CAM Policy Syntax
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}- Version Is required. Currently, only "2.0" is allowed.
- Statement Describes the details of one or more privileges. This element contains a privilege or privilege set of other elements such as effect, action, resource, and condition. One policy has only one statement.
- Effect Describes whether the result produced by the statement is "allowed" (allow) or "denied" (deny). This element is required.
- Action Describes the allowed or denied operation. An operation can be an API or a feature set (a set of specific APIs prefixed with "permid"). This element is required.
- Resource Describes the details of authorization. A resource is described in a six-piece format. Detailed resource definitions vary by product. This element is required.
- Condition Describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition. This element is optional.
MongoDB Operations
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with "mongodb:" should be used for MongoDB, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser.
- To specify multiple actions in a single statement, separate them with commas, as shown below:
"action":["mongodb:action1","mongodb:action2"]You can also specify multiple actions using a wildcard. For example, you can specify all actions whose name begins with "Describe", as shown below:
"action":["mongodb:Describe*"]If you want to specify all operations in MongoDB, use a wildcard " * "as shown below:
"action":["mongodb:*"]
MongoDB Resource Path
Each CAM policy statement has its own resources.
The general form of resource path is as follows:
qcs:project_id:service_type:region:account:resource- Project_id Describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
- Service_type Describes the product abbreviation such as COS.
Region : region information, for example, bj. - File ext Is the root account of the resource owner, such as uin/653339763.
- Resource Describes detailed resource information of each product, such as instanceId/instance_id1 or instanceId/ * .
For example, you can specify a resource for a specific instance (cmgo-aw6g1g0z) in a statement as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]You can also use the wildcard " * "to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/*"]If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the wildcard " * "in the" resource "element as shown below:"
"resource": ["*"]To specify multiple resources in a single command, separate them with commas. Below is an example where two resources are specified:
"resource":["resource1","resource2"]The table below describes the resources that can be used by MongoDB and the corresponding resource description methods, where words prefixed with $are placeholders, "project" refers to a project ID, "region" refers to a region, and "account" refers to an account ID.
| Resource | Resource Description Method in Authorization Policy |
|---|---|
| Instance | qcs::cdb:$region:$account:instanceId/$instanceId |
| Security group | qcs::cvm:$region:$account:sg/$sgId |
