Project Policy是日志服务推出的针对Project的授权策略,您可以通过Project Policy授权其他用户访问您指定的日志服务资源。
使用前须知
通过策略语法的方式配置Project Policy前,您需要先了解Action、Resource以及Condition分类信息。更多信息,请参见资源列表、动作列表和鉴权规则。
配置Project Policy时,如果授权用户选择了匿名账号(*),且不包含Condition的情况下,则Project Policy仅对Project Owner以外的所有用户生效。如果授权用户选择了匿名账号(*),且包含Condition的情况下,则Project Policy会对包含Project Owner在内的所有用户生效。
您可以添加多条Project Policy,但所有Project Policy的大小不允许超过16 KB。
使用示例
示例一:仅允许指定VPC ID的用户访问某个Project资源。
下述权限策略表示仅允许来自VPC ID为t4nlw426y44rd3iq4****的请求访问名为example-project的Project 。
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "log:*" ], "Principal": [ "*" ], "Resource": "acs:log:*:*:project/example-project/*", "Condition": { "StringNotEquals": { "acs:SourceVpc": [ "vpc-t4nlw426y44rd3iq4****" ] } } } ] }示例二:拒绝通过公网写入日志到Project。
下述权限策略表示拒绝使用公网写入日志到名为exampleproject的Project。
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "log:PostLogStoreLogs" ], "Principal": [ "*" ], "Resource": "acs:log:*:*:project/exampleproject/*", "Condition": { "StringNotEquals": { "acs:SourceVpc": [ "vpc-*" ] } } } ] }示例三:限制访问来源IP地址。
下述权限策略表示只能通过192.168.0.0/16和172.16.215.218这两个IP地址访问名为exampleproject的Project。
{ "Version":"1", "Statement":[ { "Effect":"Deny", "Action":[ "*" ], "Principal":[ "*" ], "Resource":"acs:log:*:*:project/exampleproject/*", "Condition":{ "NotIpAddress":{ "acs:SourceIp":[ "192.168.0.0/16", "172.16.215.218" ] } } } ] }
使用Java SDK操作Project Policy
使用Java SDK创建、删除、获取创建的Project Policy。示例如下:
public class ProjectPolicyDemo { // 本示例从环境变量中获取AccessKey ID和AccessKey Secret static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"); static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"); static String endPoint = "your-endpoint"; static String projectName = "your-project"; // Policy内容。 static String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:Post*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Effect\":\"Deny\"}]}"; static Client client = new Client(endPoint, accessKeyId, accessKey); public static void main(String[] args) throws LogException { client.CreateProject(projectName, ""); client.setProjectPolicy(projectName, policyText); client.getProjectPolicy(projectName); Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText()); client.deleteProjectPolicy(projectName); Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText()); client.DeleteProject(projectName); } }限制公网访问。示例如下:
public class ProjectPolicyDemo { // 本示例从环境变量中获取AccessKey ID和AccessKey Secret static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"); static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"); static String endPoint = "your-endpoint"; static String projectName = "your-project"; static Client client = new Client(endPoint, accessKeyId, accessKey); public static void main(String[] args) throws LogException { client.CreateProject(projectName, ""); try { client.GetProject(projectName); } catch (LogException e) { Assert.fail("should not fail : " + e.GetErrorCode()); } String policyText = "{ \"Version\": \"1\",\n" + " \"Statement\": [{" + " \"Action\": [\"log:*\"]," + " \"Resource\": \"*\",\n" + " \"Condition\": {\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}}," + " \"Effect\": \"Deny\"}] }"; client.setProjectPolicy(projectName, policyText); try { client.GetProject(projectName); Assert.fail("should fail"); } catch (LogException e) { Assert.assertEquals("Unauthorized", e.getErrorCode()); } } }