权限指在某种条件下 ,允许 (Allow) 或 拒绝 (Deny) 对某些资源执行某些操作。
权限的载体是授权策略。自定义权限,即在自定义授权策略时定义某些权限。在 RAM 控制台,策略管理页面,单击新建授权策略开始创建自定义授权策略。创建自定义授权策略时,请选择模板为空白模板。
授权策略是 JSON 格式的字符串,需包含以下参数:
-
Action:表示要授权的操作。IoT 操作都以iot: 开头。定义方式和示例,请参见本文档中Action 定义。
-
Effect : 表示授权类型,取值:Allow、Deny。
-
Resource :物联网平台目前暂不支持资源粒度的授权,请填写
*。 -
Condition :表示鉴权条件。详细信息,请参见本文档中 Condition 定义。
Action 定义
Action是 API 的名称。在创建 IoT 的授权策略时,每个 Action 前缀均为iot:,多个 Action 以逗号分隔。并且,支持使用星号通配符。IoT API 名称定义,请参见IoT API 授权映射表 。
下面介绍一些典型的 Action 定义示例。
- 定义单个 API。
"Action": "iot:CreateProduct" - 定义多个API。
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ] - 定义所有只读 API。
{ "Version": "1", "Statement": [ { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:GetProject", "dhs:ListTopic", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] } - 定义所有读写 API。
{ "Version": "1", "Statement": [ { "Action": "iot:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:ListTopic", "dhs:GetProject", "dhs:GetTopic" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ons:OnsRegionList", "ons:OnsInstanceInServiceList", "ons:OnsTopicList", "ons:OnsTopicGet" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "hitsdb:DescribeRegions", "hitsdb:DescribeHiTSDBInstanceList", "hitsdb:DescribeHiTSDBInstance", "hitsdb:ModifyHiTSDBInstanceSecurityIpList" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] }
Condition 定义
目前 RAM 授权策略支持访问 IP 限制、是否通过 HTTPS 访问、是否通过 MFA(多因素认证)访问、访问时间限制等多种鉴权条件。物联网平台的所有 API 均支持这些条件。
访问 IP 限制
访问控制可以限制访问 IoT 的源 IP 地址,并且支持根据网段进行过滤。以下是典型的使用场景示例。
- 限制单个 IP 地址和 IP 网段。例如,只允许 IP 地址为 10.101.168.111 或 10.101.169.111/24 网段的请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.168.111", "10.101.169.111/24" ] } } } ], "Version": "1" } - 限制多个 IP 地址。例如,只允许 IP 地址为 10.101.168.111 和 10.101.169.111 的请求访问。
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.168.111", "10.101.169.111" ] } } } ], "Version": "1" }
HTTPS 访问限制
访问控制可以限制是否通过 HTTPS 访问。
示例:限制必须通过 HTTPS 请求访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}
MFA 访问限制
访问控制可以限制是否通过 MFA(多因素认证)访问。MFA访问适用于控制台登录,使用API访问无需MFA码。
示例:限制必须通过 MFA 请求访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent ": "true"
}
}
}
],
"Version": "1"
}
访问时间限制
访问控制可以限制请求的访问时间,即只允许或拒绝在某个时间点范围之前的请求。
示例:用户可以在北京时间 2019 年 1 月 1 号凌晨之前访问,之后则不能访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*",
"Condition": {
"DateLessThan": {
"acs:CurrentTime": "2019-01-01T00:00:00+08:00"
}
}
}
],
"Version": "1"
}典型使用场景
结合以上对 Action、Resource 和 Condition 的定义,下面介绍一些典型使用场景的授权策略定义和授权方法。
允许访问的授权策略示例
场景:定义访问 IP 地址为 10.101.168.111/24 网段的用户访问 IoT 的权限,且要求只能在 2019-01-01 00:00:00 之前访问和通过 HTTPS 访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"10.101.168.111/24"
]
},
"DateLessThan": {
"acs:CurrentTime": "2019-01-01T00:00:00+08:00"
},
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}
拒绝访问的授权策略示例
场景:拒绝访问 IP 地址为 10.101.169.111 的用户对 IoT 执行读操作。
{
"Statement": [
{
"Effect": "Deny",
"Action": [
"iot:Query*",
"iot:List*",
"iot:Get*",
"iot:BatchGet*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"10.101.169.111"
]
}
}
}
],
"Version": "1"
}授权策略创建成功后,在访问控制 RAM 控制台,用户管理页面,将此权限授予子账号用户。获得授权的子账号用户就可以进行权限中定义的操作。创建子账号和授权操作帮助,请参见子账号访问。
在文档使用中是否遇到以下问题
更多建议
匿名提交