency:create" | "dws: "dws: "security administrator" |
|
Querying OBS bucket information | "dws:queryBuckets:list" | "dws: "dws: |
|
Adding a node | "dws:expandWithExistedNodes:update" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Deleting a DR backup | "dws:disasterRecovery:delete" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Creating a DR backup | "dws:disasterRecovery:create" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Other DR and backup operations | "dws:disasterRecovery:otherOperate" | "dws: "dws: "ecs: "ecs: "ecs: "vpc: "vpc: "vpc: "evs: "evs: "evs: |
|
Querying DR and backup operations | "dws:disasterRecovery:get" | "dws: "dws: "ecs: "ecs: "vpc: "vpc: "evs: "evs: |
|
Adding a CN | "dws:module:install" | "dws: "dws: |
|
Deleting a CN | "dws:module:uninstall" | "dws: "dws: |
|
Removing nodes | "dws:clusterNodes:operate" | "dws: "dws: |
|
Updating the node alias | dws:instanceAliasName:update | dws:cluster:list |
|
Redistributing data | "dws:redistribution:operate" | "dws: "dws: |
|
Querying redistribution | "dws:redistributionInfo:list" | "dws: "dws: |
|
Stopping redistribution | "dws:redistribution:suspend" | "dws: "dws: |
|
Resuming redistribution | "dws:redistribution:recover" | "dws: "dws: |
|
Querying product specifications | "dws:specProduct:list" | "dws: "dws: "ecs: "ecs: |
|
Binding the management plane IP address | "dws:bindManageIp:operate" | "dws: "dws: |
|
Obtaining user authorization | "dws:checkAuthorize:operate" | "dws: "dws: "dws:checkSupport:operate" |
|
Authorizing a user | "dws:authorize:operate" | "dws: "dws: "dws:checkSupport:operate" |
|
Querying user databases | "dws:userDatabase:list" | "dws: "dws: "dws:checkSupport:operate" |
|
Querying user schemas | "dws:schemas:list" | "dws: "dws: "dws:checkSupport:operate" |
|
Querying user tables | "dws:tables:list" | "dws: "dws: |
|
Restoring tables | "dws:tableRestore:operate" | "dws: "dws: |
|
Checking the name of the table to be restored | "dws:tableRestoreCheck:operate" | "dws: "dws: |
|
Checking whether a cluster supports fine-grained backup | "dws:checkSupport:operate" | "dws: "dws: |
|
Querying the list of flavors that can be changed | "dws:supportFlavors:list" | "dws: "dws: |
|
Changing the node flavor | "dws:specResize:operate" | "dws: "dws: "ecs: "ecs: "ecs: |
|
Stopping snapshot creation | "dws:snapshot:stop" | "dws:snapshot:list" |
|
Terminating a session | "dws:dmsSession:terminate" | "dws:dmsGrpcOuter:operation" |
|
Workload report operations | "dws:dmsWorkloadDiagnosisReport:create" | "dws:dmsGrpcOuter:operation" |
|
Modifying an alarm rule | "dws:dmsAlarmRule:update" | "dws:dmsQuery:list" |
|
Enabling an alarm rule | "dws:dmsAlarmRule:enable" | "dws:dmsQuery:list" |
|
Enabling a cluster alarm | "dws:dmsClusterAlarm:enable" | "dws:dmsQuery:list" |
|
Disabling a cluster alarm | "dws:dmsClusterAlarm:disable" | "dws:dmsQuery:list" |
|
gRPC external service | "dws:dmsGrpcOuter:operation" | "dws:dmsQuery:list", "dws:cluster:setSecuritySettings", "obs:bucket:ListAllMyBuckets" |
|
Adding a SQL probe | "dws:dmsProbe:add" | "dws:dmsGrpcOuter:operation" |
|
Modifying a SQL probe | "dws:dmsProbe:update" | "dws:dmsGrpcOuter:operation" |
|
Deleting a SQL probe | "dws:dmsProbe:delete" | "dws:dmsGrpcOuter:operation" |
|
Enabling or disabling a SQL probe | "dws:dmsProbe:enable" | "dws:dmsGrpcOuter:operation" |
|
Creating a User panel | "dws:dmsUserBoard:create" | "dws:dmsQuery:list" |
|
Modifying a user panel | "dws:dmsUserBoard:update" | "dws:dmsQuery:list" |
|
Deleting a user panel | "dws:dmsUserBoard:delete" | "dws:dmsQuery:list" |
|
Terminating a query | "dws:dmsQuery:terminate" | "dws:dmsGrpcOuter:operation" |
|
Enabling or disabling DMS | "dws:dmsService:enableOrDisable" | "dws:dmsQuery:list" |
|
Modifying DMS storage configurations | "dws:dmsStorageConfig:modify" | "dws:dmsQuery:list" |
|
Obtaining, or creating a DDL review | "dws:dmsDdlExamine:getOrCreate" | "dws:dmsGrpcOuter:operation" |
|
Workload snapshot operations | "dws:dmsWorkloadDiagnosisSnapshot:create" | "dws:dmsGrpcOuter:operation" |
|
Creating an alarm rule | "dws:dmsAlarmRule:add" | "dws:dmsQuery:list" |
|
Deleting an alarm rule | "dws:dmsAlarmRule:delete" | "dws:dmsQuery:list" |
|
Executing a SQL probe | "dws:dmsProbe:execute" | "dws:dmsGrpcOuter:operation" |
|
Deleting a monitoring item | "dws:dmsPerformanceMonitor:delete" | "dws:dmsQuery:list" |
|
Enabling or disabling DMS monitoring metrics | "dws:dmsCollectItem:enableOrDisable" | "dws:dmsGrpcOuter:operation" |
|
Modifying DMS monitoring configurations | "dws:dmsCollectConfig:modify" | "dws:dmsGrpcOuter:operation" |
|
OpenAPI Conditional Query | "dws:dmsOpenapiQuery:list" | "dws:cluster:list" |
|
Disabling an alarm rule | "dws:dmsAlarmRule:disable" | "dws:dmsQuery:list" |
|
Deleting an alarm record | "dws:dmsAlarmRecord:delete" | "dws:dmsQuery:list" |
|
Checking SQL probes | "dws:dmsProbe:check" | "dws:dmsGrpcOuter:operation" |
|
Adding a monitoring item | "dws:dmsPerformanceMonitor:add" | "dws:dmsQuery:list" |
|
Modifying monitoring metrics | "dws:dmsPerformanceMonitor:update" | "dws:dmsQuery:list" |
|
Downloading historical monitoring trend | "dws:dmsTrendHistory:down" | "dws:dmsQuery:list" |
|
Obtaining cluster ring information | "dws:ring:list" | "dws: "dws: |
|
Obtaining the cluster process topology | "dws:processTopo:list" | "dws: "dws: |
|
Querying intelligent O&M information | "dws:operationalTask:get" | "dws: "dws: |
|
Intelligent O&M Operations | "dws:operationalTask:operate" | "dws: "dws: |
|
Adding, deleting, and modifying a logical cluster | "dws:logicalCluster:operate" | "dws: "dws: |
|
Querying a logical cluster | "dws:logicalCluster:get" | "dws: "dws: |
|
Creating an endpoint service | "dws:vpcEndpointService:create" | "dws: "dws: |
|
Querying the resource management list | "dws:workLoadManager:get" | "dws: "dws: |
|
Resource management operations | "dws:workLoadManager:operate" | "dws: "dws: |
|
LTS operations | "dws:ltsAccess:operate" | "dws: "dws: |
|
Querying LTS Information | "dws:ltsAccess:get" | "dws: "dws: |
|
Querying events | "dws:event:list" | "dws: "dws: |
|
Querying event specifications | "dws:event:list" | "dws: "dws: |
|
Querying event subscriptions | "dws:eventSub:list" | "dws: "dws: |
|
Creating an event subscription | "dws:eventSub:create" | "dws: "dws: |
|
Updating an event subscription | "dws:eventSub:update" | "dws: "dws: |
|
Deleting an event subscription | "dws:eventSub:delete" | "dws: "dws: |
|
Querying alarm statistics | "dws:alarmStatistic:list" | "dws: "dws: |
|
Querying alarm details | "dws:alarmDetail:list" | "dws: "dws: |
|
Querying alarm configurations | "dws:alarmConfig:list" | "dws: "dws: |
|
Querying alarm subscriptions | "dws:alarmSub:list" | "dws: "dws: |
|
Creating an alarm subscription | "dws:alarmSub:create" | "dws: "dws: |
|
Updating an alarm subscription | "dws:alarmSub:update" | "dws: "dws: |
|
Deleting an alarm subscription | "dws:alarmSub:delete" | "dws: "dws: |
|
Delivering cluster upgrade operations (upgrade, rollback, submission, and retry) | "dws:cluster:doUpdate" | "dws: "dws: |
|
Querying the available upgrade paths of a cluster | "dws:cluster:getUpgradePaths" | "dws: "dws: |
|
Querying cluster upgrade records | "dws:cluster:getUpgradeRecords" | "dws: "dws: |
|
Authentication Logic¶
If a user is granted permissions of multiple policies or of only one policy containing both Allow and Deny statements, then authentication starts from the Deny statements. The following figure shows the authentication logic for resource access.
Figure 3 Authentication logic¶
Note
The actions in each policy bear the OR relationship.
A user accesses the system and makes an operation request.
The system evaluates all the permissions policies assigned to the user.
In these policies, the system looks for explicit deny permissions. If the system finds an explicit deny that applies, it returns a decision of Deny, and the authentication ends.
If no explicit deny is found, the system looks for allow permissions that would apply to the request. If the system finds an explicit allow permission that applies, it returns a decision of Allow, and the authentication ends.
If no explicit allow permission is found, IAM returns a decision of Deny, and the authentication ends.