
Console Examples

Last updated: 2024-01-11 15:28:38

Sample CAM Policies for TencentDB

You can use a CAM policy to grant a user permission to view and use specific resources in the TencentDB console. The samples below show policies for common authorization scenarios. Currently, CAM policies for TencentDB for MariaDB can be created only with the Create by Policy Syntax method.
Note:
The API keyword of TencentDB for MariaDB in CAM is mariadb.

Step 1. Create a custom policy

1. Enter the Policy Syntax configuration page and click Create Custom Policy.
2. Click Create by Policy Syntax in the pop-up window.


3. Select Blank Template and click Next.


4. Enter the corresponding policy syntax.



Step 2. Associate the sub-account/collaborator and verify

After the policy is created, associate it with a user/group. After the association is completed, use another browser (or server) to verify whether the sub-account/collaborator can work normally. If the policy syntax is written correctly, you can observe the following:
You can access the target products/resources and use all features as expected.
You will be prompted with "You have no permission for this operation" when accessing other unauthorized products or resources.
To avoid mutual impact of multiple policies, we recommend that you associate only one policy with a sub-account at a time.
The change to account access permission will take effect within 1 minute.

Appendix. Commonly Used Policy Syntax

Policy for authorizing the use of all features in all TencentDB instances

To grant a user permission to create and manage TencentDB instances, implement the policy named QcloudMariaDBFullAccess for the user. The policy syntax is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

Policy for authorizing the query of all TencentDB instances

To grant a user permission to view TencentDB instances but not create, delete, or modify them, implement the policy named QcloudMariaDBInnerReadOnlyAccess for the user.
The policy syntax is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:Describe*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
The above policy achieves its goal by using CAM to authorize only the TencentDB operations whose names begin with "Describe".
Note:
Because not all functional APIs are now supported, a limited number of operations may be excluded from CAM, which is normal.

Policy for granting a user permission to manipulate TencentDB instances in one specific region

To grant a user permissions to manipulate TencentDB instances in a specific region, you can associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": "qcs::mariadb:ap-guangzhou::*",
                "effect": "allow"
            }
        ]
    }

Policy for granting a user permission to manipulate TencentDB instances in multiple specific regions

To grant a user the permission to manipulate TencentDB instances in multiple specific regions, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou and Chengdu.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": ["qcs::mariadb:ap-guangzhou::*", "qcs::mariadb:ap-chengdu::*"],
                "effect": "allow"
            }
        ]
    }

Policy for granting a user permission to manipulate one specific TencentDB instance

To grant a user the permission to manipulate a specific TencentDB instance, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instance "tdsql-xxx" in Guangzhou.
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:*"
                ],
                "resource": "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                "effect": "allow"
            }
        ]
    }

Policy for granting a user permission to manipulate multiple TencentDB instances

To grant a user the permission to manipulate TencentDB instances in batches, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances "tdsql-xxx" and "tdsql-yyy" in Guangzhou and "tdsql-zzz" in Beijing.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": [
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-yyy",
                    "qcs::mariadb:ap-beijing::instance/tdsql-zzz"
                ],
                "effect": "allow"
            }
        ]
    }

Policy for granting a user different permissions to manipulate multiple TencentDB instances

To grant a user only selected permissions on multiple TencentDB instances, associate the following policy with the user. For example, the policy below allows the user to perform only the operations beginning with "Describe" and "Create" on the TencentDB instances "tdsql-xxx" and "tdsql-yyy" in Guangzhou and "tdsql-zzz" in Beijing.
    {
        "version": "2.0",
        "statement": [
            {
                "action": ["mariadb:Describe*", "mariadb:Create*"],
                "resource": [
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-yyy",
                    "qcs::mariadb:ap-beijing::instance/tdsql-zzz"
                ],
                "effect": "allow"
            }
        ]
    }

Denying a user permission to create TencentDB accounts

To deny a user permission to create TencentDB accounts, configure "effect": "deny" as shown below.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:CreateAccount",
                "resource": "*",
                "effect": "deny"
            }
        ]
    }

Other custom policies

If preset policies cannot meet your requirements, you can create custom policies as shown below:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "Action"
                ],
                "resource": "Resource",
                "effect": "Effect"
            }
        ]
    }
Replace "Action" with the operation to be allowed or denied.
Replace "Resource" with the resources that you want to authorize the user to manipulate.
Replace "Effect" with "Allow" or "Deny".
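
The following Python code is an added example, not part of the original documentation: it reviews a policy written in the syntax above before it is pasted into the console, reporting invalid JSON, a version other than "2.0", and allow statements that grant every operation or cover all instances in a region. The function names and the segment labels used for the resource string are assumptions of this example.

```python
import json

def as_list(value):
    # "action" and "resource" may be a single string or a JSON array.
    return [value] if isinstance(value, str) else list(value)

def parse_resource(resource):
    # Sample format: qcs:<project>:<service>:<region>:<account>:<target> (labels assumed)
    if resource == "*":
        return {"service": "*", "region": "*", "target": "*"}
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"malformed resource: {resource!r}")
    return {"service": parts[2], "region": parts[3] or "*", "target": parts[5]}

def review_policy(text):
    """Return reviewer findings for a policy supplied as JSON text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    findings = []
    if policy.get("version") != "2.0":
        findings.append('version is not "2.0"')
    for i, stmt in enumerate(policy.get("statement", [])):
        effect = str(stmt.get("effect", "")).lower()
        if effect not in ("allow", "deny"):
            findings.append(f"statement {i}: effect must be allow or deny")
        if effect != "allow":
            continue  # only allow statements widen access
        for action in as_list(stmt.get("action", [])):
            if action.endswith(":*"):
                findings.append(f"statement {i}: {action} allows every operation")
        for resource in as_list(stmt.get("resource", [])):
            try:
                target = parse_resource(resource)
            except ValueError as exc:
                findings.append(f"statement {i}: {exc}")
                continue
            if target["target"] == "*":
                findings.append(f"statement {i}: all instances in region {target['region']}")
    return findings

# Constructed inputs modelled on the appendix samples; BROKEN lists two resources without [ ].
SCOPED = ('{"version": "2.0", "statement": [{"action": ["mariadb:Describe*"], '
          '"resource": "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx", "effect": "allow"}]}')
FULL = '{"version": "2.0", "statement": [{"action": "mariadb:*", "resource": "*", "effect": "allow"}]}'
BROKEN = FULL.replace('"*"', '"qcs::mariadb:ap-guangzhou::*","qcs::mariadb:ap-chengdu::*"')
```

Calling review_policy(SCOPED) returns an empty list, while FULL yields one finding for the action wildcard and one for the resource wildcard, and BROKEN is rejected at the JSON parsing step.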
