概述
一个主账号下有多个子用户或者协作者,主账号希望不同团队成员通过子用户登录,可以看到和操作的资源不同。 针对该场景,您可以通过标签授权来实现资源的隔离访问。
场景说明
标签授权需要支持资源级权限控制,TI-ONE 的主要资源已支持,具体所有支持资源级的业务接口清单请查看 支持 CAM 的业务接口。下面以资源组、在线服务为例,假设主账号用户有两个团队使用 TI-ONE 产品,有两个资源组,两个在线服务,对应的信息如下:
资源组 id | 在线服务 | 所属标签 | 所属组织 |
rsg-wwb2hgrs | llm_text | team:llm_text | llm_text 团队 |
rsg-zbqrjvlz | llm_picture | team:llm_picture | llm_picture 团队 |
预期效果
资源组和在线服务均实现子用户之间资源隔离
1. 资源组
使用管理员账号查看上海地域资源组列表效果。
使用llm_text_user账号 查看上海地域资源组列表, 只能查看绑定 team:llm_text 标签的资源组:
2. 在线服务
使用管理员账号查看上海地域在线服务列表效果:
操作步骤
第一步:新建标签并为资源组添加标签
1. 新建标签
2. 给资源组添加标签
3. 给在线服务添加标签
在 模型服务-在线服务 页面选择要打标签的服务,单击编辑标签,在标签中选择之前建立的 team 标签键,分别绑定对应标签值,单击确定即可。
第二步:新建自定义策略
目前TI-ONE部分接口不支持标签鉴权,所以需要设置两个策略,Policy_llm_text_tag是标签策略,Policy_llm_text_nontag是不支持标签的TI-ONE接口, 以及依赖其他云产品接口的策略。
?
1. 新建自定义策略Policy_llm_text_tag
选择按标签授权。
?
编辑策略选择 json。
?
将策略内容,修改为如下内容,单击下一步。
{"version": "2.0","statement": [{"effect": "allow","action": ["tione:*"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["team&llm_text"]}}}]}
策略名称修改为 Policy_llm_text_tag,单击完成。
?
2. 新建自定义策略 Policy_llm_text_nontag
{"version":"2.0","statement":[{"effect":"allow","action":["tione:CheckAlgoPlayer","tione:CheckAlgoVoucher","tione:CheckAutoMLTaskNameExist","tione:CheckDatasetName","tione:CheckModelAccTaskNameExist","tione:CheckPostPayInfo","tione:DescribeAlgoPlayerInfo","tione:DescribeAllModels","tione:DescribeAppStatus","tione:DescribeAutoMLIterationInstances","tione:DescribeAvailableRegions","tione:DescribeAvailableSWInstances","tione:DescribeBadcasePreviewStatus","tione:DescribeBatchJob","tione:DescribeBatchJobs","tione:DescribeBillingResourceInstanceRunningJobs","tione:DescribeBillingResourceInstanceRunningJobsBatch","tione:DescribeCodeRepositories","tione:DescribeCodeRepository","tione:DescribeComponentGroups","tione:DescribeCurrentTime","tione:DescribeDataPipelineConfig","tione:DescribeDataPipelineTask","tione:DescribeDataProcessConfig","tione:DescribeDatasetPreviewStatus","tione:DescribeDatasetSchema","tione:DescribeDemoDocument","tione:DescribeDemos","tione:DescribeExecutionJobLog","tione:DescribeExecutionJobs","tione:DescribeExecutionModel","tione:DescribeFavoriteJob","tione:DescribeFavoriteModels","tione:DescribeFavorites","tione:DescribeFileSystemsWithPathAccessibility","tione:DescribeFlowByDriveType","tione:DescribeFlowDataset","tione:DescribeFlowMetadata","tione:DescribeFlowOperatorCategories","tione:DescribeFlowOperators","tione:DescribeFlowParam","tione:DescribeFlowParamKeys","tione:DescribeFlowResource","tione:DescribeFlowScript","tione:DescribeFlowStatus","tione:DescribeHistoryFlows","tione:DescribeHistoryLogs","tione:DescribeHistoryParams","tione:DescribeInferTemplates","tione:DescribeInstanceLog","tione:DescribeInstanceSemiProgress","tione:DescribeInstanceTypes","tione:DescribeKmsAuthState","tione:DescribeLastExecution","tione:DescribeModel","tione:DescribeModelDeployInfo","tione:DescribeModelPath","tione:DescribeModels","tione:DescribeModules","tione:DescribeNotebookInstance","tione:DescribeNotebookInstances","tione:DescribeNotebookLifecycleScript","tione:DescribeNotebookLifecycleScripts","tione:DescribeNotebookSummary","tione:DescribeOutputPath","tione:DescribeOutputSample","tione:DescribeResourceInstances","tione:DescribeResultImage","tione:DescribeRunningFlow","tione:DescribeSavedModels","tione:DescribeSnapshot","tione:DescribeStatisticsOutputSample","tione:DescribeSubmitStatus","tione:DescribeSupportedInstanceType","tione:DescribeTAIJITemplate","tione:DescribeTAIJITemplateList","tione:DescribeTJResourceDetail","tione:DescribeTaskComparison","tione:DescribeTaskComparisons","tione:DescribeTensorBoardUrl","tione:DescribeTrainingJob","tione:DescribeTrainingJobs","tione:DescribeUserInfo","tione:DescribeVisualization","tione:GetComparedPredictions","tione:GetInstanceCredentials","tione:SendChatMessage","tione:AddFavor","tione:AddFavorModel","tione:CopyUserCosFile","tione:CreateAlgoNotebook","tione:CreateAlgoPlayer","tione:CreateAnnotateTask","tione:CreateAutoMLTask","tione:CreateBatchJob","tione:CreateBatchModelAccTasks","tione:CreateBatchTask","tione:CreateBillingResourceGroup","tione:CreateChatWhiteListUser","tione:CreateCodeRepo","tione:CreateCodeRepository","tione:CreateDataPipelineTask","tione:CreateDataProcessTask","tione:CreateDataset","tione:CreateFeedbackRecord","tione:CreateFlowResource","tione:CreateFlowScript","tione:CreateLifecycleScript","tione:CreateModelAccelerateTask","tione:CreateModelService","tione:CreateNotebook","tione:CreateNotebookImage","tione:CreateNotebookInstance","tione:CreateNotebookLifecycleScript","tione:CreatePresignedNotebookInstanceUrl","tione:CreatePrivateLink","tione:CreateProject","tione:CreateTaskComparison","tione:CreateTrainingJob","tione:CreateTrainingModel","tione:CreateTrainingTask","tione:DeleteBatchJob","tione:DeleteChatWhiteListUser","tione:DeleteCodeRepository","tione:DeleteDataPipelineTask","tione:DeleteDataProcessTask","tione:DeleteFavor","tione:DeleteFlowResource","tione:DeleteModel","tione:DeleteModelVersion","tione:DeleteNotebookImageRecord","tione:DeleteNotebookInstance","tione:DeleteNotebookLifecycleScript","tione:DeleteTaskComparison","tione:ForceKillFlow","tione:GrantAlgoVoucher","tione:ImportAlgo","tione:ModifyBadcasePreviewStatus","tione:ModifyDatasetPreviewStatus","tione:ModifyFavor","tione:ModifyFlowParam","tione:ModifyFlowResource","tione:ModifyFlowScript","tione:RebuildModelServicePod","tione:RenameFlow","tione:ResumeFlow","tione:RunHyperParameters","tione:SaveExecutionFlow","tione:SaveModel","tione:StartBatchJob","tione:StartNotebookInstance","tione:StopCreatingImage","tione:StopFlows","tione:StopNotebookInstance","tione:StopTaskComparison","tione:StopTrainingJob","tione:TransferResourceInstancesToResourceGroup","tione:UpdateAlgoPlayer","tione:UpdateBatchJob","tione:UpdateCodeRepository","tione:UpdateNotebookInstance","tione:UpdateNotebookLifecycleScript","tione:UpdateProject","tione:DescribeAPIConfigs","tione:DescribeDataPipelineTasks","tione:DescribeModelAccEngineVersions","tione:DescribePublicAlgoGroupList","tione:DescribePublicAlgoVersionList","tione:DescribeSceneList","cam:GetRole","cam:ListAttachedRolePolicies","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","cls:DescribeLogsets","cls:DescribeTopics","tcr:DescribeInstances","tcr:DescribeNamespaces","tcr:DescribeRepositories","monitor:GetMonitorData","cos:GetService","cos:GetObject","cos:GetBucket","cos:HeadObject","cos:OptionsObject","tag:DescribeTagKeys","tag:DescribeTagValues","tag:AttachResourcesTag","tag:DetachResourcesTag","tag:GetResources","cfs:DescribeCfsFileSystems","emr:DescribeInstances","cvm:DescribeAddresses","emr:DescribeInstancesList","cfs:DescribeMountTargets","goosefs:DescribeFileSystems"],"resource":"*"}]}
策略名称修改为Policy_llm_text_nontag, 单击完成。
第三步:子用户关联策略
?
注意:
请确保子用户没有关联 TI-ONE 平台其他的 cam 策略。因 cam 策略是取并集操作,如果有其他 TI-ONE 策略可能会导致资源隔离失败。
第四步:验证
用关联策略的子用户 llm_text_user 身份登录 TI 控制台, 子用户仅能查看和操作关联标签 team:llm_text 的资源。符合预期效果。
?
针对 llm_picture 团队授权也参考上述的授权方法。
?
?