forked from docs/cloud-connect
Changes to ccn_api-ref from docs/doc-exports#1451 (CCN API 20250121 version)
Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com> Co-authored-by: OpenTelekomCloud Proposal Bot <proposalbot@otc-service.com> Co-committed-by: OpenTelekomCloud Proposal Bot <proposalbot@otc-service.com>
This commit is contained in:
@ -0,0 +1,82 @@
|
||||
:original_name: cc_02_0003.html
|
||||
|
||||
.. _cc_02_0003:
|
||||
|
||||
Actions Supported by Policy-based Authorization
|
||||
===============================================
|
||||
|
||||
This topic describes the actions supported by Cloud Connect in policy-based authorization.
|
||||
|
||||
Supported Actions
|
||||
-----------------
|
||||
|
||||
Cloud Connect provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
|
||||
|
||||
- Permissions: allow or deny operations on specified resources under specific conditions.
|
||||
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
|
||||
- Actions: specific operations that are allowed or denied.
|
||||
- Related actions: actions on which a specific action depends to take effect. When assigning permissions for the action to a user, you also need to assign permissions for the related actions.
|
||||
- IAM or enterprise projects: type of projects for which an action will take effect. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. "Y" indicates that the action supports the project and "x" indicates that the action does not support the project.
|
||||
|
||||
Cloud Connect supports the following actions in custom policies:
|
||||
|
||||
- :ref:`Central Networks <cc_02_0003__section1554071374415>`: actions supported by all central network APIs, such as the APIs for creating, updating, and deleting a central network, querying central network details, and querying the central network list
|
||||
- :ref:`Central Network Policies <cc_02_0003__section1096015764615>`: actions supported by all central network policy APIs, such as the APIs for adding, applying, deleting a central network policy, querying central network policy details, querying the central network policy list, and querying policy changes
|
||||
- :ref:`Central Network Connections <cc_02_0003__section13988959134617>`: actions supported by all central network connection APIs, such as the APIs for querying the central network connection list and updating a central network connection
|
||||
|
||||
.. _cc_02_0003__section1554071374415:
|
||||
|
||||
Central Networks
|
||||
----------------
|
||||
|
||||
.. table:: **Table 1** Actions supported for central networks
|
||||
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
| Permission | API | Action | Related Action | IAM Project | Enterprise Project |
|
||||
+===================================+==================================================================+==========================+================+=============+====================+
|
||||
| Creating a central network | POST /v3/{domain_id}/gcn/central-networks | cc:centralNetwork:create | ``-`` | Y | Y |
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
| Updating a central network | PUT /v3/{domain_id}/gcn/central-networks/{central_network_id} | cc:centralNetwork:update | ``-`` | Y | Y |
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
| Deleting a central network | DELETE /v3/{domain_id}/gcn/central-networks/{central_network_id} | cc:centralNetwork:delete | ``-`` | Y | Y |
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
| Querying central network details | GET /v3/{domain_id}/gcn/central-networks/{central_network_id} | cc:centralNetwork:get | ``-`` | Y | Y |
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
| Querying the central network list | GET /v3/{domain_id}/gcn/central-networks | cc:centralNetwork:list | ``-`` | Y | Y |
|
||||
+-----------------------------------+------------------------------------------------------------------+--------------------------+----------------+-------------+--------------------+
|
||||
|
||||
.. _cc_02_0003__section1096015764615:
|
||||
|
||||
Central Network Policies
|
||||
------------------------
|
||||
|
||||
.. table:: **Table 2** Actions supported for central network policies
|
||||
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
| Permission | API | Action | Related Action | IAM Project | Enterprise Project |
|
||||
+===================================+==============================================================================================+=================================+================+=============+====================+
|
||||
| Adding a central network policy | POST /v3/{domain_id}/gcn/central-network/{central_network_id}/policies | cc:centralNetwork:createPolicy | ``-`` | Y | Y |
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
| Applying a central network policy | POST /v3/{domain_id}/gcn/central-network/{central_network_id}/policies/{policy_id}/apply | cc:centralNetwork:applyPolicy | ``-`` | Y | Y |
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
| Deleting a central network policy | DELETE /v3/{domain_id}/gcn/central-network/{central_network_id}/policies/{policy_id} | cc:centralNetwork:deletePolicy | ``-`` | Y | Y |
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
| Querying the central network list | GET /v3/{domain_id}/gcn/central-network/{central_network_id}/policies | cc:centralNetwork:listPolicies | ``-`` | Y | Y |
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
| Querying policy changes | GET /v3/{domain_id}/gcn/central-network/{central_network_id}/policies/{policy_id}/change-set | cc:centralNetwork:listChangeSet | ``-`` | Y | Y |
|
||||
+-----------------------------------+----------------------------------------------------------------------------------------------+---------------------------------+----------------+-------------+--------------------+
|
||||
|
||||
.. _cc_02_0003__section13988959134617:
|
||||
|
||||
Central Network Connections
|
||||
---------------------------
|
||||
|
||||
.. table:: **Table 3** Actions supported for central network connections
|
||||
|
||||
+----------------------------------------------+------------------------------------------------------------------------------------------+------------------------------------+----------------+-------------+--------------------+
|
||||
| Permission | API | Action | Related Action | IAM Project | Enterprise Project |
|
||||
+==============================================+==========================================================================================+====================================+================+=============+====================+
|
||||
| Querying the central network connection list | GET /v3/{domain_id}/gcn/central-network/{central_network_id}/connections | cc:centralNetwork:listConnections | ``-`` | Y | Y |
|
||||
+----------------------------------------------+------------------------------------------------------------------------------------------+------------------------------------+----------------+-------------+--------------------+
|
||||
| Updating a central network connection | PUT /v3/{domain_id}/gcn/central-network/{central_network_id}/connections/{connection_id} | cc:centralNetwork:updateConnection | ``-`` | Y | Y |
|
||||
+----------------------------------------------+------------------------------------------------------------------------------------------+------------------------------------+----------------+-------------+--------------------+
|
||||
16
api-ref/source/permissions_and_supported_actions/index.rst
Normal file
16
api-ref/source/permissions_and_supported_actions/index.rst
Normal file
@ -0,0 +1,16 @@
|
||||
:original_name: cc_02_0001.html
|
||||
|
||||
.. _cc_02_0001:
|
||||
|
||||
Permissions and Supported Actions
|
||||
=================================
|
||||
|
||||
- :ref:`Introduction <cc_02_0002>`
|
||||
- :ref:`Actions Supported by Policy-based Authorization <cc_02_0003>`
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
:hidden:
|
||||
|
||||
introduction
|
||||
actions_supported_by_policy-based_authorization
|
||||
@ -0,0 +1,31 @@
|
||||
:original_name: cc_02_0002.html
|
||||
|
||||
.. _cc_02_0002:
|
||||
|
||||
Introduction
|
||||
============
|
||||
|
||||
You can use Identity and Access Management (IAM) for fine-grained permissions management of your Cloud Connect resources. If your account does not need individual IAM users, you can skip this topic.
|
||||
|
||||
With IAM, you can control access to specific cloud resources. IAM supports role/policy-based authorization and identity policy-based authorization.
|
||||
|
||||
The following table describes the differences between the two authorization models.
|
||||
|
||||
.. table:: **Table 1** Differences between role/policy-based and identity policy-based authorization
|
||||
|
||||
+---------------------+-------------------------------------+-------------------------------------+----------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Authorization Model | Authorization Using | Permissions | Authorization Method | Scenario |
|
||||
+=====================+=====================================+=====================================+==============================================+============================================================================================================================================================================================================================================================================================================================+
|
||||
| Role/Policy | User-permission-authorization scope | - System-defined roles | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
||||
| | | - System-defined policies | | |
|
||||
| | | - Custom policies | | |
|
||||
+---------------------+-------------------------------------+-------------------------------------+----------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Identity policy | User-policy | - System-defined identity policies | - Assigning identity policies to principals | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
|
||||
| | | - Custom identity policies | - Attaching identity policies to principals | |
|
||||
+---------------------+-------------------------------------+-------------------------------------+----------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
|
||||
Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model.
|
||||
|
||||
If you use IAM users in your account to call an API, the IAM users must be granted the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions allowing the actions can call the API successfully.
|
||||
|
||||
Assume that an IAM user wants to call an API to query central networks. With role/policy-based authorization, the IAM user must be granted the permissions allowing for action **cc:centralNetwork:list**. With identity policy-based authorization, the IAM user must be granted the permissions allowing for action **cc:centralNetwork:list**.
|
||||
Reference in New Issue
Block a user