A policy is a syntactic specification of a user permission set, which accurately describes the authorized resource set, operation set, and authorization conditions.
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "effect",
            "action": ["action"],
            "resource": ["resource"],
            "condition": {"key": {"value"}}
        }
    ]
}
```
The following table describes policy statements.
Parameter | Sub-parameter | Required | Description |
---|---|---|---|
version | N/A | Yes | The only valid value is "2.0". |
statement | effect | Yes | Whether the statement results in an "allow" or an explicit "deny". |
statement | action | Yes | The allowed or denied operation, which can be an API or a feature set (a set of specific APIs prefixed with "permid"). |
statement | resource | Yes | The resources covered by the authorization. All resources can be described in the six-segment format. Each service has its own resources and detailed resource definition. |
statement | condition | Yes | The condition under which the policy takes effect. A condition consists of the operator, action key, and action value. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition. |
Note: The statement element describes the details of one or more permissions. It contains a permission or permission set made up of the other elements: effect, action, resource, and condition. One policy has only one statement.
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with "mongodb:" should be used for MongoDB, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser.
To specify multiple operations in a single statement, separate them with commas as shown below:
```json
"action": ["mongodb:action1", "mongodb:action2"]
```
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
```json
"action": ["mongodb:Describe*"]
```
If you want to specify all operations in MongoDB, use a wildcard "*" as shown below:
```json
"action": ["mongodb:*"]
```
Each CAM policy statement is resource-specific, with a resource path in the six-segment format shown below:

```
qcs:project_id:service_type:region:account:resource
```

For MongoDB the segments take the following values (the project_id segment is left empty in the examples below):

Segment | Value for MongoDB |
---|---|
service_type | mongodb |
region | The region, for example bj |
account | uin/12345678 |
resource | instance/instance_id, or instance/* for all instances |

You can set resource to an instance ID (cmgo-aw6g1g0z) in a statement as shown below:
```json
"resource": ["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
```
You can also use the wildcard "*" to specify all instances that belong to a specific account as shown below:
```json
"resource": ["qcs::mongodb:bj:uin/12345678:instance/*"]
```
If you want to specify all resources, or if a specific API operation does not support resource-level permission control, you can use the wildcard "*" in the resource element as shown below:

```json
"resource": ["*"]
```
If you want to specify multiple resources in a single command, separate them with commas. In the following example, two resources are specified:
```json
"resource": ["resource1", "resource2"]
```
The table below describes the resources that can be used by MongoDB and the corresponding resource description methods, where words prefixed with $ are placeholders: $region refers to a region and $account refers to an account ID.
Resource Type | Resource Description Method in Authorization Policy |
---|---|
Instance | qcs::mongodb:$region:$account:instance/* or qcs::mongodb:$region:$account:instance/$instanceId |
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Security group | qcs::cvm:$region:$account:sg/$sgId |
TencentDB for MongoDB supports the following system permission policies.

Policy | Description |
---|---|
QcloudMongoDBFullAccess | TencentDB for MongoDB management permission. A Tencent Cloud sub-account granted this policy has the same permissions as the root account, including all console and API operations. |
QcloudMongoDBReadOnlyAccess | Read-only permission. A Tencent Cloud sub-account granted this policy has only read-only permission on all resources of the root account and no permission for any other console or API operation. |
The system permission policy QcloudMongoDBFullAccess is as follows:
```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
```
The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
```
Currently, TencentDB for MongoDB supports custom policies for the following resource-level permissions.
Note: TencentDB API operations not listed here do not support resource-level permissions. You can still authorize a user to perform such a TencentDB API operation, but you must specify * as the resource element of the policy statement.
action Name | Permission | resource Description |
---|---|---|
BackupDBInstance | Back up a database instance | |
CreateAccountUser | Create an account | |
CreateDBInstanceHour | Create a pay-as-you-go TencentDB instance | |
DeleteAccountUser | Delete an account | |
DescribeAccountUsers | Query user information of an account | |
DescribeBackupAccess | Get the permission to download instance backups | |
DescribeBackupRules | Query the backup rules of a TencentDB instance | |
DescribeClientConnections | Query the number of client connections | |
DescribeDBBackups | Query the instance backup list | |
DescribeDBInstances | Query the database instance list | |
DescribeInstanceDB | Query the database table information of an instance | |
DescribeSlowLog | Query the information of slow query logs | |
DescribeSlowLogPattern | Query the statistics of slow query logs | |
DescribeSpecInfo | Query the purchasable specifications of TencentDB instances | |
ExchangeInstance | Replace an instance with a temp instance | |
IsolateDBInstance | Isolate a TencentDB instance | |
ModifyDBInstanceSpec | Adjust the configuration of a TencentDB instance | |
OfflineIsolatedDBInstance | Eliminate an isolated TencentDB instance | |
RemoveCloneInstance | Delete a temp instance | |
RenameInstance | Rename an instance | |
ResizeOplog | Resize the oplog of an instance | |
RestartInstance | Restart an instance | |
RestoreDBInstance | Restore a database instance | |
SetAccountUserPrivilege | Set user permissions | |
SetInstanceFormal | Promote a temp instance to primary instance | |
SetInstanceMaintenance | Set maintenance time for an instance | |
SetPassword | Set a password | |
SetReadOnlyToNormal | Promote a read-only instance to primary instance | |
TerminateDBInstanceHour | Terminate a pay-as-you-go instance | |
UpgradeDBInstanceHour | Upgrade a pay-as-you-go instance | |
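The note above gives a rule that is easy to get wrong when writing custom policies by hand: an action that supports resource-level permissions can (and for least privilege should) be scoped to an instance resource, while an action not in the table must be granted with resource "*". The following added example, which is not Tencent Cloud's tooling or code from this page, lints a policy document against that rule using the action names from the table; the sample policy and the action name "ExampleUnlistedAction" are constructed for the demonstration.

```python
"""Least-privilege lint for a TencentDB for MongoDB CAM policy (added example).

Not a Tencent Cloud tool. It applies the rule stated on the page: actions in
the resource-level table may be scoped to an instance resource; any other
action must be granted with resource "*". It flags allow statements that are
broader than needed and statements that scope an action which cannot be scoped.
"""
import fnmatch
import json

# Action names from the page's table (used under the "mongodb:" prefix).
RESOURCE_LEVEL_ACTIONS = {
    "BackupDBInstance", "CreateAccountUser", "CreateDBInstanceHour",
    "DeleteAccountUser", "DescribeAccountUsers", "DescribeBackupAccess",
    "DescribeBackupRules", "DescribeClientConnections", "DescribeDBBackups",
    "DescribeDBInstances", "DescribeInstanceDB", "DescribeSlowLog",
    "DescribeSlowLogPattern", "DescribeSpecInfo", "ExchangeInstance",
    "IsolateDBInstance", "ModifyDBInstanceSpec", "OfflineIsolatedDBInstance",
    "RemoveCloneInstance", "RenameInstance", "ResizeOplog", "RestartInstance",
    "RestoreDBInstance", "SetAccountUserPrivilege", "SetInstanceFormal",
    "SetInstanceMaintenance", "SetPassword", "SetReadOnlyToNormal",
    "TerminateDBInstanceHour", "UpgradeDBInstanceHour",
}

# Constructed sample policy: statement 0 is broader than needed, statement 1
# scopes a (made-up) action that does not support resource-level permissions,
# statement 2 is fine.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": ["mongodb:DescribeDBInstances"], "resource": ["*"]},
    {"effect": "allow", "action": ["mongodb:ExampleUnlistedAction"],
     "resource": ["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]},
    {"effect": "allow", "action": ["mongodb:BackupDBInstance"],
     "resource": ["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]}
  ]
}
""")


def as_list(value):
    """action/resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return finding strings for allow statements; an empty list means no issues."""
    findings = []
    for i, st in enumerate(policy["statement"]):
        if st.get("effect") != "allow":
            continue  # deny statements only narrow permissions
        wildcard_resource = "*" in as_list(st["resource"])
        for action in as_list(st["action"]):
            service, _, name = action.partition(":")
            if service != "mongodb":
                continue  # other services have their own resource rules
            # Table actions covered by this action pattern (handles "Describe*", "*").
            scopable = {n for n in RESOURCE_LEVEL_ACTIONS if fnmatch.fnmatchcase(n, name)}
            if wildcard_resource and scopable:
                findings.append(
                    f'statement {i}: {action} on resource "*" can be scoped to an instance resource'
                )
            elif not wildcard_resource and not scopable:
                findings.append(
                    f'statement {i}: {action} does not support resource-level permissions '
                    f'and must use resource "*"'
                )
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run the lint before attaching a custom policy to a sub-account; the first class of finding is the one to act on, since a wildcard resource on a scopable action is the usual way a "read-only on one instance" policy quietly becomes "read-only on every instance in the account".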
If you want to grant an account the CreateDBInstance and CreateAccountUser permissions on the "cmgo-aw6g****" instance, you can create a policy as follows:
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "mongodb:CreateDBInstance",
                "mongodb:CreateAccountUser"
            ],
            "resource": [
                "qcs::mongodb::uin/100001540306:instanceId/cmgo-aw6g****"
            ],
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.0.0.4"
                    ]
                }
            }
        }
    ]
}
```
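The action wildcards, six-segment resource paths and ip_equal condition described above combine into a single decision per request. The following added example, which is not Tencent Cloud's evaluator and not code from this page, implements that evaluation over a constructed policy so the interaction of the pieces can be checked offline. Its semantics are assumptions where the page is silent: an explicit deny overrides any allow, the default is deny, an empty segment in a resource pattern (as in "qcs::mongodb:...") matches any value, and a condition with an operator other than ip_equal never holds.

```python
"""Evaluate CAM-style policy statements against one request (added example).

Not Tencent Cloud's evaluator. Assumed semantics (not stated on the page):
explicit deny overrides allow; no matching statement means deny; shell-style
wildcards match actions and individual resource segments; an empty segment in
a resource pattern is unrestricted; only the ip_equal operator on the qcs:ip
key is implemented, and any other operator fails closed.
"""
import fnmatch
import json

# Constructed sample policy in the page's format (instance ID from the page).
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["mongodb:Describe*", "mongodb:IsolateDBInstance"],
      "resource": ["qcs::mongodb:bj:uin/12345678:instance/*"]
    },
    {
      "effect": "allow",
      "action": ["mongodb:CreateAccountUser"],
      "resource": ["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"],
      "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}}
    },
    {
      "effect": "deny",
      "action": ["mongodb:IsolateDBInstance"],
      "resource": ["*"]
    }
  ]
}
""")

SEGMENTS = ("prefix", "project_id", "service_type", "region", "account", "resource")


def as_list(value):
    """action/resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def split_resource(qcs: str) -> dict:
    """Split the six-segment form qcs:project_id:service_type:region:account:resource."""
    parts = qcs.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment qcs resource: {qcs!r}")
    return dict(zip(SEGMENTS, parts))


def resource_matches(pattern: str, resource: str) -> bool:
    """True if a resource element (possibly with wildcards) covers a concrete resource."""
    if pattern == "*":
        return True
    want, have = split_resource(pattern), split_resource(resource)
    for seg in SEGMENTS:
        # Assumption: an empty pattern segment places no restriction on that segment.
        if want[seg] and not fnmatch.fnmatchcase(have[seg], want[seg]):
            return False
    return True


def condition_holds(condition, context: dict) -> bool:
    """Evaluate the condition block; only ip_equal on request context keys is implemented."""
    for operator, keys in (condition or {}).items():
        if operator != "ip_equal":
            return False  # unknown operator: fail closed rather than grant
        for key, allowed in keys.items():
            if context.get(key) not in as_list(allowed):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context=None) -> str:
    """Return "allow" or "deny" for one request; an explicit deny wins over allow."""
    context = context or {}
    decision = "deny"
    for statement in policy["statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(statement["action"])):
            continue
        if not any(resource_matches(r, resource) for r in as_list(statement["resource"])):
            continue
        if not condition_holds(statement.get("condition"), context):
            continue
        if statement["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    inst = "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"
    print(evaluate(SAMPLE_POLICY, "mongodb:DescribeDBInstances", inst))
    print(evaluate(SAMPLE_POLICY, "mongodb:CreateAccountUser", inst, {"qcs:ip": "10.0.0.4"}))
    print(evaluate(SAMPLE_POLICY, "mongodb:IsolateDBInstance", inst))
```

The deny statement on resource "*" shows why a broad deny is a cheap safety net: the first statement allows IsolateDBInstance on every instance in region bj, yet the request is refused because the deny matches too. The condition block likewise defaults to deny when the request context carries no qcs:ip at all, which is the behaviour to expect from a source-restricted grant.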
You can create a custom policy on the Policy page in the CAM console. For detailed directions, see Creating Custom Policy.