ACL
Introduction to ACL syntax
Background
Baidu AI Cloud performs permission verification through both user roles and resource-based permissions. For a user request, authorization is first evaluated against the accessControlList linked to the user's role. It then uses the resource path in the request to retrieve the Access Control List (ACL) attached to the requested resource and authorizes against that ACL as well.
Terminology
Access Control List (ACL): A permission control list attached to user roles or resources. User permission control over resources can be either resource-based or user-based. Users can set the ACL to achieve fine-grained access control over various services. An ACL is a list composed of one or more entries.
User-based ACL: A permission control list attached to users. Users or groups are added to specific permission policies, and each policy specifies the permissions that role holds for different resources. When a request arrives, authentication is performed by traversing the permission descriptions attached to the user and the permission sets of the user's groups.
Resource-based ACL: A permission control list attached to resources. For resources at specific levels (e.g., BOS bucket level), specify applicable policies during resource creation and define permissions for different users in the policy description. When users request resources, they obtain the permission policies associated with the resources, and authorization is performed by traversing the permission descriptions in the policies.
IAM ACL syntax
IAM ACL uses a JSON-formatted policy description language to enable fine-grained access control for users or resources, adhering to the lowerCamelCase naming convention.
Field overview
| Field name | Required or not | Field meanings |
|---|---|---|
| id | Optional | Identifier of this ACL; used as the ACL ID or as a description of the ACL |
| accessControlList | Required | Primary ACL element marking the start of the ACL body; composed of statement groups (entries) |
| eid | Optional | Identifier of a single entry within the ACL; used as the entry ID or as a description of the entry |
| service | Required | The service components affected by this entry; "*" indicates all services |
| region | Required | The regions affected by this entry; "" indicates all regions (for global services it must be "") |
| effect | Required | Specifies whether requests matching this entry are allowed to proceed |
| grantee | Optional | Specifies the party affected by this entry; mandatory for resource ACLs only |
| permission | Required | Specifies the permissions affected by this entry |
| resource | Required | Specifies the resources affected by this entry |
| condition | Optional | Specifies the conditions under which the entry takes effect; this field contains subfields |
- Grantee subfield:
| grantee subfield | Field meanings | Example |
|---|---|---|
| id | Authorized (or prohibited) accountid | b124deeaf6f641c9ac27700b41a350a8 |
| user | Authorized (or prohibited) user | bob |
| group | Authorized (or prohibited) group | developers |
| saml-provider | Uploaded IDP name | developers |
- Condition subfield:
| Condition subfield | Field meanings |
|---|---|
| ipAddress | The IP address segment where this statement takes effect |
| time | The time range during which this statement takes effect |
| referer | The referer for which this statement takes effect |
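The field tables above say which keys are required, which are optional, and which subfields grantee and condition accept, but a policy written with a misspelled or wrongly cased key is simply silently ineffective. The following linter, added here as an example and not part of Baidu's tooling, checks an ACL document against those tables. The sample ACLs are constructed; the "Deny" effect value is assumed as the counterpart of the "Allow" shown on this page.

```python
"""Added example: lint an IAM ACL document against the field tables on this page."""

REQUIRED_ENTRY_FIELDS = ("service", "region", "effect", "permission", "resource")
OPTIONAL_ENTRY_FIELDS = ("eid", "grantee", "condition")
GRANTEE_FIELDS = {"id", "user", "group", "saml-provider"}
CONDITION_FIELDS = {"ipAddress", "time", "referer"}
EFFECTS = ("Allow", "Deny")   # the page shows "Allow"; "Deny" is the assumed counterpart


def validate_acl(acl, kind="user"):
    """Return a list of problems; an empty list means the ACL satisfies the field tables.
    kind is "user" or "resource": grantee is mandatory only for resource ACLs."""
    problems = []
    entries = acl.get("accessControlList")
    if not isinstance(entries, list) or not entries:
        return ["accessControlList is required and must be a non-empty list"]
    for i, e in enumerate(entries):
        where = f"entry {i} ({e.get('eid', 'no eid')})"
        for f in REQUIRED_ENTRY_FIELDS:
            if f not in e:
                problems.append(f"{where}: missing required field '{f}'")
        # Keys are lowerCamelCase; anything else (e.g. "Region") is ignored by the service
        for f in sorted(set(e) - set(REQUIRED_ENTRY_FIELDS) - set(OPTIONAL_ENTRY_FIELDS)):
            problems.append(f"{where}: unknown field '{f}' (check lowerCamelCase spelling)")
        if "effect" in e and e["effect"] not in EFFECTS:
            problems.append(f"{where}: effect must be one of {EFFECTS}")
        for f in ("permission", "resource"):
            if f in e and (not isinstance(e[f], list) or not e[f]):
                problems.append(f"{where}: '{f}' must be a non-empty list")
        if kind == "resource" and not e.get("grantee"):
            problems.append(f"{where}: grantee is mandatory in a resource ACL")
        for g in e.get("grantee", []):
            for f in sorted(set(g) - GRANTEE_FIELDS):
                problems.append(f"{where}: unknown grantee field '{f}'")
        for f in sorted(set(e.get("condition", {})) - CONDITION_FIELDS):
            problems.append(f"{where}: unknown condition field '{f}'")
    return problems


# Constructed sample: a well-formed user ACL
GOOD_USER_ACL = {
    "id": "good",
    "accessControlList": [{
        "eid": "allow-bos-read", "service": "bce:bos", "region": "bj", "effect": "Allow",
        "permission": ["READ"], "resource": ["bucketname/objectname"],
        "condition": {"ipAddress": ["192.168.0.0/16"]},
    }],
}

# Constructed sample: a resource ACL with the kinds of mistakes the linter is meant to catch
BAD_RESOURCE_ACL = {
    "accessControlList": [{
        "eid": "typos", "service": "bce:bos", "Region": "bj", "effect": "allow",
        "permission": "READ", "resource": ["bucketname/objectname"],
        "grantee": [{"user": "bob", "email": "bob@example.com"}],
        "condition": {"IpAddress": ["192.168.0.0/16"]},
    }],
}

if __name__ == "__main__":
    for p in validate_acl(BAD_RESOURCE_ACL, kind="resource"):
        print(p)
```

Run it against a policy before attaching it: every reported line points at a key the service would otherwise ignore, which in practice means an entry that never matches.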
Relationship between ACL and entry:
- Each resource has an independent ACL
- Each ACL consists of one or more entries
Relationship between entries:
- Entries are mutually independent
- Mutual independence means that each entry is evaluated on its own; the outcome of an entry's logical judgment does not depend on its position in the ACL
Comprehensive example
```json
{
  "id": "id or description",
  "accessControlList": [
    {
      "eid": "eid or description",
      "service": "bce:bos",
      "region": "bj",
      "effect": "Allow",
      "permission": [
        "CreateBucket",
        "READ"
      ],
      "resource": [
        "bucketname/objectname"
      ],
      "grantee": [
        {
          "id": "accountid",
          "user": "bob",
          "saml-provider": "saml.xml"
        }
      ],
      "condition": {
        "ipAddress": [
          "192.168.0.0/16",
          "192.169.0.0/16"
        ],
        "time": {
          "in": [
            {
              "greaterThan": "2010-06-01T23:00:00Z",
              "lessThan": "2010-07-01T23:00:00Z"
            },
            {
              "greaterThan": "2010-08-01T23:00:00Z"
            }
          ]
        },
        "referer": {
          "stringEquals": [
            "www.abc.com",
            "www.example.com"
          ],
          "stringLike": [
            "www.baidu.com/*"
          ]
        }
      }
    }
  ]
}
```
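To make the semantics of the comprehensive example and of the "entries are mutually independent" rule concrete, here is a small evaluator, added as an example and not Baidu's implementation. It loads the example entry above plus one constructed Deny entry, matches a request against service, region, permission, resource, grantee and the three condition subfields, and combines the matching entries as a set so that their order in the list cannot change the result. Anything the page does not state is an assumption and is marked as such in the code: glob matching for resource, a grantee matching when every field it names equals the caller's, and an explicit Deny taking precedence over Allow with no match meaning Deny.

```python
"""Added example: evaluate requests against an IAM-style ACL as described on this page."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed ACL: the page's comprehensive example plus one constructed Deny entry,
# so that the order-independence of entries can be demonstrated.
ACL = {
    "id": "example-acl",
    "accessControlList": [
        {
            "eid": "allow-bob-bos",
            "service": "bce:bos", "region": "bj", "effect": "Allow",
            "permission": ["CreateBucket", "READ"],
            "resource": ["bucketname/objectname"],
            "grantee": [{"id": "accountid", "user": "bob", "saml-provider": "saml.xml"}],
            "condition": {
                "ipAddress": ["192.168.0.0/16", "192.169.0.0/16"],
                "time": {"in": [
                    {"greaterThan": "2010-06-01T23:00:00Z", "lessThan": "2010-07-01T23:00:00Z"},
                    {"greaterThan": "2010-08-01T23:00:00Z"},
                ]},
                "referer": {"stringEquals": ["www.abc.com", "www.example.com"],
                            "stringLike": ["www.baidu.com/*"]},
            },
        },
        {   # constructed: deny READ from the second subnet, regardless of grantee
            "eid": "deny-read-from-192.169",
            "service": "bce:bos", "region": "bj", "effect": "Deny",
            "permission": ["READ"], "resource": ["bucketname/objectname"],
            "condition": {"ipAddress": ["192.169.0.0/16"]},
        },
    ],
}


@dataclass
class Request:
    service: str
    region: str
    permission: str
    resource: str
    principal: dict     # grantee-style fields of the caller: id, user, group, saml-provider
    source_ip: str
    time: datetime
    referer: str = ""


def parse_ts(value):
    """Parse the Z-suffixed UTC timestamps used in time conditions (tolerates stray whitespace)."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def grantee_matches(grantees, principal):
    # Assumption: a grantee entry matches when every field it names equals the caller's field.
    return any(all(principal.get(k) == v for k, v in g.items()) for g in grantees)


def conditions_hold(cond, req):
    if "ipAddress" in cond:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(c) for c in cond["ipAddress"]):
            return False
    if "time" in cond:   # the request time must fall inside at least one "in" range
        ranges = cond["time"].get("in", [])
        if not any(("greaterThan" not in r or req.time > parse_ts(r["greaterThan"]))
                   and ("lessThan" not in r or req.time < parse_ts(r["lessThan"]))
                   for r in ranges):
            return False
    if "referer" in cond:
        r = cond["referer"]
        if not (req.referer in r.get("stringEquals", [])
                or any(fnmatch.fnmatchcase(req.referer, p) for p in r.get("stringLike", []))):
            return False
    return True


def entry_matches(entry, req):
    """True when every field of the entry applies to the request. "*" service and "" region
    match everything, as the field table states; glob matching of resource is an assumption."""
    if entry["service"] not in ("*", req.service) or entry["region"] not in ("", req.region):
        return False
    if not any(p in ("*", req.permission) for p in entry["permission"]):
        return False
    if not any(fnmatch.fnmatchcase(req.resource, r) for r in entry["resource"]):
        return False
    if "grantee" in entry and not grantee_matches(entry["grantee"], req.principal):
        return False
    return conditions_hold(entry.get("condition", {}), req)


def evaluate(acl, req):
    """Combine matching entries as a set, so their position never matters.
    Assumption: an explicit Deny wins over Allow, and no matching entry means Deny."""
    effects = {e["effect"] for e in acl["accessControlList"] if entry_matches(e, req)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"


BOB = {"id": "accountid", "user": "bob", "saml-provider": "saml.xml"}  # constructed caller


def request(**overrides):
    """Constructed baseline request that satisfies the Allow entry; override fields to probe."""
    fields = dict(service="bce:bos", region="bj", permission="CreateBucket",
                  resource="bucketname/objectname", principal=BOB, source_ip="192.168.1.10",
                  time="2010-06-15T00:00:00Z", referer="www.abc.com")
    fields.update(overrides)
    fields["time"] = parse_ts(fields["time"])
    return Request(**fields)


def reversed_acl(acl):
    """Same entries in the opposite order; evaluation must not change."""
    return {**acl, "accessControlList": list(reversed(acl["accessControlList"]))}


if __name__ == "__main__":
    print(evaluate(ACL, request()))                                          # Allow
    print(evaluate(ACL, request(time="2010-07-15T00:00:00Z")))               # Deny: between ranges
    print(evaluate(ACL, request(permission="READ", source_ip="192.169.5.5")))  # Deny entry wins
```

Note that the gap between the two time ranges (July 2010) yields a Deny even though every other field matches, and that the constructed Deny entry produces the same decision whether it is listed first or last.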
