通過瞭解資源描述,明確每種資源的特性和訪問方式。您可以制定相應的鑒權規則,來有效地管理系統中的各種資源。
資源描述
在通過RAM進行授權時,資源的描述方式如下表所示。為遵循最小許可權原則,授權時應盡量使用具體的執行個體、命名空間或倉庫描述,而不是直接使用萬用字元:
資源類型 | 授權策略中的資源描述 |
* | acs:cr:$regionid:$accountid:* |
instance | acs:cr:$regionid:$accountid:instance/$instanceid |
repository | acs:cr:$regionid:$accountid:repository/$instanceid/* acs:cr:$regionid:$accountid:repository/$instanceid acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
chart | acs:cr:$regionid:$accountid:chart/$instanceid/* acs:cr:$regionid:$accountid:chart/$instanceid acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
參數說明如下表所示:
參數名稱 | 說明 |
regionid | 地區ID,可用*代替(表示匹配所有地區)。 |
accountid | 雲帳號數字ID,可用*代替。 |
instanceid | Container Registry企業版執行個體ID。 |
namespacename | 命名空間名稱。 |
repositoryname | 鏡像倉庫名稱。 |
chartnamespacename | Chart鏡像命名空間名稱。 |
chartrepositoryname | Chart鏡像倉庫名稱。 |
鑒權規則
RAM使用者或通過STS臨時憑證訪問鏡像服務API時,鏡像服務會向RAM進行許可權檢查,以確保調用者擁有相應許可權。每個API會根據涉及到的資源以及API的語義來確定需要檢查哪些資源的許可權;只有當授權策略中的Action與Resource同時匹配時,調用才會被允許。每個API的鑒權規則如下表所示:
說明:表中的 * 表示萬用字元。
API | 鑒權Action | 鑒權Resource |
GetAuthorizationToken | cr:GetAuthorizationToken | *(該Action的Resource為*;取得登入憑證後,實際拉取或推送鏡像時仍分別按下表PullRepository、PushRepository規則鑒權) |
GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceCount | cr:ListInstance | * |
GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid |
GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/* |
ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* |
ListInstance | cr:ListInstance | * |
ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid |
ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/* |
ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* |
CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid |
CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid |
CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetArtifactBuildRule | cr:GetArtifactBuildRule | acs:cr:$regionid:$accountid:instance/$instanceid |
GetPersonalInstanceDomainAccessStatus | cr:GetPersonalInstanceDomainAccessStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
ListRepositoryVulTagCount | cr:ListRepoVulTagCount | acs:cr:$regionid:$accountid:instance/$instanceid |