          ACL Management

          Initialization

          Confirm Endpoint

          Before configuring the Endpoint for the SDK, make sure you understand the Endpoint-related concepts. Baidu AI Cloud currently provides multi-region support; for details, refer to the Region Selection Introduction. Six regions are currently supported: "North China - Beijing", "South China - Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoint information is:

          Access region                    Corresponding Endpoint
          North China - Beijing            bcc.bj.baidubce.com
          South China - Guangzhou          bcc.gz.baidubce.com
          East China - Suzhou              bcc.su.baidubce.com
          Hong Kong                        bcc.hkg.baidubce.com
          Finance Central China - Wuhan    bcc.fwh.baidubce.com
          North China - Baoding            bcc.bd.baidubce.com

          Get the Key

          To use Baidu AI Cloud ACL, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. The AK/SK pair is assigned to users by the system; it is a string that identifies the user and is used to verify signatures when accessing BOS. You can obtain your AK/SK information through the following steps:

          • Register a Baidu AI Cloud account
          • Create an AK/SK

          Create AclClient

          As the client of the ACL service, AclClient provides a series of methods for developers to interact with the ACL service.

          Access to ACL via AK/SK

          1. Before creating an AclClient, first create a configuration file for it. In the following, the configuration file is named acl_sample_conf.py, with the specific configuration as follows:

          #!/usr/bin/env python
          # -*- coding: utf-8 -*-

          # Import the Python standard logging module
          import logging

          # Import the client configuration and credential classes from the Python SDK
          from baidubce.bce_client_configuration import BceClientConfiguration
          from baidubce.auth.bce_credentials import BceCredentials

          # Set the host, Access Key ID and Secret Access Key of AclClient.
          # "AK" and "SK" are placeholders; replace them with your own key pair.
          acl_host = "bj.bcebos.com"
          access_key_id = "AK"
          secret_access_key = "SK"

          # Set the handler and log level of the log file
          logger = logging.getLogger('baidubce.http.bce_http_client')
          fh = logging.FileHandler("sample.log")
          fh.setLevel(logging.DEBUG)

          # Set the output sequence, structure and contents of the log file
          formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
          fh.setFormatter(formatter)
          logger.setLevel(logging.DEBUG)
          logger.addHandler(fh)

          # Create the BceClientConfiguration
          config = BceClientConfiguration(
              credentials=BceCredentials(access_key_id, secret_access_key),
              endpoint=acl_host
          )

          Note: For the log file, logging has the following levels: DEBUG, INFO, WARNING, ERROR, CRITICAL.

          In the code above, access_key_id corresponds to "Access Key ID" in the console and secret_access_key corresponds to "Access Key Secret" in the console. For how to obtain them, see "Operation Guideline: Manage ACCESSKEY".

          With the method above, you specify the service domain name yourself by assigning a value to the acl_host variable. If it is not configured, the endpoint parameter does not need to be passed, and the default is the Beijing region, http://bos.bj.bcebos.com.

          2. After completing the configuration above, create an AclClient by referring to the following code.

          # Import the AclClient configuration file
          import acl_sample_conf

          # Import the ACL-related modules
          from baidubce import exception
          from baidubce.services import vpc
          from baidubce.services.vpc.acl_client import AclClient

          # Create the AclClient
          acl_client = AclClient(acl_sample_conf.config)

          Configure HTTPS to Access ACL

          You can access the ACL service over HTTPS with the ACL Python SDK in the following two ways:

          • Specify HTTPS in the endpoint.

          from baidubce import bce_client_configuration
          from baidubce.auth import bce_credentials
          from baidubce.services.vpc import acl_client

          config = bce_client_configuration.BceClientConfiguration(
              credentials=bce_credentials.BceCredentials(
                  access_key_id='your-ak',
                  secret_access_key='your-sk'
              ),
              endpoint='https://bj.bcebos.com'
          )
          client = acl_client.AclClient(config)

          • Set the HTTPS protocol by specifying https in protocol.

          import baidubce.protocol
          from baidubce import bce_client_configuration
          from baidubce.auth import bce_credentials
          from baidubce.services.vpc import acl_client

          config = bce_client_configuration.BceClientConfiguration(
              credentials=bce_credentials.BceCredentials(
                  access_key_id='your-ak',
                  secret_access_key='your-sk'
              ),
              endpoint='bj.bcebos.com',
              protocol=baidubce.protocol.HTTPS
          )
          client = acl_client.AclClient(config)

          Note: If you specify a scheme in the endpoint and also pass the protocol parameter, the endpoint's scheme prevails.

          Manage ACL

          The ACL (Access Control List) is a firewall component in VPC used to control subnet-level security policy. Traffic for one or more subnets can be set flexibly to satisfy the security requirements of users' different network deployments. Before managing ACLs, pay attention to the following:

          Entry                  ACL rule
          ACL range              An ACL is subordinate to a VPC, and its valid objects are the subnets under that VPC.
          Control instance type  The ACL access control policy applies to all instances under the subnet, including BCC, DCC, BBC, RDS and SCS.
          Default ACL rule       The system creates a default ACL for each subnet; it contains one default rule that allows all traffic. Default rules cannot be edited.
          Ingress or egress      The ingress and egress directions are seen from the perspective of the instances under the subnet.
          Maximum rule limit     Within one ACL, a maximum of 256 rules is supported in each direction.
          Rule triggering        Once traffic matches a rule in the ACL, i.e. triggers its access control policy (allow or deny), the traffic is not matched against further rules.
          ACL status             ACL is stateless: it controls traffic in the specified direction of a data stream and does not automatically control the return traffic of that flow.

          Create ACL

          The following code can be used to create an ACL:

          acl_rule_list = [{
              'subnetId': '$subnetId',
              'protocol': 'udp',
              'sourceIpAddress': '10.0.0.0/16',
              'destinationIpAddress': '172.16.0.0/24',
              'sourcePort': '80',
              'destinationPort': '80',
              'position': 3,
              'direction': 'ingress',
              'action': 'allow',
              'description': 'test'
          }]
          acl_client = AclClient(acl_sample_conf.config)
          response = acl_client.create_acl(rule_list=acl_rule_list)
          print(response)

          The create_acl parameter is rule_list, a list that can include multiple ACL rules. The parameters of each ACL rule are as follows:

          Parameter name        Type     Required  Description
          subnetId              String   Yes       Subnet ID
          protocol              String   Yes       Protocol: all, tcp, udp or icmp
          sourceIpAddress       String   Yes       Source IP
          destinationIpAddress  String   Yes       Destination IP
          sourcePort            String   Yes       Source port, e.g. 1-65535 or 8080
          destinationPort       String   Yes       Destination port, e.g. 1-65535 or 8080
          position              Integer  Yes       Priority 1-5000, must not repeat an existing item. The smaller the value, the higher the priority; rules are matched in priority order from high to low.
          direction             String   Yes       Direction of the rule: ingress or egress
          action                String   Yes       Policy: allow or deny
          description           String   No        Comments

          Note:

          • ACL rules are matched in priority order from high to low. For example, a rule with priority 50 takes precedence over a rule with priority 100.
          • The input range of the priority level is from 1 to 32768. As a best practice, leave a wide gap between the priority values of adjacent rules (such as 100, 200 and 300), which makes later adjustment convenient.
          • Within the same direction (ingress or egress), different rules cannot have the same priority level.
          • For ingress rules, the destinationIpAddress must be within the subnet CIDR range; for egress rules, the sourceIpAddress must be within the subnet CIDR range.
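The rule semantics above (ascending priority with first match winning, stateless per-direction evaluation, unique positions per direction, and the subnet-CIDR constraint on ingress and egress rules) are easy to get wrong when assembling a rule_list by hand. The following is an added example and is not part of the SDK or of this documentation: a local pre-check that validates a rule_list against the stated constraints and simulates how the ACL would evaluate a given packet, so a rule set can be reasoned about before create_acl is called. The subnet ID and CIDR, the sample rules and the position range 1-5000 (taken from the parameter table; the note gives 1 to 32768) are assumptions constructed for the example, and it models the ACL alone, not security groups or other instance-level controls.

```python
import ipaddress
from typing import Dict, List, Tuple

# Value sets from the rule parameter table.
PROTOCOLS = {"all", "tcp", "udp", "icmp"}
ACTIONS = {"allow", "deny"}
DIRECTIONS = {"ingress", "egress"}

# Constructed sample data: placeholder subnet ID and CIDR, not real resources.
SUBNET_ID = "sbn-placeholder"
SUBNET_CIDR = "172.16.0.0/24"


def rule(protocol, src, dst, sport, dport, position, direction, action, description):
    """Build a rule dict in the shape create_acl expects (helper for the sample data)."""
    return {"subnetId": SUBNET_ID, "protocol": protocol, "sourceIpAddress": src,
            "destinationIpAddress": dst, "sourcePort": sport, "destinationPort": dport,
            "position": position, "direction": direction, "action": action,
            "description": description}


SAMPLE_RULES: List[Dict] = [
    # Position 100 beats 200: SSH from 10.0.0.0/16 is denied, other TCP from that range is allowed.
    rule("tcp", "10.0.0.0/16", "172.16.0.0/24", "1-65535", "22", 100, "ingress", "deny", "no ssh"),
    rule("tcp", "10.0.0.0/16", "172.16.0.0/24", "1-65535", "1-65535", 200, "ingress", "allow", "office"),
    # Egress is evaluated on its own (stateless): replies to allowed ingress are not implied.
    rule("tcp", "172.16.0.0/24", "0.0.0.0/0", "1-65535", "1-65535", 100, "egress", "deny", "no tcp out"),
]


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse a port field in the documented forms '8080' or '1-65535' into (low, high)."""
    low, _, high = spec.partition("-")
    lo, hi = int(low), (int(high) if high else int(low))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec}")
    return lo, hi


def validate_rules(rules: List[Dict], subnet_cidr: str) -> List[str]:
    """Check a rule list against the documented constraints; returns the problems found."""
    subnet = ipaddress.ip_network(subnet_cidr)
    problems, seen = [], set()
    for r in rules:
        tag = f"{r.get('direction')} position={r.get('position')}"
        if r.get("protocol") not in PROTOCOLS:
            problems.append(f"{tag}: protocol must be one of {sorted(PROTOCOLS)}")
        if r.get("action") not in ACTIONS:
            problems.append(f"{tag}: action must be allow or deny")
        if r.get("direction") not in DIRECTIONS:
            problems.append(f"{tag}: direction must be ingress or egress")
        pos = r.get("position")
        if not isinstance(pos, int) or not 1 <= pos <= 5000:
            problems.append(f"{tag}: position must be an integer in 1-5000 (assumed range)")
        if (r.get("direction"), pos) in seen:  # priorities are unique per direction
            problems.append(f"{tag}: duplicate position in the same direction")
        seen.add((r.get("direction"), pos))
        for field in ("sourcePort", "destinationPort"):
            try:
                parse_port_range(str(r.get(field, "")))
            except ValueError:
                problems.append(f"{tag}: {field} must look like 8080 or 1-65535")
        try:
            src = ipaddress.ip_network(r.get("sourceIpAddress", ""), strict=False)
            dst = ipaddress.ip_network(r.get("destinationIpAddress", ""), strict=False)
        except ValueError:
            problems.append(f"{tag}: sourceIpAddress and destinationIpAddress must be CIDR blocks")
            continue
        # Ingress rules must target the subnet; egress rules must originate from it.
        field, local = (("destinationIpAddress", dst) if r.get("direction") == "ingress"
                        else ("sourceIpAddress", src))
        if local.version != subnet.version or not local.subnet_of(subnet):
            problems.append(f"{tag}: {field} must be within the subnet CIDR {subnet_cidr}")
    return problems


def evaluate(rules: List[Dict], direction: str, protocol: str,
             src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> str:
    """Simulate evaluation: lower position first, first matching rule decides; no match
    falls through to the default rule, which the documentation says allows."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted((r for r in rules if r["direction"] == direction), key=lambda r: r["position"]):
        if r["protocol"] not in ("all", protocol):
            continue
        if src not in ipaddress.ip_network(r["sourceIpAddress"], strict=False):
            continue
        if dst not in ipaddress.ip_network(r["destinationIpAddress"], strict=False):
            continue
        lo, hi = parse_port_range(r["sourcePort"])
        if not lo <= src_port <= hi:
            continue
        lo, hi = parse_port_range(r["destinationPort"])
        if not lo <= dst_port <= hi:
            continue
        return r["action"]  # first match ends evaluation
    return "allow"  # default ACL rule


if __name__ == "__main__":
    print("problems:", validate_rules(SAMPLE_RULES, SUBNET_CIDR))
    print("ssh in:", evaluate(SAMPLE_RULES, "ingress", "tcp", "10.0.1.5", "172.16.0.10", 51000, 22))
    print("https in:", evaluate(SAMPLE_RULES, "ingress", "tcp", "10.0.1.5", "172.16.0.10", 51000, 443))
    print("reply out:", evaluate(SAMPLE_RULES, "egress", "tcp", "172.16.0.10", "10.0.1.5", 443, 51000))
```

Running the script shows the two points that matter in practice: the deny at position 100 is hit before the broader allow at position 200, and the reply to an allowed ingress connection is still denied on egress because each direction is evaluated independently, so an ACL needs explicit rules for both directions of any flow it is meant to permit.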

          List ACL

          Listing ACLs can be done in two dimensions: listing all ACL rules in a VPC and listing all ACL rules in a subnet.

          List All ACLs in vpc

          The following code can be used to list all ACL rules in one VPC:

          acl_client = AclClient(acl_sample_conf.config)
          response = acl_client.list_acl_entrys(vpc_id='$vpc_id')
          print(response.acl_entrys)

          The list_acl_entrys parameter is vpc_id: the ID of the VPC whose ACL rules are to be listed.

          Note: The returned information includes acl_entrys, a list containing the ACL rules of the different subnets in the VPC.

          List All ACLs in Subnet

          The following code can be used to list all ACL rules in one subnet:

          response = acl_client.list_subnet_acl(subnet_id='$subnet_id')
          for acl_rule in response.acl_rules:
              print(acl_rule)

          The list_subnet_acl parameter is subnet_id: the ID of the subnet whose ACL rules are to be listed.

          Update ACL

          The following code can be used to update an ACL rule:

          response = acl_client.update_acl(acl_rule_id='$acl_rule_id', source_ip_address='10.10.0.0/16')
          print(response)

          The update_acl parameters include acl_rule_id and all fields of an ACL rule. acl_rule_id specifies the ACL rule to be updated, and the other fields specify the rule contents to be updated. The fields are those listed under the Create ACL parameters; all fields except subnetId can be updated.

          Note: When ACL rule fields are updated, the filling requirements of all fields still need to be met.

          Delete ACL

          The following code can be used to delete an ACL rule:

          response = acl_client.delete_acl(acl_rule_id='ar-fzfvhxdzrkxn')
          print(response)

          The delete_acl parameter is acl_rule_id, which identifies the ACL rule to be deleted.

          Note: The acl_rule_id can be obtained by listing ACLs. Default ACL rules do not display an acl_rule_id, and default ACL rules cannot be updated or deleted.
