ACL
ACL management
Initialization
Confirm Endpoint
When confirming SDK usage and configuring the endpoint, make sure you understand the concept of an endpoint. Baidu AI Cloud currently supports multiple regions; please refer to the Region Selection Guide. The regions currently supported are North China-Beijing, South China-Guangzhou, East China-Suzhou, Hong Kong, Central China-Wuhan (Financial) and North China-Baoding. The corresponding endpoints are as follows:
| Access region | Endpoint |
|---|---|
| North China-Beijing | bcc.bj.baidubce.com |
| South China-Guangzhou | bcc.gz.baidubce.com |
| East China-Suzhou | bcc.su.baidubce.com |
| Hong Kong | bcc.hkg.baidubce.com |
| Central China-Wuhan (Financial) | bcc.fwh.baidubce.com |
| North China-Baoding | bcc.bd.baidubce.com |
Retrieve access key
To use Baidu AI Cloud ACL, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. AK/SK are system-assigned strings used to identify users and to authenticate request signatures for BOS. You can obtain your AK/SK through the following steps:
- Register a Baidu AI Cloud account
- Create AK/SK
Create ACL client
The ACL client serves as an interface for ACL services, providing developers with an array of methods to interact with these services.
Access ACL via AK/SK
- Before creating an AclClient, a configuration file must be created to configure it. Below, this configuration file is named acl_sample_conf.py, with the following content:

```python
#!/usr/bin/env python
#coding=utf-8
# Import Python standard logging module
import logging
# Import ACL configuration management module and security certification module from Python SDK
from baidubce.bce_client_configuration import BceClientConfiguration
from baidubce.auth.bce_credentials import BceCredentials
# Set AclClient Host, Access Key ID, and Secret Access Key
acl_host = "bj.bcebos.com"
access_key_id = "AK"
secret_access_key = "SK"
# Set log file handles and log levels
logger = logging.getLogger('baidubce.http.bce_http_client')
fh = logging.FileHandler("sample.log")
fh.setLevel(logging.DEBUG)
# Set the order, structure and content of log file output
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
fh.setFormatter(formatter)
logger.setLevel(logging.DEBUG)
logger.addHandler(fh)
# Create BceClientConfiguration instance
config = BceClientConfiguration(credentials=BceCredentials(access_key_id, secret_access_key), endpoint=acl_host)
```
Note: For log files, logging has the following levels: DEBUG, INFO, WARNING, ERROR and CRITICAL.
In the code above, access_key_id corresponds to “Access Key ID” in the console. secret_access_key corresponds to “Access Key Secret” in the console. For the method to retrieve them, refer to Guide - Manage ACCESSKEY.
The method above requires you to specify the server domain name manually by assigning it to the acl_host variable. The endpoint parameter is optional; if it is omitted, the default domain is the Beijing region: http://bos.bj.bcebos.com.
- Once the configuration above is complete, create an AclClient as in the following example:

```python
# Import AclClient configuration file
import acl_sample_conf

# Import related ACL modules
from baidubce import exception
from baidubce.services import vpc
from baidubce.services.vpc.acl_client import AclClient

# Create AclClient
acl_client = AclClient(acl_sample_conf.config)
```
Configure HTTPS access to ACL
You can access ACL services via HTTPS in the ACL Python SDK in the following two ways:
- Specify HTTPS in the endpoint:

```python
from baidubce import bce_client_configuration
from baidubce.auth import bce_credentials
from baidubce.services.vpc import acl_client

# The https:// scheme in the endpoint selects HTTPS
config = bce_client_configuration.BceClientConfiguration(
    credentials=bce_credentials.BceCredentials(
        access_key_id='your-ak',
        secret_access_key='your-sk'
    ),
    endpoint='https://bj.bcebos.com'
)
client = acl_client.AclClient(config)
```
- Set the HTTPS protocol by specifying https in the protocol parameter:

```python
import baidubce.protocol
from baidubce import bce_client_configuration
from baidubce.auth import bce_credentials
from baidubce.services.vpc import acl_client

# The endpoint carries no scheme, so the protocol parameter decides
config = bce_client_configuration.BceClientConfiguration(
    credentials=bce_credentials.BceCredentials(
        access_key_id='your-ak',
        secret_access_key='your-sk'
    ),
    endpoint='bj.bcebos.com',
    protocol=baidubce.protocol.HTTPS
)
client = acl_client.AclClient(config)
```
Note: If you specify the protocol parameter and the endpoint also carries a scheme, the scheme in the endpoint takes precedence.
ACL management
Access control list (ACL) is a firewall component within VPC that controls subnet-level security group policies, thereby enabling flexible traffic configuration for one or multiple subnets to satisfy diverse network security demands. Before managing ACL, pay attention to the following:
| Entry | ACL rules |
|---|---|
| ACL scope | An ACL belongs to a VPC and applies to the subnets within it |
| Control instance type | ACL access control policies apply to all instances under the subnet, including BCC, DCC, BBC, RDS, SCS, etc. |
| Default ACL rules | The system automatically creates a default ACL for each subnet, which includes a default rule that permits all traffic. Default rules cannot be modified. |
| Ingress or egress | Ingress and egress directions refer to the direction viewed from the perspective of an instance under the subnet |
| Maximum limit of rules | For rules under the same ACL, each direction supports up to 256 rules |
| Rule trigger | Once the traffic matches a rule in the ACL, the access control policy (allow/deny) is triggered without further matching against other rules |
| ACL status | ACL is stateless and performs access control on data flow traffic in the specified direction without automatically controlling the return traffic for the flow. |
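The "Rule trigger" and "ACL status" rows above are the two properties most often misread in practice, so here is an added example (not code from the SDK or from Baidu's documentation) that models first-match evaluation over rules in the aclRules shape and shows why a stateless ACL needs explicit rules for both halves of a flow. The rule ids, addresses and packets are constructed; the model assumes that a lower position is evaluated first and uses "all" as a protocol wildcard, neither of which this page states, and it does not model the default permit-all rule.

```python
import ipaddress

# Constructed rules in the aclRules shape returned by the list calls; ids and
# addresses are made up. "all" as a protocol wildcard is an assumption of this model.
SAMPLE_RULES = [
    {"id": "ar-web-in", "direction": "ingress", "ipVersion": 4, "position": 10,
     "protocol": "tcp", "sourceIpAddress": "0.0.0.0/0", "destinationIpAddress": "192.168.1.0/24",
     "sourcePort": "0-65535", "destinationPort": "80", "action": "allow"},
    {"id": "ar-deny-in", "direction": "ingress", "ipVersion": 4, "position": 20,
     "protocol": "all", "sourceIpAddress": "0.0.0.0/0", "destinationIpAddress": "192.168.1.0/24",
     "sourcePort": "0-65535", "destinationPort": "0-65535", "action": "deny"},
    {"id": "ar-deny-out", "direction": "egress", "ipVersion": 4, "position": 20,
     "protocol": "all", "sourceIpAddress": "192.168.1.0/24", "destinationIpAddress": "0.0.0.0/0",
     "sourcePort": "0-65535", "destinationPort": "0-65535", "action": "deny"},
]

# The egress rule that lets the web server's reply out; position 10 puts it ahead of ar-deny-out.
WEB_REPLY_RULE = {"id": "ar-web-out", "direction": "egress", "ipVersion": 4, "position": 10,
                  "protocol": "tcp", "sourceIpAddress": "192.168.1.0/24",
                  "destinationIpAddress": "0.0.0.0/0", "sourcePort": "80",
                  "destinationPort": "0-65535", "action": "allow"}


def port_range(spec):
    """Parse the page's port syntax: a single port ("80") or a range ("0-65535")."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule_matches(rule, pkt):
    """True if the packet falls inside every field of the rule."""
    if rule["direction"] != pkt["direction"] or rule["ipVersion"] != pkt["ipVersion"]:
        return False
    if rule["protocol"] != "all" and rule["protocol"] != pkt["protocol"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["sourceIpAddress"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["destinationIpAddress"]):
        return False
    for port_key, spec_key in (("sport", "sourcePort"), ("dport", "destinationPort")):
        lo, hi = port_range(rule[spec_key])
        if not lo <= pkt[port_key] <= hi:
            return False
    return True


def evaluate(rules, pkt):
    """First match wins (the 'Rule trigger' row); lower position is checked first (assumed)."""
    for rule in sorted(rules, key=lambda r: r["position"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["id"]
    return None, None  # nothing matched; the default permit-all rule is not modelled here


def reply_of(pkt):
    """The return packet of a flow: endpoints and ports swapped, direction flipped."""
    return {"direction": "egress" if pkt["direction"] == "ingress" else "ingress",
            "ipVersion": pkt["ipVersion"], "protocol": pkt["protocol"],
            "src": pkt["dst"], "dst": pkt["src"], "sport": pkt["dport"], "dport": pkt["sport"]}


def flow_verdict(rules, pkt):
    """Because the ACL is stateless, both halves of a flow are judged independently."""
    return evaluate(rules, pkt)[0], evaluate(rules, reply_of(pkt))[0]


# Constructed packet: an HTTP request from the internet to a host in the subnet.
HTTP_REQUEST = {"direction": "ingress", "ipVersion": 4, "protocol": "tcp",
                "src": "203.0.113.5", "dst": "192.168.1.10", "sport": 40000, "dport": 80}

if __name__ == "__main__":
    print(flow_verdict(SAMPLE_RULES, HTTP_REQUEST))                     # ('allow', 'deny')
    print(flow_verdict(SAMPLE_RULES + [WEB_REPLY_RULE], HTTP_REQUEST))  # ('allow', 'allow')
```

With only the three sample rules the request is allowed but its reply is denied: the ingress allow on port 80 does nothing for the server's answer, which is egress traffic and has to pass its own rule. Adding WEB_REPLY_RULE ahead of the egress deny is what makes the flow work, and a packet to port 22 still hits ar-deny-in because ar-web-in does not match it.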
Create ACL
Create ACL rules for access control of the corresponding subnet. A maximum of 20 rules can be added in one call. The creation functionality can be implemented through the following example function:
Function declaration

```python
def create_acl(self, rule_list, client_token=None, config=None):
```

Parameter meaning
Please refer to the OpenAPI documentation Parameters for Creating ACL
Response value
- Operation succeeded: no response value.
- Operation failed: throws an exception. For the exception list, refer to ACL Exception List.
Code example
For specific code examples, refer to example_create_acl_rule.py
List ACLs
To query all ACLs under the corresponding VPC, the ACL query functionality can be implemented using the following example function:
Function declaration

```python
def list_acl_entrys(self, vpc_id, config=None):
```

Parameter meaning
Please refer to the OpenAPI documentation Parameters for Listing ACLs
Response value
- Operation succeeded:

```json
{
  "metadata": "For the public metadata return structure, refer to the appendix",
  "vpcId": "vpc-0d7urd9fyxxx",
  "vpcName": "v11",
  "vpcCidr": "192.168.0.0/16",
  "aclEntrys": [
    {
      "subnetId": "sbn-nfqvsskw93zi",
      "subnetName": "sbn-22",
      "subnetCidr": "192.168.1.0/24",
      "aclRules": [
        {
          "id": "ar-621tcndunsce",
          "subnetId": "sbn-nfqvsskw93zi",
          "description": "",
          "protocol": "tcp",
          "sourceIpAddress": "192.168.1.0/24",
          "destinationIpAddress": "1.2.3.4/32",
          "sourcePort": "0-65535",
          "destinationPort": "80",
          "position": 100,
          "direction": "egress",
          "ipVersion": 4,
          "action": "deny"
        }
      ]
    }
  ]
}
```

- Operation failed: throws an exception. For the exception list, refer to ACL Exception List.
Code example
For specific code examples, refer to example_list_acl.py
List ACL rules
To query all ACL rules for the corresponding subnet, use the following example function to implement ACL rule querying:
Function declaration

```python
def list_subnet_acl(self, subnet_id, marker=None, max_keys=None, config=None):
```

Parameter meaning
Please refer to the OpenAPI documentation Parameters for Listing ACL Rules
Response value
- Operation succeeded:

```json
{
  "metadata": "For the public metadata return structure, refer to the appendix",
  "maxKeys": 1000,
  "isTruncated": false,
  "aclRules": [
    {
      "id": "ar-jjxp7g3dihfk",
      "subnetId": "sbn-0317afqpxw41",
      "description": "",
      "protocol": "tcp",
      "sourceIpAddress": "2400:da00:e003:4c11::/64",
      "destinationIpAddress": "1::/64",
      "sourcePort": "0-65535",
      "destinationPort": "80",
      "position": 12,
      "direction": "egress",
      "ipVersion": 6,
      "action": "allow"
    }
  ]
}
```

- Operation failed: throws an exception. For the exception list, refer to ACL Exception List.
Code example
For specific code examples, refer to example_list_acl_rules.py
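Because rules in a direction are matched in order and matching stops at the first hit, a rule whose traffic is fully covered by an earlier rule can never fire, and a broad allow placed ahead of a deny silently disables it. As an added example (not from the SDK or from Baidu's documentation), the following offline audit takes a listing in the shape list_subnet_acl returns, flags shadowed rules and wide-open ingress allows, and reports how many of the 256 rules per direction remain. The listing and its ids are constructed; the audit assumes that a lower position is evaluated first and treats "all" as a protocol wildcard, both assumptions rather than facts from this page.

```python
import ipaddress

MAX_RULES_PER_DIRECTION = 256  # "Maximum limit of rules" row in the ACL table

# Constructed listing in the list_subnet_acl response shape; ids and addresses are made up.
SAMPLE_LISTING = {
    "maxKeys": 1000,
    "isTruncated": False,
    "aclRules": [
        {"id": "ar-a", "subnetId": "sbn-example", "description": "", "protocol": "tcp",
         "sourceIpAddress": "0.0.0.0/0", "destinationIpAddress": "192.168.1.0/24",
         "sourcePort": "0-65535", "destinationPort": "0-65535", "position": 10,
         "direction": "ingress", "ipVersion": 4, "action": "allow"},
        {"id": "ar-b", "subnetId": "sbn-example", "description": "", "protocol": "tcp",
         "sourceIpAddress": "10.0.0.0/8", "destinationIpAddress": "192.168.1.0/24",
         "sourcePort": "0-65535", "destinationPort": "22", "position": 20,
         "direction": "ingress", "ipVersion": 4, "action": "deny"},
        {"id": "ar-c", "subnetId": "sbn-example", "description": "", "protocol": "tcp",
         "sourceIpAddress": "192.168.1.0/24", "destinationIpAddress": "0.0.0.0/0",
         "sourcePort": "0-65535", "destinationPort": "443", "position": 10,
         "direction": "egress", "ipVersion": 4, "action": "allow"},
    ],
}


def port_range(spec):
    """Parse "80" or "0-65535" into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    if outer["direction"] != inner["direction"] or outer["ipVersion"] != inner["ipVersion"]:
        return False
    if outer["protocol"] != "all" and outer["protocol"] != inner["protocol"]:
        return False
    for key in ("sourceIpAddress", "destinationIpAddress"):
        if not ipaddress.ip_network(inner[key]).subnet_of(ipaddress.ip_network(outer[key])):
            return False
    for key in ("sourcePort", "destinationPort"):
        olo, ohi = port_range(outer[key])
        ilo, ihi = port_range(inner[key])
        if ilo < olo or ihi > ohi:
            return False
    return True


def shadowed_rules(rules):
    """(rule id, shadowing rule id) pairs: first match means the later rule never fires."""
    ordered = sorted(rules, key=lambda r: r["position"])  # lower position first (assumed)
    found = []
    for idx, rule in enumerate(ordered):
        for earlier in ordered[:idx]:
            if covers(earlier, rule):
                found.append((rule["id"], earlier["id"]))
                break
    return found


def broad_allows(rules):
    """Ingress allow rules that accept any source address to every destination port."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["direction"] == "ingress"
            and ipaddress.ip_network(r["sourceIpAddress"]).prefixlen == 0
            and port_range(r["destinationPort"]) == (0, 65535)]


def direction_headroom(rules, limit=MAX_RULES_PER_DIRECTION):
    """How many more rules each direction can take before hitting the per-direction limit."""
    counts = {"ingress": 0, "egress": 0}
    for r in rules:
        counts[r["direction"]] += 1
    return {d: limit - n for d, n in counts.items()}


def audit(listing):
    """Run all checks over one list_subnet_acl page; refuse a truncated page, it would miss rules."""
    if listing["isTruncated"]:
        raise ValueError("listing is truncated; fetch the remaining pages with marker first")
    rules = listing["aclRules"]
    return {"shadowed": shadowed_rules(rules),
            "broad_allows": broad_allows(rules),
            "headroom": direction_headroom(rules)}


if __name__ == "__main__":
    print(audit(SAMPLE_LISTING))
```

On the sample listing the audit reports that ar-b (deny SSH from 10.0.0.0/8) is shadowed by ar-a, the ingress allow-everything rule that sits ahead of it, and that ar-a itself is a broad allow; the fix is to move the deny to a lower position than the allow, or to narrow the allow, then call update_acl (below) with the new position. The truncation check matters because a page with isTruncated set to true does not contain every rule, so a shadowing rule may simply be on the next page.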
Update ACL
To update specific content of the corresponding ACL rule, thereby supporting changes to parameters such as source/destination IP and source/destination ports, the ACL update functionality can be implemented through the following example function:
Function declaration

```python
def update_acl(self, acl_rule_id, description=None,
               protocol=None, source_ip_address=None,
               destination_ip_address=None, source_port=None,
               destination_port=None,
               position=None, action=None,
               client_token=None, config=None):
```

Parameter meaning
Please refer to the OpenAPI documentation Parameters for Updating ACL
Response value
- Operation succeeded: no response value.
- Operation failed: throws an exception. For the exception list, refer to ACL Exception List.
Code example
For specific code examples, refer to example_update_acl_rule.py
Delete ACL
To delete the corresponding ACL rule, the following sample function can be used to implement the ACL deletion:
Function declaration

```python
def delete_acl(self, acl_rule_id, client_token=None, config=None):
```

Parameter meaning
Please refer to the OpenAPI documentation Parameters for Deleting ACL
Response value
- Operation succeeded: no response value.
- Operation failed: throws an exception. For the exception list, refer to ACL Exception List.
Code example
For specific code examples, refer to example_delete_acl_rule.py
