Authorization Policy Syntax

Last updated: 2024-01-15 14:40:06
    A policy is a syntactic specification of a user permission set, which accurately describes the authorized resource set, operation set, and authorization conditions.

    CAM Policy Syntax

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "effect",
                "action": ["action"],
                "resource": ["resource"],
                "condition": {"operator": {"key": ["value"]}}
            }
        ]
    }
    The following table describes the elements of a policy.

    Parameter   Subparameter   Required   Description
    version     N/A            Yes        Currently, only the value 2.0 is allowed.
    statement   effect         Yes        The result of the statement: "allow" or "deny" (an explicit deny).
    statement   action         Yes        The operation that is allowed or denied: an API operation (such as mongodb:CreateAccountUser) or a feature set (a set of specific APIs, prefixed with permid).
    statement   resource       Yes        The resources the statement applies to, written in the six-segment format. Each service defines its own resource types; see the resource table below.
    statement   condition      No         The condition under which the statement takes effect: an operator (such as ip_equal), a condition key (such as qcs:ip) and one or more values, which can be a time, an IP address, and so on. Some services define additional condition keys. The system policies on this page have no condition element.
    Note:
    The statement element describes one or more permissions. It is an array whose entries each combine effect, action, resource and, optionally, condition. A policy contains exactly one statement element; to express several permissions, add several entries to that array.

    Defining an action

    In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs for TencentDB for MongoDB are prefixed with mongodb:, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser. To specify multiple operations in a single statement, separate them with commas:
    "action":["mongodb:action1","mongodb:action2"]
    You can also specify multiple operations with a wildcard. For example, the following matches every operation whose name begins with "Describe":
    "action":["mongodb:Describe*"]
    To specify all TencentDB for MongoDB operations, use the wildcard "*" on its own:
    "action":["mongodb:*"]

    Defining a resource

    Each CAM policy statement has its own applicable resources. Resource paths are written in the following six-segment format:
    qcs:project_id:service_type:region:account:resource
    qcs is a fixed prefix.
    project_id describes the project, is only kept for compatibility with legacy CAM logic, and can be left empty.
    service_type describes the product abbreviation, such as mongodb.
    region describes the region, such as bj.
    account describes the root account of the resource owner, such as uin/12345678.
    resource describes the detailed resource information of each product, such as instance/instance_id or instance/*.
    You can set resource to a single instance ID (cmgo-aw6g1g0z) in a statement as shown below:
    "resource":["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
    You can also use the wildcard "*" to specify all instances that belong to a specific account in a specific region, as shown below:
    "resource":["qcs::mongodb:bj:uin/12345678:instance/*"]
    If you want to specify all resources, or if a specific API operation does not support resource-level permission control, use the wildcard "*" as the whole resource element, as shown below:
    "resource":["*"]
    If you want to specify multiple resources in a single statement, separate them with commas. In the following example, two resources are specified:
    "resource":["resource1","resource2"]
    The table below lists the resource types that TencentDB for MongoDB policies can reference and how each is written in a policy. Words prefixed with $ are placeholders: $region is a region, $account is an account ID (such as uin/12345678), and $instanceId, $vpcId and $sgId are resource IDs.

    Resource Type     Resource Description in Authorization Policy
    Instance          qcs::mongodb:$region:$account:instance/*
                      qcs::mongodb:$region:$account:instance/$instanceId
    VPC               qcs::vpc:$region:$account:vpc/$vpcId
    Security Group    qcs::cvm:$region:$account:sg/$sgId
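The following Python is an added example, not code from the Tencent Cloud page. It shows how the six-segment resource format and the action wildcards described in the two sections above can be parsed and matched. parse_resource, action_matches and resource_matches are names chosen here; the matching is shell-style (fnmatch) and illustrates the syntax rather than reproducing Tencent's policy engine. The sample values are the page's own (uin/12345678, cmgo-aw6g1g0z, region bj).

```python
# Added example (not from the Tencent Cloud page): parse the six-segment
# resource format and apply action/resource wildcards as described above.
# It illustrates the syntax; it is not Tencent's policy engine.
from fnmatch import fnmatchcase
from typing import Dict

SEGMENTS = ("prefix", "project_id", "service_type", "region", "account", "resource")


def parse_resource(qcs: str) -> Dict[str, str]:
    """Split "qcs:project_id:service_type:region:account:resource" into fields.

    Only the first five ":" are separators, so a resource segment that itself
    contains ":" stays intact. project_id (legacy) and region may be empty;
    service_type, account and resource must be present.
    """
    parts = qcs.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment qcs resource: {qcs!r}")
    fields = dict(zip(SEGMENTS, parts))
    for required in ("service_type", "account", "resource"):
        if not fields[required]:
            raise ValueError(f"{required} segment is empty in {qcs!r}")
    return fields


def action_matches(pattern: str, action: str) -> bool:
    """Shell-style matching: "mongodb:Describe*" matches "mongodb:DescribeDBInstances"
    but not "mongodb:BackupDBInstance" and not "cvm:DescribeInstances"."""
    return fnmatchcase(action, pattern)


def resource_matches(pattern: str, resource: str) -> bool:
    """A bare "*" matches any resource. Otherwise the match is segment by segment,
    so "instance/*" under region bj and uin/12345678 does not cover an instance
    in another region or under another root account."""
    if pattern == "*":
        return True
    pat, res = parse_resource(pattern), parse_resource(resource)
    return all(fnmatchcase(res[seg], pat[seg]) for seg in SEGMENTS)


if __name__ == "__main__":
    own = "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"
    print(parse_resource(own))
    print(action_matches("mongodb:Describe*", "mongodb:DescribeDBInstances"))  # True
    print(resource_matches("qcs::mongodb:bj:uin/12345678:instance/*", own))    # True
    print(resource_matches("qcs::mongodb:bj:uin/12345678:instance/*",
                           "qcs::mongodb:gz:uin/12345678:instance/cmgo-aw6g1g0z"))  # False
```

The segment-by-segment match is the point worth remembering when reviewing a policy: a wildcard in the last segment widens the grant only within the region and root account named in the other segments, whereas a bare "*" widens it to everything.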

    Default Permission Policy of TencentDB for MongoDB

    TencentDB for MongoDB supports the following system permission policies.

    Policy Name: QcloudMongoDBFullAccess
    Note: TencentDB for MongoDB management permission. A Tencent Cloud sub-account granted this policy has the same TencentDB for MongoDB permissions as the root account, including all console and API operations.

    Policy Name: QcloudMongoDBReadOnlyAccess
    Note: Read-only permission. A Tencent Cloud sub-account granted this policy can only query TencentDB for MongoDB resources under the root account and cannot perform management operations in the console or via API. Note that the policy grants every mongodb:Describe* action, which includes DescribeBackupAccess (permission to download an instance backup), so "read-only" still covers reading instance data through backups.

    The system permission policy QcloudMongoDBFullAccess is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "monitor:GetMonitorData",
                    "monitor:DescribeBaseMetrics",
                    "mongodb:*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
    The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "monitor:GetMonitorData",
                    "monitor:DescribeBaseMetrics",
                    "mongodb:Describe*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

    Custom Permission Policy of TencentDB for MongoDB

    Currently, TencentDB for MongoDB supports custom policies with resource-level permissions for the following API operations.
    Note:
    TencentDB for MongoDB API operations not listed here do not support resource-level permissions. You can still authorize a user to perform such an operation, but you must then set the resource element of the policy statement to *; a statement scoped to a specific instance is not sufficient.
    Every action below supports the same two resource descriptions, so they are listed once here rather than in every row:
        qcs::mongodb:$region:$account:instance/*
        qcs::mongodb:$region:$account:instance/$instanceId

    Action Name                  Permission Description
    BackupDBInstance             Backs up a database instance
    CreateAccountUser            Creates an account
    CreateDBInstanceHour         Creates a pay-as-you-go TencentDB for MongoDB instance
    DeleteAccountUser            Deletes an account
    DescribeAccountUsers         Queries the user information of an account
    DescribeBackupAccess         Gets the permission to download an instance backup
    DescribeBackupRules          Gets the backup rules of a TencentDB instance
    DescribeClientConnections    Gets the number of client connections
    DescribeDBBackups            Queries the list of backups of an instance
    DescribeDBInstances          Queries the list of database instances
    DescribeInstanceDB           Queries the collection/database information of an instance
    DescribeSlowLog              Gets the slow log information
    DescribeSlowLogPattern       Gets the slow log statistics
    DescribeSpecInfo             Queries purchasable instance specifications
    ExchangeInstance             Replaces the original instance with a temp instance
    IsolateDBInstance            Isolates a TencentDB instance
    ModifyDBInstanceSpec         Adjusts the configurations of a TencentDB instance
    OfflineIsolatedDBInstance    Deactivates an isolated TencentDB instance
    RemoveCloneInstance          Deletes a temp instance
    RenameInstance               Renames an instance
    RenewInstance                Renews a TencentDB instance
    ResizeOplog                  Adjusts the oplog size of an instance
    RestartInstance              Restarts an instance
    RestoreDBInstance            Restores a database instance
    SetAccountUserPrivilege      Sets user permissions
    SetAutoRenew                 Sets auto-renewal
    SetBackupRules               Sets backup rules
    SetInstanceFormal            Promotes a temp instance to the primary instance
    SetInstanceMaintenance       Sets the instance maintenance time
    SetPassword                  Sets the password
    SetReadOnlyToNormal          Promotes a read-only instance to the primary instance
    TerminateDBInstanceHour      Terminates a pay-as-you-go instance
    UpgradeDBInstanceHour        Upgrades a pay-as-you-go instance
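As an added example (not code from the Tencent Cloud page), the following Python function applies the rule in the note above to a policy document: a named mongodb action that is outside the table and is paired with a specific resource is reported as an error, and a wildcard action pattern paired with a specific resource is reported as a warning, because any operation it matches that lacks resource-level support is not granted by that statement. RESOURCE_LEVEL_ACTIONS is the table above; lint_resource_scope and EXAMPLE_POLICY are names and data constructed for this example. The example policy deliberately includes mongodb:CreateDBInstance, which appears in the custom policy example below but not in the table.

```python
# Added example (not from the Tencent Cloud page): check a policy against the
# rule that an action without resource-level support needs resource "*".
from typing import Dict, List, Tuple, Union

# The resource-level action table from this page.
RESOURCE_LEVEL_ACTIONS = {
    "BackupDBInstance", "CreateAccountUser", "CreateDBInstanceHour",
    "DeleteAccountUser", "DescribeAccountUsers", "DescribeBackupAccess",
    "DescribeBackupRules", "DescribeClientConnections", "DescribeDBBackups",
    "DescribeDBInstances", "DescribeInstanceDB", "DescribeSlowLog",
    "DescribeSlowLogPattern", "DescribeSpecInfo", "ExchangeInstance",
    "IsolateDBInstance", "ModifyDBInstanceSpec", "OfflineIsolatedDBInstance",
    "RemoveCloneInstance", "RenameInstance", "RenewInstance", "ResizeOplog",
    "RestartInstance", "RestoreDBInstance", "SetAccountUserPrivilege",
    "SetAutoRenew", "SetBackupRules", "SetInstanceFormal",
    "SetInstanceMaintenance", "SetPassword", "SetReadOnlyToNormal",
    "TerminateDBInstanceHour", "UpgradeDBInstanceHour",
}

Finding = Tuple[str, int, str]  # (level, statement index, action pattern)


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # The system policies on this page write "resource": "*" as a bare string.
    return [value] if isinstance(value, str) else list(value)


def lint_resource_scope(policy: Dict) -> List[Finding]:
    """Report actions that the statement's resource element cannot authorize.

    error:   a named mongodb action outside the table, paired with a specific
             resource; per the note above it needs resource "*".
    warning: a wildcard action pattern paired with a specific resource; the
             table actions it matches are granted, anything else it matches
             is not. Actions of other services are not checked here.
    """
    findings: List[Finding] = []
    for i, st in enumerate(policy["statement"]):
        if "*" in _as_list(st["resource"]):
            continue  # "*" satisfies the rule for every action
        for pattern in _as_list(st["action"]):
            service, _, name = pattern.partition(":")
            if service != "mongodb":
                continue
            if any(ch in name for ch in "*?["):
                findings.append(("warning", i, pattern))
            elif name not in RESOURCE_LEVEL_ACTIONS:
                findings.append(("error", i, pattern))
    return findings


# Constructed for this example; instance and account IDs are the page's samples.
INSTANCE = "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"
EXAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",  # fine: both actions are in the table
         "action": ["mongodb:CreateAccountUser", "mongodb:DescribeAccountUsers"],
         "resource": [INSTANCE]},
        {"effect": "allow",  # error: CreateDBInstance is not in the table
         "action": ["mongodb:CreateDBInstance"],
         "resource": [INSTANCE]},
        {"effect": "allow",  # warning: mongodb:* also matches unlisted operations
         "action": ["mongodb:*"],
         "resource": ["qcs::mongodb:bj:uin/12345678:instance/*"]},
        {"effect": "allow",  # fine: resource "*" satisfies the rule
         "action": ["mongodb:DescribeSpecInfo", "monitor:GetMonitorData"],
         "resource": "*"},
    ],
}

if __name__ == "__main__":
    for level, index, pattern in lint_resource_scope(EXAMPLE_POLICY):
        print(f"{level}: statement {index}: {pattern}")
```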
    

    Custom permission policy example

    If you want to grant a sub-account the CreateDBInstance and CreateAccountUser permissions on the instance cmgo-aw6g****, and only for requests coming from the IP address 10.0.0.4, you can create a policy as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "mongodb:CreateDBInstance",
                    "mongodb:CreateAccountUser"
                ],
                "resource": [
                    "qcs::mongodb::uin/100001540306:instance/cmgo-aw6g****"
                ],
                "condition": {
                    "ip_equal": {
                        "qcs:ip": [
                            "10.0.0.4"
                        ]
                    }
                }
            }
        ]
    }
    The resource uses the instance/$instanceId form defined in the resource table above. The condition element restricts the statement to requests whose source IP (qcs:ip) equals 10.0.0.4; without it, the two actions would be allowed from any address.
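To see how the effect, action, resource and condition elements combine, here is an added example (not code from the Tencent Cloud page) of a small evaluator for policies written in the syntax this page describes. The page does not spell out the evaluation order; this code assumes the one that the term "explicit deny" implies: a matching deny statement wins over every allow, and a request that no statement allows is denied. Only the ip_equal operator on the qcs:ip key is modelled, and its values are treated as single IPs or CIDR blocks. evaluate and request are names chosen here; CUSTOM is modelled on the example above with the region and instance ID filled in from the page's earlier samples, READ_ONLY is QcloudMongoDBReadOnlyAccess as printed on this page, and NO_BACKUP_DOWNLOAD is a constructed explicit deny.

```python
# Added example (not from the Tencent Cloud page): evaluate CAM-style policies
# against a request. Assumed evaluation order: explicit deny > allow > implicit deny.
import ipaddress
from fnmatch import fnmatchcase
from typing import Dict, List, Union

INSTANCE = "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"  # page's sample IDs


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # The syntax section shows arrays, but the system policies use "resource": "*".
    return [value] if isinstance(value, str) else list(value)


def _resource_matches(pattern: str, resource: str) -> bool:
    if pattern == "*":
        return True
    pat, res = pattern.split(":", 5), resource.split(":", 5)
    return len(pat) == len(res) == 6 and all(fnmatchcase(r, p) for p, r in zip(pat, res))


def _condition_holds(condition: Dict, request: Dict) -> bool:
    # {"ip_equal": {"qcs:ip": ["10.0.0.4"]}}: the source IP must fall in one value.
    for operator, keys in condition.items():
        if operator != "ip_equal":
            raise NotImplementedError(f"operator {operator!r} is not modelled here")
        for key, values in keys.items():
            if key != "qcs:ip":
                raise NotImplementedError(f"condition key {key!r} is not modelled here")
            src = ipaddress.ip_address(request["ip"])
            if not any(src in ipaddress.ip_network(v, strict=False) for v in _as_list(values)):
                return False
    return True


def evaluate(policies: List[Dict], request: Dict) -> str:
    """Return "allow", "deny" (an explicit deny matched) or "implicit_deny".

    request = {"action": "mongodb:...", "resource": "qcs::...", "ip": "10.0.0.4"}
    """
    allowed = False
    for policy in policies:
        if policy.get("version") != "2.0":
            raise ValueError("only version 2.0 is allowed")
        for st in policy["statement"]:
            if not any(fnmatchcase(request["action"], a) for a in _as_list(st["action"])):
                continue
            if not any(_resource_matches(r, request["resource"]) for r in _as_list(st["resource"])):
                continue
            if "condition" in st and not _condition_holds(st["condition"], request):
                continue
            if st["effect"] == "deny":
                return "deny"  # one matching explicit deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicit_deny"


def request(action: str, resource: str = INSTANCE, ip: str = "10.0.0.4") -> Dict:
    return {"action": action, "resource": resource, "ip": ip}


# Modelled on the custom policy above, with region bj and the page's sample instance.
CUSTOM = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": ["mongodb:CreateAccountUser"],
        "resource": [INSTANCE],
        "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}},
    }],
}

# QcloudMongoDBReadOnlyAccess as printed on this page.
READ_ONLY = {
    "version": "2.0",
    "statement": [{
        "action": ["monitor:GetMonitorData", "monitor:DescribeBaseMetrics", "mongodb:Describe*"],
        "resource": "*",
        "effect": "allow",
    }],
}

# Constructed for this example: an explicit deny on backup download access,
# which mongodb:Describe* in the read-only policy would otherwise grant.
NO_BACKUP_DOWNLOAD = {
    "version": "2.0",
    "statement": [{"effect": "deny", "action": ["mongodb:DescribeBackupAccess"], "resource": ["*"]}],
}

if __name__ == "__main__":
    print(evaluate([CUSTOM], request("mongodb:CreateAccountUser")))                 # allow
    print(evaluate([CUSTOM], request("mongodb:CreateAccountUser", ip="10.0.0.5")))  # implicit_deny
    print(evaluate([CUSTOM, READ_ONLY], request("mongodb:DescribeBackupAccess")))   # allow
    print(evaluate([CUSTOM, READ_ONLY, NO_BACKUP_DOWNLOAD],
                   request("mongodb:DescribeBackupAccess")))                         # deny
```

The last two calls show the caveat from the system-policy section: attaching QcloudMongoDBReadOnlyAccess alongside a narrowly scoped custom policy also grants DescribeBackupAccess on every instance, and the cleanest way to take that back without rewriting the system policy is an explicit deny, which wins regardless of the order in which the policies are attached.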

    Creating a custom permission policy

    You can create a custom policy on the Policies page in the CAM console. For detailed directions, see Creating Custom Policy.