          Identity and Access Management

          Policy Syntax

          Introduction to ACL Syntax

          Background

          Baidu AI Cloud supports both user-role-based and resource-based permission verification. For a user's request, the accessControlList associated with the user's role is looked up from the request identity and used to verify the request; the ACL (Access Control List) associated with the resource is looked up from the resource path of the request and used to verify it as well.

          Glossary

          Access Control List (ACL): A permission control list attached to a user role or to a resource. Permission control over a resource can therefore be resource-based or user-based. By setting ACLs, the user controls access to a service at fine granularity. An ACL is a list consisting of one or more entries.

          User-based ACL: A permission control list attached to a user. A user or group is added to a specific permission policy, and that policy specifies the permissions the role has on different resources. When a request arrives, the permission descriptions in the set of policies attached to the user, and to the groups the user belongs to, are traversed to verify the request.

          Resource-based ACL: A permission control list attached to a resource. For a specific level of resource (such as the bucket level in BOS), the applicable policies are specified when the resource is created, and the policy description grants permissions to different users. When a user requests the resource, the permission policies associated with the resource are obtained and their permission descriptions are traversed to verify the request.

          IAM ACL Syntax

          IAM ACL uses a JSON policy description language for fine-grained, user-based or resource-based access control. Field names use lowerCamelCase (CamelCase with a lowercase first letter).

          Field overview

          Field name        | Required? | Field meaning
          id                | Optional  | Identifier of this ACL, used to mark its ID or to describe it
          accessControlList | Required  | Main element of the ACL; marks the beginning of the ACL body and consists of a set of entries (statements)
          eid               | Optional  | Identifier of an ACL entry, used to mark its ID or to describe it
          service           | Required  | The service component affected by this entry; "*" means all services
          region            | Required  | The region affected by this entry; "*" means all regions (services that serve the globe must use "*")
          effect            | Required  | Whether a request that matches this entry is allowed to continue
          grantee           | Optional  | The principals affected by this entry; applies only to resource ACLs, where it is required
          permission        | Required  | The permissions affected by this entry
          resource          | Required  | The resources affected by this entry
          condition         | Optional  | The conditions under which the entry takes effect; this field has subfields

          • Subfields of grantee:

          Subfield      | Field meaning                     | Example
          id            | Account ID authorized (or denied) | b124deeaf6f641c9ac27700b41a350a8
          user          | User authorized (or denied)       | bob
          group         | Group authorized (or denied)      | developers
          saml-provider | Name of the uploaded IdP          | developers

          • Subfields of condition:

          Subfield  | Field meaning
          ipAddress | Range of IP addresses for which this entry takes effect
          time      | Time range during which this entry takes effect
          referer   | Referer values for which this entry takes effect

          Relationship between ACL and entry:

          • Each resource has an independent ACL
          • Each ACL consists of one or more entries

          Relationship between entries:

          • The entries are independent of each other
          • Mutual independence means that each entry is evaluated on its own, and the outcome of an entry's logic does not depend on its position in the ACL

          Complete example

          {
              "id": "id or description",
              "accessControlList": [
                  {
                      "eid": "eid or description",
                      "service": "bce:bos",
                      "region": "bj",
                      "effect": "Allow",
                      "permission": [
                          "CreateBucket",
                          "READ"
                      ],
                      "resource": [
                          "bucketname/objectname"
                      ],
                      "grantee": [
                          {
                              "id": "accountid",
                              "user": "bob",
                              "saml-provider": "saml.xml"
                          }
                      ],
                      "condition": {
                          "ipAddress": [
                              "192.168.0.0/16",
                              "192.169.0.0/16"
                          ],
                          "time": {
                              "in": [
                                  {
                                      "greaterThan": "2010-06-01T23:00:00Z",
                                      "lessThan": "2010-07-01T23:00:00Z"
                                  },
                                  {
                                      "greaterThan": "2010-08-01T23:00:00Z"
                                  }
                              ]
                          },
                          "referer": {
                              "stringEquals": [
                                  "www.abc.com",
                                  "www.example.com"
                              ],
                              "stringLike": [
                                  "www.baidu.com/*"
                              ]
                          }
                      }
                  }
              ]
          }
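As an added illustration (not code from Baidu's documentation or SDKs), the following Python evaluates a request against an ACL written in the syntax above, checking service, region, permission, resource, grantee and the ipAddress, time and referer conditions. The ACL and request values are constructed; the combination rule (a matching Deny overrides Allow, and no matching entry means denied) is an assumption this page does not state.

```python
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample ACL in the syntax described on this page (not real Baidu data).
ACL = {"accessControlList": [
    {"eid": "office-read", "service": "bce:bos", "region": "bj", "effect": "Allow",
     "permission": ["READ"], "resource": ["reports/*"], "grantee": [{"user": "bob"}],
     "condition": {"ipAddress": ["192.168.0.0/16"],
                   "time": {"in": [{"greaterThan": "2010-06-01T23:00:00Z",
                                    "lessThan": "2010-07-01T23:00:00Z"}]},
                   "referer": {"stringLike": ["www.example.com/*"]}}},
    {"eid": "block-secret", "service": "*", "region": "*", "effect": "Deny",
     "permission": ["*"], "resource": ["reports/secret.pdf"], "grantee": [{"user": "bob"}]},
]}

def _ts(s):  # the time condition uses ISO-8601 timestamps with a "Z" suffix
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _condition_holds(cond, req):
    if "ipAddress" in cond and not any(
            ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(c) for c in cond["ipAddress"]):
        return False
    if "time" in cond:  # each range is open; a missing bound is treated as unbounded
        t = _ts(req["time"])
        if not any(_ts(r.get("greaterThan", "0001-01-01T00:00:00Z")) < t
                   < _ts(r.get("lessThan", "9999-12-31T23:59:59Z")) for r in cond["time"]["in"]):
            return False
    if "referer" in cond:
        ref = cond["referer"]
        if not (req["referer"] in ref.get("stringEquals", [])
                or any(fnmatchcase(req["referer"], p) for p in ref.get("stringLike", []))):
            return False
    return True

def _entry_matches(entry, req):
    glob = lambda patterns, value: any(fnmatchcase(value, p) for p in patterns)
    return (entry["service"] in ("*", req["service"]) and entry["region"] in ("*", req["region"])
            and glob(entry["permission"], req["permission"]) and glob(entry["resource"], req["resource"])
            and any(g.get("user") == req["user"] for g in entry.get("grantee", []))
            and _condition_holds(entry.get("condition", {}), req))

def evaluate(acl, req):
    """Entries are independent and order-free, as the page states. Assumption (not from the
    page): an explicit Deny wins over Allow, and a request matching no entry is denied."""
    effects = {e["effect"] for e in acl["accessControlList"] if _entry_matches(e, req)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```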