权限策略示例
完全访问所有资源(resources 和 actions 均为 "<.*>",不限制任何资源和操作;仅应授予确实需要完全管理权限的角色)
{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
只读所有资源(actions 中的 "<.*>Get<.*>" 匹配所有名称中包含 Get 的操作)
{
"statement": [
{
"resources": [
"<.*>"
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}
只读指定网关组
注意:下面第二条 statement 的 actions 为 "<.*>",即允许对该网关组下的已发布服务执行所有操作,这与“只读”不一致;如需严格只读,该处也应使用 "<.*>Get<.*>"。
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id}",
"arn:api7:gateway:gatewaygroup/{gateway group id}"
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>",
"arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
完全访问指定网关组
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id}",
"arn:api7:gateway:gatewaygroup/{gateway group id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>"
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
服务管理员(可对特定服务执行以下操作)
- 直接在所有网关组上修改特定服务;
- 修改服务中心中特定服务的模板,然后发布到所有网关组;
- 将特定服务从一个网关组同步到另一个网关组。
{
"statement": [
{
"resources": [
"arn:api7:gateway:servicetemplate/{service id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/{service id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup"
],
"effect": "allow"
}
]
}
如果需要管理多个带有相同标签的服务,也可以改用标签条件(conditions)来匹配服务。此时授权范围由标签决定,因此应同时限制谁可以修改服务的标签:
{
"statement": [
{
"resources": [
"arn:api7:gateway:servicetemplate/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>/publishedservice/<.*>"
],
"actions": [
"<.*>"
],
"conditions": {
"service_label": {
"type": "MatchLabel",
"options": {
"key": "team",
"operator": "exact_match",
"value": "enterprise"
}
}
},
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/<.*>"
],
"actions": [
"gateway:GetGatewayGroup"
],
"effect": "allow"
}
]
}