Conditions for Taking Effect

Last updated: 2020-02-25 16:26:55


Use Cases

In many scenarios, the conditions under which a created policy takes effect need to be constrained further.
Scenario 1: when a CAM user calls a cloud API, the source of the user's access needs to be restricted, so an IP condition is added on top of the existing policy.
Scenario 2: when a CAM user calls the VPC peering connection API, besides checking whether the CAM user has permission for the peering connection API and the peering connection resource, it is also necessary to confirm whether the CAM user has access permission for the VPC associated with the peering connection.

Syntax structure

The syntax structure of an effective condition is shown in the following figure. A condition block can consist of several sub-condition blocks (sub blocks). Each sub block corresponds to one condition operator and several condition keys, and each condition key corresponds to several condition values.

Evaluation logic

The evaluation logic for whether a condition takes effect is as follows:

  1. A condition key can correspond to multiple condition values. The condition takes effect as long as the corresponding key value in the context information satisfies any one of the condition values under the associated condition operator.

  2. When a sub-condition block contains multiple condition keys, the sub-condition block takes effect only when the condition corresponding to each condition key takes effect.

  3. When there are multiple sub-condition blocks, the entire condition takes effect only if each sub-condition block takes effect.

  4. For condition operators carrying the _if_exist suffix, the condition takes effect even if the context information does not contain the condition key associated with the operator.

  5. For condition operators qualified by for_all_value:, which apply when the condition key in the context information has multiple values, the entire condition takes effect only if each value of the condition key in the context information satisfies the associated condition operator.

  6. For condition operators qualified by for_any_value:, which apply when the condition key in the context information has multiple values, the entire condition takes effect as long as any value of the condition key in the context information satisfies the associated condition operator.

Usage Examples

  1. The following example allows the user to call the cloud API cos:PutObject only when the request comes from the 10.217.182.3/24 or 111.21.33.72/24 IP range.

{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cos:PutObject",
            "resource": "*",
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.217.182.3/24",
                        "111.21.33.72/24"
                    ]
                }
            }
        }
    ]
}

  2. The following example allows a VPC to bind the specified peering connection; the region of the VPC must be Shanghai (sh).

{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "name/vpc:AcceptVpcPeeringConnection",
            "resource": "qcs::vpc:sh::pcx/2341",
            "condition": {
                "string_equal_if_exist": {
                    "vpc:region": "sh"
                }
            }
        }
    ]
}
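To make the evaluation rules above and the two usage examples concrete, here is an added illustrative evaluator (written for this page, not Tencent Cloud CAM's own code). It implements the OR-within-a-key, AND-across-keys, AND-across-sub-blocks logic, the _if_exist suffix and the for_all_value:/for_any_value: qualifiers for a subset of the operator table; treating string_like as a glob match and an unqualified operator on a multi-valued key as "any value" are assumptions of this example.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Added illustrative evaluator (not CAM's implementation). Rules modelled: values
# under one key are OR-ed, keys in a sub-block are AND-ed, sub-blocks are AND-ed,
# "_if_exist" passes when its key is absent, for_all_value:/for_any_value: qualify
# keys that carry several values in the context.

def _date(s):  # ISO 8601 UTC, e.g. "2016-06-01T00:01:00Z" (note 1 of the page)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# A subset of the operator table: each takes (context value, policy value).
OPERATORS = {
    "string_equal": lambda c, p: c == p,
    "string_equal_ignore_case": lambda c, p: c.lower() == p.lower(),
    "string_like": lambda c, p: fnmatch.fnmatchcase(c, p),  # glob match: assumption
    "date_less_than": lambda c, p: _date(c) < _date(p),
    "date_greater_than_equal": lambda c, p: _date(c) >= _date(p),
    # CIDR containment: the caller's IP must fall inside the policy network (note 2)
    "ip_equal": lambda c, p: ipaddress.ip_address(c) in ipaddress.ip_network(p, strict=False),
    "numeric_greater_than_equal": lambda c, p: float(c) >= float(p),
    "bool_equal": lambda c, p: bool(c) == bool(p),
}

def evaluate_condition(condition, context):
    """True when every sub-condition block of `condition` holds for `context`."""
    for operator_name, keys in condition.items():
        qualifier, _, op = operator_name.rpartition(":")  # "for_all_value:" etc.
        if_exist = op.endswith("_if_exist")
        test = OPERATORS[op[:-len("_if_exist")] if if_exist else op]
        for key, policy_values in keys.items():
            if not isinstance(policy_values, list):
                policy_values = [policy_values]
            if key not in context:
                if if_exist:
                    continue  # rule 4: a missing key does not block an _if_exist operator
                return False
            ctx_values = context[key] if isinstance(context[key], list) else [context[key]]
            # rule 1: a context value matches if ANY policy value satisfies the operator
            hits = [any(test(c, p) for p in policy_values) for c in ctx_values]
            # rules 5/6: for_all_value needs every context value to hit; for_any_value
            # (and, by this example's assumption, an unqualified operator) needs one
            if not (all(hits) if qualifier == "for_all_value" else any(hits)):
                return False  # rules 2 and 3: every key and every sub-block must hold
    return True

# The condition blocks of the page's two policies, for evaluation against a context.
IP_CONDITION = {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}}
REGION_CONDITION = {"string_equal_if_exist": {"vpc:region": "sh"}}
```

Evaluating REGION_CONDITION against a context with no vpc:region key returns True, which is exactly the _if_exist behaviour of rule 4: a policy author who wants the region check to be mandatory should use string_equal instead.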

List of condition operators

The following table lists each condition operator, its meaning, the condition key it is typically used with, and an example. For the condition keys defined by each product, refer to the corresponding product documentation.

Condition operator | Meaning | Condition key | Example
--- | --- | --- | ---
string_equal | String equals (case-sensitive) | qcs:tag | {"string_equal": {"qcs:tag/tag_name1": "tag_value1"}}
string_not_equal | String does not equal (case-sensitive) | qcs:tag | {"string_not_equal": {"qcs:tag/tag_name1": "tag_value1"}}
string_equal_ignore_case | String equals (case-insensitive) | qcs:tag | {"string_equal_ignore_case": {"qcs:tag/tag_name1": "tag_value1"}}
string_not_equal_ignore_case | String does not equal (case-insensitive) | qcs:tag | {"string_not_equal_ignore_case": {"qcs:tag/tag_name1": "tag_value1"}}
string_like | String matches (case-sensitive) | qcs:tag | {"string_like": {"qcs:tag/tag_name1": "tag_value1"}}
string_not_like | String does not match (case-sensitive) | qcs:tag | {"string_not_like": {"qcs:tag/tag_name1": "tag_value1"}}
date_not_equal | Time does not equal | qcs:current_time | {"date_not_equal": {"qcs:current_time": "2016-06-01T00:01:00Z"}}
date_greater_than | Time is later than | qcs:current_time | {"date_greater_than": {"qcs:current_time": "2016-06-01T00:01:00Z"}}
date_greater_than_equal | Time is later than or equal to | qcs:current_time | {"date_greater_than_equal": {"qcs:current_time": "2016-06-01T00:01:00Z"}}
date_less_than | Time is earlier than | qcs:current_time | {"date_less_than": {"qcs:current_time": "2016-06-01T00:01:00Z"}}
date_less_than_equal | Time is earlier than or equal to | qcs:current_time | {"date_less_than_equal": {"qcs:current_time": "2016-06-01T00:01:00Z"}}
ip_equal | IP equals | qcs:ip | {"ip_equal": {"qcs:ip": "10.121.2.10/24"}}
ip_not_equal | IP does not equal | qcs:ip | {"ip_not_equal": {"qcs:ip": ["10.121.2.10/24", "10.121.2.20/24"]}}
numeric_not_equal | Numeric value does not equal | qcs:mfa | {"numeric_not_equal": {"mfa": 1}}
numeric_greater_than | Numeric value is greater than | - | {"numeric_greater_than": {"cvm_system_disk_size": 10}}
numeric_greater_than_equal | Numeric value is greater than or equal to | - | {"numeric_greater_than_equal": {"cvm_system_disk_size": 10}}
numeric_less_than | Numeric value is less than | - | {"numeric_less_than": {"cvm_system_disk_size": 10}}
numeric_less_than_equal | Numeric value is less than or equal to | - | {"numeric_less_than_equal": {"cvm_system_disk_size": 10}}
numeric_equal | Numeric value equals | qcs:mfa | {"numeric_equal": {"mfa": 1}}
bool_equal | Boolean value matches | - | -
null_equal | Condition key is empty | - | -

Note:

  1. Dates are expressed according to the ISO 8601 standard and must use UTC time.

  2. IP addresses must conform to the CIDR specification.

  3. A condition operator (except null_equal) carrying the _if_exist suffix still takes effect even if the context information does not contain the corresponding key.

  4. The for_all_value: qualifier, used together with a condition operator, requires that every value of the condition key in the context information meets the requirement.

  5. The for_any_value: qualifier, used together with a condition operator, means the condition takes effect as soon as any value of the condition key in the context information meets the requirement.

  6. Some services do not support conditions, or support only some of them. For details, refer to the documentation of the respective service.