Set Permission through API

Last updated: 2020-02-17 17:45:25


Sub-user key

Log in to the Access Management console with the sub-account, open [ Cloud API Key ] and find the sub-user's key. The key is used to generate the request signature; once the signature passes verification, the request can access the related Tencent Cloud resources.

The signature serves three purposes:

  • Authenticating the requesting user's identity: the identity is confirmed by the user key.
  • Preventing tampering: the request content is signed with a hash algorithm, so any change to the content shows up as an inconsistent signature.
  • Preventing replay attacks: the signed information includes the request time, the signing time and a validity period, so an expired request cannot be replayed. Tencent Cloud services can also reject expired requests based on the request time.

Example of API call

Interface Protocol

  • Encoding type: UTF-8
  • Encoding format: JSON
  • Transmission method: POST
  • Request protocol: HTTP

Example of the invocation specification:

{
    "version": 1,
    "componentName": "MC",
    "eventId": 123456,
    "interface": {
        "interfaceName": "interfaceName",
        "para": {
            Interface corresponding parameters
        }
    }
}

Returned result:

{
    "version": 1,
    "eventId": 123456,
    "componentName": "CONSOLE_LOGICAL_SERVER",
    "returnValue": 0,
    "returnCode": 0,
    "returnMessage": "OK",
    "data": {
        "ownerUin": 123,
        "uin": 124,
        "ownerAppid": 323
    }
}

When the call fails, returnCode is non-zero and returnMessage contains the error message.
For the interfaceName and para input parameters and the data output parameter of each interface, see [Call description](#Call description) .

Interface description

For more information about CAM users and managing permissions through the API, see the CAM API documentation.

Invocation example

New Policy (CreateCamStrategy)

Policy example: grant a sub-user (Uin "3232") permission to list all queues under the account, plus permission to consume (receive) messages and batch-delete messages on the queue horacetest1 in the Beijing region.

  • Field parsing:

  Parameter      Description                                                          Sample value
  StrategyName   Policy name.                                                         Strategy1
  StrategyInfo   Policy content (passed as a JSON string). See the sample code.
  Remark         Comment on the policy.                                               Hello test
  Resource       Six-segment description of the CMQ resource, for example
                 qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue

  The six segments of the resource description are:
    • Segment 1 is the fixed prefix qcs.
    • Segment 2 is empty.
    • Segment 3 is the message queue type: cmqqueue for the queue model, cmqtopic for the topic model.
    • Segment 4 is the region, for example gz, bj or sh; leave it empty to cover all regions.
    • Segment 5 is the root account, in the form uin/{root account uin}.
    • Segment 6 describes the resource. In queue mode it is queueName/uin/{creator uin}/{queue name}; in topic mode it is topicName/uin/{creator uin}/{topic name}. The creator's uin can be found on the console details page or in the createUin value returned by the GetQueueAttributes or GetTopicAttributes API.
  • Sample code:
{
    "strategyName": "strategy1",
    "strategyInfo": {
        "version": "2.0",
        "principal": {
            "qcs": [
                "qcs::cam::uin/1238423:uin/3232/myqueue",
                "qcs::cam::uin/1238423:groupid/13"
            ]
        },
        "statement": [
            {
                "effect": "allow",
                "action": "name/cmqqueue:ListQueue",
                "resource": "*"
            },
            {
                "effect": "allow",
                "action": [
                    "name/cmqqueue:ReceiveMessage",
                    "name/cmqqueue:BatchDeleteMessage"
                ],
                "resource": [
                    "qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue",
                    "qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/*"
                ]
            }
        ]
    },
    "remark": "horace test"
}

The creator uin that follows uin/ in segment 6 of the resource description can be looked up when the policy is created.

Sub-account Associate / remove Policy (OperateCamStrategy)

This API associates a policy with a user or user group, or removes it from one.

  • Policy example: associate the user whose UIN is "123456" with the policy whose ID is "666".

  • Field parsing:

  Parameter    Description                                                                          Sample value
  GroupId      To associate a user, pass -1; to associate a user group, pass the group ID.           -1
  RelateUin    To associate a user, pass the user's uin; to associate a user group, pass -1.         123456
  StrategyId   ID of the policy to associate.                                                       666
  ActionType   1 associates the policy; 2 removes it.                                               1
  • Sample code:
{
    "groupId":-1,
    "relateUin":123456,
    "strategyId":666,
    "actionType":1
}
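The following is an added example, not Tencent Cloud's own SDK or code: it builds the request envelope from "Example of the invocation specification" and the parameters for the two interfaces above (CreateCamStrategy and OperateCamStrategy), including the six-segment CMQ resource strings. The componentName "MC", the eventId, uins and queue names are the page's sample values; the helper names and the decision to send strategyInfo as a JSON string (as the field table states) are this example's own.

```python
import json

# Added example (not Tencent Cloud's code): request envelope and parameters for
# CreateCamStrategy / OperateCamStrategy. Sample values are constructed from the page.

REGION_BEIJING = "bj"
SEGMENTS_DOC = "qcs : <empty> : cmqqueue|cmqtopic : region : uin/{root uin} : name/uin/{creator uin}/{name}"


def cmq_queue_resource(root_uin, creator_uin, queue_name, region=""):
    """Six-segment description of a CMQ queue; an empty region means all regions."""
    return f"qcs::cmqqueue:{region}:uin/{root_uin}:queueName/uin/{creator_uin}/{queue_name}"


def cmq_topic_resource(root_uin, creator_uin, topic_name, region=""):
    """Six-segment description of a CMQ topic (topicName instead of queueName)."""
    return f"qcs::cmqtopic:{region}:uin/{root_uin}:topicName/uin/{creator_uin}/{topic_name}"


def build_request(interface_name, para, event_id, component_name="MC"):
    """Wrap interface parameters in the envelope shown under the invocation specification."""
    return {
        "version": 1,
        "componentName": component_name,
        "eventId": event_id,
        "interface": {"interfaceName": interface_name, "para": para},
    }


def create_cam_strategy_para(strategy_name, statements, remark="", principals=None):
    """Parameters for CreateCamStrategy.

    principal may be omitted (rule 1 of the call description) and the users
    associated later with OperateCamStrategy. strategyInfo is sent as a JSON
    string, as the field table says.
    """
    strategy_info = {"version": "2.0", "statement": statements}
    if principals:
        strategy_info["principal"] = {"qcs": principals}
    return {
        "strategyName": strategy_name,
        "strategyInfo": json.dumps(strategy_info, separators=(",", ":")),
        "remark": remark,
    }


def strategy_info_of(para):
    """Decode the strategyInfo JSON string back into a dict (for inspection)."""
    return json.loads(para["strategyInfo"])


def operate_cam_strategy_para(strategy_id, action_type, relate_uin=None, group_id=None):
    """Parameters for OperateCamStrategy.

    Exactly one of relate_uin (associate a user) or group_id (associate a user
    group) is given; the other field is sent as -1. action_type 1 associates, 2 removes.
    """
    if (relate_uin is None) == (group_id is None):
        raise ValueError("pass exactly one of relate_uin or group_id")
    if action_type not in (1, 2):
        raise ValueError("actionType must be 1 (associate) or 2 (remove)")
    return {
        "groupId": -1 if group_id is None else group_id,
        "relateUin": -1 if relate_uin is None else relate_uin,
        "strategyId": strategy_id,
        "actionType": action_type,
    }


def check_response(resp):
    """Return resp['data'] when returnCode is 0, otherwise raise with returnMessage."""
    if resp.get("returnCode", -1) != 0:
        raise RuntimeError(f"API error {resp.get('returnCode')}: {resp.get('returnMessage')}")
    return resp.get("data", {})


def example_policy_request():
    """The page's policy: list all queues, receive and batch-delete on one queue in Beijing."""
    root_uin, sub_uin = 1238423, 3232  # constructed sample uins from the page
    statements = [
        # a single action/resource need not be wrapped in a list (rule 2)
        {"effect": "allow", "action": "name/cmqqueue:ListQueue", "resource": "*"},
        {
            "effect": "allow",
            "action": ["name/cmqqueue:ReceiveMessage", "name/cmqqueue:BatchDeleteMessage"],
            "resource": [cmq_queue_resource(root_uin, sub_uin, "myqueue", REGION_BEIJING)],
        },
    ]
    para = create_cam_strategy_para("strategy1", statements, remark="horace test")
    return build_request("CreateCamStrategy", para, event_id=123456)


if __name__ == "__main__":
    print(json.dumps(example_policy_request(), indent=2))
    associate = operate_cam_strategy_para(666, 1, relate_uin=123456)
    print(json.dumps(build_request("OperateCamStrategy", associate, 123456), indent=2))
```

Keeping the policy statements scoped to explicit queue resources (rather than "*" for every action) limits what a leaked sub-user key can do, and the response check turns a non-zero returnCode into an exception instead of silently continuing.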

Call description

This description applies to permission management for all kinds of business users. When configuring CMQ, determine the relevant CMQ values according to the following instructions.

  1. principal may be left empty; users are then associated later through the policy association interface.
  2. When principal, action or resource has only one element, it does not need to be wrapped in [] .
  3. The resource description is usually six-segment, in the format qcs:project:serviceType:region:account:resource .
    • project: id/0* or id/* represents all projects. At authorization time an empty project means id/0; at authentication time an empty project can match any project. The default is empty.
    • serviceType: cos, cdn, vpc, etc.; * represents all services. Cannot be empty.
    • region: a region; an empty value means all regions. The other values are "gz", "st", "tj", "sh", "hk", "ca", "shjr" and "bj". The default is empty.
    • account: expressed as uin/${uin} or uid/${uid} . When empty, resources of services such as CDN and VPC are filled in as uin/${uin} , and resources of COS as uid/${uid} , where ${uin} or ${uid} is the uin or uid of the visitor. The default is empty.
      A special case is uin/-1 , which generally appears in default policies. When the table is expanded (show more), -1 is replaced with the developer's uin. Since a default policy only allows authorization of sub-accounts or roles, -1 can also be replaced directly with the root account uin to which the sub-account or role belongs.
    • resource consists of name/value, where name is the business's own definition of the resource: for cmq it is queueName or topicName, cos uses prefix, cdn uses host, and so on. * represents all resources and is normalized to the form */* . Cannot be empty.
    • Users and policies are also resources. The CAM root account is described as qcs::cam::uin/1238423:uin/1238423 , a CAM sub-account as qcs::cam::uin/1238423:uin/3236671 , and an anonymous user as qcs::cam::anonymous:anonymous .
    • If resource is empty, the operation needs no associated object; the system normalizes it to * .
    • Whether the uin or uid in the resource description is really the owner of the resource must be verified by the business. Verifying it after authentication passes is mandatory; verifying it at authorization time as well is recommended.
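The following is an added example, not Tencent Cloud's own code: it parses a six-segment description into its segments and applies the rules listed above (empty project at authorization versus authentication, the region list, the uin/ and uid/ account forms, normalization of "*" to "*/*" and of an empty resource to "*", substitution of uin/-1 with the root account uin), and implements the owner check that the last rule requires the business to perform. The function names, the phase parameter and the sample descriptions are constructed for this example; the region set and segment semantics are taken from the page.

```python
# Added example (not Tencent Cloud's code): parse, validate and normalize a
# six-segment resource description qcs:project:serviceType:region:account:resource.

REGIONS = {"gz", "st", "tj", "sh", "hk", "ca", "shjr", "bj"}  # from the call description
SEGMENTS = ("prefix", "project", "serviceType", "region", "account", "resource")
PHASES = ("authorization", "authentication")


def parse_resource(desc):
    """Split a description into its six segments and check each one's form.

    The last segment may itself contain ':' (e.g. name/cmqqueue:ListQueue-style
    values), so the split is limited to five separators.
    """
    parts = desc.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 segments, got {len(parts)}: {desc!r}")
    seg = dict(zip(SEGMENTS, parts))
    if seg["prefix"] != "qcs":
        raise ValueError("segment 1 must be the fixed prefix 'qcs'")
    if seg["project"] and not seg["project"].startswith("id/"):
        raise ValueError("project must be empty, id/<n>, id/0* or id/*")
    if not seg["serviceType"]:
        raise ValueError("serviceType cannot be empty")
    if seg["region"] and seg["region"] not in REGIONS:
        raise ValueError(f"unknown region {seg['region']!r}")
    acct = seg["account"]
    if acct and acct != "anonymous" and not (acct.startswith("uin/") or acct.startswith("uid/")):
        raise ValueError("account must be empty, uin/${uin}, uid/${uid} or anonymous")
    return seg


def normalize(desc, phase="authorization", root_uin=None):
    """Apply the normalization rules from the call description.

    phase="authorization": an empty project becomes id/0.
    phase="authentication": an empty project stays empty (matches any project).
    root_uin: the root account uin substituted for the uin/-1 placeholder.
    """
    if phase not in PHASES:
        raise ValueError(f"phase must be one of {PHASES}")
    seg = parse_resource(desc)
    if seg["project"] == "" and phase == "authorization":
        seg["project"] = "id/0"
    if seg["resource"] == "":
        seg["resource"] = "*"        # no associated object
    elif seg["resource"] == "*":
        seg["resource"] = "*/*"      # all resources, normalized name/value form
    if seg["account"] == "uin/-1":
        if root_uin is None:
            raise ValueError("uin/-1 placeholder needs the root account uin")
        seg["account"] = f"uin/{root_uin}"
    return seg


def to_string(seg):
    """Re-join segments into the colon-separated description."""
    return ":".join(seg[k] for k in SEGMENTS)


def owner_matches(desc, owner_id, visitor_id):
    """Business-side owner check: does the account segment name the real owner?

    owner_id is the resource's actual owner ('uin/...' or 'uid/...') as known to
    the business; an empty account segment stands for the visitor's own id.
    """
    seg = parse_resource(desc)
    account = seg["account"] or visitor_id
    return account == owner_id


if __name__ == "__main__":
    sample = "qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue"  # constructed
    print(parse_resource(sample))
    print(to_string(normalize("qcs::cmqqueue:bj:uin/1238423:*")))
    print(owner_matches(sample, "uin/1238423", "uin/3232"))
```

Rejecting malformed descriptions at parse time and always running owner_matches after authentication keeps a policy that names someone else's uin from granting access to that account's queues.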