Cloud Log Service
- Release Notes and Announcements
- Announcements
- Product Introduction
- Limits
- Log Collection
- Purchase Guide
- Pay-as-You-Go
- Getting Started
- Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Collection by LogListener
- LogListener Installation and Deployment
- Collecting Text Log
- Collecting Logs in Self-Built Kubernetes Cluster
- Importing Data
- Metric Collection
- Log Storage
- Search and Analysis (Log Topic)
- Statistical Analysis (SQL)
- SQL Syntax
- SQL Functions
- Search and Analysis (Metric Topic)
- Dashboard
- Creating Statistical Charts
- Data Processing documents
- Data Processing
- Data Processing Functions
- Scheduled SQL Analysis
- Shipping and Consumption
- Shipping to COS
- Shipping to CKafka
- Shipping to ES
- Log Shipping
- Consumption over Kafka
- Monitoring Alarm
- Managing Alarm Policies
- Channels to Receive Alarm Notifications
- Historical Documentation
- Practical Tutorial
- Search and Analysis
- Monitoring Alarm
- Shipping and Consumption
- Developer Guide
- API Documentation
- Making API Requests
- Topic Management APIs
- Log Set Management APIs
- Topic Partition APIs
- Machine Group APIs
- Collection Configuration APIs
- Log APIs
- Metric APIs
- Alarm Policy APIs
- Data Processing APIs
- Kafka Protocol Consumption APIs
- CKafka Shipping Task APIs
- Kafka Data Subscription APIs
- COS Shipping Task APIs
- SCF Delivery Task APIs
- Scheduled SQL Analysis APIs
- COS Data Import Task APIs
- FAQs
- Health Check
- Collection
- Log Search
Access Policy Templates
Last updated: 2024-12-17 20:53:57
For custom permission policies, the following permission policy templates can be used based on the scenario.
Module | Application Scenario |
Overall Operation (Best Practices) | Classify topics, machine groups, and dashboards by using tags, and configure permissions by tag: |
Data collection | |
Topic management and search/analysis | Viewing/Managing Topics and Performing Search/Analysis Using APIs to Perform Search and Analysis |
Dashboard | |
Monitoring alarm | |
Data Processing | Data Processing Performing Scheduled SQL Analysis |
Data shipping and consumption | Shipping to CKafka Shipping to COS Shipping to SCF Kafka Protocol Consumption Shipping Metric Topics Custom Consumption |
Independent DataSight console | Manage DataSight consoles: |
Developer | Using CLS Through Grafana |
Overall operation (best practices)
Users can classify topics, machine groups, and dashboards by using tags and configure permissions by tag. Tags are required for resources during resource creation. Users have management or read-only permissions only for resources with specified tags, which helps them manage various types of resources in CLS in batches.
Management Permission for Resources with Specified Tags
Note:
Delete comments to use this policy.
{"statement": [{"action": [ //Required read-only permission for related products"monitor:GetMonitorData","monitor:DescribeBaseMetrics","cam:ListGroups","cam:GetGroup","cam:DescribeSubAccountContacts","cam:ListAttachedRolePolicies","cam:GetRole","vpc:DescribeSubnetEx",//Required for creating DataSight consoles accessed via the private network"vpc:DescribeVpcEx",//Required for creating DataSight consoles accessed via the private network"tag:TagResources","tag:DescribeResourceTagsByResourceIds","tag:GetTags","tag:GetTagKeys","tag:GetTagValues","kms:GetServiceStatus"],"effect": "allow","resource": "*"},{"action": [ //Specify that tags such as testCAM:test1 are required for creating dashboards, logsets, topics, alarm policies, notification channel groups, machine groups, and DataSight consoles. Tags are not supported for creating other types of resources."cls:CreateDashboard","cls:CreateLogset","cls:CreateTopic","cls:CreateAlarm","cls:CreateAlarmNotice","cls:CreateMachineGroup","cls:CreateConsole"],"condition": {"for_any_value:string_equal": {"qcs:request_tag": ["testCAM&test1"]}},"effect": "allow","resource": "*"},{"action": [ //Grant permission on all related APIs if tags are specified for resources. (APIs should support permission control by tag.)"cls:*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},"effect": "allow","resource": "*"},{"action": [ //Some APIs do not support permission control by tag or resource scope limit. Most of the APIs below involve read operations, while some APIs of auxiliary features involve write operations. All these APIs do not affect the core data security of products."cls:CheckAlarmChannel","cls:CheckAlarmRule","cls:CheckDomainRepeat","cls:CheckFunction","cls:CheckRechargeKafkaServer","cls:DescribeClsPrePayDetails","cls:DescribeClsPrePayInfos","cls:DescribeConfigMachineGroups","cls:DescribeConfigs","cls:DescribeAgentConfigs","cls:DescribeTopicExtendConfig","cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo","cls:DescribeDemonstrations","cls:DescribeExceptionResources","cls:DescribeExternalDataSourcePreview","cls:DescribeFunctions","cls:DescribeResources","cls:DescribeShipperPreview","cls:DescribeScheduledSqlProcessInfo","cls:DescribeConfigurationTemplates","cls:DescribeFolders","cls:GetClsService","cls:GetConfigurationTemplateApplyLog","cls:PreviewKafkaRecharge","cls:agentHeartBeat","cls:CreateDemonstrations","cls:DeleteDemonstrations","cls:DescribeNoticeContents","cls:DescribeWebCallbacks"],"effect": "allow","resource": "*"},{"action": [ //Some APIs do not support permission control by tag or resource scope limit. The APIs below involve write operations of core features. It is recommended to grant permissions only to certain users as required. APIs require no permission grants can be deleted."cls:RealtimeProducer", //Upload data by using Kafka"cls:CreateConfigurationTemplate", //Configuration template API"cls:ModifyConfigurationTemplate","cls:DeleteConfigurationTemplate","cls:CreateFolder", //Folder API"cls:ModifyFolder","cls:DeleteFolder","cls:ModifyResourceAndFolderRelation","cls:CreateDataTransform",//Data processing API"cls:ModifyDataTransform","cls:DeleteDataTransform","cls:RetryShipperTask",//COS shipping API"cls:ModifyDashboardSubscribeAck",//Dashboard subscription API"cls:DeleteDashboardSubscribe","cls:ModifyConfigExtra",//Collection configuration API"cls:DeleteConfigExtra","cls:RemoveMachine",//Machine group API"cls:UpgradeAgentNormal","cls:CreateNoticeContent",//API related to alarm notification templates"cls:DeleteNoticeContent","cls:ModifyNoticeContent","cls:CreateWebCallback",//API related to alarm integration configuration"cls:ModifyWebCallback","cls:DeleteWebCallback"],"effect": "allow","resource": "*"}],"version": "2.0"}
Read-Only Permission for Resources with Specified Tags
Note:
Delete comments to use this policy.
{"statement": [{"action": [ //Required read-only permission for related products"monitor:GetMonitorData","monitor:DescribeBaseMetrics","cam:ListGroups","cam:GetGroup","cam:DescribeSubAccountContacts","cam:ListAttachedRolePolicies","tag:DescribeResourceTagsByResourceIds","tag:GetTags","tag:GetTagKeys","tag:GetTagValues"],"effect": "allow","resource": "*"},{"action": [ //Grant read-only permission on related APIs if tags are specified for resources."cls:DescribeConsumer","cls:DescribeConsumerPreview","cls:DescribeCosRecharges","cls:DescribeDashboardSubscribes","cls:DescribeDashboards","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribeKafkaConsume","cls:DescribeKafkaConsumer","cls:DescribeKafkaRecharges","cls:DescribeLatestJsonLog","cls:DescribeLatestUserLog","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLogHistogram","cls:DescribeMachineGroupConfigs","cls:DescribeMachines","cls:DescribePartitions","cls:DescribeScheduledSqlInfo","cls:DescribeScheduledSqlProcessInfo","cls:DescribeShipperPreview","cls:DescribeTopics","cls:EstimateRebuildIndexTask","cls:GetAlarm","cls:GetAlarmLog","cls:GetMetricLabelValues","cls:GetMetricSeries","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryExemplars","cls:MetricsQueryRange","cls:MetricsSeries","cls:QueryMetric","cls:QueryRangeMetric","cls:SearchCosRechargeInfo","cls:SearchDashboardSubscribe","cls:SearchLog","cls:DescribeAlarmNotices","cls:DescribeAlarms","cls:DescribeAlertRecordHistory","cls:DescribeExternalDataSources","cls:DescribeLogsets","cls:DescribeMachineGroups","cls:DescribeConsoles","cls:DescribeShipperTasks","cls:DescribeShippers","cls:DescribeRebuildIndexTasks"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},"effect": "allow","resource": "*"},{"action": [ //Some APIs do not support permission control by tag or resource scope limit. Most of the APIs below involve read operations, while some APIs of auxiliary features involve write operations. All these APIs do not affect the core data security of products."cls:CheckAlarmChannel","cls:CheckAlarmRule","cls:CheckDomainRepeat","cls:CheckFunction","cls:CheckRechargeKafkaServer","cls:DescribeClsPrePayDetails","cls:DescribeClsPrePayInfos","cls:DescribeConfigMachineGroups","cls:DescribeConfigs","cls:DescribeAgentConfigs","cls:DescribeTopicExtendConfig","cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo","cls:DescribeDemonstrations","cls:DescribeExceptionResources","cls:DescribeExternalDataSourcePreview","cls:DescribeFunctions","cls:DescribeResources","cls:DescribeShipperPreview","cls:DescribeScheduledSqlProcessInfo","cls:DescribeConfigurationTemplates","cls:DescribeFolders","cls:GetClsService","cls:GetConfigurationTemplateApplyLog","cls:PreviewKafkaRecharge","cls:CreateDemonstrations","cls:DeleteDemonstrations","cls:CreateExport","cls:DeleteExport""cls:DescribeNoticeContents","cls:DescribeWebCallbacks"],"effect": "allow","resource": "*"}],"version": "2.0"}
Data Collection
Server Data Collection by Using LogListener
Users can use LogListener on Agent to collect and upload log data. (The sample code below demonstrates the minimum permission for data upload by using LogListener installed on Agent.)
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:getConfig","cls:agentHeartBeat"],"resource": "*","effect": "allow"}]}
Note:
If the LogListener version is earlier than 2.6.5, add cls:listLogset to the code.
Self-built Kubernetes Data Collection by Using LogListener
Users can use Logagent to collect and upload log data from self-built Kubernetes clusters. (The sample code below demonstrates the minimum permission for data upload from a self-built Kubernetes cluster.)
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:agentHeartBeat","cls:getConfig","cls:CreateConfig","cls:DeleteConfig","cls:ModifyConfig","cls:DescribeConfigs","cls:DescribeMachineGroupConfigs","cls:DeleteConfigFromMachineGroup","cls:ApplyConfigToMachineGroup","cls:DescribeConfigMachineGroups","cls:ModifyTopic","cls:DeleteTopic","cls:CreateTopic","cls:DescribeTopics","cls:CreateLogset","cls:DeleteLogset","cls:DescribeLogsets","cls:CreateIndex","cls:ModifyIndex","cls:CreateMachineGroup","cls:DeleteMachineGroup","cls:DescribeMachineGroups","cls:ModifyMachineGroup","cls:CreateConfigExtra","cls:DeleteConfigExtra","cls:ModifyConfigExtra"],"resource": "*","effect": "allow"}]}
Data Upload by Using APIs/SDKs
Users can use APIs/SDKs to upload data to CLS. (The sample code below demonstrates the minimum permission for data upload by using APIs/SDKs.)
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:UploadLog","cls:MetricsRemoteWrite"],"resource": "*","effect": "allow"}]}
Data Upload by Using Kafka
Users can upload log data to CLS over Kafka protocol. (The sample code below demonstrates the minimum permission for data upload over Kafka protocol.)
{"version": "2.0","statement": [{"action": ["cls:RealtimeProducer"],"resource": "*","effect": "allow"}]}
Data Upload Through Cloud Product Metric Subscription
Users can upload metric data to CLS through cloud product metric subscription. (The sample code below demonstrates the minimum permission for data upload through cloud product metric subscription.)
{"version": "2.0","statement": [{"action": ["cls:CreateMetricSubscribe","cls:DescribeMetricCorrectDimension","cls:DescribeMetricSubscribePreview","monitor:DescribeBaseMetrics","monitor:DescribeProductList"],"resource": "*","effect": "allow"}]}
Subscription to MySQL Binlog Data
Users can upload MySQL binlog data to CLS through subscription. (The sample code below demonstrates the minimum permission for MySQL binlog data upload through subscription.)
{"version": "2.0","statement": [{"action": ["cls:CreateBinlogSubscribe","cls:DescribeBinlogSubscribes","cls:ModifyBinlogSubscribe","cls:DescribeBinlogSubscribeConnectivity","cls:DescribeBinlogSubscribePreview",],"resource": "*","effect": "allow"}]}
Subscription to Kafka Data
Users can upload Kafka cluster data to CLS through subscription. (The sample code below demonstrates the minimum permission for Kafka cluster data upload through subscription.)
{"version": "2.0","statement": [{"action": ["cls:PreviewKafkaRecharge","cls:CreateKafkaRecharge","cls:ModifyKafkaRecharge",],"resource": "*","effect": "allow"}]}
FluentBit Log Uploading
Users can upload Fluent Bit data to CLS by using Fluent Bit plugins in Go. (The sample code below demonstrates the minimum permission for data upload by using Fluent Bit plugins in Go.)
{"version": "2.0","statement": [{"action": ["cls:pushLog",],"resource": "*","effect": "allow"}]}
Logstash Log Upload
Users can upload Logstash data to CLS by using Logstash plugins. (The sample code below demonstrates the minimum permission for data upload by using Logstash plugins.)
{"version": "2.0","statement": [{"action": ["cls:pushLog",],"resource": "*","effect": "allow"}]}
Managing Collection Configurations and Machine Groups
Related operations include creation, modification, and deletion of collection configurations and machine groups.
Config-related APIs correspond to resources related to collection configurations.
MachineGroup-related APIs correspond to resources related to machine groups.
The three ConfigExtra-related APIs are used to manage the cluster configuration for uploading self-built Kubernetes cluster data. They can be ignored if no self-built Kubernetes cluster data is uploaded.
{"version": "2.0","statement": [{"action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:CreateConfig","cls:CreateConfig","cls:DeleteConfig","cls:DescribeConfigs","cls:ModifyConfig","cls:CreateConfigExtra","cls:DeleteConfigExtra","cls:ModifyConfigExtra","cls:CreateMachineGroup","cls:DeleteMachineGroup","cls:DescribeMachineGroups","cls:DeleteConfigFromMachineGroup","cls:ApplyConfigToMachineGroup","cls:ModifyMachineGroup"],"resource": "*","effect": "allow"}]}
Topic Management and Search/Analysis
View/manage topics and perform search/analysis:
Management Permission: Operations on All Topics
Users can search for and manage all topics. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]}]}
Management Permission: Operations on Specified Topics
Users can search for and manage specific topics. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516","qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"]}]}
Management Permission: Operations on Topics with Specified Tags
Users can search for and manage topics with specific tags. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing. Tags are required for both topics and their logsets.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
Read-Only Permission: Operations on All Topics
Users can search for all topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]}]}
Read-Only Permission: Operations on Specified Topics
Users can search for specified topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516","qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"]}]}
Read-Only Permission: Operations on Topics with Specified Tags
Users can search for topics with specified tags.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
Use APIs to perform search and analysis:
Read-Only Permission: Search and Analysis on All Topics
Users can perform search and analysis on all topics by using APIs.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["*"]}]}
Read-Only Permission: Search and Analysis on Specified Topics
Users can perform search and analysis on specified topics by using APIs.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516","qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"]}]}
Read-Only Permission: Search and Analysis on Topics with Specified Tags
Users can perform search and analysis on topics with specified tags by using APIs.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
Dashboard
Management Permission: Operations on All Dashboards
Users can manage all dashboards. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of all topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": "*"},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*"}]}
Management Permission: Operations on Dashboards with Specified Tags
Users can manage dashboards with specified tags. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of topics with specified tags.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Management Permission: Operations on Specified Dashboards
Users can manage specified dashboards. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of specified topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": ["qcs::cls::uin/100000*001:dashboard/dashboard-0769a3ba-2514-409d-**-f65b20b23736"]},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls::uin/100000*001:topic/174ca473-50d0-4fdf-**-2ef681a1e02a"]}]}
Read-Only Permission: Operations on All Dashboards
Users can view all dashboards, and the dashboards can use data of all topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": "*"},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*"}]}
Read-Only Permission: Operations on Dashboards with Specified Tags
Users can view dashboards with specified tags, and the dashboards can use data of topics with specified tags.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Read-Only Permission: Operations on Specified Dashboards
Users can view specified dashboards, and the dashboards can use data of specified topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": ["qcs::cls::uin/100000*001:dashboard/dashboard-0769a3ba-2514-409d-**-f65b20b23736"]},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls::uin/100000*001:topic/174ca473-50d0-4fdf-**-2ef681a1e02a"]}]}
Monitoring and Alarm
Management Permission: Operations on All Alarm Policies
Users can manage all alarm policies. Related operations include creating alarm policies, creating notification channel groups, and viewing alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:CreateAlarm","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:CreateAlarmNotice","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:GetAlarmLog","cls:DescribeAlertRecordHistory","cls:CheckAlarmRule","cls:CheckAlarmChannel"],"resource": "*"}]}
Management Permission: Operations on Alarm Policies with Specified Tags
Users can manage alarm policies with specified tags. Related operations include modifying alarm policies, modifying notification channel groups, and viewing alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:CheckAlarmRule","cls:CheckAlarmChannel","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Management Permission: Operations on Specified Alarm Policies
Users can manage specified alarm policies. Related operations include modifying alarm policies, modifying notification channel groups, and viewing alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:CheckAlarmRule","cls:CheckAlarmChannel","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf","qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"]}]}
Read-Only Permission: Operations on All Alarm Policies
Users can view all alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": "*"}]}
Read-Only Permission: Operations on Alarm Policies with Specified Tags
Users can view alarm policies with specified tags.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Read-Only Permission: Operations on Specified Alarm Policies
Users can view specified alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf","qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"]}]}
Data Processing
Data Processing
Management Permission: Operations on All Data Processing Tasks
Users can manage data processing tasks of all log topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeTopics","cls:DescribeIndex","cls:CreateDataTransform"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeFunctions","cls:CheckFunction","cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo","cls:DeleteDataTransform","cls:ModifyDataTransform"],"resource": ["*"]}]}
Read-Only Permission: Operations on All Data Processing Tasks
Users can view data processing tasks of all log topics. DSL function authorization is not required.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo"],"resource": ["*"]}]}
Perform scheduled SQL analysis:
Management permission: Scheduled SQL Analysis on All Log Topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:CreateScheduledSql","cls:SearchLog","cls:DescribeScheduledSqlInfo","cls:DescribeScheduledSqlProcessInfo","cls:DeleteScheduledSql","cls:ModifyScheduledSql","cls:RetryScheduledSqlTask"],"resource": ["*"]},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
Management Permission: Scheduled SQL Analysis on Log Topics with Specified Tags
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cls:DescribeScheduledSqlProcessInfo","cls:CreateScheduledSql","cls:DeleteScheduledSql","cls:ModifyScheduledSql","cls:RetryScheduledSqlTask"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:DescribeScheduledSqlInfo"],"resource": ["*"]}]}
Data Shipping and Consumption
Ship to CKafka:
Management Permission: Shipping All Log Topics to CKafka
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:CreateConsumer","cls:ModifyConsumer","cls:DeleteConsumer","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Management Permission: Shipping Log Topics with Specified Tags to CKafka
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:CreateConsumer","cls:ModifyConsumer","cls:DeleteConsumer","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["age&13","name&vinson"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Read-Only Permission: Shipping All Log Topics to CKafka
Users can perform read-only operations for shipping all log topics to CKafka.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Read-Only Permission: Shipping Log Topics with Specified Tags to CKafka
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Ship to COS:
Management Permission: Shipping All Log Topics to COS
Users can perform all operations for shipping all log topics to COS.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeIndex","cls:CreateShipper"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:ModifyShipper","cls:DescribeShippers","cls:DeleteShipper","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cos:GetService","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList"],"resource": "*"}]}
Management Permission: Shipping Log Topics with Specified Tags to COS
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeIndex","cls:CreateShipper"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:ModifyShipper","cls:DescribeShippers","cls:DeleteShipper","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cos:GetService","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList"],"resource": "*"}]}
Read-Only Permission: Shipping All Log Topics to COS
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets" ],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:DescribeShippers","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cam:ListAttachedRolePolicies"],"resource": "*"}]}
Read-Only Permission: Shipping Log Topics with Specified Tags to COS
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:DescribeShippers","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cam:ListAttachedRolePolicies"],"resource": "*"}]}
Ship to SCF:
Management Permission: Shipping All Log Topics to SCF
Users can perform all operations for shipping all log topics to SCF.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:CreateDeliverFunction","cls:DeleteDeliverFunction","cls:ModifyDeliverFunction","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Management Permission: Shipping Log Topics with Specified Tags to SCF
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:CreateDeliverFunction","cls:DeleteDeliverFunction","cls:ModifyDeliverFunction","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Read-Only Permission: Shipping All Log Topics to SCF
Users can perform read-only operations for shipping all log topics to SCF.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Read-Only Permission: Shipping Log Topics with Specified Tags to SCF
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Kafka Protocol Consumption
Management Permission: Consuming All Log Topics over Kafka Protocol
Users can consume all log topics over Kafka protocol.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"resource": ["*"]},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
Management Permission: Consuming Log Topics with Specific Tags over Kafka Protocol
Users can consume log topics with specific tags over Kafka protocol.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
Management Permission: Consuming Specific Resources over Kafka Protocol
{"statement": [{"action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"effect": "allow","resource": ["qcs::cls:ap-chengdu:100001127XXX:logset/axxxxxx-772e-4971-ad9a-ddcfcfff691b","qcs::cls:ap-chengdu:100001127XXX:topic/590xxxxxxx-36c4-447b-a84f-172ee7340b22"]},{"action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
Minimum Permission for Consumption over Kafka Protocol (Not for Console but for API Calls)
{"version": "2.0","statement": [{"action": ["cls:OpenKafkaConsumer"],"effect": "allow","resource": ["*"]}]}
Ship metric topics:
Management Permission: Shipping All Metric Topics
{"statement": [{"action": ["cls:DescribeRemoteWriteTask","cls:DescribeTopics","cls:CreateRemoteWriteTask","cls:ModifyRemoteWriteTask","cls:DescribeLogsets","cls:DeleteRemoteWriteTask","cls:CheckRemoteWriteTaskConnect"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
Management Permission: Shipping Metric Topics with Specific Tags
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeRemoteWriteTask","cls:DescribeTopics","cls:CreateRemoteWriteTask","cls:ModifyRemoteWriteTask","cls:DescribeLogsets","cls:DeleteRemoteWriteTask","cls:CheckRemoteWriteTaskConnect"],"resource": ["*"],"condition": {"string_equal": {"qcs:resource_tag": "key:value"}}}]}
Custom Consumption
Management Permission: Custom Consumption of All Metric Topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsumerGroup","cls:ModifyConsumerGroup","cls:DescribeConsumerGroups","cls:DeleteConsumerGroup","cls:DescribeConsumerOffsets","cls:CommitConsumerOffsets","cls:SendConsumerHeartbeat","cls:pullLog"],"resource": ["*"]}]}
DataSight Permissions
Management Permission: Operations on All Independent DataSight Consoles
Users can create, modify, view, and delete DataSight consoles in the Tencent Cloud console.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["*"]}]}
Management Permission: Operations on Specific Independent DataSight Consoles
Users can create, modify, view, and delete specific DataSight consoles in the Tencent Cloud console.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"]}]}
Management Permission: Operations on Independent DataSight Consoles with Specific Tags
Users can create, modify, view, and delete DataSight consoles with specific tags in the Tencent Cloud console.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Read-Only Permission: Operations on All Independent DataSight Consoles
Users can view relevant information on DataSight consoles in the Tencent Cloud console.
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
Read-Only Permission: Operations on Specific Independent DataSight Consoles
Users can view relevant information on specific DataSight consoles in the Tencent Cloud console.
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"]}],"version": "2.0"}
Read-Only Permission: Operations on Independent DataSight Consoles with Specific Tags
Users can view relevant information on DataSight consoles with specific tags in the Tencent Cloud console.
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}],"version": "2.0"}
Developer
Use CLS through Grafana:
Displaying Data of All Topics Through Grafana
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:MetricsLabelValues","cls:MetricsQueryRange","cls:MetricsLabels","cls:MetricsQuery"],"resource": ["*"]}]}
Displaying Data of Topics with Specified Tags Through Grafana
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:MetricsLabelValues","cls:MetricsQueryRange","cls:MetricsLabels","cls:MetricsQuery"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No