- Release Notes and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Ops and Development Guide
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- RenameInstance
- OfflineIsolatedDBInstance
- ModifyDBInstanceSpec
- IsolateDBInstance
- DescribeSpecInfo
- DescribeDBInstances
- DescribeClientConnections
- CreateDBInstanceHour
- CreateDBInstance
- AssignProject
- RenewDBInstances
- DescribeSlowLogs
- DescribeSlowLogPatterns
- InquirePriceRenewDBInstances
- InquirePriceModifyDBInstanceSpec
- InquirePriceCreateDBInstances
- DescribeDBInstanceDeal
- DescribeSecurityGroup
- DescribeInstanceParams
- ModifyDBInstanceSecurityGroup
- ModifyDBInstanceNetworkAddress
- Backup APIs
- Account APIs
- Task APIs
- Other APIs
- Data Types
- Error Codes
- Instance Connection
- FAQs
- Service Agreement
- Performance Data
- Glossary
- Contact Us
- Release Notes and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Ops and Development Guide
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- RenameInstance
- OfflineIsolatedDBInstance
- ModifyDBInstanceSpec
- IsolateDBInstance
- DescribeSpecInfo
- DescribeDBInstances
- DescribeClientConnections
- CreateDBInstanceHour
- CreateDBInstance
- AssignProject
- RenewDBInstances
- DescribeSlowLogs
- DescribeSlowLogPatterns
- InquirePriceRenewDBInstances
- InquirePriceModifyDBInstanceSpec
- InquirePriceCreateDBInstances
- DescribeDBInstanceDeal
- DescribeSecurityGroup
- DescribeInstanceParams
- ModifyDBInstanceSecurityGroup
- ModifyDBInstanceNetworkAddress
- Backup APIs
- Account APIs
- Task APIs
- Other APIs
- Data Types
- Error Codes
- Instance Connection
- FAQs
- Service Agreement
- Performance Data
- Glossary
- Contact Us
A policy is a syntactic specification of a user permission set, which accurately describes the authorized resource set, operation set, and authorization conditions.
CAM Policy Syntax
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
The following table describes policy statements.
| Parameter | Sub-parameter | Required | Description |
|---|---|---|---|
| version | N/A | Yes | The only valid value is "2.0". |
| statement | effect | Yes | It describes whether the statement results in an "allow" or an explicit "deny". |
| action | Yes | It describes the allowed or denied operation which can be an API or a feature set (a set of specific APIs prefixed with "permid"). | |
| resource | Yes | It describes the details of authorization. All resources can be described in the six-segment format. Each service has its own resources and detailed resource definition. | |
| condition | Yes | It specifies the condition for the policy to take effect. A condition consists of the operator, action key, and action value. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition. |
Note:The statement element describes the details of one or more permissions. This element contains a permission or permission set of other elements such as
effect,action,resource, andcondition. One policy has only onestatement.
Defining action
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with "mongodb:" should be used for MongoDB, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser.
To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["mongodb:action1","mongodb:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action":["mongodb:Describe*"]
If you want to specify all operations in MongoDB, use a wildcard "*" as shown below:
"action":["mongodb:*"]
Defining resource
Each CAM policy statement is resource-specific with a resource path as shown below:
qcs:project_id:service_type:region:account:resource
- project_id: project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
- service_type: product’s abbreviation, for example,
mongodb. - region: region information, for example,
bj. - account: the root account of the resource owner, for example,
uin/12345678. - resource: detailed resource information of each product, for example,
instance/instance_idorinstance/*.
You can set resource to an instance ID (cmgo-aw6g1g0z) in a statement as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
You can also use the wildcard "*" to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/*"]
If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the wildcard "*" in the resource element as shown below:
"resource": ["*"]
If you want to specify multiple resources in a single command, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by MongoDB and the corresponding resource description methods, where words prefixed with $ are placeholders, region refers to a region, and account refers to an account ID.
| Resource Type | Resource Description Method in Authorization Policy |
|---|---|
| Instance | qcs::mongodb:$region:$account:instance/*qcs::mongodb:$region:$account:instance/$instanceId |
| VPC | qcs::vpc:$region:$account:vpc/$vpcId |
| Security group | qcs::cvm:$region:$account:sg/$sgId |
Default Permission Policy of TencentDB for MongoDB
TencentDB for MongoDB supports the following system permission policies.
| Policy | Description |
|---|---|
QcloudMongoDBFullAccess |
TencentDB for MongoDB management permission. A Tencent Cloud sub-account granted with this permission has the same permissions as the root account, including all permissions of console and API operations. |
QcloudMongoDBReadOnlyAccess |
Read-Only permission. A Tencent Cloud sub-account granted with this permission only has the read-only permission on all resources of the root account, but does not have any permission of console and API operations. |
The system permission policy QcloudMongoDFullAccess is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"mongodb:*"
],
"resource": "*",
"effect": "allow"
}
]
}
The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"mongodb:Describe*"
],
"resource": "*",
"effect": "allow"
}
]
}
Custom Permission Policy of TencentDB for MongoDB
Currently, TencentDB for MongoDB supports custom policies for the following resource-level permissions.
Note:TencentDB API operations not listed here do not support resource-level permissions. You can still authorize a user to perform such a TencentDB API operation, but you must specify * as the resource element of the policy statement.
| action Name | Permission | resource Description |
|---|---|---|
| BackupDBInstance | Back up a database instance |
|
| CreateAccountUser | Create an account |
|
| CreateDBInstanceHour | Create a pay-as-you-go TencentDB instance |
|
| DeleteAccountUser | Delete an account |
|
| DescribeAccountUsers | Query user information of an account |
|
| DescribeBackupAccess | Get the permission to download instance backups |
|
| DescribeBackupRules | Query the backup rules of a TencentDB instance |
|
| DescribeClientConnections | Query the number of client connections |
|
| DescribeDBBackups | Query the instance backup list |
|
| DescribeDBBackups | Query the instance backup list |
|
| DescribeDBInstances | Query the database instance list |
|
| DescribeInstanceDB | Query the database table information of an instance |
|
| DescribeSlowLog | Query the information of slow query logs |
|
| DescribeSlowLogPattern | Query the statistics of slow query logs |
|
| DescribeSpecInfo | Query the purchasable specifications of TencentDB instances |
|
| ExchangeInstance | Replace an instance with a temp instance |
|
| IsolateDBInstance | Isolate a TencentDB instance |
|
| ModifyDBInstanceSpec | Adjust the configuration of a TencentDB instance |
|
| OfflineIsolatedDBInstance | Eliminate an isolated TencentDB instance |
|
| RemoveCloneInstance | Delete a temp instance |
|
| RenameInstance | Rename an instance |
|
| ResizeOplog | Resize the oplog of an instance |
|
| RestartInstance | Restart an instance |
|
| RestoreDBInstance | Restore a database instance |
|
| SetAccountUserPrivilege | Set user permissions |
|
| SetInstanceFormal | Promote a temp instance to primary instance |
|
| SetInstanceMaintenance | Set maintenance time for an instance |
|
| SetPassword | Set a password |
|
| SetReadOnlyToNormal | Promote a read-only instance to primary instance |
|
| TerminateDBInstanceHour | Terminate a pay-as-you-go instance |
|
| UpgradeDBInstanceHour | Upgrade a pay-as-you-go instance |
|
Custom permission policy example
If you want to grant an account the CreateDBInstance and CreateAccountUser permissions on the "cmgo-aw6g****" instance, you can create a policy as follows:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"mongodb:CreateDBInstance",
"mongodb:CreateAccountUser"
],
"resource": [
"qcs::mongodb::uin/100001540306:instanceId/cmgo-aw6g****"
],
"condition": {
"ip_equal": {
"qcs:ip": [
"10.0.0.4"
]
}
}
}
]
}
Creating a custom permission policy
You can create a custom policy on the Policy page in the CAM console. For detailed directions, see Creating Custom Policy.
Yes
No
Was this page helpful?