Overview
Access policies can be used to grant permissions related to PTS. Access policies use a JSON-based access policy language. Through this policy language, you can authorize specific principals to perform designated operations on specified PTS resources.
The access policy language describes the basic elements and usage of policies. For explanations regarding the policy language, see CAM Policy Management. Policy Syntax
CAM Policy
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
Element Usage
version: Required. Currently, only the value "2.0" is allowed.
statement: Describes the detailed information of one or more permissions. This element includes several other elements such as effect, action, resource, and condition, forming a set of permissions or a permission collection. A policy has only one statement element.
effect: This required element describes whether the statement results in "allow" or "explicitly deny". It includes two possible values: allow (allow) and deny (explicitly deny).
action: This required element describes the allowed or denied actions. Actions can be APIs (described with the prefix name) or feature sets (a group of specific APIs, described with the prefix permid).
resource: This required element describes the specific data being authorized. Resources are described using a six-segment format. The details of resource definitions vary by product. For information on how to specify resources, see the product documentation corresponding to the resource statement you write.
condition: This optional element describes the constraints under which the policy is effective. A condition consists of an operator, a key, and a value. Condition values can include information such as time or IP address. Some services allow you to specify additional values in the condition.
Specifying Effect
If access to a resource is not explicitly granted (allow), it is implicitly denied. Additionally, access to a resource can be explicitly denied (deny) to ensure that users cannot access the resource, even if other policies grant access. Below is an example specifying the effect of allowing:
Specifying Actions
PTS defines a set of console operations that can be specified in a policy. The specified operations are categorized into read-only APIs pts:Describe\\* and all APIs pts:\\*.
Examples of specifying allowed operations are as follows:
"action": [
"name/pts:Describe*"
]
Specifying Resources
The resource element describes one or more operation objects, such as a performance testing service. All resources can be described using the following six-segment format.
qcs:project_id:service_type:region:account:resource
The parameters are described as follows:
|
qcs | The abbreviation of qcloud service, indicating that it is the cloud service of Tencent Cloud. | Yes |
project_id | The description of the project information. It is usually left blank as it is only for compatibility with the early logic of CAM. | No |
service_type | Product abbreviation. It is PTS here. | Yes |
account | Description of the root account information of the resource owner, namely the ID of the root account, represented as uin/${OwnerUin}, such as uin/100000000001. | Yes |
resource | Description of details of a specific resource, with the prefix instance. | Yes |
Below is an example of a four-segment description of the performance testing service:
"resource":["qcs::pts:uin/1250000000:ProjectId/project-bx123456"]
Examples
Based on the resource ID, assign read/write permissions for the specified resource. The root account ID is 1250000000.
Example: Assign the sub-account permissions to query the project (ID: project-bx123456).
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"pts:DescribeProjects"
],
"resource": [
"qcs::pts:uin/1250000000:ProjectId/project-bx123456"
]
}
]
}
List of APIs that Support Resource-Level Authorization
|
API Operations | API Description |
AbortJob | Stops a task. |
CreateProject | Creates a project. |
CreateScenario | Creates scenarios. |
DeleteJobs | Delete Task |
DeleteProjects | Delete Project |
DeleteScenarios | Deletes scenarios. |
DescribeAllLabels | Queries all metrics' labels. |
DescribeCheckSummary | Queries checkpoint summary information. |
DescribeJobs | Queries the task list. |
DescribeLabelValues | Queries tag content. |
DescribeProjects | Queries project lists. |
DescribeRegions | Querying region list. |
DescribeSampleBatchQuery | Queries metrics in batches, returning metric content at fixed time points. |
DescribeSampleQuery | Queries metrics, returning metric content at fixed time points. |
DescribeSampleStreamBatchQuery | Queries metric sequences in batches. |
DescribeSampleStreamQuery | Queries metric sequences within a time range. |
DescribeScenarioWithJobs | Queries scenario configurations and include the content of executed tasks. |
DescribeScenarios | Queries scenario lists. |
DescribeServiceSummary | Queries service summary information. |
DescribeZones | Querying availablity zone list. |
GenerateTmpKey | Generates temporary COS credentials. |
StartJob | Creates and starts tasks. |
UpdateJob | Updates tasks. |
UpdateProject | Updates projects. |
UpdateScenario | Updates scenarios. |
List of APIs That Do not Support Resource-Level Authorization
For PTS API operations that do not support resource-level permissions, you can still grant users permissions to conduct these operations, but the resource element of the policy statement should be specified as *.
|
CreateProject | Creates PTS service instances. |