
Microservices Engine: Custom policies for MSE

Last Updated: Nov 21, 2024

If the system policies of Microservices Engine (MSE) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes how to use custom policies for MSE and provides examples of custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy only if it is not attached to any principal. If the policy is attached to a principal, detach it from the principal first and then delete it.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.


Create a custom policy on the Visual editor tab

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the Visual editor tab.

  5. Configure the policy and click Next to edit policy information.

    1. In the Effect section, select Allow or Deny.

    2. In the Service section, select an Alibaba Cloud service.

      Note

      The Alibaba Cloud services that you can select are displayed in the Service section.

    3. In the Action section, select All action(s) or Select action(s).

      The system displays the actions that can be configured for the Alibaba Cloud service you selected in the previous step. If you select Select action(s), you must then pick the specific actions to grant.

    4. In the Resource section, select All resource(s) or Specified resource(s).

      The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.

      Note

      The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.

    5. In the Condition section, click Add condition to configure a condition.

      Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured for the Alibaba Cloud service and the actions that you selected. You need only select a condition key and configure the Operator and Value parameters.

    6. Click Add statement and repeat the preceding steps to configure multiple custom policy statements.

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.
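The basic and advanced optimizations listed in step 7 can be reproduced in code, which is useful when policies are generated by tooling rather than typed into the console. The following Python script is an added example, not the RAM console's own implementation: it drops one-element arrays and empty conditions, deduplicates actions, and merges statements that share the same Effect, Resource set and Condition. The sample policy, the instance ID mse-example-instance and the IP condition are constructed for the example.

```python
import json

# Constructed sample policy for this example: one-element arrays, a repeated
# action, two statements that differ only in their actions, and a statement
# that carries a non-empty condition and therefore must stay separate.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["mse:QueryNacosNaming"],
         "Resource": ["acs:mse:*:*:instance/mse-example-instance"],
         "Condition": {}},
        {"Effect": "Allow",
         "Action": ["mse:GetEventDetail", "mse:ListEventRecords", "mse:GetEventDetail"],
         "Resource": "acs:mse:*:*:*"},
        {"Effect": "Allow",
         "Action": ["mse:GetEventFilterOptions"],
         "Resource": ["acs:mse:*:*:*"]},
        {"Effect": "Allow",
         "Action": ["mse:ListNamespaces"],
         "Resource": "acs:mse:*:*:*",
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
    ],
}


def _as_list(value):
    """RAM accepts a string or a list for Action and Resource; work on lists."""
    return value if isinstance(value, list) else [value]


def _dedupe(items):
    """Remove repeats while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def _collapse(items):
    """'Deletes unnecessary arrays': a one-element list becomes a plain string."""
    return items[0] if len(items) == 1 else items


def normalize_policy(policy):
    """Return an equivalent policy with fewer, cleaner statements.

    Statements are merged only when Effect, Resource set and Condition are
    identical, so an Allow is never folded into a Deny and a conditional
    statement is never widened by an unconditional one.
    """
    merged = {}
    for statement in policy["Statement"]:
        condition = statement.get("Condition") or None  # {} counts as "no condition"
        key = (statement["Effect"],
               tuple(sorted(_dedupe(_as_list(statement["Resource"])))),
               json.dumps(condition, sort_keys=True))
        merged.setdefault(key, []).extend(_as_list(statement["Action"]))

    statements = []
    for (effect, resources, condition_json), actions in merged.items():
        new_statement = {
            "Effect": effect,
            "Action": _collapse(_dedupe(actions)),
            "Resource": _collapse(list(resources)),
        }
        condition = json.loads(condition_json)
        if condition:  # 'Deletes unnecessary conditions': empty ones are dropped
            new_statement["Condition"] = condition
        statements.append(new_statement)
    return {"Version": policy.get("Version", "1"), "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(normalize_policy(SAMPLE_POLICY), indent=2))
```

Running the script on the constructed policy yields three statements instead of four: the two unconditional statements on acs:mse:*:*:* are merged with the repeated mse:GetEventDetail removed, while the statement restricted by acs:SourceIp is left alone. Merging on an exact Condition match is the safety property to keep if you adapt this: a merge that ignored conditions would silently broaden access.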

Examples of common custom policies for Microservices Registry

  • Grant a user the read-only permissions on services of specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosNaming"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Grant a user the permissions to read and modify services of specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
    Note

    ${instanceId1} and ${instanceId2} indicate the MSE instance IDs.

  • Grant a user the read-only permissions on services in a specific namespace of an instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosNaming",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the permissions to read and modify services of the ${group} group in a specific namespace of an instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the read-only permissions on the ${serviceName} service of the ${group} group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosNaming",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the permissions to read and modify the ${serviceName} service of the ${group} group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
            }
        ],
        "Version": "1"
    }

Examples of common custom policies for Microservices Governance

Grant read-only permissions on all applications

To allow enterprise employees to view key information of applications, the enterprise can grant read-only permissions on all applications to the employees.

For example, the enterprise uses an Alibaba Cloud account to grant a RAM user read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.

The following code shows a sample policy.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:GetEventDetail",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}

Grant all operation permissions on an application to a RAM user

As the owner of an application of the enterprise, you need to be granted all operation permissions on the application. Your permissions are strictly limited to the scope of the application that you manage.

For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:

  • Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.

  • All operation permissions on a specific Microservices Governance-enabled application.

The following code shows a sample policy. The lines that start with // in this and the following example are explanatory comments; remove them before you paste the policy into the console, because a policy document must be valid JSON.

{
  "Version": "1",
  "Statement": [
    // All permissions on a specific Microservices Governance-enabled application
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    // Read-only permissions on all Microservices Governance-enabled applications
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:GetEventDetail",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}

Grant operation permissions on all applications in a namespace

As a test engineer of an enterprise, you need to be granted operation permissions on all applications in a test environment (test namespace). Your permissions are strictly limited to the scope of the test environment (test namespace).

For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:

  • Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.

  • Read and write permissions on applications in a specific Microservices Governance namespace.

The following code shows a sample policy.

{
    "Version": "1",
    "Statement": [
        // All permissions on applications in a specific Microservices Governance namespace
        {
            "Effect": "Allow",
            "Action": "mse:*",
            "Resource": "acs:mse:*:*:namespace/${ns}/application/*"
        },
        // Read-only permissions on all Microservices Governance-enabled applications
        {
            "Effect": "Allow",
            "Action": [
                "mse:QueryNamespace",
                "mse:GetApplicationListWithMetircs",
                "mse:ListNamespaces",
                "mse:GetEventFilterOptions",
                "mse:ListEventRecords",
                "mse:GetEventDetail",
                "mse:FetchLogConfig",
                "mse:QueryBusinessLocations",
                "mse:GetApplicationInstanceList",
                "mse:listGrayTag",
                "mse:QueryServiceDetailWithMetrics",
                "mse:GetEventDetail",
                "mse:ListEventsPage",
                "mse:ListEventsByType",
                "mse:GetApplicationTagList",
                "mse:QueryAllSwimmingLaneGroup",
                "mse:QueryAllSwimmingLane",
                "mse:ListAppBySwimmingLaneGroupTags",
                "mse:ListAppBySwimmingLaneGroupTag",
                "mse:QuerySwimmingLaneById",
                "mse:GetTagsBySwimmingLaneGroupId",
                "mse:ListSwimmingLaneGateway",
                "mse:ListSwimmingLaneGatewayRoute",
                "mse:ListAuthPolicy",
                "mse:GetServiceList",
                "mse:GetServiceListPage"
            ],
            "Resource": "acs:mse:*:*:*"
        },
        // Namespace-level operations (application listing and swimming lane management) in the specific Microservices Governance namespace
        {
            "Effect": "Allow",
            "Action": [
                "mse:GetApplicationList",
                "mse:CreateOrUpdateSwimmingLaneGroup",
                "mse:CreateOrUpdateSwimmingLane",
                "mse:DeleteSwimmingLaneGroup",
                "mse:DeleteSwimmingLaneGroup",
                "mse:DeleteSwimmingLane"
            ],
            "Resource": "acs:mse:*:*:namespace/${ns}"
        }
    ]
}

Examples of common custom policies for Cloud-native Gateway

Grant a user or role the permissions on all gateways

If you want to grant a RAM user or role the operation permissions on all cloud-native gateways, you can attach the following system policies to the RAM user or role:

  • Read-only permission: AliyunMSEReadOnlyAccess

  • Read and write permissions: AliyunMSEFullAccess

Grant a user or role the permissions on a specific gateway

If you want to grant a RAM user or role the operation permissions on a specific gateway, you can grant resource-level permissions to the RAM user or role.

  • Example 1: Grant a RAM user the read-only permission on the cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:Query*",
                    "mse:List*",
                    "mse:Get*",
                    "mse:Select*",
                    "mse:Pull*",
                    "mse:GatewayBlackWhite*",
                    "mse:GatewayHealthCheckList",
                    "mse:GatewayQueryMonitor",
                    "mse:UploadWasmFile"
                ],
                "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mse:QueryDefaultAlertStatus",
                    "mse:ListGatewayZone",
                    "mse:ListUpgradableGatewayVersions",
                    "mse:ListTagResources",
                    "mse:ListGatewayIngressMigrateTask",
                    "mse:ListEventRecords",
                    "mse:GetEventFilterOptions",
                    "mse:GetEventDetail",
                    "mse:GetGatewaySelection",
                    "mse:GetGatewayAlarms",
                    "mse:GetGatewayMigrateNamespacedServices",
                    "mse:GetGatewayIngressMigrateTaskDetail",
                    "mse:GetPluginGuide",
                    "mse:GetRegExpCheck",
                    "mse:GetRegExpTest",
                    "mse:CheckPluginLua"
                ],
                "Resource": "acs:mse:*:*:*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:DescribeService",
                    "log:ListProject",
                    "log:GetProductDataCollection"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:SearchContactGroup"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • Example 2: Grant a RAM user the read and write permissions on a cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:*"
                ],
                "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mse:QueryDefaultAlertStatus",
                    "mse:CreateDefaultAlert",
                    "mse:ListGatewayZone",
                    "mse:ListUpgradableGatewayVersions",
                    "mse:ListEventRecords",
                    "mse:GetEventFilterOptions",
                    "mse:GetEventDetail",
                    "mse:GetGatewaySelection",
                    "mse:GetGatewayAlarms",
                    "mse:GetGatewayMigrateNamespacedServices",
                    "mse:GetPluginGuide",
                    "mse:GetRegExpCheck",
                    "mse:GetRegExpTest",
                    "mse:CheckPluginLua",
                    "mse:*TagResources",
                    "mse:*CustomPlugin",
                    "mse:*GatewayIngressMigrateTask*"
                ],
                "Resource": "acs:mse:*:*:*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:DescribeService",
                    "log:ListProject",
                    "log:GetProductDataCollection",
                    "log:OpenProductDataCollection"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:SearchContactGroup"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
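The registry, governance and gateway examples above all rely on the same two mechanisms: the * wildcard in action names and resource ARNs, and the rule that an explicit Deny overrides any Allow while an unmatched request is implicitly denied. The following Python script is an added example (not Alibaba Cloud's evaluator) that simulates these rules and runs the page's policies against constructed requests. The instance ID mse-example, gateway ID gw-example, namespace names and account ID 123456 are placeholders, and the Deny statement is constructed for the example; conditions are not modelled, so any statement with a Condition is treated as not satisfied.

```python
import json
import re
from string import Template


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_policy(policy: dict, **placeholders: str) -> dict:
    """Fill ${instance_id}-style placeholders as used in the page's examples."""
    return json.loads(Template(json.dumps(policy)).safe_substitute(placeholders))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request.

    Assumptions for this example: action names compare case-insensitively,
    resource ARNs compare case-sensitively, and statements with a Condition
    are skipped (treated as not satisfied).
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if statement.get("Condition"):
            continue
        action_hit = any(_wildcard_match(p.lower(), action.lower())
                         for p in _as_list(statement["Action"]))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


# Registry example: read and modify services of one group (placeholders filled in).
GROUP_RW_POLICY = render_policy({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mse:QueryNacosNaming", "mse:UpdateNacosNaming"],
        "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}",
    }],
}, instance_id="mse-example", namespaceId="ns-dev", group="DEFAULT_GROUP")

# Constructed Deny statement used to show Deny precedence.
DENY_UPDATES = {"Effect": "Deny", "Action": "mse:UpdateNacosNaming", "Resource": "*"}

# Governance example: all permissions on applications in the "test" namespace.
NAMESPACE_POLICY = render_policy({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "mse:*",
                   "Resource": "acs:mse:*:*:namespace/${ns}/application/*"}],
}, ns="test")

# Gateway example: read-only actions on one gateway (first statement, shortened).
GATEWAY_RO_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mse:Query*", "mse:List*", "mse:Get*", "mse:GatewayHealthCheckList"],
        "Resource": "acs:mse:*:*:instance/gw-example",
    }],
}


def demo() -> dict:
    """Evaluate constructed requests against the three policies."""
    acct = "acs:mse:cn-hangzhou:123456:"
    own_group = acct + "instance/mse-example/ns-dev/DEFAULT_GROUP"
    other_group = acct + "instance/mse-example/ns-dev/OTHER_GROUP"
    with_deny = {"Version": "1", "Statement": GROUP_RW_POLICY["Statement"] + [DENY_UPDATES]}
    return {
        "read own group": evaluate(GROUP_RW_POLICY, "mse:QueryNacosNaming", own_group),
        "read other group": evaluate(GROUP_RW_POLICY, "mse:QueryNacosNaming", other_group),
        "update with explicit deny": evaluate(with_deny, "mse:UpdateNacosNaming", own_group),
        "test namespace app": evaluate(NAMESPACE_POLICY, "mse:GetApplicationList",
                                       acct + "namespace/test/application/order"),
        "prod namespace app": evaluate(NAMESPACE_POLICY, "mse:GetApplicationList",
                                       acct + "namespace/prod/application/order"),
        "gateway list zones": evaluate(GATEWAY_RO_POLICY, "mse:ListGatewayZone",
                                       acct + "instance/gw-example"),
        "gateway create alert": evaluate(GATEWAY_RO_POLICY, "mse:CreateDefaultAlert",
                                         acct + "instance/gw-example"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:28s} -> {decision}")
```

The output shows the scoping the examples are designed for: the group-scoped registry policy allows reads on DEFAULT_GROUP but not on OTHER_GROUP, the namespace-scoped governance policy covers any application under test but nothing under prod, and the gateway read-only policy matches mse:ListGatewayZone through the mse:List* prefix while mse:CreateDefaultAlert falls through to an implicit deny. Adding the Deny statement turns an otherwise allowed mse:UpdateNacosNaming into an explicit Deny regardless of statement order.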

Usage notes

The preceding policies cover only the operations that you perform in the MSE console. Some capabilities of cloud-native gateways depend on other cloud services, so you must also grant your RAM user or role the permissions described in the permission documentation of those services before all gateway features become available. The following table describes the mappings between the cloud services on which cloud-native gateways depend and the related cloud-native gateway modules.

Cloud service: Simple Log Service

Cloud-native gateway module:

  • Log Center. To access the Log Center tab, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of a gateway to go to the gateway details page. On the page that appears, choose Observation Analysis > Log Center.

  • Plug-in Logs. To access the Plug-in Logs tab, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of a gateway to go to the gateway details page. On the page that appears, click Plug-in Marketplace. Then, click a plug-in card to go to the plug-in details page. On the page that appears, click Plug-in Logs.

References: Custom policies for Simple Log Service

Cloud service: Application Real-Time Monitoring Service (ARMS)

Cloud-native gateway module:

  • Tracing Analysis. To access the Tracing Analysis tab, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of a gateway to go to the gateway details page. On the page that appears, choose Observation Analysis > Tracing Analysis.

  • Alerts. To use the Alerts feature, choose Cloud-native Gateway > Alerts.

References: System policies for ARMS

References

RAM authorization