A policy is a syntactic specification of a user permission set, which accurately describes the authorized resource set, operation set, and authorization conditions.
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
The following table describes policy statements.
|
version | N/A | Yes | Currently, only the value 2.0 is allowed. |
statement | effect | Yes | It describes the result of a statement. The result can be "allow" or an "explicit deny". |
| action | Yes | It describes the allowed or denied operation which can be an API or a feature set (a set of specific APIs prefixed with permid). |
| resource | Yes | It describes the details of authorization. All resources can be described in the six-segment format. Each service has its own resources and detailed resource definition. |
| condition | Yes | It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition. |
Note:
The statement element describes the details of one or more permissions. This element contains a permission or permission set of other elements such as effect, action, resource, and condition. One policy has only one statement.
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with mongodb: should be used for TencentDB for MongoDB, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser.
To specify multiple operations in a single statement, separate them by comma:
"action":["mongodb:action1","mongodb:action2"]
You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name as shown below:
"action":["mongodb:Describe*"]
If you want to specify all operations in MongoDB, use a wildcard "*" as shown below:
Each CAM policy statement has its own applicable resources. Resource paths are generally in the following format:
qcs:project_id:service_type:region:account:resource
Project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type describes the product abbreviation, such as mongodb.
region describes the region information, such as bj.
account describes the root account of the resource owner, such as uin/12345678.
resource describes the detailed resource information of each product, such as instance/instance_id or instance/*.
You can set resource to an instance ID (cmgo-aw6g1g0z) in a statement as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
You can also use the wildcard "*" to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/*"]
If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the wildcard "*" in the resource element as shown below:
If you want to specify multiple resources in a single command, separate them by comma. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by MongoDB and the corresponding resource description methods, where words prefixed with $ are placeholders, region refers to a region, and account refers to an account ID.
|
| qcs::mongodb:$region:$account:instance/*
qcs::mongodb:$region:$account:instance/$instanceId
|
| qcs::vpc:$region:$account:vpc/$vpcId
|
| qcs::cvm:$region:$account:sg/$sgId
|
Default Permission Policy of TencentDB for MongoDB
TencentDB for MongoDB supports the following system permission policies.
|
| TencentDB for MongoDB management permission. A Tencent Cloud sub-account granted with this permission has the same permissions as the root account, including all permissions of console and API operations. |
QcloudMongoDBReadOnlyAccess
| Read-only permission. A Tencent Cloud sub-account granted with this permission has only the read-only permission of all resources under the Tencent Cloud root account but not operation permissions of the console and APIs. |
The system permission policy QcloudMongoDFullAccess is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"mongodb:*"
],
"resource": "*",
"effect": "allow"
}
]
}
The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"mongodb:Describe*"
],
"resource": "*",
"effect": "allow"
}
]
}
Custom Permission Policy of TencentDB for MongoDB
Currently, TencentDB for MongoDB supports custom policies for the following resource-level permissions.
Note:
TencentDB API operations not listed here do not support resource-level permissions. You can still authorize a user to perform such a TencentDB API operation, but you must specify * as the resource element of the policy statement.
|
BackupDBInstance | Backs up a database instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
CreateAccountUser | Creates an account | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
CreateDBInstanceHour | Creates a pay-as-you-go TencentDB for MongoDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DeleteAccountUser | Deletes an account | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeAccountUsers | Queries the user information of an account | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeBackupAccess | Gets the permission to download an instance backup | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeBackupRules | Gets the backup rules of a TencentDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeClientConnections | Gets the number of client connections | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeDBBackups | Queries the list of backups of an instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeDBInstances | Queries the list of database instances | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeInstanceDB | Queries the collection/database information of an instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeSlowLog | Gets the slow log information | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeSlowLogPattern | Gets the slow log statistics | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
DescribeSpecInfo | Queries purchasable instance specifications | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
ExchangeInstance | Replaces the original instance with a temp instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
IsolateDBInstance | Isolates a TencentDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
ModifyDBInstanceSpec | Adjusts the configurations of a TencentDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
OfflineIsolatedDBInstance | Deactivates an isolated TencentDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
RemoveCloneInstance | Deletes a temp instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
RenameInstance | Renames an instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
RenewInstance | Renews a TencentDB instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
ResizeOplog | Adjusts the oplog size of an instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
RestartInstance | Restarts an instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
RestoreDBInstance | Restores a database instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetAccountUserPrivilege | Sets user permissions | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetAutoRenew | Sets auto-renewal | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetBackupRules | Sets backup rules | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetInstanceFormal | Promotes a temp instance to the primary instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetInstanceMaintenance | Sets the instance maintenance time | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetPassword | Sets password | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
SetReadOnlyToNormal | Promotes a read-only instance to the primary instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
TerminateDBInstanceHour | Terminates a pay-as-you-go instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
UpgradeDBInstanceHour | Upgrades a pay-as-you-go instance | qcs::mongodb:$region:$account:instance/* qcs::mongodb:$region:$account:instance/$instanceId |
Custom permission policy example
If you want to grant an account the CreateDBInstance and CreateAccountUser permissions on the "cmgo-aw6g****" instance, you can create a policy as follows:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"mongodb:CreateDBInstance",
"mongodb:CreateAccountUser"
],
"resource": [
"qcs::mongodb::uin/100001540306:instanceId/cmgo-aw6g****"
],
"condition": {
"ip_equal": {
"qcs:ip": [
"10.0.0.4"
]
}
}
}
]
}
Creating a custom permission policy
