- Releases Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- API Documentation
- Troubleshooting
- FAQs
- CFS Service Level Agreement
- Contact Us
- Glossary
- Releases Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- API Documentation
- Troubleshooting
- FAQs
- CFS Service Level Agreement
- Contact Us
- Glossary
Overview
Cloud File Storage (CFS) supports access management at the resource level, i.e., allowing the root account to grant users and user groups permissions to manipulate specified resources. After authorization, specified users will be allowed or forbidden to perform operations using the CFS console or APIs based on the permissions granted.
This document describes how to configure read-only, read/write, and custom policies for CFS users. For more information on how Cloud Access Management (CAM) works and can be used, see CAM Overview.
Directions
Creating an access control policy
To grant users permissions quickly, search for "CFS", select the preset read-only or read/write permissions, and associate them with the specified user group.
If you need to grant users permissions for specific operations, you can create a custom policy and associate it with the specified user group.
Full read/write permission policy
If you want to authorize users to perform all operations such as CRUD, associate them with the
QcloudCFSFullAccess policy. Below is the policy syntax for using the preset QcloudCFSFullAccess policy to grant collaborators or sub-users full read/write access to all CFS resources and VPC/subnet query permission:{"version": "2.0","statement": [{"action":["cfs:*"],"resource": "*",“effect": "allow"},{"action":["vpc:DescribeVpcEx","vpc:DescribeSubnetEx"],"resource": "*",“effect": "allow"}]}
Read-only permission policy
If you want to grant users permission to query but not create, modify, or delete resources, associate them with the
QcloudCFSReadOnlyAccess policy. Below is the policy syntax for using the preset QcloudCFSReadOnlyAccess policy to grant collaborators or sub-users read-only access to all CFS resources and VPC/subnet query permission:{"version": "2.0","statement": [{"action":["cfs:Describe*"],"resource": "*",“effect": "allow"},{"action":["vpc:DescribeVpcEx","vpc:DescribeSubnetEx"],"resource": "*",“effect": "allow"}]}
Custom policy
Custom policies allow more flexibility in permission management. The CAM console offers multiple methods for generating custom policies. This example shows you how to create a custom policy by using a Policy Generator. For other methods, please see Creating Custom Policies.
The CAM policy generator is very user friendly. You simply need to select the desired parameters, and policy code will be generated automatically. This is especially suitable for first-time CAM users.
Log in to the CAM Policies page, and select Create Custom Policy > Create by policy generator. Use the policy generator to create a custom policy to which you can add multiple statements. The configurations are described as below:
Parameter | Options and Effect |
Effect | Allow or Reject |
Sevice | Select CFS here |
Action | All CFS-supported actions |
Resource | Specify the resources in six-segment format: For all resources in CFS, enter *.For all resources in a specified region, use the format qcs::cfs:ap-guangzhou::*.For all resources in all regions under a specified user account, use the format qcs::cfs::uin/27700000:*.For all file systems in a specified region under a specified user account, use the format qcs::cfs:ap-guangzhou:uin/27700000:filesystem/*.For file systems in a specified user group under a specified user account, use the format qcs::cfs::uin/27700000:pgroup/pgroup-doxpcqh.Note: The UIN in a policy must be a root account UIN. The file systems or permission group resources must belong to the root account. If a policy generator is used: Service: You can only enter "cfs". Region: Select a region from the drop-down list box as needed. Account: The current account information will be auto filled. If it is not filled, you can enter uin/xxxxxxx, where xxxxxxx is the UIN.Resource prefix: You can enter filesystem, snap, or resource, which represents file system instances, snapshot instances, or storage resource unit instances, respectively.Resource: Enter a resource ID, such as cfs-xxxxx. |
Condition |
The APIs, API features, and notes for authorization are listed in the table below. You can set your resource permissions accordingly.
API Category | API Name | API Description | Permission Type | Note |
Service APIs | SignUpCfsService | Activates the CFS service | Write | You do not need to specify resources when authorizing this API. |
| DescribeCfsServiceStatus | Queries whether the CFS service is activated | Read | You do not need to specify resources when authorizing this API. |
File system APIs | DescribeCfsFileSystems | Lists file systems | Read | You need to specify the resources as * when authorizing this API. |
| CreateCfsFileSystem | Creates a file system | Write | You do not need to specify file system resources when authorizing this API. |
| UpdateCfsFileSystemName | Updates the file system name | Write | You need to specify file system resources when authorizing this API. |
| UpdateCfsFileSystemPGroup | Updates the permission group for a file system | Write | You need to specify file system resources when authorizing this API. |
| UpdateCfsFileSystemSizeLimit | Updates the file system quota | Write | You need to specify file system resources when authorizing this API. |
| DeleteCfsFileSystem | Deletes a file system | Write | You need to specify file system resources when authorizing this API. |
| DescribeMountTargets | Queries mount targets | Read | You need to specify file system resources when authorizing this API. |
| AddMountTarget | Creates a mount target | Write | You need to specify file system resources when authorizing this API. |
| DeleteMountTarget | Deletes a mount target | Write | You need to specify file system resources when authorizing this API. |
Permission group APIs | DescribeCfsPGroups | Lists permission groups | Read | You need to specify the resources as * when authorizing this API. |
| CreateCfsPGroup | Creates a permission group | Write | You do not need to specify resources when authorizing this API. |
| UpdateCfsPGroup | Updates the information of a permission group | Write | You need to specify permission group resources when authorizing this API. |
| DeleteCfsPGroup | Deletes a permission group | Write | You need to specify permission group resources when authorizing this API. |
| DescribeCfsRules | Lists permission group rules | Read | You need to specify permission group resources when authorizing this API. |
| CreateCfsRule | Creates a permission group rule | Write | You need to specify permission group resources when authorizing this API. |
| UpdateCfsRule | Updates the information of a permission group rule | Write | You need to specify permission group resources when authorizing this API. |
| DeleteCfsRule | Deletes a permission group rule | Write | You need to specify permission group resources when authorizing this API. |
Key APIs | DescribeKmsKeys | Queries KMS keys | Read | You need to specify the resources as * when authorizing this API. |
Note:
As CFS file systems use VPC IPs, permissions for "vpc:DescribeVpcEx" and "vpc:DescribeSubnetEx" APIs are needed to create, list, and query file systems. We strongly recommend granting all VPC resources permissions for these two APIs in all your CFS authorization polices. See the
QcloudCFSReadOnlyAccess policy statement to learn how to write the policy.After configuring the above parameters, click Add Statement to add a statement to the custom policy. You can repeat this operation to add multiple statements. In case that a policy already exists or conflicts with other policies, see Syntax Structure for more information on whether and how they will take effect.
A policy should be written in the following format. There can be multiple statements in one policy.
{"version": "2.0","statement": [{"effect": "Effect","action":["Action"],"resource": "Resource"}]}
For example, the policy syntax for prohibiting users from deleting certain file systems and updating quotas is as follows:
{"version": "2.0","statement": [{"effect": "deny","action":["name/cfs:DeleteCfsFileSystem","name/cfs:UpdateCfsFileSystemSizeLimit"],"resource": ["qcs::cfs::uin/2779643970:filesystem/cfs-11111111","qcs::cfs::uin/2779643970:filesystem/cfs-22222222","qcs::cfs::uin/2779643970:filesystem/cfs-33333333"]}]}
Authorizing a user or user group
If you want to grant an existing permission, you can search for
QcloudCFSFullAccess, QcloudCFSReadOnlyAccess, or a custom policy and click Bind User/Group in the Operation column. Then, locate and select the user or user group that needs to be authorized and click OK.Deauthorizing a user or user group
If you need to deauthorize a user or user group, click the policy name to go to the policy details page. Select the user or user group under the User/User Group tab and click Remove User or Remove Group. Click OK in the pop-up window. The CFS permissions of the user or user group will be revoked.
Yes
No
Was this page helpful?