当子账号通过日志服务OpenAPI对主账号的资源进行访问时,日志服务后台对RAM进行权限检查,以确保资源拥有者的确将相关资源的相关权限授予了调用者。本文档为您列举日志服务API发生子账号访问主账号资源时的鉴权规则。
Logstore
每个不同的日志服务API会根据涉及到的资源以及API的语义来确定需要检查哪些资源的权限。具体各类API的鉴权规则见下表。
| Action |
Resource |
| log:GetLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListLogStores |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:CreateLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:DeleteLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:UpdateLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
loghub
数据写入以及消费类API,其中获取数据游标API GetCursor以及获取数据API GetLogs共用同一个 Action(log:GetCursorOrData)。
| Action |
Resource |
| log:GetCursorOrData |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListShards |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:PostLogStoreLogs |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
config
| Action |
Resource |
| log:CreateConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
| log:UpdateConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:DeleteConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:ListConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
machinegroup
| Actions |
Resources |
| log:CreateMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:UpdateMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:DeleteMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:ListMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:ListMachines |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
config和machinegroup交互类API
| Actions |
Resources |
| log:ApplyConfigToGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:RemoveConfigFromGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetAppliedMachineGroups |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetAppliedConfigs |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
