Simple Log Service allows you to configure project policies to perform authorization. You can configure a project policy to grant other users access permissions on specific Simple Log Service resources.
Usage notes
You must configure a project policy based on the policy syntax. Before you configure a project policy, you must be familiar with the Action, Resource, and Condition elements. For more information, see Resource list, Action list, and Authentication rules.
If you set the Principal element to an asterisk (*) and do not configure the Condition element, the policy applies to all users except the project owner. If you set the Principal element to an asterisk (*) and also configure the Condition element, the policy applies to all users, including the project owner.
You can configure multiple project policies for a project. The total size of the policies cannot exceed 16 KB.
Examples
Example 1: Allow only users that use a specified virtual private cloud (VPC) ID to access a specified project
The following project policy is used to allow only users that use the VPC whose ID is t4nlw426y44rd3iq4**** to access the example-project project:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "log:*"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/example-project/*",
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    }
  ]
}
Example 2: Deny write requests for a specified project over the Internet
The following project policy is used to deny write requests for the exampleproject project from users over the Internet:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/exampleproject/*",
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        }
      }
    }
  ]
}
Example 3: Deny access requests from specific IP addresses
The following project policy is used to deny access requests for the exampleproject project from 192.168.0.0/16 and 172.16.215.218:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/exampleproject/*",
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}
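The three policies above, together with the owner rule from the usage notes, can be exercised locally with a small evaluator. The following Python is an added example, not code from the Simple Log Service documentation or SDK: it models how a Deny statement with a StringNotEquals or NotIpAddress condition is matched against a request context, and how a Principal of "*" treats the project owner with and without a Condition element. The request context keys (action, resource, principal, is_owner, acs:SourceVpc, acs:SourceIp) and the POLICY_NO_COND policy are constructed for the demonstration; the evaluation order (any matching Deny wins, otherwise any matching Allow, otherwise fall through to RAM) is an assumption of this toy model.

```python
"""Toy evaluator for Simple Log Service project policies (added example, not SDK code)."""
import fnmatch
import ipaddress
import json

# Example 1 from the page: deny all log:* actions on example-project unless the
# request originates from the one listed VPC.
POLICY_VPC = json.loads(
    '{"Version":"1","Statement":[{"Effect":"Deny","Action":["log:*"],'
    '"Principal":["*"],"Resource":"acs:log:*:*:project/example-project/*",'
    '"Condition":{"StringNotEquals":{"acs:SourceVpc":["vpc-t4nlw426y44rd3iq4****"]}}}]}'
)

# Example 3 from the page: deny everything on exampleproject unless the source
# IP address is in 192.168.0.0/16 or is exactly 172.16.215.218.
POLICY_IP = json.loads(
    '{"Version":"1","Statement":[{"Effect":"Deny","Action":["*"],"Principal":["*"],'
    '"Resource":"acs:log:*:*:project/exampleproject/*",'
    '"Condition":{"NotIpAddress":{"acs:SourceIp":["192.168.0.0/16","172.16.215.218"]}}}]}'
)

# Constructed policy (not from the page): unconditional deny of write actions for
# every principal. Principal "*" with no Condition exempts the project owner.
POLICY_NO_COND = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["log:Post*"],
        "Principal": ["*"],
        "Resource": "acs:log:*:*:project/exampleproject/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(addr, patterns):
    ip = ipaddress.ip_address(addr)
    # A bare host such as 172.16.215.218 becomes a /32 network.
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def _condition_matches(condition, ctx):
    """Every operator/key pair must hold (AND); the values under one key are OR-ed."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            actual = ctx.get(key)  # None when absent, e.g. no acs:SourceVpc for Internet traffic
            values = _as_list(values)
            if op == "StringEquals":
                ok = actual in values
            elif op == "StringNotEquals":
                ok = actual not in values
            elif op == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
            elif op == "StringNotLike":
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, v) for v in values)
            elif op == "IpAddress":
                ok = actual is not None and _ip_in(actual, values)
            elif op == "NotIpAddress":
                ok = actual is None or not _ip_in(actual, values)
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True


def _principal_matches(stmt, ctx):
    principals = _as_list(stmt.get("Principal", []))
    if "*" in principals:
        # Page rule: "*" without Condition excludes the owner; with Condition it includes the owner.
        return "Condition" in stmt or not ctx.get("is_owner", False)
    return ctx.get("principal") in principals


def _statement_matches(stmt, ctx):
    return (
        any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"]))
        and _principal_matches(stmt, ctx)
        and _condition_matches(stmt.get("Condition", {}), ctx)
    )


def evaluate(policy, ctx):
    """Return 'Deny', 'Allow', or 'Pass' (no statement matched; RAM then decides)."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, ctx)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Pass"


if __name__ == "__main__":
    # Constructed request: a RAM user reading example-project from the Internet (no VPC).
    req = {"action": "log:GetLogs", "principal": "ram-user-a", "is_owner": False,
           "resource": "acs:log:cn-hangzhou:1234:project/example-project/logstore/app"}
    print("from Internet:", evaluate(POLICY_VPC, req))
    print("from listed VPC:", evaluate(POLICY_VPC, {**req, "acs:SourceVpc": "vpc-t4nlw426y44rd3iq4****"}))
```

Run it as a script to see that Example 1 denies the Internet request and passes the request from the listed VPC; the same call with is_owner set to True is still denied, because the statement carries a Condition, whereas POLICY_NO_COND lets the owner through.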
Use Simple Log Service SDK for Java to manage project policies
Use Simple Log Service SDK for Java to create, delete, or query a project policy. Example:
// Imports added so the example compiles; the SDK client, its exception type, and the JUnit Assert helper used below.
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // In this example, the AccessKey ID and AccessKey secret are obtained from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    static String endPoint = "your-endpoint";
    static String projectName = "your-project";
    // The content of the policy: deny all log:Post* actions on this project.
    static String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:Post*\"],\"Resource\":\"acs:log:*:*:project/"
            + projectName + "/*\",\"Effect\":\"Deny\"}]}";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        client.CreateProject(projectName, "");
        // Create the policy, then read it back and check that the stored text matches.
        client.setProjectPolicy(projectName, policyText);
        client.getProjectPolicy(projectName);
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
        // Delete the policy; a subsequent query returns an empty policy text.
        client.deleteProjectPolicy(projectName);
        Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
        client.DeleteProject(projectName);
    }
}
Deny access over the Internet. Example:
// Imports added so the example compiles; the SDK client, its exception type, and the JUnit Assert helper used below.
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // In this example, the AccessKey ID and AccessKey secret are obtained from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    static String endPoint = "your-endpoint";
    static String projectName = "your-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        client.CreateProject(projectName, "");
        // Before the policy is applied, the project can be queried.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny all log:* actions unless the request comes from a VPC (acs:SourceVpc matches vpc-*).
        String policyText = "{ \"Version\": \"1\",\n"
                + " \"Statement\": [{"
                + " \"Action\": [\"log:*\"],"
                + " \"Resource\": \"*\",\n"
                + " \"Condition\": {\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},"
                + " \"Effect\": \"Deny\"}] }";
        client.setProjectPolicy(projectName, policyText);
        // The same query over the Internet is now rejected with an Unauthorized error.
        try {
            client.GetProject(projectName);
            Assert.fail("should fail");
        } catch (LogException e) {
            Assert.assertEquals("Unauthorized", e.getErrorCode());
        }
    }
}