vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/umn/obs_03_0110.html
zhangyue b55201d729 OBS UMN DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-03-18 15:39:30 +00:00

87 lines
8.6 KiB
HTML
Raw Blame History

<a name="obs_03_0110"></a><a name="obs_03_0110"></a>
<h1 class="topictitle1">IAM Policies</h1>
<div id="body1557026128761"><p id="obs_03_0110__p1214113528254">You can create IAM users under a registered cloud service account, and then use IAM policies to control users' access permissions to cloud resources.</p>
<p id="obs_03_0110__p1917517275013"><span id="obs_03_0110__ph9419171385810">IAM policies</span> define the actions that can be performed on your cloud resources. In other words, <span id="obs_03_0110__ph236280132513">IAM policies</span> specify what actions are allowed or denied.</p>
<p id="obs_03_0110__p05651517436"><span id="obs_03_0110__ph1176871632515">IAM policies</span> with OBS permissions take effect on all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group to which the user belongs.</p>
<p id="obs_03_0110__p91962611510">For details about OBS permissions controlled by IAM policies, see <a href="obs_03_0045.html">Permissions Management</a>.</p>
<div class="section" id="obs_03_0110__section01904185241"><h4 class="sectiontitle"><span id="obs_03_0110__ph6172205042519">IAM policies</span> Application Scenarios</h4><p id="obs_03_0110__p101714434165"><span id="obs_03_0110__ph547719516292">IAM policies</span> are used to authorize IAM users under an account.</p>
<ul id="obs_03_0110__ul319124042416"><li id="obs_03_0110__li244101111715">Controlling permissions to cloud resources as a whole under an account</li><li id="obs_03_0110__li81911640122419">Controlling permissions to all OBS buckets and objects under an account</li></ul>
</div>
<div class="section" id="obs_03_0110__section9268135516548"><h4 class="sectiontitle">Policy Structure and Syntax</h4><p id="obs_03_0110__p232429165515">A policy consists of a version and statements. Each policy can have multiple statements.</p>
<div class="fignone" id="obs_03_0110__fig378124416551"><span class="figcap"><b>Figure 1 </b>Policy structure</span><br><span><img id="obs_03_0110__image1778118444554" src="en-us_image_0170580428.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="obs_03_0110__p88641011565">Policy syntax example:</p>
<pre class="screen" id="obs_03_0110__screen66912516336">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMybuckets",
"obs:bucket:HeadBucket",
"obs:bucket:ListBucket",
"obs:bucket:GetBucketLocation"
]
}
]
}</pre>
<pre class="screen" id="obs_03_0110__screen1733411319613">{
"Version": "1.0",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket",
"s3:GetBucketLocation",
"s3:ListBucket"
]
}
]
}</pre>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_03_0110__table987212714414" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Policy syntax parameters</caption><thead align="left"><tr id="obs_03_0110__row19873102713411"><th align="left" class="cellrowborder" valign="top" width="22.07%" id="mcps1.3.6.7.2.3.1.1"><p id="obs_03_0110__p178737272043">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="77.92999999999999%" id="mcps1.3.6.7.2.3.1.2"><p id="obs_03_0110__p1887302718414">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_03_0110__row17873027842"><td class="cellrowborder" valign="top" width="22.07%" headers="mcps1.3.6.7.2.3.1.1 "><p id="obs_03_0110__p48732027743">Version</p>
</td>
<td class="cellrowborder" valign="top" width="77.92999999999999%" headers="mcps1.3.6.7.2.3.1.2 "><div class="p" id="obs_03_0110__p829912213615">The version number of a policy.<ul id="obs_03_0110__ul1484412128619"><li id="obs_03_0110__li577602617611"><strong id="obs_03_0110__b11365145614458">1.0</strong>: RBAC policies. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service.</li><li id="obs_03_0110__li18445129618"><strong id="obs_03_0110__b38718110461">1.1</strong>: Fine-grained policies. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control than RBAC policies. Users with such fine-grained permissions can only perform authorized operations on specific services.</li></ul>
</div>
</td>
</tr>
<tr id="obs_03_0110__row187317273414"><td class="cellrowborder" valign="top" width="22.07%" headers="mcps1.3.6.7.2.3.1.1 "><p id="obs_03_0110__p108731927249">Statement</p>
</td>
<td class="cellrowborder" valign="top" width="77.92999999999999%" headers="mcps1.3.6.7.2.3.1.2 "><p id="obs_03_0110__p10869111617713">Permissions defined by a policy, including <strong id="obs_03_0110__b1953163904712">Effect</strong> and <strong id="obs_03_0110__b15171134334712">Action</strong>.</p>
<div class="p" id="obs_03_0110__p151471577233"><ul id="obs_03_0110__ul1802181615716"><li id="obs_03_0110__li480221610716"><strong id="obs_03_0110__b8423527069271">Effect</strong><p id="obs_03_0110__p1880291618711">The valid values for <strong id="obs_03_0110__b453725310478">Effect</strong> are <strong id="obs_03_0110__b1496385664715">Allow</strong> and <strong id="obs_03_0110__b172848592477">Deny</strong>. System policies contain only <strong id="obs_03_0110__b132351212154812">Allow</strong> statements. For custom policies containing both <strong id="obs_03_0110__b9311023104815">Allow</strong> and <strong id="obs_03_0110__b5127182694813">Deny</strong> statements, the <strong id="obs_03_0110__b7952103014481">Deny</strong> statements take precedence.</p>
</li><li id="obs_03_0110__li980219163715"><strong id="obs_03_0110__b53451317470">Action</strong><p id="obs_03_0110__p14803201610710">Permissions of specific operations on resources in the format of <em id="obs_03_0110__i527618533489">Service name</em>:<em id="obs_03_0110__i527745320487">Resource type</em>:<em id="obs_03_0110__i227875320483">Operation</em>. A policy can contain one or more permissions. The wildcard (*) is allowed to indicate all of the services, resource types, or operations depending on its location in the action. OBS has two resource types: bucket and object.</p>
</li></ul>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="obs_03_0110__section477513429495"><h4 class="sectiontitle">Authentication of <span id="obs_03_0110__ph34931313182620">IAM policies</span></h4><p id="obs_03_0110__p15598157105013">The authentication of <span id="obs_03_0110__ph594911718268">IAM policies</span> starts from the Deny statements. The following figure shows the authentication logic for resource access.</p>
<div class="fignone" id="obs_03_0110__fig1757455075016"><span class="figcap"><b>Figure 2 </b>Authentication logic</span><br><span><img id="obs_03_0110__image957465075018" src="en-us_image_0170555653.png"></span></div>
<div class="note" id="obs_03_0110__note45325275118"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_03_0110__p874985965112">The actions in each policy are in the OR relationship.</p>
</div></div>
<ol id="obs_03_0110__ol1830433816514"><li id="obs_03_0110__li530413865118">A user accesses the system and makes an operation request.</li><li id="obs_03_0110__li83046389517">The system evaluates all the permission policies assigned to the user.</li><li id="obs_03_0110__li1630423818518">In these policies, the system looks for explicit deny permissions. If the system finds an explicit deny that applies, it returns a decision of Deny, and the authentication ends.</li><li id="obs_03_0110__li330413810512">If no explicit deny is found, the system looks for allow permissions that would apply to the request. If the system finds an explicit allow permission that applies, it returns a decision of Allow, and the authentication ends.</li><li id="obs_03_0110__li1130463812513">If no explicit allow permission is found, IAM returns a decision of Deny, and the authentication ends.</li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_03_0109.html">Permission Control Mechanisms</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
View Git Blame Copy Permalink