Policy Syntax
Introduction to ACL Syntax
Background
Baidu AI Cloud supports both user-based (role-based) and resource-based permission checks. For a user request, the accessControlList associated with the user's role is looked up from the identity of the request and used for the permission check; the ACL (Access Control List) associated with the resource is looked up from the resource path of the request and is likewise used for the permission check.
Glossary
Access Control List (ACL): A permission control list attached to a user role or to a resource. A user's permission control over a resource can therefore be resource-based or user-based, and by setting an ACL the user controls access to the service at fine granularity. An ACL is a list consisting of one or more entries.
User-based ACL: A permission control list attached to a user. A user or group is added to a specific permission policy, and that policy specifies the permissions the role has on different resources. When a request arrives, the permission lists attached to the user, and to the groups the user belongs to, are traversed and their permission descriptions are used for the permission check.
Resource-based ACL: A permission control list attached to a resource. For a specific level of resource (for example the bucket level in BOS), applicable policies are specified when the resource is created, and the policy description grants permissions to different users. When a user requests the resource, the permission policies associated with that resource are obtained and their permission descriptions are traversed for the permission check.
IAM ACL Syntax
IAM ACL uses a JSON-format policy description language for fine-grained access control based on user or resource. Field names use lowerCamelCase (the first letter is lowercase).
Field overview
Field name | Is it required | Field meaning |
---|---|---|
id | Optional | Identifier of this ACL, used to mark the ID of the ACL or to describe it |
accessControlList | Required | The main element of the ACL; it marks the beginning of the ACL body and consists of a set of entries (statements) |
eid | Optional | Identifies the ID of an ACL entry, or describes the entry |
service | Required | The service component affected by this entry; "*" indicates all services |
region | Required | The region affected by this entry; "*" indicates all regions (global services must use "*") |
effect | Required | Specifies whether a request that matches this entry is allowed to continue |
grantee | Optional | The principal(s) affected by this entry; applies only to resource-based ACLs, where it is required |
permission | Required | Specifies the permissions affected by this entry |
resource | Required | Specifies the resources affected by this entry |
condition | Optional | Specifies the conditions under which the entry takes effect; it has sub-fields of its own |
- Sub-fields of grantee:
Sub-field of grantee | Field meaning | Example |
---|---|---|
id | Account authorized (or prohibited) | b124deeaf6f641c9ac27700b41a350a8 |
user | User authorized (or prohibited) | bob |
group | Group authorized (or prohibited) | developers |
saml-provider | Name of the uploaded IdP (identity provider) | developers |
- Sub-fields of condition:
Sub-field of condition | Field meaning |
---|---|
ipAddress | Range of IP addresses for which this entry takes effect |
time | Time range during which this entry takes effect |
referer | Referer for which this entry takes effect |
Relationship between ACL and entry:
- Each resource has an independent ACL
- Each ACL consists of one or more entries
Relationship between entries:
- The entries are independent of each other
- Mutual independence means that each entry is evaluated on its own, and the logical judgment of an entry does not depend on its position in the ACL
Synthesis example
```json
{
    "id": "id or description",
    "accessControlList": [
        {
            "eid": "eid or description",
            "service": "bce:bos",
            "region": "bj",
            "effect": "Allow",
            "permission": [
                "CreateBucket",
                "READ"
            ],
            "resource": [
                "bucketname/objectname"
            ],
            "grantee": [
                {
                    "id": "accountid",
                    "user": "bob",
                    "saml-provider": "saml.xml"
                }
            ],
            "condition": {
                "ipAddress": [
                    "192.168.0.0/16",
                    "192.169.0.0/16"
                ],
                "time": {
                    "in": [
                        {
                            "greaterThan": "2010-06-01T23:00:00Z",
                            "lessThan": "2010-07-01T23:00:00Z"
                        },
                        {
                            "greaterThan": "2010-08-01T23:00:00Z"
                        }
                    ]
                },
                "referer": {
                    "stringEquals": [
                        "www.abc.com",
                        "www.example.com"
                    ],
                    "stringLike": [
                        "www.baidu.com/*"
                    ]
                }
            }
        }
    ]
}
```
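The following is an added example, not Baidu's own evaluator or any code from this page: a small Python policy checker that applies the field table, the entry-independence rule and the condition sub-fields described above to a constructed policy modelled on the synthesis example. It assumes the points the page leaves open, each marked in a comment: that list fields (`permission`, `resource`) are glob-matched so `"*"` works everywhere, that a `grantee` object matches when every key it names equals the caller's attribute, that a `time` condition holds when the request time falls inside any window under `"in"`, and that a matching `Deny` entry takes precedence over a matching `Allow` entry, with no match meaning deny. The `validate` function checks the required fields from the field table; `grantee` is enforced only when `resource_based=True`.

```python
"""Hypothetical evaluator for Baidu-style IAM ACL policies (added example, not Baidu's code)."""
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample policy modelled on the page's synthesis example, plus a Deny entry
# placed last to show that an entry's position in the ACL does not matter.
POLICY = json.loads("""
{
  "id": "example-policy",
  "accessControlList": [
    {
      "eid": "allow-bob-from-office",
      "service": "bce:bos", "region": "bj", "effect": "Allow",
      "permission": ["CreateBucket", "READ", "DeleteBucket"],
      "resource": ["bucketname/objectname"],
      "grantee": [{"id": "accountid", "user": "bob"}],
      "condition": {
        "ipAddress": ["192.168.0.0/16", "192.169.0.0/16"],
        "time": {"in": [{"greaterThan": "2010-06-01T23:00:00Z", "lessThan": "2010-07-01T23:00:00Z"},
                        {"greaterThan": "2010-08-01T23:00:00Z"}]},
        "referer": {"stringEquals": ["www.abc.com", "www.example.com"], "stringLike": ["www.baidu.com/*"]}
      }
    },
    {
      "eid": "never-delete",
      "service": "*", "region": "*", "effect": "Deny",
      "permission": ["DeleteBucket"], "resource": ["*"]
    }
  ]
}
""")
WILDCARD = "*"
REQUIRED = ("service", "region", "effect", "permission", "resource")

def validate(policy, resource_based=False):
    """Report missing required fields from the field table; grantee is required only in resource-based ACLs."""
    if "accessControlList" not in policy:
        return ["missing accessControlList"]
    required = REQUIRED + (("grantee",) if resource_based else ())
    return [f"entry {i}: missing required field '{f}'"
            for i, entry in enumerate(policy["accessControlList"]) for f in required if f not in entry]

def parse_ts(text):
    # Timestamps on the page are UTC "Z" strings; strip() tolerates stray whitespace.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def any_match(patterns, value):
    # Assumed: glob matching, so "*" (and "bucket/*"-style patterns) work the same way for every list field.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def time_ok(spec, now):
    # Assumed: "in" lists windows and the condition holds if the request time falls inside any of them.
    return any((w.get("greaterThan") is None or now > parse_ts(w["greaterThan"]))
               and (w.get("lessThan") is None or now < parse_ts(w["lessThan"]))
               for w in spec.get("in", []))

def entry_matches(entry, request):
    """True when every field and condition of one entry matches the request."""
    if entry["service"] not in (WILDCARD, request["service"]) or entry["region"] not in (WILDCARD, request["region"]):
        return False
    if not any_match(entry["permission"], request["permission"]) or not any_match(entry["resource"], request["resource"]):
        return False
    # Assumed: a grantee object matches when every key it names equals the caller's attribute.
    if "grantee" in entry and not any(all(request.get(k) == v for k, v in g.items()) for g in entry["grantee"]):
        return False
    cond = entry.get("condition", {})
    if "ipAddress" in cond and not any(ipaddress.ip_address(request["ip"]) in ipaddress.ip_network(c, strict=False)
                                       for c in cond["ipAddress"]):
        return False
    if "time" in cond and not time_ok(cond["time"], request["time"]):
        return False
    ref = cond.get("referer", {})
    if ref and request["referer"] not in ref.get("stringEquals", []) \
            and not any_match(ref.get("stringLike", []), request["referer"]):
        return False
    return True

def evaluate(policy, request):
    """Entries are independent and position-agnostic (page). Precedence is assumed:
    any matching Deny wins, otherwise any matching Allow, otherwise Deny by default."""
    effects = {e["effect"].lower() for e in policy["accessControlList"] if entry_matches(e, request)}
    return "Deny" if "deny" in effects or "allow" not in effects else "Allow"

def make_request(**overrides):
    """Constructed request that satisfies the Allow entry; override fields to probe each condition."""
    base = dict(service="bce:bos", region="bj", permission="READ", resource="bucketname/objectname",
                id="accountid", user="bob", ip="192.168.1.10",
                time=parse_ts("2010-06-15T12:00:00Z"), referer="www.example.com")
    base.update(overrides)
    return base

if __name__ == "__main__":
    print(validate(POLICY), evaluate(POLICY, make_request()))         # [] Allow
    print(evaluate(POLICY, make_request(ip="10.0.0.1")))              # Deny (outside the ipAddress ranges)
    print(evaluate(POLICY, make_request(permission="DeleteBucket")))  # Deny (the Deny entry wins)
```

Running the file shows the three outcomes above; `make_request(region="gz")`, `make_request(user="alice")` or a request time between the two windows (for example `2010-07-15T00:00:00Z`) each fall back to `Deny` because no entry matches, which is the behaviour to check first when a policy "silently" refuses a request.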