权限指在特定条件下 ,允许(Allow)或拒绝(Deny)对指定资源执行的相关操作。
操作步骤
权限的载体是授权策略。自定义权限,即在自定义授权策略时定义某些权限。
Action 定义
Action是API的名称。在创建IoT授权策略时,每个Action前缀均为iot:,多个Action以英文逗号(,)分隔,支持使用星号(*)通配符。IoT API名称定义,请参见IoT API授权映射表。
下面介绍一些典型的Action定义示例。
- 定义单个API。
"Action": "iot:CreateProduct" - 定义多个API。
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ] - 定义所有只读API,包含规则引擎数据流转目标产品的权限。
{ "Version": "1", "Statement": [ { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:GetProject", "dhs:ListTopic", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] } - 定义所有读写API,包含规则引擎数据流转目标产品的权限。
{ "Version": "1", "Statement": [ { "Action": "iot:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:ListTopic", "dhs:GetProject", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance", "hitsdb:ModifyHiTSDBInstanceSecurityIpList" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] }
Condition定义
目前RAM用户授权策略支持访问IP限制、是否通过HTTPS访问、是否通过MFA(多因素认证)访问、访问时间限制等多种鉴权条件。物联网平台的所有API均支持上述条件。
- 访问IP限制。
访问控制可以限制访问IoT的源IP地址,并且支持根据网段进行过滤。以下是典型的使用场景示例。
- 限制单个IP地址和IP网段。例如,只允许IP地址为192.0.2.1或198.51.100.0/24网段的请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1", "198.51.100.0/24" ] } } } ], "Version": "1" } - 限制多个IP地址。例如,只允许IP地址为192.0.2.1和198.51.100.1的请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1", "198.51.100.1" ] } } } ], "Version": "1" }
- 限制单个IP地址和IP网段。例如,只允许IP地址为192.0.2.1或198.51.100.0/24网段的请求访问。
- HTTPS访问限制。
访问控制可以限制是否通过HTTPS访问。
示例:限制必须通过HTTPS请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" } - MFA访问限制。
访问控制可以限制是否通过MFA(多因素认证)访问。MFA访问适用于控制台登录,使用API访问无需MFA码。
示例:限制必须通过MFA请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "Bool": { "acs:MFAPresent ": "true" } } } ], "Version": "1" } - 访问时间限制。
访问控制可以限制请求的访问时间,即只允许或拒绝在某个时间点范围之前的请求。
示例:用户可以在北京时间2019年01月01日凌晨之前访问,之后则不能访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" } } } ], "Version": "1" }
典型使用场景
结合以上对Action、Resource和Condition的定义,下面介绍一些典型使用场景的授权策略定义和授权方法。
- 允许访问的授权策略示例。
场景:定义访问IP地址为192.0.2.1/24网段的用户访问IoT的权限,且要求只能在2019-01-01 00:00:00之前访问和通过HTTPS访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1/24" ] }, "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" } - 拒绝访问的授权策略示例。
场景:拒绝访问IP地址为198.51.100.1的用户对IoT执行读操作。
{ "Statement": [ { "Effect": "Deny", "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*" ], "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "198.51.100.1" ] } } } ], "Version": "1" }
授权策略创建成功后,将此权限授予RAM用户。获得授权的RAM用户就可以进行权限中定义的操作。创建RAM用户和授权操作帮助,请参见RAM用户访问。