Access Management

Last updated: 2020-06-05 11:00:35

    Overview

    CFS supports access management at the resource level, i.e., allowing the root account to grant users and user groups permissions to manipulate specified resources. After authorization, the CFS Console and APIs will allow or forbid operations performed by specified users based on permissions granted.
    This document describes how to configure read-only, read/write, and custom policies for CFS users. For more information on how Cloud Access Management (CAM) works and can be used, please see CAM Overview.

    Creating an Access Control Policy

    Log in to the CAM Console and enter the policy management page.

    • To grant users permissions quickly, do a search for CFS, select the preset read-only or read/write permissions and associate them with the specified user group.
    • If you need to grant users permissions for specific operations, you can create a custom policy and associate it with the specified user group.

    Full read/write permission policy

If you want to authorize users to perform all operations (create, read, update, and delete), you can associate them with the QcloudCFSFullAccess policy. Below is the policy syntax for using the preset QcloudCFSFullAccess policy to grant collaborators or subusers full read/write access to all CFS resources and VPC/subnet query permission:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "cfs:*"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "vpc:DescribeVpcEx",
                    "vpc:DescribeSubnetEx"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

    Read-only permission policy

    If you want to grant users permission to query but not create, modify, or delete resources, you can associate them with the QcloudCFSReadOnlyAccess policy. Below is the policy syntax for using the preset QcloudCFSReadOnlyAccess policy to grant collaborators or subusers read-only access to all CFS resources and VPC/subnet query permission:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "cfs:Describe*"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "vpc:DescribeVpcEx",
                    "vpc:DescribeSubnetEx"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

    Custom policy

    Custom policies allow more flexibility in permission management. The CAM Console offers multiple methods for generating custom policies. This example shows you how to create a custom policy by using a Policy Generator. For other methods, please see Creating Custom Policies.

    The CAM policy generator is very user friendly. You simply need to select the desired parameters, and policy code will be generated automatically. This is especially suitable for first-time CAM users.

    Log in to the CAM Policies Console, and select Create Custom Policy > Create by policy generator. Use the policy generator to create a custom policy to which you can add multiple statements. The configurations are described as below:

    | Parameter | Options and Effect |
    | ---- | ------------ |
    | Effect | Allow or Reject |
    | Service | Select CFS here |
    | Action | All CFS-supported actions |
    | Resource | All resources that can be manipulated; the supported resource formats are listed below this table |
    | Condition | Sets the condition that must be met for the created policy to take effect; please see Condition |

    Supported resource formats:

  • For all resources in CFS, enter *
  • For all resources in a specified region, use the format: qcs::cfs:ap-guangzhou::*
  • For all resources in all regions under a specified user account, use the format qcs::cfs::uin/27700000:*
  • For all file systems in a specified region under a specified user account, use the format qcs::cfs:ap-guangzhou:uin/27700000:filesystem/*
  • For file systems in a specified user group under a specified user account, use the format qcs::cfs::uin/27700000:pgroup/pgroup-doxpcqh
  • Note: the UIN in a policy must be a root account UIN. The file systems or permission group resources must belong to the root account.

    The APIs, API features, and notes for authorization are listed in the table below. You can set your resource permissions accordingly.

    | API Category | API Name | API Description | Permission Type | Note |
    | ---- | ---- | ---- | ---- | ---- |
    | Service APIs | SignUpCfsService | Activates the CFS service | Write permission | You do not need to specify resources when authorizing this API |
    | Service APIs | DescribeCfsServiceStatus | Queries whether the CFS service is activated | Read permission | You do not need to specify resources when authorizing this API |
    | File system APIs | DescribeCfsFileSystems | Lists file systems | Read permission | You need to specify the resources as * when authorizing this API |
    | File system APIs | CreateCfsFileSystem | Creates a file system | Write permission | You do not need to specify file system resources when authorizing this API |
    | File system APIs | UpdateCfsFileSystemName | Updates the file system name | Write permission | You need to specify file system resources when authorizing this API |
    | File system APIs | UpdateCfsFileSystemPGroup | Updates the permission group for a file system | Write permission | You need to specify file system resources when authorizing this API |
    | File system APIs | UpdateCfsFileSystemSizeLimit | Updates the file system quota | Write permission | You need to specify file system resources when authorizing this API |
    | File system APIs | DeleteCfsFileSystem | Deletes a file system | Write permission | You need to specify file system resources when authorizing this API |
    | File system APIs | DescribeMountTargets | Queries mount targets | Read permission | You need to specify file system resources when authorizing this API |
    | File system APIs | AddMountTarget | Creates a mount target | Write permission | You need to specify file system resources when authorizing this API |
    | File system APIs | DeleteMountTarget | Deletes a mount target | Write permission | You need to specify file system resources when authorizing this API |
    | Permission group APIs | DescribeCfsPGroups | Lists permission groups | Read permission | You need to specify the resources as * when authorizing this API |
    | Permission group APIs | CreateCfsPGroup | Creates a permission group | Write permission | You do not need to specify resources when authorizing this API |
    | Permission group APIs | UpdateCfsPGroup | Updates the information of a permission group | Write permission | You need to specify permission group resources when authorizing this API |
    | Permission group APIs | DeleteCfsPGroup | Deletes a permission group | Write permission | You need to specify permission group resources when authorizing this API |
    | Permission group APIs | DescribeCfsRules | Lists permission group rules | Read permission | You need to specify permission group resources when authorizing this API |
    | Permission group APIs | CreateCfsRule | Creates a permission group rule | Write permission | You need to specify permission group resources when authorizing this API |
    | Permission group APIs | UpdateCfsRule | Updates the information of a permission group rule | Write permission | You need to specify permission group resources when authorizing this API |
    | Permission group APIs | DeleteCfsRule | Deletes a permission group rule | Write permission | You need to specify permission group resources when authorizing this API |
    | Key APIs | DescribeKmsKeys | Queries KMS keys | Read permission | You need to specify the resources as * when authorizing this API |

    As CFS file systems use VPC IP addresses, permissions for the "vpc:DescribeVpcEx" and "vpc:DescribeSubnetEx" APIs are needed to create, list, and query file systems. We strongly recommend granting permissions for these two APIs on all VPC resources in every CFS authorization policy you write. See the QcloudCFSReadOnlyAccess policy statement above to learn how to write such a statement.
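    The resource requirements in the API table above and the VPC advice that follows it can be checked mechanically before a policy is bound. The following linter is an added example, not Tencent Cloud's code; it transcribes the table into a lookup and reports statements whose resource scope does not fit the actions they grant, and allow policies that omit the two VPC query actions.

```python
"""Added example, not Tencent Cloud code: lint a CFS CAM policy against the
resource requirements in the API table above and the VPC advice that follows."""
import fnmatch

# Resource requirement per CFS API, transcribed from the table above:
# "none": no resource needed; "star": resource must be "*";
# "filesystem" / "pgroup": a resource of that type (or "*") is required.
REQUIREMENTS = {
    "SignUpCfsService": "none", "DescribeCfsServiceStatus": "none",
    "DescribeCfsFileSystems": "star", "CreateCfsFileSystem": "none",
    "UpdateCfsFileSystemName": "filesystem", "UpdateCfsFileSystemPGroup": "filesystem",
    "UpdateCfsFileSystemSizeLimit": "filesystem", "DeleteCfsFileSystem": "filesystem",
    "DescribeMountTargets": "filesystem", "AddMountTarget": "filesystem",
    "DeleteMountTarget": "filesystem", "DescribeCfsPGroups": "star",
    "CreateCfsPGroup": "none", "UpdateCfsPGroup": "pgroup", "DeleteCfsPGroup": "pgroup",
    "DescribeCfsRules": "pgroup", "CreateCfsRule": "pgroup",
    "UpdateCfsRule": "pgroup", "DeleteCfsRule": "pgroup", "DescribeKmsKeys": "star",
}
VPC_ACTIONS = {"vpc:DescribeVpcEx", "vpc:DescribeSubnetEx"}

def resource_type(res):
    """'star' for a '*' scope, else the type segment: 'filesystem' or 'pgroup'."""
    last = res.split(":")[-1]            # e.g. "filesystem/cfs-11111111" or "*"
    return "star" if last == "*" else last.split("/")[0]

def lint_policy(policy):
    """Return human-readable findings for one CAM policy document (empty = clean)."""
    findings, seen, has_allow = [], set(), False
    for i, st in enumerate(policy["statement"]):
        actions = st["action"] if isinstance(st["action"], list) else [st["action"]]
        resources = st["resource"] if isinstance(st["resource"], list) else [st["resource"]]
        types = {resource_type(r) for r in resources}
        has_allow = has_allow or st["effect"].lower() == "allow"
        for act in actions:
            name = act.split("/", 1)[-1] if act.startswith("name/") else act
            seen.add(name)
            if not name.startswith("cfs:"):
                continue
            # Expand wildcards such as cfs:Describe* against the known API names.
            for api in fnmatch.filter(REQUIREMENTS, name[len("cfs:"):]):
                need = REQUIREMENTS[api]
                if need in ("filesystem", "pgroup") and not types & {need, "star"}:
                    findings.append(f"statement {i}: {api} needs a {need} resource or '*'")
                elif need == "star" and "star" not in types:
                    findings.append(f"statement {i}: {api} must be authorized with resource '*'")
    if has_allow and not VPC_ACTIONS <= seen:
        findings.append("allow policy lacks vpc:DescribeVpcEx / vpc:DescribeSubnetEx")
    return findings
```

    Running it over the preset QcloudCFSReadOnlyAccess policy shown above yields no findings; a statement that grants DeleteCfsFileSystem on a pgroup resource is reported.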

    After setting the above parameters, click Add Statement to add a statement to the custom policy. Repeat these steps to add multiple statements. If the policy already exists or conflicts with other policies, see Syntax Structure.

    A policy should be written in the following format. There can be multiple statements in one policy.

    {
        "version": "2.0",
        "statement": [{
            "effect": "Effect",
            "action": [
                "Action"
            ],
            "resource": "Resource"
        }]
    }

    For example, the policy syntax for prohibiting users from deleting certain file systems and updating quotas is as follows:

    {
        "version": "2.0",
        "statement": [{
            "effect": "deny",
            "action": [
                "name/cfs:DeleteCfsFileSystem",
                "name/cfs:UpdateCfsFileSystemSizeLimit"
            ],
            "resource": [
                "qcs::cfs::uin/2779643970:filesystem/cfs-11111111",
                "qcs::cfs::uin/2779643970:filesystem/cfs-22222222",
                "qcs::cfs::uin/2779643970:filesystem/cfs-33333333"
            ]
        }]
    }
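    To see how the action and resource formats on this page combine when a deny statement like the one above is bound alongside a preset such as QcloudCFSFullAccess, the following small evaluator is an added example, not Tencent Cloud's code. It assumes that an explicit deny takes precedence over any allow, and that an empty region or UIN segment in a qcs:: resource description matches any value; the policies it checks are constructed from the ones shown above.

```python
"""Added example, not Tencent Cloud code: evaluate a CFS request against CAM
policies. Assumes explicit deny beats allow and empty qcs segments match any."""
import fnmatch

def action_matches(pattern, action):
    """Match 'cfs:Describe*' or 'name/cfs:DeleteCfsFileSystem' against an action."""
    if pattern.startswith("name/"):      # prefix form used in this page's deny example
        pattern = pattern[len("name/"):]
    return fnmatch.fnmatchcase(action, pattern)

def resource_matches(pattern, resource):
    """Match a six-segment qcs::cfs:region:uin/xxx:type/id description."""
    if pattern == "*":
        return True
    p, r = pattern.split(":"), resource.split(":")
    if len(p) != 6 or len(r) != 6:
        return False
    # An empty region or uin segment in the pattern matches any value (assumption).
    return all(sp == "" or fnmatch.fnmatchcase(sr, sp) for sp, sr in zip(p, r))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource):
    """Return 'deny', 'allow' or 'implicit deny' for one (action, resource) pair."""
    decision = "implicit deny"           # nothing grants it unless an allow matches
    for policy in policies:
        for st in policy["statement"]:
            if not any(action_matches(a, action) for a in _as_list(st["action"])):
                continue
            if not any(resource_matches(r, resource) for r in _as_list(st["resource"])):
                continue
            if st["effect"].lower() == "deny":
                return "deny"            # explicit deny wins over every allow
            decision = "allow"
    return decision

# Constructed inputs: the page's full-access preset plus its deny example.
FULL_ACCESS = {"version": "2.0", "statement": [
    {"action": ["cfs:*"], "resource": "*", "effect": "allow"}]}
DENY_DELETE = {"version": "2.0", "statement": [{
    "effect": "deny",
    "action": ["name/cfs:DeleteCfsFileSystem", "name/cfs:UpdateCfsFileSystemSizeLimit"],
    "resource": ["qcs::cfs::uin/2779643970:filesystem/cfs-11111111"]}]}
PROTECTED = "qcs::cfs:ap-guangzhou:uin/2779643970:filesystem/cfs-11111111"
```

    With both policies bound, deleting cfs-11111111 is denied while deleting any other file system and all Describe calls remain allowed; with only the deny policy bound, nothing is granted at all.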

    Authorizing a User/User Group

    If you wish to grant an existing permission, you can do a search for QcloudCFSFullAccess, QcloudCFSReadOnlyAccess, or a custom policy and click Bind User/Group in the "Operation" column. Then, locate and select the user or user group that needs to be authorized and click OK.

    Deauthorizing a User/User Group

    If you need to deauthorize a user/user group, click the policy name to go to the policy details page. Select the user or user group under the User/User Group tab and click Remove User or Remove Group. Click OK in the pop-up confirmation box. The user/user group’s CFS permissions will be revoked.