This topic describes the Resource Access Management (RAM) policies that are related to Enterprise Distributed Application Service (EDAS).
Resource variables in policies
In a policy, the following variables are used to define a resource:
- $regionid: the ID of the region where the resource is deployed, such as cn-shanghai. For more information, see Regions and zones.
- $namespace: the ID of the microservices namespace. The following figure shows the ID of a microservices namespace.
To view microservices namespace IDs, log on to the EDAS console. In the left-side navigation pane, choose . On the Microservice Namespace page, you can view the ID of each microservices namespace.
- $clusterId: the ID of the cluster. Example: 8c349f69-505c-436f-8dc7-**********. The following figure shows the ID of a cluster.
To view cluster IDs, log on to the EDAS console. In the left-side navigation pane, choose . On the ECS Cluster page, click the desired cluster ID in the Cluster ID/Name column to go to the Cluster Details page to view the ID of the cluster.
- $applicationId: the ID of the application. Example: ec8e38a3-3dca-47a7-b6f9-5**********. The following figure shows the ID of an application.
To view application IDs, log on to the EDAS console. In the left-side navigation pane, choose . On the Applications page, click the name of the desired application in the Application Name column to go to the application details page. On the Basic Information tab of the application details page, you can view the ID of the application.
Details about policies
This section describes how an EDAS-defined permission corresponds to a RAM policy.
Microservices namespace management
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 1.1 | Create microservices namespaces | edas:CreateNamespace | acs:edas:$regionid:$accountid:namespace/* |
| 1.2 | Delete microservices namespaces | edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| edas:DeleteNamespace | |||
| 1.4 | Modify microservices namespaces | edas:ManageNamespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| edas:ReadNamespace | |||
| 1.5 | View microservices namespaces | edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 2.1 | Create clusters | edas:CreateCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/* |
| 2.2 | Delete clusters | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| edas:DeleteCluster | |||
| 2.4 | Manage clusters | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| edas:ManageCluster | |||
| 2.3 | View clusters | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 3.1 | Create applications | edas:CreateApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/* |
| 3.2 | Delete applications | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| edas:DeleteApplication | |||
| 3.3 | View applications | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 3.4 | Manage applications | edas:ManageApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| edas:ReadApplication | |||
| 3.5 | Configure applications | edas:ConfigApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| edas:ReadApplication | |||
| 3.6 | Manage logs | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| edas:ManageAppLog |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 4.1 | Query microservices | edas:ReadService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 4.2 | Test microservices | edas:TestService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 4.3 | Manage microservices | edas:ReadService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| edas:ManageService |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 5.1 | View configurations | acms:R | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId |
| 5.2 | Manage configurations | acms:* | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 6.1 | Manage the EDAS system | edas:ManageSystem | acs:edas:$regionid:$accountid:* |
| 6.2 | View operation logs | edas:ReadOperationLog | acs:edas:$regionid:$accountid:* |
| 6.3 | System O&M | edas:ManageOperation | acs:edas:$regionid:$accountid:* |
| 6.4 | Purchase Elastic Compute Service (ECS) resources | edas:ECSPurchase | acs:edas:*:*:* |
| 6.5 | Purchase Server Load Balancer (SLB) resources | edas:SLBPurchase | acs:edas:*:*:* |
| 6.6 | Purchase Log Service resources | edas:SLSPurchase | acs:edas:*:*:* |
| Code | Description | Dependency action | Resource |
|---|---|---|---|
| 7 | Manage EDAS features that are available for commercial use | edas:ManageCommercialization | acs:edas:$regionid:$accountid:* |
Cluster management
The following scenarios describe the permissions that are required for managing clusters:
Create clusters
Important For the creation of a cluster,
cluster/ in the value of the Resource parameter must be followed by an asterisk (*). {
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
"Effect": "Allow"
}
]
}View the details of a cluster
Requires read-only permissions on the cluster, such as the permissions that are required to view the details about a cluster, including the instances and applications in the cluster.
Note You can grant a RAM user the permissions on a resource group so that the RAM user can view the details of the clusters in the resource group.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}Manage clusters
Allows a RAM user to create a cluster, add instances to a cluster, modify a cluster, and delete a cluster.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}The following examples show how to grant cluster management permissions to a RAM user:
- Example 1: Grant cluster management permissions to the RAM user but forbid the RAM user from creating clusters.
{ "Version": "1", "Statement": [ { "Action": ["edas:ManageCluster"], "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"], "Effect": "Allow" }, { "Action": ["edas:CreateCluster"], "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"], "Effect": "Deny" } ] }Note If the$clusterIdvariable is set to a specific cluster ID, the RAM user can manage only the specified cluster. If the $clusterId variable is set to an asterisk (*), the RAM user can manage all clusters in the specified microservices namespace. - Example 2: Grant cluster management permissions to the RAM user but forbid the RAM user from creating or deleting clusters.
{ "Version": "1", "Statement": [ { "Action": ["edas:ManageCluster"], "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"], "Effect": "Allow" }, { "Action": ["edas:CreateCluster","edas:DeleteCluster"], "Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"], "Effect": "Deny" } ] }
Delete clusters
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadCluster","edas:DeleteCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}Microservices namespace management
The following scenarios describe the permissions that are required for managing microservices namespaces:
Create microservices namespaces
Important For the creation of a microservices namespace,
namespace/ in the value of the Resource parameter must be followed by an asterisk (*). Otherwise, authentication fails. {
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/*"],
"Effect": "Allow"
}
]
}View microservices namespaces
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Manage microservices namespaces
To allow a RAM user to modify or rename microservices namespaces, you must grant the RAM user the permissions to manage the microservices namespaces.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Delete microservices namespaces
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadNamespace","edas:DeleteNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Resource purchases
To enhance the permission management capabilities of enterprise users, EDAS allows the enterprise users to grant the permissions to purchase resources. The resources include ECS, SLB, and Log Service resources.
The following scenarios describe the permissions that are required for purchasing resources:
Important
- In all resource purchasing policies, the value of the
Resourceparameter must beacs:edas:*:*:*. Finer-grained configurations are not supported. - Resource purchasing policies apply only to RAM users.
Purchase ECS resources
- Applicable scope:
- Purchase ECS resources in an ECS cluster
- Purchase ECS resources when you create an application in an ECS cluster
- Purchase ECS resources when you scale out an application in an ECS cluster
- Sample policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "edas:ECSPurchase" ], "Resource": [ "acs:edas:*:*:*" ] } ] }
Purchase SLB resources
- Applicable scope: Purchase SLB resources when you bind an SLB instance to an application.
- Sample policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "edas:SLBPurchase" ], "Resource": [ "acs:edas:*:*:*" ] } ] }
Purchase Log Service resources
- Applicable scope: Purchase Log Service resources for an application.
- Sample policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "edas:SLSPurchase" ], "Resource": [ "acs:edas:*:*:*" ] } ] }
Application management
The following scenarios describe the permissions that are required for managing applications:
Permissions on an individual application
- Manage an application: Allows a RAM user to view the information about an application and manage the configurations and logs of an application, but does not allow the RAM user to create or delete applications.
{ "Statement": [ { "Action": [ "edas:*Application" ], "Effect": "Allow", "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"] }, { "Action": [ "edas:DeleteApplication" ], "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"], "Effect": "Deny" }, { "Action": [ "edas:CreateApplication" ], "Resource":["acs:edas:$regionid:*:namespace/$namespace/application/*"], "Effect": "Deny" } ], "Version": "1" } - Create an applicationImportant To create an application, a user needs to use an instance in the cluster. Therefore, you must grant the RAM user the permissions to view the cluster.
{ "Statement": [ { "Action": [ "edas:CreateApplication", "edas:ReadCluster" ], "Effect": "Allow", "Resource": [ "acs:edas:$regionid:*:namespace/$namespace/application/*", "acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId" ] } ], "Version": "1" } - Delete an applicationImportant To allow a RAM user to delete an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
{ "Statement": [ { "Action": [ "edas:DeleteApplication", "edas:ReadApplication" ], "Effect": "Allow", "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"] } ], "Version": "1" } - Manage logsImportant To allow a RAM user to manage the logs of an application, you must grant the RAM user the permissions to view the application. Otherwise, the RAM user cannot find the application.
{ "Statement": [ { "Action": [ "edas:ReadApplication", "edas:ManageAppLog" ], "Effect": "Allow", "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"] } ], "Version": "1" } - Configure an application: Allows a RAM user to set the application port, Tomcat context, load balancing parameters, health check parameters, Java virtual machine (JVM) parameters, and the Intra-zone Provider First feature. Important To allow a RAM user to configure an application, you must grant the RAM user the permissions to view the application.
{ "Statement": [ { "Action": [ "edas:ReadApplication", "edas:ConfigApplication" ], "Effect": "Allow", "Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"] }, ], "Version": "1" }
Permissions on multiple applications
- Query applications: Allows a RAM user to query applications in a specified region. Note A region may contain one or more microservices namespaces. This permission allows a RAM user to query applications in all microservices namespaces in a specified region.
{ "Statement": [ { "Action": [ "edas:ReadApplication" ], "Effect": "Allow", "Resource": ["acs:edas:$regionid:*:namespace/*/application/*"] } ], "Version": "1" } - View applications: Allows a RAM user to view applications in a specified microservices namespace.
{ "Statement": [ { "Action": [ "edas:*Application", "edas:ReadCluster" ], "Effect": "Allow", "Resource": [ "acs:edas:$regionid:*:namespace/$namespace/application/*", "acs:edas:$regionid:*:namespace/$namespace/cluster/*" ] } ], "Version": "1" }
Microservices management
The following scenarios describe the permissions that are required for managing microservices:
View microservices
Note To view all microservices, set the
$applicationId variable to an asterisk (*) in the policy. {
"Statement": [
{
"Action": [
"edas:ReadService"
],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
]
}
],
"Version": "1"
}Test microservices
Note To test applications in all microservices namespaces, set the
$namespace and $applicationId variables to an asterisk (*). {
"Statement": [
{
"Action": [
"edas:TestService"
],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
]
}
],
"Version": "1"
}Grant an application permissions on microservices
Note To grant all applications permissions on microservices, set the
$applicationId variable to an asterisk (*). {
"Statement": [
{
"Action": [
"edas:ManageService"
],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"
]
}
],
"Version": "1"
}Remove outlier instances
Important The removal of an outlier instance affects applications in the microservices namespace. You can grant RAM users the permissions to remove outlier instances only in a specified microservices namespace.
{
"Statement": [
{
"Action": [
"edas:ManageService"
],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace"
]
}
],
"Version": "1"
}Configuration management
EDAS is integrated with Application Configuration Management (ACM). For more information about ACM-specific permissions, see Access control.
System management
Includes the permissions to manage RAM users, view resource usage, and view operations logs.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageSystem"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}Note System permissions are not defined by specific resources. Therefore, set the
Resource variable to acs:edas:*:*:* in the policy. System O&M
Allows a RAM user to view operation logs, perform one or more O&M tasks at a time, and manage resource groups.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageOperation"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}View operation logs
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadOperationLog"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}