Baidu AI Cloud


          Cloud File Storage

          Identity and Access Management

          Basic Concepts

          CFS is integrated with IAM. Users can create sub-users in IAM to manage and use cloud services with fine-grained privileges.

          IAM sub-users have the following features:

          1. All resources of IAM sub-users belong to the root user. Although sub-users with certain privileges can create resources, the billing principal is still the root user.
          2. Sub-users can use the management console and the API independently.
          3. The root user can authorize sub-users. Authorization in IAM is accomplished by associating policies with sub-users. One sub-account can be associated with multiple policies.

          IAM Sub-user Application Scenarios

          Users can use CFS resources flexibly through the master/sub-user system of Baidu AI Cloud.

          • Management and delegation within an enterprise

            Enterprise A uses a Baidu AI Cloud account to purchase a variety of cloud resources (such as BCC instances / CFS instances / BLB instances / BOS storage / ...). Employees of Enterprise A need to operate these cloud resources, including purchasing, operations and maintenance, online applications, etc. Employees in different positions have different duties and need different privileges. For security, A does not want to hand the key of the primary account directly to employees; instead it wants to create a sub-account for each employee according to their position. A sub-account can only operate resources within the limits of its granted privileges, has no independent metering or billing, and all resource fees are charged to the master account. The master account of Enterprise A can revoke the privileges of a sub-account, or delete the sub-account, at any time.

          • Resource operation and privilege management between enterprises

            A and B are different enterprises. Enterprise A purchases a variety of cloud resources (such as BCC instances / CFS instances / BLB instances / BOS storage / ...) to run its business. Enterprise A wants to focus on its business systems and entrust or authorize tasks such as operations and monitoring of its cloud resources to Enterprise B. Enterprise B can further assign these operations tasks to its own employees, that is, B creates corresponding sub-accounts for its employees to use. Enterprise B can precisely control which operations its employees may perform on Enterprise A's cloud resources. If the agent operations contract between Enterprise A and Enterprise B is terminated, Enterprise A may revoke the authorization granted to Enterprise B at any time.

          Policy Description

          CFS provides two policy modes in the cloud: system policies and custom policies.

          System policies: once the root user grants a system policy to a sub-user, the sub-user can perform the corresponding operations on all CFS resources under the root user's account. There are three system policies:

          • CFSFullControlAccessPolicy: privilege to manage CFS (full control).
          • CFSOperateAccessPolicy: privilege to operate and maintain CFS.
          • CFSReadOnlyAccessPolicy: read-only privilege on CFS.

          The privileges of the three system policies correspond to the CFS APIs as follows:

          System policy                               Operational API
          Management (CFSFullControlAccessPolicy)     All APIs of CFS
          Operations (CFSOperateAccessPolicy)         UpdateFileSystem, DescribeFileSystem, CreateMountTarget, DeleteMountTarget, DescribeMountTarget
          Read only (CFSReadOnlyAccessPolicy)         DescribeFileSystem, DescribeMountTarget

          Custom policies: the root user can authorize sub-users by region and by fine-grained resource. The following two types of privileges can be granted:

          Custom policy    Operational API
          Operations       UpdateFileSystem, DescribeFileSystem, CreateMountTarget, DeleteMountTarget, DescribeMountTarget
          Read only        DescribeFileSystem, DescribeMountTarget

          Operation Steps

          1. Create policy

            Go to the "Management Console" and select "Identity and Access Management".


            Select "Policy Management" and search for CFS to see the CFS-related system policies.

            To use a custom policy instead, go to the policy management page and select "Create Policy".


            On the creation page, name the custom policy, filter "Service Type" to CFS, and select the privileges to grant for the instances you intend to authorize.

            For resource selection, the root user can view the existing CFS instances in the list and select the instances to be authorized.


            The new custom policy then appears in the custom policy list.

            Note: When adding or modifying a mount target for a CFS instance, the mount information is chosen from the list of existing VPCs and subnets under the account. Therefore, when the root user grants a sub-user a system policy or a custom policy with management or operations privileges, the sub-user must also be granted read-only or higher privileges on the VPC and subnet products in IAM.

          2. Authorize sub-users

            Once the policy is created, you can grant it to sub-users.

            Add privileges for a sub-user on the "User Management" tab.


            Select "System Policy" or "Custom Policy" to list the available policies, select the privileges you want to grant to the sub-user, and click "OK" to apply them.


            To remove an authorization from a sub-user: click the user name to open the "Sub-User Details Page". The privileges held by this user are listed under "Privilege Information"; click "Delete" to remove a privilege from the user.

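To make the policy tables and the Note in step 1 concrete, here is an added example (not Baidu's code or API) that models how the CFS system and custom policies gate a sub-user's API calls, including the rule that creating a mount target also needs read access to VPC and subnet. The dictionary shapes for sub-users and custom policies, and the region and instance values, are assumptions made for this illustration.

```python
OPERATIONS_APIS = {"UpdateFileSystem", "DescribeFileSystem", "CreateMountTarget",
                   "DeleteMountTarget", "DescribeMountTarget"}
READ_ONLY_APIS = {"DescribeFileSystem", "DescribeMountTarget"}

# CFS APIs granted by each system policy; "*" means every CFS API.
SYSTEM_POLICIES = {
    "CFSFullControlAccessPolicy": {"*"},
    "CFSOperateAccessPolicy": OPERATIONS_APIS,
    "CFSReadOnlyAccessPolicy": READ_ONLY_APIS,
}
# The two privilege types a custom policy can carry.
CUSTOM_POLICY_TYPES = {"Operations": OPERATIONS_APIS, "Read only": READ_ONLY_APIS}

# Adding a mount target lists the account's VPCs and subnets, so the sub-user
# also needs at least read-only privileges on those services (the Note above).
CROSS_SERVICE_READ = {"CreateMountTarget": {"VPC", "Subnet"}}


def policy_covers(policy, api, region, instance):
    """True if one attached policy allows `api` on `instance` in `region`.
    A system policy covers every CFS resource of the root user; a custom policy
    (assumed shape: type/regions/instances) is scoped by region and instance."""
    if "system" in policy:
        apis = SYSTEM_POLICIES[policy["system"]]
        return "*" in apis or api in apis
    return (api in CUSTOM_POLICY_TYPES[policy["type"]]
            and region in policy["regions"]
            and instance in policy["instances"])


def authorize(sub_user, api, region, instance):
    """Decide whether a sub-user may call a CFS API; returns (allowed, reason).
    sub_user = {"policies": [...], "read_services": {...}} is an assumed shape,
    where read_services holds non-CFS services the sub-user can at least read."""
    if not any(policy_covers(p, api, region, instance) for p in sub_user["policies"]):
        return False, f"no attached CFS policy allows {api} on {instance} in {region}"
    missing = CROSS_SERVICE_READ.get(api, set()) - sub_user["read_services"]
    if missing:
        return False, f"{api} also needs read-only access to: {sorted(missing)}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: an operations sub-user with no VPC/subnet privileges.
    ops_user = {"policies": [{"system": "CFSOperateAccessPolicy"}], "read_services": set()}
    print(authorize(ops_user, "CreateMountTarget", "region-example", "cfs-example-1"))
```

Running it shows the denial from the Note: the operations policy alone covers CreateMountTarget, but the call is still refused until VPC and Subnet read access is granted.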
