This topic describes the Action, Resource, and Condition elements in Resource Access Management (RAM) policies and the scenarios for which the RAM policies are suitable.
Action
The Action element specifies one or more API operations. You can specify the Action element to allow or deny user access to the API operations.
When you create a policy for Tablestore, you must add the ots: prefix to each action and separate multiple actions with commas (,). When you specify the Action element, you can use the asterisk (*) wildcard character for prefix and suffix matching.
The following examples show how to define the Action element:
Single API operation
"Action": "ots:GetRow" Multiple API operations
"Action": [
"ots:PutRow",
"ots:GetRow"
] All read-only API operations
{
"Version": "1",
"Statement": [
{
"Action": [
"ots:BatchGet*",
"ots:Describe*",
"ots:Get*",
"ots:List*",
"ots:Consume*",
"ots:Search",
"ots:ComputeSplitPointsBySize"
],
"Resource": "*",
"Effect": "Allow"
}
]
} All read and write API operations
"Action": "ots:*" All SQL-related API operations
"Action": "ots:SQL*"Resource
The Resource element for Tablestore consists of multiple fields, including service, region, user_id, instance_name, and table_name. Each field supports the asterisk (*) wildcard character for prefix and suffix matching. You can use the Resource element to specify the Tablestore resources that other users can access. Specify the Resource element in the following format:
acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name] You must set the value of the service field to ots. The region field specifies the ID of the region in which the resource resides, such as cn-hangzhou. The user_id field specifies the ID of the Alibaba Cloud account. The instance_name field specifies the name of the Tablestore instance. The table_name field specifies the name of the Tablestore table. Configure the preceding fields based on your business requirements.
The name of the Tablestore instance is not case-sensitive. We recommend that you specify the value of the instance_name field in the Resource element in lowercase.
The Resource element for Tunnel Service is defined by instance rather than table and includes fields such as service, region, user_id, and instance_name. Specify the Resource element in the following format:
acs:ots:[region]:[user_id]:instance/[instance_name] Typical resource definitions
All resources of all Alibaba Cloud accounts in all regions
"Resource": "acs:ots:*:*:*"All instances and their tables of User 123456 in the China (Hangzhou) region
"Resource": "acs:ots:cn-hangzhou:123456:instance*"Instance abc and its tables of User 123456 in the China (Hangzhou) region
"Resource": [ "acs:ots:cn-hangzhou:123456:instance/abc", "acs:ots:cn-hangzhou:123456:instance/abc/table*" ]All instances whose names contain the abc prefix and their tables
"Resource": "acs:ots:*:*:instance/abc*"All tables whose names contain the xyz prefix in the instances whose names contain the abc prefix (Instance resources are not included.
acs:ots:*:*:instance/abc*does not match the definition.)"Resource": "acs:ots:*:*:instance/abc*/table/xyz*"All instances whose names contain the abc suffix and their tables whose names contain the xyz suffix
"Resource": [ "acs:ots:*:*:instance/*abc", "acs:ots:*:*:instance/*abc/table/*xyz" ]
Usage notes
The Action and Resource elements in a RAM policy are verified by performing string matching operations. When you specify the Action and Resource elements, you can use the asterisk (*) wildcard character for prefix and suffix matching. If the Resource element is defined as
acs:ots:*:*:instance/*/,acs:ots:*:*:instance/abcdoes not match the definition. If the Resource element is defined asacs:ots:*:*:instance/abc,acs:ots:*:*:instance/abc/table/xyzdoes not match the definition.If a user wants to manage instances in the Tablestore console, the Tablestore console must query the list of instances. In this case, you must grant the user the read permissions on the
acs:ots:[region]:[user_id]:instance/*resources.When you perform an operation on multiple tables at the same time by calling API operations, such as BatchGetRow and BatchWriteRow, the backend service separately authenticates each table. You can perform the operation on multiple tables at the same time only if all tables pass the authentication. Otherwise, a permission error is returned.
Tablestore API operations
Tablestore provides the following types of API operations: instance management operations, table operations, data read/write operations, and operations for Tunnel Service. The following tables describe how to configure resources for the API operations.
Instance management operations
Instance management operations are instance-related operations and can be called only in the Tablestore console. If you specify the Action and Resource elements for instance management operations, several features may be unavailable in the Tablestore console. The acs:ots:[region]:[user_id]: prefix is omitted from the names of the following resources. Only the instance and table are described.
API operation/Action | Resource |
ListInstance | instance/* |
InsertInstance | instance/[instance_name] |
GetInstance | instance/[instance_name] |
DeleteInstance | instance/[instance_name] |
Table operations and data read/write operations
Table operations and data read/write operations are performed on tables and rows and can be called in the Tablestore console or by using Tablestore SDKs. If you specify the Action and Resource elements for table operations and data read/write operations, several features may be unavailable in the Tablestore console. The acs:ots:[region]:[user_id]: prefix is omitted from the names of the following resources. Only the instance and table are described.
API operation/Action | Resource |
ListTable | instance/[instance_name]/table* |
CreateTable | instance/[instance_name]/table/[table_name] |
UpdateTable | instance/[instance_name]/table/[table_name] |
DescribeTable | instance/[instance_name]/table/[table_name] |
DeleteTable | instance/[instance_name]/table/[table_name] |
GetRow | instance/[instance_name]/table/[table_name] |
PutRow | instance/[instance_name]/table/[table_name] |
UpdateRow | instance/[instance_name]/table/[table_name] |
DeleteRow | instance/[instance_name]/table/[table_name] |
GetRange | instance/[instance_name]/table/[table_name] |
BatchGetRow | instance/[instance_name]/table/[table_name] |
BatchWriteRow | instance/[instance_name]/table/[table_name] |
ComputeSplitPointsBySize | instance/[instance_name]/table/[table_name] |
StartLocalTransaction | instance/[instance_name]/table/[table_name] |
CommitTransaction | instance/[instance_name]/table/[table_name] |
AbortTransaction | instance/[instance_name]/table/[table_name] |
CreateIndex | instance/[instance_name]/table/[table_name] |
DropIndex | instance/[instance_name]/table/[table_name] |
CreateSearchIndex | instance/[instance_name]/table/[table_name] |
DeleteSearchIndex | instance/[instance_name]/table/[table_name] |
ListSearchIndex | instance/[instance_name]/table/[table_name] |
DescribeSearchIndex | instance/[instance_name]/table/[table_name] |
Search | instance/[instance_name]/table/[table_name] |
CreateTunnel | instance/[instance_name]/table/[table_name] |
DeleteTunnel | instance/[instance_name]/table/[table_name] |
ListTunnel | instance/[instance_name]/table/[table_name] |
DescribeTunnel | instance/[instance_name]/table/[table_name] |
ConsumeTunnel | instance/[instance_name]/table/[table_name] |
BulkImport | instance/[instance_name]/table/[table_name] |
BulkExport | instance/[instance_name]/table/[table_name] |
SQL_Select | instance/[instance_name]/table/[table_name] |
SQL_Create | instance/[instance_name]/table/[table_name] |
SQL_DropMapping | instance/[instance_name]/table/[table_name] |
Operations for Tunnel Service
Operations for Tunnel Service are tunnel-related operations and can be called in the Tablestore console or by using Tablestore SDKs. If you specify the Action and Resource elements for operations for Tunnel Service, several features may be unavailable in the Tablestore console. The acs:ots:[region]:[user_id]: prefix is omitted from the names of the following resources. Only the instance and table are described.
API operation/Action | Resource |
ListTable | instance/[instance_name] |
CreateTable | instance/[instance_name] |
UpdateTable | instance/[instance_name] |
DescribeTable | instance/[instance_name] |
DeleteTable | instance/[instance_name] |
GetRow | instance/[instance_name] |
PutRow | instance/[instance_name] |
UpdateRow | instance/[instance_name] |
DeleteRow | instance/[instance_name] |
GetRange | instance/[instance_name] |
BatchGetRow | instance/[instance_name] |
BatchWriteRow | instance/[instance_name] |
ComputeSplitPointsBySize | instance/[instance_name] |
StartLocalTransaction | instance/[instance_name] |
CommitTransaction | instance/[instance_name] |
AbortTransaction | instance/[instance_name] |
CreateIndex | instance/[instance_name] |
DropIndex | instance/[instance_name] |
CreateSearchIndex | instance/[instance_name] |
DeleteSearchIndex | instance/[instance_name] |
ListSearchIndex | instance/[instance_name] |
DescribeSearchIndex | instance/[instance_name] |
Search | instance/[instance_name] |
CreateTunnel | instance/[instance_name] |
DeleteTunnel | instance/[instance_name] |
ListTunnel | instance/[instance_name] |
DescribeTunnel | instance/[instance_name] |
ConsumeTunnel | instance/[instance_name] |
Condition
You can use the Condition element to configure policies in which specific conditions are specified to allow or deny user access. The policies for Tablestore support IP address-based access control, HTTPS-based access control, multi-factor authentication (MFA)-based access control, TLS version-based access control, and time-based access control.
IP address-based access control
You can create an IP address whitelist to specify the IP addresses or CIDR blocks that are allowed access to Tablestore resources. IP address-based access control is suitable for the following scenarios:
Allow access from multiple IP addresses
The following sample code provides an example on how to allow requests to access Tablestore resources only from the IP addresses 10.10.XX.XX and 10.11.XX.XX.XX:
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX", "10.11.XX.XX" ] } } } ], "Version": "1" }Allow access only from one IP address or CIDR block
The following sample code provides an example on how to allow requests to access Tablestore resources only from the IP address 10.10.XX.XX or CIDR block 10.10.XX.XX/24:
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX", "10.10.XX.XX/24" ] } } } ], "Version": "1" }
HTTPS-based access control
You can create a custom policy to allow only the requests that are sent over HTTPS to access Tablestore resources.
The following sample code provides an example on how to allow only the requests that are sent over HTTPS to access Tablestore resources:
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
} TLS version-based access control
You can create a custom policy to allow only the requests that are sent over TLS V1.2 or TLS V1.3 to access Tablestore resources.
The following sample code provides an example on how to allow only the requests that are sent over TLS V1.2 or TLS V1.3 to access Tablestore resources:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ots:*",
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"ots:TLSVersion": [
"TLSv1.2",
"TLSv1.3"
]
}
}
}
]
}MFA-based access control
You can create a custom policy to allow only the requests that pass MFA to access Tablestore resources.
The following sample code provides an example on how to allow only the requests that pass MFA to access Tablestore resources:
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"Bool": {
"acs:MFAPresent ": "true"
}
}
}
],
"Version": "1"
} Time-based access control
You can create a custom policy to specify the access time of requests. Access requests that are sent earlier than the specified point in time are allowed or denied.
The following sample code provides an example on how to allow users to access Tablestore resources only before 00:00 on January 1, 2016 (UTC+8):
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"DateLessThan": {
"acs:CurrentTime": "2016-01-01T00:00:00+08:00"
}
}
}
],
"Version": "1"
} Scenarios
This section describes the specific policies and authorization methods in typical scenarios based on the definitions of the Action, Resource, and Condition elements. For example, an IP address whitelist can be configured, access to specific resources in specific regions can be denied or allowed, and the access time and method can be specified.
Scenario 1: Multiple access control conditions
In this scenario, RAM users who use the 10.10.XX.XX/24 CIDR block can manage the instances named online-01 and online-02 and all tables in the instances, including reading data from and writing data to the tables. Access is allowed only over HTTPS before 00:00:00 on January 1, 2016.
Log on to the RAM console. Take note that you must activate the RAM service.
Create a custom policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. On the JSON tab, enter the following code in the policy document:
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": [ "acs:ots:*:*:instance/online-01", "acs:ots:*:*:instance/online-01/table*", "acs:ots:*:*:instance/online-02", "acs:ots:*:*:instance/online-02/table*" ], "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX/24" ] }, "DateLessThan": { "acs:CurrentTime": "2016-01-01T00:00:00+08:00" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }Click Next to edit policy information. In the Basic information section, enter the name and description of the policy.
Click OK.
Attach the policy to a RAM user.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to whom you want to attach the policy. In the Actions column, click Add Permissions.
In the Grant Permission panel, select Custom Policy, search for the name of the policy you created, and select the check box next to the policy to add the policy to the Selected Policies column.
Click Grant permissions.
Click Close.
Scenario 2: Reject requests
In this scenario, RAM users who use the IP address 10.10.XX.XX cannot write data to tables that belong to instances whose names contain the online or product prefix in the China (Beijing) region. This policy does not take effect for operations on instances.
Log on to the RAM console. Take note that you must activate the RAM service.
Create a custom policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. On the JSON tab, enter the following code in the policy document:
{ "Statement": [ { "Effect": "Deny", "Action": [ "ots:Create*", "ots:Insert*", "ots:Put*", "ots:Update*", "ots:Delete*", "ots:BatchWrite*" ], "Resource": [ "acs:ots:cn-beijing:*:instance/online*/table*", "acs:ots:cn-beijing:*:instance/product*/table*" ], "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX" ] } } } ], "Version": "1" }Click Next to edit policy information. In the Basic information section, enter the name and description of the policy.
Click OK.
Attach the policy to a RAM user.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to whom you want to attach the policy. In the Actions column, click Add Permissions.
In the Grant Permission panel, select Custom Policy, search for the name of the policy you created, and select the check box next to the policy to add the policy to the Selected Policies column.
Click Grant permissions.
Click Close.