当子用户通过MongoDB OpenAPI进行资源访问时,MongoDB后台向RAM进行权限检查,以确保调用者拥有响应权限。

每个不同的MongoDB API会根据涉及到的资源以及API的语义来确定需要检查哪些资源的权限。具体每个API的鉴权规则见下表。

Action 鉴权规则
dds:CreateDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyDBInstanceSpec acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DeleteDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:RenewDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:CreateShardingDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DeleteNode acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:CreateNode acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyNodeSpec acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeDBInstances acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:RestartDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyDBInstanceMaintainTime acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyDBInstanceDescription acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeDBInstanceAttribute acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeReplicaSetRole acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeShardingNetworkAddress acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyDBInstanceNetworkType acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyDBInstanceNetExpireTime acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeDBInstancePerformance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeAccounts acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ResetAccountPassword acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeSecurityIps acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifySecurityIps acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeAuditRecords acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeAuditFiles acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeBackupPolicy acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:ModifyBackupPolicy acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:CreateBackup acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:RestoreDBInstance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeBackups acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid
dds:DescribeDBInstancePerformance acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid