If the system-defined MRS permissions do not meet your authorization requirements, you can create custom policies.
Custom policies can currently be created in either of the following two ways:
- Creating a custom policy in the visual editor: no knowledge of the policy syntax is required. Select the cloud service, actions, resources, conditions and other policy elements from the visual editor's navigation bar, and the policy is generated automatically.
- Creating a custom policy in the JSON view: select a policy template and then edit its content to fit your requirements, or write the policy content in JSON format directly in the edit box.
This section introduces commonly used MRS custom policy examples.
MRS custom policy examples
Example 1: Grant a user only the permission to create MRS clusters.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:create",
"ecs:*:*",
"bms:*:*",
"evs:*:*",
"vpc:*:*",
"smn:*:*"
]
}
]
}
Example 2: Grant a user the permission to resize MRS clusters.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:resize"
]
}
]
}
Example 3: Grant a user the permissions to create clusters, create and run jobs, and delete individual jobs, but deny the user the permission to delete clusters.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:create",
"mrs:job:submit",
"mrs:job:delete"
]
},
{
"Effect": "Deny",
"Action": [
"mrs:cluster:delete"
]
}
]
}
Example 4: Grant a user the minimum permissions needed to create a cluster with ECS specifications.
Note
If a key pair is used when creating the cluster, add the permissions ecs:serverKeypairs:get and ecs:serverKeypairs:list.
If data disk encryption is used when creating the cluster, add the permission kms:cmk:list.
If the alarm function is enabled when creating the cluster, add the permission mrs:alarm:subscribe.
If an external data source is used when creating the cluster, add the permission rds:instance:list.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:create"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:cloudServers:updateMetadata",
"ecs:cloudServerFlavors:get",
"ecs:cloudServerQuotas:get",
"ecs:servers:list",
"ecs:servers:get",
"ecs:cloudServers:delete",
"ecs:cloudServers:list",
"ecs:serverInterfaces:get",
"ecs:serverGroups:manage",
"ecs:servers:setMetadata",
"ecs:cloudServers:get",
"ecs:cloudServers:create"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:securityGroups:create",
"vpc:securityGroupRules:delete",
"vpc:vpcs:create",
"vpc:ports:create",
"vpc:securityGroups:get",
"vpc:subnets:create",
"vpc:privateIps:delete",
"vpc:quotas:list",
"vpc:networks:get",
"vpc:publicIps:list",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:create",
"vpc:privateIps:create",
"vpc:ports:get",
"vpc:ports:delete",
"vpc:publicIps:update",
"vpc:subnets:get",
"vpc:publicIps:get",
"vpc:ports:update",
"vpc:vpcs:list"
]
},
{
"Effect": "Allow",
"Action": [
"evs:quotas:get",
"evs:types:get"
]
},
{
"Effect": "Allow",
"Action": [
"bms:serverFlavors:get"
]
}
]
}
Example 5: Grant a user the minimum permissions needed to create a cluster with BMS specifications.
Note
If a key pair is used when creating the cluster, add the permissions ecs:serverKeypairs:get and ecs:serverKeypairs:list.
If data disk encryption is used when creating the cluster, add the permission kms:cmk:list.
If the alarm function is enabled when creating the cluster, add the permission mrs:alarm:subscribe.
If an external data source is used when creating the cluster, add the permission rds:instance:list.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:create"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:servers:list",
"ecs:servers:get",
"ecs:cloudServers:delete",
"ecs:serverInterfaces:get",
"ecs:serverGroups:manage",
"ecs:servers:setMetadata",
"ecs:cloudServers:create",
"ecs:cloudServerFlavors:get",
"ecs:cloudServerQuotas:get"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:securityGroups:create",
"vpc:securityGroupRules:delete",
"vpc:vpcs:create",
"vpc:ports:create",
"vpc:securityGroups:get",
"vpc:subnets:create",
"vpc:privateIps:delete",
"vpc:quotas:list",
"vpc:networks:get",
"vpc:publicIps:list",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:create",
"vpc:privateIps:create",
"vpc:ports:get",
"vpc:ports:delete",
"vpc:publicIps:update",
"vpc:subnets:get",
"vpc:publicIps:get",
"vpc:ports:update",
"vpc:vpcs:list"
]
},
{
"Effect": "Allow",
"Action": [
"evs:quotas:get",
"evs:types:get"
]
},
{
"Effect": "Allow",
"Action": [
"bms:servers:get",
"bms:servers:list",
"bms:serverQuotas:get",
"bms:servers:updateMetadata",
"bms:serverFlavors:get"
]
}
]
}
Example 6: Grant a user the minimum permissions needed to create a hybrid cluster of ECS and BMS nodes.
Note
If a key pair is used when creating the cluster, add the permissions ecs:serverKeypairs:get and ecs:serverKeypairs:list.
If data disk encryption is used when creating the cluster, add the permission kms:cmk:list.
If the alarm function is enabled when creating the cluster, add the permission mrs:alarm:subscribe.
If an external data source is used when creating the cluster, add the permission rds:instance:list.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mrs:cluster:create"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:cloudServers:updateMetadata",
"ecs:cloudServerFlavors:get",
"ecs:cloudServerQuotas:get",
"ecs:servers:list",
"ecs:servers:get",
"ecs:cloudServers:delete",
"ecs:cloudServers:list",
"ecs:serverInterfaces:get",
"ecs:serverGroups:manage",
"ecs:servers:setMetadata",
"ecs:cloudServers:get",
"ecs:cloudServers:create"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:securityGroups:create",
"vpc:securityGroupRules:delete",
"vpc:vpcs:create",
"vpc:ports:create",
"vpc:securityGroups:get",
"vpc:subnets:create",
"vpc:privateIps:delete",
"vpc:quotas:list",
"vpc:networks:get",
"vpc:publicIps:list",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:create",
"vpc:privateIps:create",
"vpc:ports:get",
"vpc:ports:delete",
"vpc:publicIps:update",
"vpc:subnets:get",
"vpc:publicIps:get",
"vpc:ports:update",
"vpc:vpcs:list"
]
},
{
"Effect": "Allow",
"Action": [
"evs:quotas:get",
"evs:types:get"
]
},
{
"Effect": "Allow",
"Action": [
"bms:servers:get",
"bms:servers:list",
"bms:serverQuotas:get",
"bms:servers:updateMetadata",
"bms:serverFlavors:get"
]
}
]
}
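As an added illustration (not code from the MRS documentation), the following Python script evaluates the page's Example 1 and Example 3 policies the way a policy checker would, and reports which of the key-pair permissions listed in the notes above a policy still lacks. It assumes segment-wise "*" matching for Action entries and that an explicit Deny overrides an Allow, the rule Example 3 depends on.

```python
import json

# Policies from this page, embedded in compact form as the inputs under test.
EXAMPLE_1 = json.loads('{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": '
                       '["mrs:cluster:create", "ecs:*:*", "bms:*:*", "evs:*:*", "vpc:*:*", "smn:*:*"]}]}')
EXAMPLE_3 = json.loads('{"Version": "1.1", "Statement": ['
                       '{"Effect": "Allow", "Action": ["mrs:cluster:create", "mrs:job:submit", "mrs:job:delete"]}, '
                       '{"Effect": "Deny", "Action": ["mrs:cluster:delete"]}]}')

# Actions the page's note says a key-pair cluster creation needs on top of mrs:cluster:create.
KEYPAIR_CREATE = ["mrs:cluster:create", "ecs:serverKeypairs:get", "ecs:serverKeypairs:list"]


def action_matches(pattern: str, action: str) -> bool:
    """Match one policy Action entry against a concrete action.

    Actions are 'service:resource:operation'; a '*' segment matches any value,
    so 'ecs:*:*' covers every ECS action. Segment-wise matching is an assumption.
    """
    pp, ap = pattern.split(":"), action.split(":")
    return len(pp) == len(ap) and all(p == "*" or p == a for p, a in zip(pp, ap))


def evaluate(policy: dict, action: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single action.

    An explicit Deny in any statement overrides an Allow in another; this is
    the rule Example 3 relies on to block mrs:cluster:delete.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def missing_actions(policy: dict, required: list[str]) -> list[str]:
    """Actions from `required` that the policy does not allow, in order."""
    return [a for a in required if evaluate(policy, a) != "Allow"]


if __name__ == "__main__":
    for a in ["mrs:job:submit", "mrs:cluster:delete", "mrs:cluster:resize"]:
        print(f"Example 3, {a}: {evaluate(EXAMPLE_3, a)}")
    print("Example 3 lacks for key-pair creation:", missing_actions(EXAMPLE_3, KEYPAIR_CREATE))
    print("Example 1 lacks for key-pair creation:", missing_actions(EXAMPLE_1, KEYPAIR_CREATE))
```

Running the script shows that Example 1's ecs:*:* wildcard already covers the key-pair actions, whereas Example 3 would need both added explicitly.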