From 29daae80a9d56c4605efe13acd18d10fb47e34f6 Mon Sep 17 00:00:00 2001 From: OpenTelekomCloud Proposal Bot Date: Wed, 12 Feb 2025 15:31:23 +0000 Subject: [PATCH] Update content --- umn/source/service_overview/permission.rst | 258 ++++++++++++--------- 1 file changed, 153 insertions(+), 105 deletions(-) diff --git a/umn/source/service_overview/permission.rst b/umn/source/service_overview/permission.rst index a6607ea..c3dafc0 100644 --- a/umn/source/service_overview/permission.rst +++ b/umn/source/service_overview/permission.rst 
@@ -100,117 +100,165 @@ The following table lists fine-grained actions and dependencies for RFS. .. table:: **Table 3** RFS fine-grained actions - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | System-defined Permission | Description | Dependencies | Scenario | - +========================================+===================================================================================================================+=====================================================+=================================================================================================================+ - | rf:privateTemplate:create | Grant permissions to create a template | None | Create a template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:createVersion | Grant permissions to create a template version | - rf:privateTemplate:list | Create a template version | - | | | - rf:privateTemplate:listVersions | | - | | | - rf:privateTemplate:showVersionContent | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:delete | Grant permissions to delete a template | - rf:privateTemplate:list | Delete a template | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:deleteVersion | Grant permissions to delete a template version | - rf:privateTemplate:list | Delete a template version | - | | | - rf:privateTemplate:listVersions | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:list | Grant permissions to list templates | None | List templates | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:listVersions | Grant permissions to list template versions | - rf:privateTemplate:list | List template versions | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showMetadata | Grant permissions to show template metadata | - rf:privateTemplate:list | Show template properties such as template name, ID and description | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showVersionContent | Grant permissions to show template version content | - rf:privateTemplate:list | Show template version content | - | | | - rf:privateTemplate:listVersions | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showVersionMetadata | Grant permissions to show template version metadata | - rf:privateTemplate:list | Show template version properties such as template version ID and description | - | | | - rf:privateTemplate:listVersions | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:updateMetadata | Grant permissions to update template metadata | - rf:privateTemplate:list | Update template properties such as template description | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:template:parseTemplateVariables | Grant 
permissions to parse template variables | None | Parse and return all variable blocks in the template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:applyExecutionPlan | Grant permissions to apply execution plan | - rf:stack:listStacks | Deploy a stack via applying an execution plan | - | | | - rf:stack:getStackMetadata | | - | | | - rf:stack:listExecutionPlans | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:createExecutionPlan | Grant permissions to create execution plan | None | Create an execution plan | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deleteExecutionPlan | Grant permissions to delete execution plan | - rf:stack:listStacks | Delete an execution plan | - | | | - rf:stack:getStackMetadata | | - | | | - rf:stack:listExecutionPlans | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | 
rf:stack:getExecutionPlan | Grant permissions to get execution plan | - rf:stack:listStacks | Get an execution plan which provides a preview of stack changes such as operations to be performed on resources | - | | | - rf:stack:getStackMetadata | | - | | | - rf:stack:listExecutionPlans | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getExecutionPlanMetadata | Grant permissions to get execution plan metadata | - rf:stack:listStacks | Get execution plan properties such as execution plan name, ID and description | - | | | - rf:stack:getStackMetadata | | - | | | - rf:stack:listExecutionPlans | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listExecutionPlans | Grant permissions to list execution plans | - rf:stack:listStacks | List execution plans | - | | | - rf:stack:getStackMetadata | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:createStack | Grant permissions to create stack | Required for creating stack from a private template | Create a stack | - | | | | | - | | | - rf:privateTemplate:list | | - | | | - rf:privateTemplate:listVersions | | - | | | - rf:privateTemplate:showVersionContent | 
| - | | | | | - | | | Required for configuring template variables | | - | | | | | - | | | - rf:template:parseTemplateVariables | | - | | | | | - | | | Required for template resource encryption | | - | | | | | - | | | - kms:cmk:list | | - | | | - kms:dek:create | | - | | | | | - | | | Required for configuring agency | | - | | | | | - | | | - iam:agencies:listAgencies | | - | | | | | - | | | Required for stack creation using direct deployment | | - | | | | | - | | | - rf:stack:deployStack | | - | | | | | - | | | Required for stack creation using execution plan | | - | | | | | - | | | - rf:stack:createExecutionPlan | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deleteStack | Grant permissions to delete stack | - rf:stack:listStacks | Delete a stack | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deployStack | Grant permissions to deploy stack | None | Deploy stack directly | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:continueDeployStack | Grant permissions to continue to deploy stack | - rf:stack:listStacks | Retry failed stack deployment | - | | | - rf:stack:deployStack | | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:continueRollbackStack | Grant permissions to continue to rollback stack. Currently this functionality is only available at the API level. | - rf:stack:listStacks | Retry failed stack rollback | - | | | - rf:stack:deployStack | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getStackMetadata | Grant permissions to get stack metadata | - rf:stack:listStacks | Get stack properties such as stack ID, name and description | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getStackTemplate | Grant permissions to get stack template | - rf:stack:listStacks | Get stack template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackEvents | Grant permissions to list stack events | None | List stack events | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackOutputs | Grant permissions to list stack outputs | None | List stack outputs | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackResources | Grant permissions to list stack resources | None | List stack resources | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStacks | Grant permissions to list stacks | None | List stacks | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:updateStack | Grant permissions to update stack | - rf:stack:listStacks | Update stack properties such as description, auto-rollback and deletion protection | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | System-defined Permission | Description | Dependencies | Scenario | + +========================================+===================================================================================================================+=================================================================+=================================================================================================================+ + | rf:privateTemplate:create | Grant permissions to create a template | None | Create a template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:createVersion | Grant permissions to create a template version | - rf:privateTemplate:list | Create a template version | + | | | - rf:privateTemplate:listVersions | | + | | | - rf:privateTemplate:showVersionContent | | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:delete | Grant permissions to delete a template | - rf:privateTemplate:list | Delete a template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:deleteVersion | Grant permissions to delete a template version | - rf:privateTemplate:list | Delete a template version | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:list | Grant permissions to list templates | None | List templates | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:listVersions | Grant permissions to list template versions | - rf:privateTemplate:list | List template versions | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showMetadata | Grant permissions to show template metadata | - rf:privateTemplate:list | Show template properties such as template name, ID and description | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showVersionContent | Grant permissions to show template version content | - rf:privateTemplate:list | Show template version content | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showVersionMetadata | Grant permissions to show template version metadata | - rf:privateTemplate:list | Show template version properties such as template version ID and description | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + 
| rf:privateTemplate:updateMetadata | Grant permissions to update template metadata | - rf:privateTemplate:list | Update template properties such as template description | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:template:parseTemplateVariables | Grant permissions to parse template variables | None | Parse and return all variable blocks in the template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:applyExecutionPlan | Grant permissions to apply execution plan | - rf:stack:listStacks | Deploy a stack via applying an execution plan | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:createExecutionPlan | Grant permissions to create execution plan | Required to locate the desired stack | Create an execution plan | + | | | | | + | | | - rf:stack:listStacks | | + | | | | | + | | | Required for creating an execution plan from a private template | | + | | | | | + | | | - rf:privateTemplate:list | | + | | | - rf:privateTemplate:listVersions | | + | | | - 
rf:privateTemplate:showVersionContent | | + | | | | | + | | | Required for configuring template variables | | + | | | | | + | | | - rf:template:parseTemplateVariables | | + | | | | | + | | | Required for template resource encryption | | + | | | | | + | | | - kms:cmk:list | | + | | | - kms:dek:create | | + | | | - kms:dek:crypto | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deleteExecutionPlan | Grant permissions to delete execution plan | - rf:stack:listStacks | Delete an execution plan | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getExecutionPlan | Grant permissions to get execution plan | - rf:stack:listStacks | Get an execution plan which provides a preview of stack changes such as operations to be performed on resources | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + | | | - rf:stack:getExecutionPlanMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getExecutionPlanMetadata | Grant permissions to get execution plan 
metadata | - rf:stack:listStacks | Get execution plan properties such as execution plan name, ID and description | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listExecutionPlans | Grant permissions to list execution plans | - rf:stack:listStacks | List execution plans | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:createStack | Grant permissions to create stack | Required for creating stack from a private template | Create a stack | + | | | | | + | | | - rf:privateTemplate:list | | + | | | - rf:privateTemplate:listVersions | | + | | | - rf:privateTemplate:showVersionContent | | + | | | | | + | | | Required for configuring template variables | | + | | | | | + | | | - rf:template:parseTemplateVariables | | + | | | | | + | | | Required for template resource encryption | | + | | | | | + | | | - kms:cmk:list | | + | | | - kms:dek:create | | + | | | | | + | | | Required for configuring agency | | + | | | | | + | | | - iam:agencies:listAgencies | | + | | | | | + | | | Required for stack creation using direct deployment | | + | | | | | + | | | - rf:stack:deployStack | | + | | | | | + | | | Required for stack creation using execution plan | | + | | | | | + | | | - rf:stack:createExecutionPlan | | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deleteStack | Grant permissions to delete stack | - rf:stack:listStacks | Delete a stack | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deployStack | Grant permissions to deploy stack | Required to locate the desired stack | Deploy stack directly | + | | | | | + | | | - rf:stack:listStacks | | + | | | | | + | | | Required for directly deploy a private template | | + | | | | | + | | | - rf:privateTemplate:list | | + | | | - rf:privateTemplate:listVersions | | + | | | - rf:privateTemplate:showVersionContent | | + | | | | | + | | | Required for configuring template variables | | + | | | | | + | | | - rf:template:parseTemplateVariables | | + | | | | | + | | | Required for template resource encryption | | + | | | | | + | | | - kms:cmk:list | | + | | | - kms:dek:create | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:continueDeployStack | Grant permissions to continue to deploy stack | - rf:stack:listStacks | Retry failed stack deployment | + | | | | | + | | | Required for template resource encryption | | + | | | | | + 
| | | - kms:dek:crypto | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:continueRollbackStack | Grant permissions to continue to rollback stack. Currently this functionality is only available at the API level. | None | Retry failed stack rollback | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getStackMetadata | Grant permissions to get stack metadata | - rf:stack:listStacks | Get stack properties such as stack ID, name and description | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getStackTemplate | Grant permissions to get stack template | - rf:stack:listStacks | Get stack template | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackEvents | Grant permissions to list stack events | - rf:stack:listStacks | 
List stack events | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackOutputs | Grant permissions to list stack outputs | - rf:stack:listStacks | List stack outputs | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackResources | Grant permissions to list stack resources | - rf:stack:listStacks | List stack resources | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStacks | Grant permissions to list stacks | None | List stacks | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:updateStack | Grant permissions to update stack | - rf:stack:listStacks | Update stack properties such as description, auto-rollback and deletion protection 
| + | | | - rf:stack:getStackMetadata | | + | | | | | + | | | Required for configuring agency | | + | | | | | + | | | - iam:agencies:listAgencies | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ .. note:: - If an agency is configured for the stack, make sure that all necessary permissions are configured for the agency, which are required for stack deployment. - If there is no configured agency for the stack, make sure that all necessary permissions are assigned to the user, which are required for stack deployment. - - These permissions can be: - - Different cloud service specific permissions depending on the resources and the operations described in the terraform template. - - If the resource encryption is enabled in the terraform template, the **kms:dek:crypto** permission must be assigned to the user. + These permissions can be: + + - Different cloud service specific permissions depending on the resources and the operations described in the terraform template. + - If the resource encryption is enabled in the terraform template, the **kms:dek:crypto** permission must be granted. Related Documents -----------------
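Review bot: the KMS dependencies listed under "Required for template resource encryption" are inconsistent across the new Table 3 rows: rf:stack:createExecutionPlan lists kms:cmk:list, kms:dek:create and kms:dek:crypto, rf:stack:createStack and rf:stack:deployStack list only kms:cmk:list and kms:dek:create, and rf:stack:continueDeployStack lists only kms:dek:crypto. The closing note says kms:dek:crypto "must be granted" whenever resource encryption is enabled in the template, so a least-privilege policy built from the createStack or deployStack row alone would omit a permission the note treats as mandatory; either add kms:dek:crypto to those rows or state why they differ. The reworded note also drops "to the user" without naming the grantee; suggest wording such as "must be granted to the agency, or to the user when no agency is configured", in line with the two sentences that open the note. In the rf:stack:deployStack row, "Required for directly deploy a private template" should read "Required for directly deploying a private template". Finally, rf:stack:continueDeployStack and rf:stack:continueRollbackStack both lose the rf:stack:deployStack dependency, and continueRollbackStack goes to "None" while its sibling continueDeployStack keeps rf:stack:listStacks; please confirm these removals are intended rather than omissions, and describe them in the commit message, since "Update content" does not say that permission dependencies changed.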