doc-exports/docs/css/umn/css_04_0014.html
Zheng, Xiu 5b5876528a CSS UMN 22.5.1 Version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: Zheng, Xiu <zhengxiu@huawei.com>
Co-committed-by: Zheng, Xiu <zhengxiu@huawei.com>
2023-03-29 17:17:49 +00:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CSS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you may need to grant some software developers in your enterprise access to CSS resources but do not want them to be able to delete them or perform any high-risk operations. To this end, you can create IAM users for the software developers and grant them only the permissions required for using CSS resources.

If you do not need to create IAM users, you can skip this section.

IAM is a free service. You pay only for the resources in your account.

Permissions Management

By default, new IAM users do not have any permissions assigned. You need to add the user to one or more groups, and apply permissions policies or roles to these groups. Users inherit permissions from the groups they are added to and can perform specified operations on cloud services based on these permissions.

CSS is a project-level service deployed in specific physical regions. CSS permissions are assigned to users in specific regions and only take effect for these regions. If you want the permissions to take effect for all regions, you need to assign the permissions to the users in each region. When accessing CSS, the users need to switch to a region where they have been authorized to use cloud services.

You can use roles and policies to grant users permissions.

  • Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. There are only a limited number of service-level roles for granting permissions to users. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies are a type of fine-grained authorization mechanism that defines the permissions for performing operations on specific cloud resources under certain conditions. This mechanism allows for more flexible authorization and meets requirements for more secure access control. For example, CSS administrators can grant CSS users only the permissions needed for managing a certain type of CSS resource.

Table 1 lists all the system roles supported by CSS. Note that some CSS roles depend on the roles of other services. When assigning CSS roles to users, you need to also assign the dependent roles for the CSS permissions to take effect.

Table 1 System-defined roles and policies supported by CSS

| Role Name | Description | Dependency |
|---|---|---|
| Elasticsearch Administrator | CSS administrator | Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: a global role, which must be assigned in the global project. Server Administrator: a project-level role, which must be assigned in the same project. |

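
The dependency rule above (Elasticsearch Administrator takes effect only if the same user also holds Tenant Guest in the global project and Server Administrator in the same project) can be audited mechanically over a list of group role assignments. The following is an added example, not code from the CSS documentation or the service; `Assignment`, `missing_dependencies`, the user names and the project names are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

GLOBAL = "global"  # the global project, where Tenant Guest must be assigned

# Dependencies from Table 1: CSS role -> (dependent role, required scope).
# "global" = the global project; "same" = the same project as the CSS role.
ROLE_DEPENDENCIES = {
    "Elasticsearch Administrator": [
        ("Tenant Guest", "global"),
        ("Server Administrator", "same"),
    ],
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    project: str  # a region-specific project name, or GLOBAL

def missing_dependencies(assignments):
    """Return one finding per CSS role whose dependent role is not held
    by the same user in the required scope (see Table 1)."""
    held = {(a.user, a.role, a.project) for a in assignments}
    findings = []
    for a in assignments:
        for dep_role, scope in ROLE_DEPENDENCIES.get(a.role, []):
            dep_project = GLOBAL if scope == "global" else a.project
            if (a.user, dep_role, dep_project) not in held:
                findings.append(
                    f"{a.user}: {a.role} in {a.project} needs {dep_role} in {dep_project}"
                )
    return findings

# Constructed sample assignments (hypothetical users and project names).
# alice is complete; bob holds Server Administrator in a different project,
# so his Elasticsearch Administrator role does not take effect in region-a.
SAMPLE = [
    Assignment("alice", "Elasticsearch Administrator", "region-a"),
    Assignment("alice", "Server Administrator", "region-a"),
    Assignment("alice", "Tenant Guest", GLOBAL),
    Assignment("bob", "Elasticsearch Administrator", "region-a"),
    Assignment("bob", "Server Administrator", "region-b"),
    Assignment("bob", "Tenant Guest", GLOBAL),
]

if __name__ == "__main__":
    for finding in missing_dependencies(SAMPLE):
        print(finding)
```

Because CSS permissions are project-level, a role held in another region's project does not satisfy the "same project" dependency, which is exactly the case the sample flags for bob.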

Table 2 Relationship between user permissions and roles

| Permission Type | Description | Type | Required Role |
|---|---|---|---|
| Permission 1 | Creating, deleting, and expanding CSS clusters; manually and automatically backing up CSS cluster data; restoring CSS cluster data; creating an IAM agency; creating an OBS bucket; creating a VPC and security group; Kibana; customizing a word dictionary | System-defined role | Elasticsearch Administrator, Server Administrator, Tenant Guest, VPC Administrator, Security Administrator, OBS Administrator |
| Permission 2 | Creating, deleting, and expanding CSS clusters; manually backing up CSS cluster data; restoring CSS cluster data; Kibana; customizing a word dictionary | System-defined role | Elasticsearch Administrator, Server Administrator, Tenant Guest |
| Permission 3 | Viewing the cluster list; viewing the Overview page; Kibana | System-defined role | Tenant Guest, which must be assigned in the same project as Permission 3 |

Table 3 lists the common operations supported by each system-defined policy of CSS. Use it to choose the system-defined policies that match the operations a user actually needs.

Table 3 Common operations supported by each system-defined policy

| Operation | CSS FullAccess | CSS ReadOnlyAccess | Elasticsearch Administrator | Remarks |
|---|---|---|---|---|
| Creating a cluster | | x | | - |
| Querying a cluster list | | | | - |
| Querying cluster details | | | | - |
| Deleting a cluster | | x | | - |
| Restarting a cluster | | x | | - |
| Expanding cluster capacity | | x | | - |
| Adding instances and expanding instance storage capacity | | x | | - |
| Querying tags of a specified cluster | | | | - |
| Querying all tags | | | | - |
| Loading a custom word dictionary | | x | | Depends on OBS and IAM permissions |
| Querying the status of a custom word dictionary | | | | - |
| Deleting a custom word dictionary | | x | | - |
| Automatically setting basic configurations of a cluster snapshot | | x | | Depends on OBS and IAM permissions |
| Modifying basic configurations of a cluster snapshot | | x | | Depends on OBS and IAM permissions |
| Setting the automatic snapshot creation policy | | x | | - |
| Querying the automatic snapshot creation policy | | | | - |
| Manually creating a snapshot | | x | | - |
| Querying the snapshot list | | | | - |
| Restoring a snapshot | | x | | - |
| Deleting a snapshot | | x | | - |
| Disabling the snapshot function | | x | | - |