When a RAM user (sub-account) accesses resources of the Alibaba Cloud account (main account) through the Log Service OpenAPI, the Log Service backend performs a permission check against RAM to confirm that the resource owner has in fact granted the caller the relevant permissions on the relevant resources. This document lists the authorization rules the Log Service API applies when a RAM user accesses main-account resources. In the tables below, `${regionName}` is the region of the project, `${projectOwnerAliUid}` is the UID of the Alibaba Cloud account that owns the project (not the UID of the RAM user making the call), and the remaining placeholders are the names of the project and of the specific resource being accessed.
Logstore
Each Log Service API decides which resources' permissions are checked based on the resources it touches and the semantics of the API. Note that list and create operations check a wildcard resource (for example `.../logstore/*`), so the RAM policy must grant a Resource pattern that matches that wildcard; a grant on a single named logstore does not satisfy them. The authorization rules for each class of API are listed in the tables below.

| Action | Resource |
| --- | --- |
| log:GetLogStore | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListLogStores | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:CreateLogStore | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:DeleteLogStore | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:UpdateLogStore | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
loghub
Data write and data consumption APIs. The cursor API GetCursor and the data read API GetLogs share a single Action (log:GetCursorOrData), so granting it permits both.

| Action | Resource |
| --- | --- |
| log:GetCursorOrData | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListShards | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:PostLogStoreLogs | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
config
| Action | Resource |
| --- | --- |
| log:CreateConfig | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
| log:UpdateConfig | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:DeleteConfig | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetConfig | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:ListConfig | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
machinegroup
| Action | Resource |
| --- | --- |
| log:CreateMachineGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:UpdateMachineGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:DeleteMachineGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetMachineGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:ListMachineGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:ListMachines | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
APIs that operate on both a config and a machinegroup

ApplyConfigToGroup and RemoveConfigFromGroup check two resources; the call is authorized only if the caller has been granted the Action on both the logtail config and the machine group.

| Action | Resource |
| --- | --- |
| log:ApplyConfigToGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} and acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:RemoveConfigFromGroup | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} and acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetAppliedMachineGroups | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetAppliedConfigs | acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
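The following is an added example, not Log Service or RAM code, that encodes the resource rules from all of the tables above and evaluates a RAM policy against them to predict whether a given API call by a RAM user would pass the check. The policy document, the region `cn-hangzhou`, the owner UID `123456789012`, and the project, logstore, config and machine-group names are constructed placeholders. It applies the standard RAM evaluation order (an explicit Deny wins, any matching Allow grants, otherwise the default is deny) and ignores Condition elements.

```python
"""Added example (not Log Service code): evaluate a RAM policy against the
per-API resource rules from this page to see whether one API call would be
authorized. Policy, UID, region and names are constructed placeholders."""
import re

# Resource templates from the tables on this page, keyed by Action.
# A call passes only if the policy allows EVERY resource listed for it.
P = "acs:log:{region}:{owner_uid}:project/{project}"
RULES = {
    "log:GetLogStore": [P + "/logstore/{logstore}"],
    "log:ListLogStores": [P + "/logstore/*"],
    "log:CreateLogStore": [P + "/logstore/*"],
    "log:DeleteLogStore": [P + "/logstore/{logstore}"],
    "log:UpdateLogStore": [P + "/logstore/{logstore}"],
    "log:GetCursorOrData": [P + "/logstore/{logstore}"],
    "log:ListShards": [P + "/logstore/{logstore}"],
    "log:PostLogStoreLogs": [P + "/logstore/{logstore}"],
    "log:CreateConfig": [P + "/logtailconfig/*"],
    "log:UpdateConfig": [P + "/logtailconfig/{config}"],
    "log:DeleteConfig": [P + "/logtailconfig/{config}"],
    "log:GetConfig": [P + "/logtailconfig/{config}"],
    "log:ListConfig": [P + "/logtailconfig/*"],
    "log:CreateMachineGroup": [P + "/machinegroup/*"],
    "log:UpdateMachineGroup": [P + "/machinegroup/{group}"],
    "log:DeleteMachineGroup": [P + "/machinegroup/{group}"],
    "log:GetMachineGroup": [P + "/machinegroup/{group}"],
    "log:ListMachineGroup": [P + "/machinegroup/*"],
    "log:ListMachines": [P + "/machinegroup/{group}"],
    "log:ApplyConfigToGroup": [P + "/logtailconfig/{config}", P + "/machinegroup/{group}"],
    "log:RemoveConfigFromGroup": [P + "/logtailconfig/{config}", P + "/machinegroup/{group}"],
    "log:GetAppliedMachineGroups": [P + "/logtailconfig/{config}"],
    "log:GetAppliedConfigs": [P + "/machinegroup/{group}"],
}


def required_resources(action, **names):
    """Fill the page's templates for one call; a '*' in a template stays literal."""
    return [t.format(**names) for t in RULES[action]]


def pattern_matches(pattern, value):
    """RAM-style matching: '*' in a policy Action/Resource matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def resource_allowed(policy, action, resource):
    """Explicit Deny wins, any matching Allow grants, otherwise default deny.
    Simplified: Condition elements are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(pattern_matches(a, action) for a in _as_list(stmt["Action"])) and \
              any(pattern_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def authorize(policy, action, **names):
    """Return (ok, missing): ok only when every required resource is allowed."""
    missing = [r for r in required_resources(action, **names)
               if not resource_allowed(policy, action, r)]
    return (not missing, missing)


# Constructed RAM policy; 123456789012 stands in for the project owner's UID.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["log:GetLogStore", "log:GetCursorOrData", "log:ListShards"],
         "Resource": "acs:log:cn-hangzhou:123456789012:project/my-project/logstore/app-logs"},
        {"Effect": "Allow", "Action": "log:ListLogStores",
         "Resource": "acs:log:cn-hangzhou:123456789012:project/my-project/logstore/*"},
        {"Effect": "Allow", "Action": "log:ApplyConfigToGroup",
         "Resource": "acs:log:cn-hangzhou:123456789012:project/my-project/logtailconfig/*"},
        {"Effect": "Deny", "Action": "log:PostLogStoreLogs",
         "Resource": "acs:log:cn-hangzhou:123456789012:project/my-project/logstore/*"},
    ],
}

CTX = dict(region="cn-hangzhou", owner_uid="123456789012", project="my-project")

if __name__ == "__main__":
    for action, names in [("log:GetLogStore", {"logstore": "app-logs"}),
                          ("log:GetLogStore", {"logstore": "other"}),
                          ("log:ListLogStores", {}),
                          ("log:ApplyConfigToGroup", {"config": "nginx", "group": "web"}),
                          ("log:PostLogStoreLogs", {"logstore": "app-logs"})]:
        ok, missing = authorize(SAMPLE_POLICY, action, **CTX, **names)
        print(f"{action:28} {'ALLOW' if ok else 'DENY '} missing={missing}")
```

Two results are worth noting. `log:ApplyConfigToGroup` is denied even though the policy grants it on `logtailconfig/*`, because the second required resource (`machinegroup/web`) is not covered; the `missing` list names exactly which grant to add. And a policy that grants `log:ListLogStores` only on a named logstore never satisfies the `logstore/*` resource the rule checks, which is why list and create permissions must be granted with the wildcard form.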