tencent cloud

Cloud File Storage

Releases Notes and Announcements
Release Notes
Announcements
Product Introduction
Overview
Strengths
Storage Classes and Performance
Use Cases
Recommended Regions
Use Limits
Service Regions and Service Providers
Purchase Guide
Billing Overview
Pricing Overview
General Series Billing
Turbo Series Billing
High-Throughput CFS Billing
Billing Mode
IA ‍Storage Billing
Storage Resource Units
Resource Purchase
Viewing Bills
Arrears Reminder
Getting Started
Creating File Systems and Mount Targets
Using CFS File Systems on Linux Clients
Using CFS File Systems on Windows Clients
Using CFS Turbo on Linux Clients
Using the CFS Client Assistant to Mount File Systems
Operation Guide
Access Management
Managing File Systems
Permission Management
Using Tags
Snapshot Management
Guide for Cross-AZ and Cross-Network Access
Automatically Mounting File Systems
Data Migration Service
User Permission Management
User Quotas
Data Encryption
Data Lifecycle Management
Upgrading Standard File Systems
Practical Tutorial
Selecting Kernels for NFS Clients
Managing Turbo CFS Directories
Terminating Compute Instances
Using CFS on TKE
Using CFS on SCF
Using CFS Turbo on TKE
Using CFS Turbo on TKE Serverless Cluster
Selecting a Network for Turbo CFS
Copying Data
CFS Storage Performance Testing
API Documentation
History
Introduction
API Category
Snapshot APIs
File system APIs
Lifecycle APIs
Other APIs
Data Flow APIs
Making API Requests
Permission Group APIs
Service APIs
Scaling APIs
Data Migration APIs
Data Types
Error Codes
Troubleshooting
Client Use Bottleneck due to Large Number of Small Files or Parallel Requests
FAQs
CFS Service Level Agreement
Contact Us
Glossary
DocumentaçãoCloud File StorageOperation GuideAccess Management

Access Management

PDF
Modo Foco
Tamanho da Fonte
Última atualização: 2024-01-22 22:15:48

Overview

Cloud File Storage (CFS) supports access management at the resource level, i.e., allowing the root account to grant users and user groups permissions to manipulate specified resources. After authorization, specified users will be allowed or forbidden to perform operations using the CFS console or APIs based on the permissions granted. This document describes how to configure read-only, read/write, and custom policies for CFS users. For more information on how Cloud Access Management (CAM) works and can be used, see CAM Overview.

Directions

Creating an access control policy

Log in to the CAM console and go to the policy management page.
To grant users permissions quickly, search for "CFS", select the preset read-only or read/write permissions, and associate them with the specified user group.
If you need to grant users permissions for specific operations, you can create a custom policy and associate it with the specified user group.

Full read/write permission policy

If you want to authorize users to perform all operations such as CRUD, associate them with the QcloudCFSFullAccess policy. Below is the policy syntax for using the preset QcloudCFSFullAccess policy to grant collaborators or sub-users full read/write access to all CFS resources and VPC/subnet query permission:
{

    "version": "2.0",

    "statement": [

        {

            "action":[

                "cfs:*"

            ],

            "resource": "*",

            “effect": "allow"

        },

        {

            "action":[

                "vpc:DescribeVpcEx",

                "vpc:DescribeSubnetEx"

            ],

            "resource": "*",

            “effect": "allow"

        }

    ]

}

Read-only permission policy

If you want to grant users permission to query but not create, modify, or delete resources, associate them with the QcloudCFSReadOnlyAccess policy. Below is the policy syntax for using the preset QcloudCFSReadOnlyAccess policy to grant collaborators or sub-users read-only access to all CFS resources and VPC/subnet query permission:
{

    "version": "2.0",

    "statement": [

        {

            "action":[

                "cfs:Describe*"

            ],

            "resource": "*",

            “effect": "allow"

        },

        {

            "action":[

                "vpc:DescribeVpcEx",

                "vpc:DescribeSubnetEx"

            ],

            "resource": "*",

            “effect": "allow"

        }

    ]

}

Custom policy

Custom policies allow more flexibility in permission management. The CAM console offers multiple methods for generating custom policies. This example shows you how to create a custom policy by using a Policy Generator. For other methods, please see Creating Custom Policies.
The CAM policy generator is very user friendly. You simply need to select the desired parameters, and policy code will be generated automatically. This is especially suitable for first-time CAM users.
Log in to the CAM Policies page, and select Create Custom Policy > Create by policy generator. Use the policy generator to create a custom policy to which you can add multiple statements. The configurations are described as below:
Parameter
Options and Effect
Effect
Allow or Reject
Sevice
Select CFS here
Action
All CFS-supported actions
Resource
Specify the resources in six-segment format:
For all resources in CFS, enter *.
For all resources in a specified region, use the format qcs::cfs:ap-guangzhou::*.
For all resources in all regions under a specified user account, use the format qcs::cfs::uin/27700000:*.
For all file systems in a specified region under a specified user account, use the format qcs::cfs:ap-guangzhou:uin/27700000:filesystem/*.
For file systems in a specified user group under a specified user account, use the format qcs::cfs::uin/27700000:pgroup/pgroup-doxpcqh.
Note: The UIN in a policy must be a root account UIN. The file systems or permission group resources must belong to the root account.
If a policy generator is used:
Service: You can only enter "cfs".
Region: Select a region from the drop-down list box as needed.
Account: The current account information will be auto filled. If it is not filled, you can enter uin/xxxxxxx, where xxxxxxx is the UIN.
Resource prefix: You can enter filesystem, snap, or resource, which represents file system instances, snapshot instances, or ‍storage resource unit instances, respectively.
Resource: Enter a resource ID, such as cfs-xxxxx.

Condition
Specifies under which condition this policy will take effect. For more information, see Conditions.
The APIs, API features, and notes for authorization are listed in the table below. You can set your resource permissions accordingly.
API Category
API Name
API Description
Permission Type
Note
Service APIs
SignUpCfsService
Activates the CFS service
Write
You do not need to specify resources when authorizing this API.
DescribeCfsServiceStatus
Queries whether the CFS service is activated
Read
You do not need to specify resources when authorizing this API.
File system APIs
DescribeCfsFileSystems
Lists file systems
Read
You need to specify the resources as * when authorizing this API.
CreateCfsFileSystem
Creates a file system
Write
You do not need to specify file system resources when authorizing this API.
UpdateCfsFileSystemName
Updates the file system name
Write
You need to specify file system resources when authorizing this API.
UpdateCfsFileSystemPGroup
Updates the permission group for a file system
Write
You need to specify file system resources when authorizing this API.
UpdateCfsFileSystemSizeLimit
Updates the file system quota
Write
You need to specify file system resources when authorizing this API.
DeleteCfsFileSystem
Deletes ‍a file system
Write
You need to specify file system resources when authorizing this API.
DescribeMountTargets
Queries mount targets
Read
You need to specify file system resources when authorizing this API.
AddMountTarget
Creates a mount target
Write
You need to specify file system resources when authorizing this API.
DeleteMountTarget
Deletes a mount target
Write
You need to specify file system resources when authorizing this API.
Permission group APIs
DescribeCfsPGroups
Lists permission groups
Read
You need to specify the resources as * when authorizing this API.
CreateCfsPGroup
Creates a permission group
Write
You do not need to specify resources when authorizing this API.
UpdateCfsPGroup
Updates the information of a permission group
Write
You need to specify permission group resources when authorizing this API.
DeleteCfsPGroup
Deletes a permission group
Write
You need to specify permission group resources when authorizing this API.
DescribeCfsRules
Lists permission group rules
Read
You need to specify permission group resources when authorizing this API.
CreateCfsRule
Creates a permission group rule
Write
You need to specify permission group resources when authorizing this API.
UpdateCfsRule
Updates the information of a permission group rule
Write
You need to specify permission group resources when authorizing this API.
DeleteCfsRule
Deletes a permission group rule
Write
You need to specify permission group resources when authorizing this API.
Key APIs
DescribeKmsKeys
Queries KMS keys
Read
You need to specify the resources as * when authorizing this API.
Note:
As CFS file systems use VPC IPs, permissions for "vpc:DescribeVpcEx" and "vpc:DescribeSubnetEx" APIs are needed to create, list, and query file systems. We strongly recommend granting all VPC resources permissions for these two APIs in all your CFS authorization polices. See the QcloudCFSReadOnlyAccess policy statement to learn how to write the policy.
After configuring the above parameters, click Add Statement to add a statement to the custom policy. You can repeat this operation to add multiple statements. In case that a policy already exists or conflicts with other policies, see Syntax Structure for more information on whether and how they will take effect.
A policy should be written in the following format. There can be multiple statements in one policy.
{

    "version": "2.0",

    "statement": [{

        "effect": "Effect",

        "action":[

            "Action"

        ],

        "resource": "Resource"



    }]

}
For example, the policy syntax for prohibiting users from deleting certain file systems and updating quotas is as follows:
{

    "version": "2.0",

    "statement": [{

        "effect": "deny",

        "action":[

            "name/cfs:DeleteCfsFileSystem",

            "name/cfs:UpdateCfsFileSystemSizeLimit"

        ],

        "resource": [

            "qcs::cfs::uin/2779643970:filesystem/cfs-11111111",

            "qcs::cfs::uin/2779643970:filesystem/cfs-22222222",

            "qcs::cfs::uin/2779643970:filesystem/cfs-33333333"

        ]

    }]

}

Authorizing a user or user group

If you want to grant an existing permission, you can search for QcloudCFSFullAccess, QcloudCFSReadOnlyAccess, or a custom policy and click Bind User/Group in the Operation column. Then, locate and select the user or user group that needs to be authorized and click OK.

Deauthorizing a user or user group

If you need to deauthorize a user or user group, click the policy name to go to the policy details page. Select the user or user group under the User/User Group tab and click Remove User or Remove Group. Click OK in the pop-up window. The CFS permissions of the user or user group will be revoked.
Anterior: Using the CFS Client Assistant to Mount File SystemsPróximo: Managing File Systems

Ajuda e Suporte

Esta página foi útil?

comentários