Conditions for Taking Effect

Last updated: 2019-12-25 16:44:06


Application scenario

In many cases, a policy needs conditions for tighter access control. A conditional policy only takes effect when the configured conditions are met.
Scenario 1: to restrict the source addresses from which a user may call a cloud API, add an IP condition to the existing policy.
Scenario 2: when a CAM user calls the VPC peering connection API, besides checking whether the user has permission for the peering connection API and resources, CAM also checks that the user has access permission for the VPC associated with the peering connection.

Syntax structure

The syntax structure of a condition is shown in the following figure. A condition block consists of one or more sub-blocks. Each sub-block corresponds to a single conditional operator and one or more condition keys, and each condition key holds one or more condition values.

Evaluation logic

The evaluation logic that enables a conditional policy to take effect is as follows:

  1. A condition key can contain multiple condition values. The condition is met when the key's value in the request context matches any one of these condition values under the associated conditional operator.

  2. If a sub-condition block has multiple condition keys, the sub-condition is met only when the conditions for all of its condition keys are satisfied.

  3. If a condition block contains multiple sub-condition blocks, the entire condition is met only when every sub-condition block is satisfied.

  4. For a conditional operator ending in _if_exist, the condition is also met when the context does not include the condition key associated with the conditional operator.

  5. "for_all_value" is a qualifier that restricts the conditional operator. It applies when the condition key in the context contains multiple values: the condition is satisfied only when every value of the condition key matches under the associated conditional operator.

  6. "for_any_value" is a qualifier that restricts the conditional operator. It applies when the condition key in the context contains multiple values: the condition is satisfied when any value of the condition key matches under the associated conditional operator.

Use case

In the following example, the user must be in the 10.217.182.3/24 or 111.21.33.72/24 IP range to call the cos:PutObject API, as shown in the following policy:

{
    "version": "2.0",
    "statement":[
    {
        "effect": "allow",
        "action": "cos:PutObject",
        "resource": "*",
        "condition": {
            "ip_equal": {
                "qcs:ip": [
                    "10.217.182.3/24",
                    "111.21.33.72/24"
                ]
            }
        }
    }
    ]
}
In the following example, the VPC region must be Shanghai in order for it to be bound to a specified NAT gateway.

{
    "version": "2.0",
    "statement": [
    {
        "effect": "allow",
        "action": "name/vpc:AcceptVpcPeeringConnection",
        "resource": "qcs::vpc:sh::pcx/2341",
        "condition": {
            "string_equal_if_exist": {
                "vpc:region": "sh"
            }
        }
    }
    ]
}
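To make the six evaluation rules and the two policies above concrete, here is a small reference evaluator. It is an added example written for this page, not Tencent Cloud's own policy engine: it implements the rules exactly as stated above (any condition value per key, all keys per sub-block, all sub-blocks, the _if_exist suffix, and the for_all_value / for_any_value qualifiers), and assumes the qualifier is written as a "for_all_value:" or "for_any_value:" prefix on the operator name. The sample policies and request contexts are constructed; null_equal is left out because its semantics are not fully specified on this page.

```python
"""Reference evaluator for CAM-style condition blocks (added example, not Tencent Cloud code)."""
import fnmatch
import ipaddress
from datetime import datetime


def _dt(value):
    # Notes require ISO 8601 in UTC; "Z" is normalised so fromisoformat() accepts it
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _in_cidr(ip, cidr):
    # strict=False accepts host-style CIDRs such as 10.217.182.3/24 as written on this page
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# Each operator compares one context value (a) with one condition value (b).
OPERATORS = {
    "string_equal": lambda a, b: str(a) == str(b),
    "string_not_equal": lambda a, b: str(a) != str(b),
    "string_equal_ignore_case": lambda a, b: str(a).lower() == str(b).lower(),
    "string_not_equal_ignore_case": lambda a, b: str(a).lower() != str(b).lower(),
    "string_like": lambda a, b: fnmatch.fnmatchcase(str(a), str(b)),
    "string_not_like": lambda a, b: not fnmatch.fnmatchcase(str(a), str(b)),
    "date_not_equal": lambda a, b: _dt(a) != _dt(b),
    "date_greater_than": lambda a, b: _dt(a) > _dt(b),
    "date_greater_than_equal": lambda a, b: _dt(a) >= _dt(b),
    "date_less_than": lambda a, b: _dt(a) < _dt(b),
    "date_less_than_equal": lambda a, b: _dt(a) <= _dt(b),
    "ip_equal": _in_cidr,
    "ip_not_equal": lambda a, b: not _in_cidr(a, b),
    "numeric_equal": lambda a, b: float(a) == float(b),
    "numeric_not_equal": lambda a, b: float(a) != float(b),
    "numeric_greater_than": lambda a, b: float(a) > float(b),
    "numeric_greater_than_equal": lambda a, b: float(a) >= float(b),
    "numeric_less_than": lambda a, b: float(a) < float(b),
    "numeric_less_than_equal": lambda a, b: float(a) <= float(b),
    "bool_equal": lambda a, b: str(a).lower() == str(b).lower(),
}


def _split_operator(name):
    """'for_all_value:string_equal_if_exist' -> ('for_all_value', 'string_equal', True). Prefix syntax is assumed."""
    qualifier = None
    if ":" in name:
        qualifier, name = name.split(":", 1)
    if_exist = name.endswith("_if_exist")
    if if_exist:
        name = name[: -len("_if_exist")]
    return qualifier, name, if_exist


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_met(condition, context):
    """Apply evaluation rules 1-6 to a condition block against a request context."""
    for op_name, keys in condition.items():                 # rule 3: every sub-block must hold
        qualifier, base, if_exist = _split_operator(op_name)
        op = OPERATORS[base]
        for key, cond_values in keys.items():               # rule 2: every key must hold
            if key not in context:
                if if_exist:
                    continue                                # rule 4: missing key is accepted
                return False
            ctx_values = _as_list(context[key])
            def matches(v, op=op, cvs=_as_list(cond_values)):
                return any(op(v, c) for c in cvs)           # rule 1: any condition value
            if qualifier == "for_all_value":                # rule 5
                ok = all(matches(v) for v in ctx_values)
            else:                                           # rule 6, or a single-valued key
                ok = any(matches(v) for v in ctx_values)
            if not ok:
                return False
    return True


def policy_allows(policy, action, resource, context):
    """Deny overrides allow; a statement applies only if action, resource and condition all match."""
    allowed = False
    for st in policy["statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("resource", "*"))):
            continue
        if not condition_met(st.get("condition", {}), context):
            continue
        if st["effect"] == "deny":
            return False
        allowed = True
    return allowed


# Constructed samples: the two policies from this page plus a tag policy using a qualifier.
IP_POLICY = {"version": "2.0", "statement": [{"effect": "allow", "action": "cos:PutObject",
    "resource": "*", "condition": {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}}}]}
VPC_POLICY = {"version": "2.0", "statement": [{"effect": "allow",
    "action": "name/vpc:AcceptVpcPeeringConnection", "resource": "qcs::vpc:sh::pcx/2341",
    "condition": {"string_equal_if_exist": {"vpc:region": "sh"}}}]}
TAG_POLICY = {"version": "2.0", "statement": [{"effect": "allow", "action": "cvm:*", "resource": "*",
    "condition": {"for_all_value:string_equal": {"qcs:tag/env": ["prod", "staging"]}}}]}

if __name__ == "__main__":
    print(policy_allows(IP_POLICY, "cos:PutObject", "qcs::cos:bucket/a", {"qcs:ip": "10.217.182.77"}))
    print(policy_allows(VPC_POLICY, "name/vpc:AcceptVpcPeeringConnection", "qcs::vpc:sh::pcx/2341", {}))
```

Two points worth noticing when running it: the VPC policy grants access when `vpc:region` is absent from the context, which is exactly what rule 4 (_if_exist) permits, so use an _if_exist operator only when a missing key is an acceptable outcome; and because rule 1 is applied literally, a negated operator such as ip_not_equal with several values is satisfied when the address lies outside any one of them, so check the service's documentation before relying on multi-valued negated conditions.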

Conditional Operator List

The following table lists the conditional operators, the condition names they are typically used with, and an example of each. For the custom condition keys supported by individual products, see the corresponding product documentation.

| Conditional operator | Description | Condition name | Example |
| --- | --- | --- | --- |
| string_equal | String is equal to (case-sensitive) | qcs:tag | {"string_equal":{"qcs:tag/tag_name1":"tag_value1"}} |
| string_not_equal | String is not equal to (case-sensitive) | qcs:tag | {"string_not_equal":{"qcs:tag/tag_name1":"tag_value1"}} |
| string_equal_ignore_case | String is equal to (case-insensitive) | qcs:tag | {"string_equal_ignore_case":{"qcs:tag/tag_name1":"tag_value1"}} |
| string_not_equal_ignore_case | String is not equal to (case-insensitive) | qcs:tag | {"string_not_equal_ignore_case":{"qcs:tag/tag_name1":"tag_value1"}} |
| string_like | String matches (case-sensitive) | qcs:tag | {"string_like":{"qcs:tag/tag_name1":"tag_value1"}} |
| string_not_like | String does not match (case-sensitive) | qcs:tag | {"string_not_like":{"qcs:tag/tag_name1":"tag_value1"}} |
| date_not_equal | Date is not equal to | qcs:current_time | {"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
| date_greater_than | Date is later than | qcs:current_time | {"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
| date_greater_than_equal | Date is later than or equal to | qcs:current_time | {"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
| date_less_than | Date is earlier than | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
| date_less_than_equal | Date is earlier than or equal to | qcs:current_time | {"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
| ip_equal | IP is equal to | qcs:ip | {"ip_equal":{"qcs:ip":"10.121.2.10/24"}} |
| ip_not_equal | IP is not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip":["10.121.2.10/24","10.121.2.20/24"]}} |
| numeric_equal | Value is equal to | qcs:mfa | {"numeric_equal":{"mfa":1}} |
| numeric_not_equal | Value is not equal to | qcs:mfa | {"numeric_not_equal":{"mfa":1}} |
| numeric_greater_than | Value is greater than | - | {"numeric_greater_than":{"cvm_system_disk_size":10}} |
| numeric_greater_than_equal | Value is greater than or equal to | - | {"numeric_greater_than_equal":{"cvm_system_disk_size":10}} |
| numeric_less_than | Value is less than | - | {"numeric_less_than":{"cvm_system_disk_size":10}} |
| numeric_less_than_equal | Value is less than or equal to | - | {"numeric_less_than_equal":{"cvm_system_disk_size":10}} |
| bool_equal | Boolean matches | - | - |
| null_equal | Condition key matches empty string | - | - |

Notes:

  1. Dates use the ISO 8601 format in UTC.

  2. IP addresses must be written in CIDR notation.

  3. A conditional operator (excluding null_equal) ending in _if_exist indicates that the condition is also met when the context does not include the corresponding key.

  4. "for_all_value" is a qualifier used together with a conditional operator; the condition is satisfied only when every value of the condition key in the context meets the operator's requirement.

  5. "for_any_value" is a qualifier used together with a conditional operator; the condition is satisfied when any value of the condition key in the context meets the operator's requirement.

  6. Some services do not support or only partially support conditions. For more information, see the product documentation.