When using custom permission policies, you can adopt the following policy templates according to your use case:
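Module | Use case |
Overall (best practice) | Use tags to classify topics, machine groups and dashboards, and configure permissions by tag |
Data collection | |
Topic management and search and analysis | Viewing/managing topics and search and analysis in the console; Search and analysis via API |
Dashboards | |
Monitoring and alarms | |
Data processing | Data transformation; Scheduled SQL analysis |
Data shipping/consumption | Shipping to Ckafka; Shipping to COS; Shipping to SCF; Consumption over the Kafka protocol; Metric shipping; Custom consumption |
DataSight standalone console | Manage DataSight |
Developer | Use CLS through Grafana |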
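Overall (best practice)
Use tags to classify topics, machine groups and dashboards, and configure permissions by tag. Assign a tag to each resource when you create it; users then have management or read-only permission only on resources that carry the specified tag. This makes it easy to manage the many resource types in CLS in bulk.
Management permission on resources with a specified tag
Note:
Remove the comments from this policy before using it.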
{
  "statement": [
    {
      "action": [
        // Required read-only permissions for related products
        "monitor:GetMonitorData", "monitor:DescribeBaseMetrics",
        "cam:ListGroups", "cam:GetGroup", "cam:DescribeSubAccountContacts",
        "cam:ListAttachedRolePolicies", "cam:GetRole",
        "vpc:DescribeSubnetEx", // Required when creating a DataSight with private network access
        "vpc:DescribeVpcEx", // Required when creating a DataSight with private network access
        "tag:TagResources", "tag:DescribeResourceTagsByResourceIds",
        "tag:GetTags", "tag:GetTagKeys", "tag:GetTagValues",
        "kms:GetServiceStatus"
      ],
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // When creating dashboards, logsets, topics, alarm policies, notification channel groups,
        // machine groups and DataSight, users must bind the specified tag, for example testCAM:test1.
        // Tag restrictions are not yet supported when creating other resource types.
        "cls:CreateDashboard", "cls:CreateLogset", "cls:CreateTopic",
        "cls:CreateAlarm", "cls:CreateAlarmNotice", "cls:CreateMachineGroup",
        "cls:CreateConsole"
      ],
      "condition": {"for_any_value:string_equal": {"qcs:request_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // When a resource has the specified tag, the user has permission for all related APIs
        // (the API must support tag-based permission restriction).
        "cls:*"
      ],
      "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited.
        // The following APIs are mainly read operations; a few auxiliary APIs are write operations.
        // None of them affects the security of the product's core data.
        "cls:CheckAlarmChannel", "cls:CheckAlarmRule", "cls:CheckDomainRepeat",
        "cls:CheckFunction", "cls:CheckRechargeKafkaServer",
        "cls:DescribeClsPrePayDetails", "cls:DescribeClsPrePayInfos",
        "cls:DescribeConfigMachineGroups", "cls:DescribeConfigs", "cls:DescribeAgentConfigs",
        "cls:DescribeTopicExtendConfig",
        "cls:DescribeDataTransformFailLogInfo", "cls:DescribeDataTransformInfo",
        "cls:DescribeDataTransformPreviewDataInfo", "cls:DescribeDataTransformPreviewInfo",
        "cls:DescribeDataTransformProcessInfo",
        "cls:DescribeDemonstrations", "cls:DescribeExceptionResources",
        "cls:DescribeExternalDataSourcePreview", "cls:DescribeFunctions",
        "cls:DescribeResources", "cls:DescribeShipperPreview",
        "cls:DescribeScheduledSqlProcessInfo", "cls:DescribeConfigurationTemplates",
        "cls:DescribeFolders", "cls:GetClsService",
        "cls:GetConfigurationTemplateApplyLog", "cls:PreviewKafkaRecharge",
        "cls:agentHeartBeat", "cls:CreateDemonstrations", "cls:DeleteDemonstrations",
        "cls:DescribeNoticeContents", "cls:DescribeWebCallbacks"
      ],
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited.
        // The following APIs involve write operations on core functions. Grant them only to the few users
        // who need them; you can delete the APIs you do not need to authorize.
        "cls:RealtimeProducer", // Upload data over Kafka
        "cls:CreateConfigurationTemplate", // Configuration template APIs
        "cls:ModifyConfigurationTemplate", "cls:DeleteConfigurationTemplate",
        "cls:CreateFolder", // Folder APIs
        "cls:ModifyFolder", "cls:DeleteFolder", "cls:ModifyResourceAndFolderRelation",
        "cls:CreateDataTransform", // Data transformation APIs
        "cls:ModifyDataTransform", "cls:DeleteDataTransform",
        "cls:RetryShipperTask", // COS shipping APIs
        "cls:ModifyDashboardSubscribeAck", // Dashboard subscription APIs
        "cls:DeleteDashboardSubscribe",
        "cls:ModifyConfigExtra", // Collection configuration APIs
        "cls:DeleteConfigExtra",
        "cls:RemoveMachine", // Machine group APIs
        "cls:UpgradeAgentNormal",
        "cls:CreateNoticeContent", // Alarm notification content template APIs
        "cls:DeleteNoticeContent", "cls:ModifyNoticeContent",
        "cls:CreateWebCallback", // Alarm integration configuration APIs
        "cls:ModifyWebCallback", "cls:DeleteWebCallback"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ],
  "version": "2.0"
}
Read-only permission on resources with a specified tag
Note:
Remove the comments from this policy before using it.
{
  "statement": [
    {
      "action": [
        // Required read-only permissions for related products
        "monitor:GetMonitorData", "monitor:DescribeBaseMetrics",
        "cam:ListGroups", "cam:GetGroup", "cam:DescribeSubAccountContacts",
        "cam:ListAttachedRolePolicies",
        "tag:DescribeResourceTagsByResourceIds",
        "tag:GetTags", "tag:GetTagKeys", "tag:GetTagValues"
      ],
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // When a resource has the specified tag, the user has permission for the related read-only APIs
        "cls:DescribeConsumer", "cls:DescribeConsumerPreview", "cls:DescribeCosRecharges",
        "cls:DescribeDashboardSubscribes", "cls:DescribeDashboards", "cls:DescribeExports",
        "cls:DescribeIndex", "cls:DescribeIndexs",
        "cls:DescribeKafkaConsume", "cls:DescribeKafkaConsumer", "cls:DescribeKafkaRecharges",
        "cls:DescribeLatestJsonLog", "cls:DescribeLatestUserLog", "cls:DescribeLogContext",
        "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram",
        "cls:DescribeMachineGroupConfigs", "cls:DescribeMachines", "cls:DescribePartitions",
        "cls:DescribeScheduledSqlInfo", "cls:DescribeScheduledSqlProcessInfo",
        "cls:DescribeShipperPreview", "cls:DescribeTopics", "cls:EstimateRebuildIndexTask",
        "cls:GetAlarm", "cls:GetAlarmLog", "cls:GetMetricLabelValues", "cls:GetMetricSeries",
        "cls:MetricsLabelValues", "cls:MetricsLabels", "cls:MetricsQuery",
        "cls:MetricsQueryExemplars", "cls:MetricsQueryRange", "cls:MetricsSeries",
        "cls:QueryMetric", "cls:QueryRangeMetric",
        "cls:SearchCosRechargeInfo", "cls:SearchDashboardSubscribe", "cls:SearchLog",
        "cls:DescribeAlarmNotices", "cls:DescribeAlarms", "cls:DescribeAlertRecordHistory",
        "cls:DescribeExternalDataSources", "cls:DescribeLogsets", "cls:DescribeMachineGroups",
        "cls:DescribeConsoles", "cls:DescribeShipperTasks", "cls:DescribeShippers",
        "cls:DescribeRebuildIndexTasks"
      ],
      "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        // Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited.
        // The following APIs are mainly read operations; a few auxiliary APIs are write operations.
        // None of them affects the security of the product's core data.
        "cls:CheckAlarmChannel", "cls:CheckAlarmRule", "cls:CheckDomainRepeat",
        "cls:CheckFunction", "cls:CheckRechargeKafkaServer",
        "cls:DescribeClsPrePayDetails", "cls:DescribeClsPrePayInfos",
        "cls:DescribeConfigMachineGroups", "cls:DescribeConfigs", "cls:DescribeAgentConfigs",
        "cls:DescribeTopicExtendConfig",
        "cls:DescribeDataTransformFailLogInfo", "cls:DescribeDataTransformInfo",
        "cls:DescribeDataTransformPreviewDataInfo", "cls:DescribeDataTransformPreviewInfo",
        "cls:DescribeDataTransformProcessInfo",
        "cls:DescribeDemonstrations", "cls:DescribeExceptionResources",
        "cls:DescribeExternalDataSourcePreview", "cls:DescribeFunctions",
        "cls:DescribeResources", "cls:DescribeShipperPreview",
        "cls:DescribeScheduledSqlProcessInfo", "cls:DescribeConfigurationTemplates",
        "cls:DescribeFolders", "cls:GetClsService",
        "cls:GetConfigurationTemplateApplyLog", "cls:PreviewKafkaRecharge",
        "cls:CreateDemonstrations", "cls:DeleteDemonstrations",
        "cls:CreateExport", "cls:DeleteExport",
        "cls:DescribeNoticeContents", "cls:DescribeWebCallbacks"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ],
  "version": "2.0"
}
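As an added example (not part of the original page or of any Tencent Cloud tooling): the two templates above carry `//` comments that must be removed before use, and both end with statements that allow actions on resource "*" with no tag condition. The Python code below strips comments outside string literals, parses the policy, and lists the unconditioned actions that are not recognisably read-only so they can be reviewed before the policy is attached. The read-prefix list, the function names and the shortened sample policy are assumptions constructed for illustration.

```python
import json

# Assumption: action-name prefixes treated as read-only by this review heuristic.
# Anything else (including wildcards) is reported, so the check fails closed.
READ_PREFIXES = ("describe", "get", "list", "search", "check",
                 "preview", "estimate", "query")

# Constructed sample: a shortened policy modelled on the tag-based template above.
SAMPLE = r'''
{
  "statement": [
    {
      "action": [  // creation must carry the tag
        "cls:CreateTopic",
        "cls:CreateDashboard"
      ],
      "condition": {"for_any_value:string_equal": {"qcs:request_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": ["cls:*"],
      "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        "cls:DescribeConfigs",
        "cls:CheckAlarmRule",
        "cls:RealtimeProducer",     // upload data over Kafka
        "cls:CreateDataTransform",  // data transformation
        "cls:DeleteFolder"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ],
  "version": "2.0"
}
'''


def strip_line_comments(text):
    """Remove // comments, leaving any // that sits inside a JSON string."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            # Skip to the end of the line; the newline itself is kept.
            while i < len(text) and text[i] != "\n":
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_policy(text):
    """Parse a commented policy template into a dict."""
    return json.loads(strip_line_comments(text))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_action(action):
    """True when the API name after 'service:' starts with a read prefix."""
    name = action.split(":", 1)[-1]
    return name.lower().startswith(READ_PREFIXES)


def unscoped_write_actions(policy):
    """Actions allowed on resource "*" with no condition that are not read-only."""
    findings = set()
    for statement in policy.get("statement", []):
        if statement.get("effect", "").lower() != "allow":
            continue
        if statement.get("condition"):
            continue  # tag-scoped statement
        if "*" not in _as_list(statement.get("resource", [])):
            continue  # limited to named resources
        for action in _as_list(statement.get("action", [])):
            if not is_read_action(action):
                findings.add(action)
    return sorted(findings)


if __name__ == "__main__":
    for action in unscoped_write_actions(load_policy(SAMPLE)):
        print("review before granting:", action)
```

Actions such as `cls:MetricsQuery` or `cls:agentHeartBeat` do not match a read prefix and are therefore also listed when granted without a condition; treat the output as a review list, not a verdict.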
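Data collection
Collecting data with Loglistener
Users can collect data with the Loglistener agent and upload logs (this example shows the minimum permissions for a machine with Loglistener installed to upload logs).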
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:getConfig","cls:agentHeartBeat"],"resource": "*","effect": "allow"}]}
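Note
If your Loglistener version is earlier than 2.6.5, you also need to add the "cls:listLogset" permission.
Uploading data from self-built k8s
Users can collect log data from a self-built k8s environment with Logagent and upload it (this example shows the minimum permissions for uploading logs from self-built k8s).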
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:agentHeartBeat","cls:getConfig","cls:CreateConfig","cls:DeleteConfig","cls:ModifyConfig","cls:DescribeConfigs","cls:DescribeMachineGroupConfigs","cls:DeleteConfigFromMachineGroup","cls:ApplyConfigToMachineGroup","cls:DescribeConfigMachineGroups","cls:ModifyTopic","cls:DeleteTopic","cls:CreateTopic","cls:DescribeTopics","cls:CreateLogset","cls:DeleteLogset","cls:DescribeLogsets","cls:CreateIndex","cls:ModifyIndex","cls:CreateMachineGroup","cls:DeleteMachineGroup","cls:DescribeMachineGroups","cls:ModifyMachineGroup","cls:CreateConfigExtra","cls:DeleteConfigExtra","cls:ModifyConfigExtra"],"resource": "*","effect": "allow"}]}
Uploading data via API/SDK
Users can upload data to CLS via the API/SDK (this example shows the minimum permissions for uploading data via the API/SDK).
{"version": "2.0","statement": [{"action": ["cls:pushLog","cls:UploadLog","cls:MetricsRemoteWrite"],"resource": "*","effect": "allow"}]}
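Uploading data over Kafka
Users can upload logs to CLS over the Kafka protocol (this example shows the minimum permissions for uploading logs over the Kafka protocol).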
{"version": "2.0","statement": [{"action": ["cls:RealtimeProducer"],"resource": "*","effect": "allow"}]}
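Uploading data through cloud product metric subscription
Users can upload metrics to CLS through cloud product metric subscription (this example shows the minimum permissions needed to configure a cloud product metric subscription in the console).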
{"version": "2.0","statement": [{"action": ["cls:CreateMetricSubscribe","cls:DescribeMetricCorrectDimension","cls:DescribeMetricSubscribePreview","monitor:DescribeBaseMetrics","monitor:DescribeProductList"],"resource": "*","effect": "allow"}]}
Subscribing to MySQL Binlog logs
Users can subscribe MySQL Binlog logs to CLS (this example shows the minimum permissions needed to configure a MySQL Binlog subscription task in the console).
{"version": "2.0","statement": [{"action": ["cls:CreateBinlogSubscribe","cls:DescribeBinlogSubscribes","cls:ModifyBinlogSubscribe","cls:DescribeBinlogSubscribeConnectivity","cls:DescribeBinlogSubscribePreview"],"resource": "*","effect": "allow"}]}
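Collecting data through Kafka subscription
Users can subscribe data from a Kafka cluster to CLS (this example shows the minimum permissions needed to configure a Kafka subscription task in the console).
{"version": "2.0","statement": [{"action": ["cls:PreviewKafkaRecharge","cls:CreateKafkaRecharge","cls:ModifyKafkaRecharge"],"resource": "*","effect": "allow"}]}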
FluentBit log upload
Users can upload data from FluentBit to CLS with the Fluent-bit Go plugin (this example shows the minimum permissions for uploading data with the Fluent-bit Go plugin).
{"version": "2.0","statement": [{"action": ["cls:pushLog"],"resource": "*","effect": "allow"}]}
Logstash log upload
Users can upload data from Logstash to CLS with the Logstash plugin (this example shows the minimum permissions for uploading data with the Logstash plugin).
{"version": "2.0","statement": [{"action": ["cls:pushLog"],"resource": "*","effect": "allow"}]}
Managing collection configurations and machine groups
Includes creating/modifying/deleting collection configurations and creating/modifying/deleting machine groups.
The Config APIs correspond to collection configuration resources.
The MachineGroup APIs correspond to machine group resources.
The three ConfigExtra API permissions are used to manage the cluster configuration for uploading logs from self-built k8s; you can ignore them if you do not use that feature.
{"version": "2.0","statement": [{"action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:CreateConfig","cls:DeleteConfig","cls:DescribeConfigs","cls:ModifyConfig","cls:CreateConfigExtra","cls:DeleteConfigExtra","cls:ModifyConfigExtra","cls:CreateMachineGroup","cls:DeleteMachineGroup","cls:DescribeMachineGroups","cls:DeleteConfigFromMachineGroup","cls:ApplyConfigToMachineGroup","cls:ModifyMachineGroup"],"resource": "*","effect": "allow"}]}
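Topic management and search and analysis
Viewing/managing topics and search and analysis in the console
Management permission: management permission on all topics
Users can search and manage all topics, including creating topics, deleting topics and modifying index configurations, but not collection configuration, log shipping or log data transformation.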
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]}]}
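Management permission: management permission on specified topics
Users can search and manage the specified topics, including creating topics, deleting topics and modifying index configurations, but not collection configuration, log shipping or log data transformation.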
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516","qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"]}]}
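Management permission: management permission on topics with a specified tag
Users can search and manage topics that carry the specified tag, including creating topics, deleting topics and modifying index configurations, but not collection configuration, log shipping or log data transformation. When binding a tag to a topic, you must also bind the tag to the logset it belongs to.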
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateLogset","cls:CreateTopic","cls:CreateExport","cls:CreateIndex","cls:DeleteLogset","cls:DeleteTopic","cls:DeleteExport","cls:DeleteIndex","cls:ModifyLogset","cls:ModifyTopic","cls:ModifyIndex","cls:MergePartition","cls:SplitPartition","cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:CreateRebuildIndexTask","cls:EstimateRebuildIndexTask","cls:CancelRebuildIndexTask","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
Read-only permission: read-only permission on all topics
Users can search all topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]}]}
Read-only permission: read-only permission on specified topics
Users can search the specified topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516","qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"]}]}
Read-only permission: read-only permission on topics with a specified tag
Users can search topics that carry the specified tag.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeExports","cls:DescribeIndex","cls:DescribeIndexs","cls:DescribePartitions","cls:SearchLog","cls:DescribeLogHistogram","cls:DescribeLogContext","cls:DescribeLogFastAnalysis","cls:DescribeLatestJsonLog","cls:DescribeRebuildIndexTasks","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
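Search and analysis via API
Read-only permission: read-only search and analysis permission on all topics
Users can search and analyze all topics via the API.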
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["*"]}]}
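Read-only permission: read-only search and analysis permission on specified topics
Users can search and analyze the specified topics via the API.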
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516","qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"]}]}
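Read-only permission: read-only search and analysis permission on topics with a specified tag
Users can search and analyze topics that carry the specified tag via the API.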
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsLabelValues","cls:MetricsLabels","cls:MetricsQuery","cls:MetricsQueryRange","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries","cls:MetricsRemoteRead"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}}}]}
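Dashboards
Management permission: management permission on all dashboards
Users can manage all dashboards, including creating, deleting, editing, viewing and subscribing to all dashboards. Dashboards can use data from all topics.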
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": "*"},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*"}]}
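Management permission: management permission on dashboards with a specified tag
Users can manage dashboards with the specified tag, including creating, deleting, editing, viewing and subscribing to dashboards that carry the specified tag. Dashboards can use data from topics with the specified tag.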
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
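Management permission: management permission on specified dashboard resources
Users can manage the specified dashboards, including creating, deleting, editing, viewing and subscribing to the specified dashboard resources. Dashboards can use data from the specified topics.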
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:CreateChart","cls:CreateDashboard","cls:DeleteChart","cls:DeleteDashboard","cls:ModifyChart","cls:ModifyDashboard","cls:DescribeDashboards","cls:CreateFolder","cls:DeleteFolder","cls:DescribeFolders","cls:ModifyFolder","cls:ModifyResourceAndFolderRelation","cls:SearchDashboardSubscribe","cls:CreateDashboardSubscribe","cls:ModifyDashboardSubscribe","cls:DescribeDashboardSubscribes","cls:DeleteDashboardSubscribe","cls:ModifyDashboardSubscribeAck"],"resource": ["qcs::cls::uin/100000***001:dashboard/dashboard-0769a3ba-2514-409d-****-f65b20b23736"]},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls::uin/100000***001:topic/174ca473-50d0-4fdf-****-2ef681a1e02a"]}]}
Read-only permission: read-only permission on all dashboards
Users can view all dashboards. Dashboards can show data from all topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": "*"},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*"}]}
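Read-only permission: read-only permission on dashboards with a specified tag
Users can view dashboard resources that carry the specified tag. Dashboards can show data from topics that carry the specified tag.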
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
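Read-only permission: read-only permission on specified dashboard resources
Users can view the specified dashboards. Dashboards can show data from the specified topics.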
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:GetChart","cls:GetDashboard","cls:ListChart","cls:DescribeDashboards","cls:DescribeFolders","cls:SearchDashboardSubscribe","cls:DescribeDashboardSubscribes"],"resource": ["qcs::cls::uin/100000***001:dashboard/dashboard-0769a3ba-2514-409d-****-f65b20b23736"]},{"effect": "allow","action": ["cls:SearchLog","cls:DescribeTopics","cls:DescribeLogFastAnalysis","cls:DescribeIndex","cls:DescribeLogsets","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["qcs::cls::uin/100000***001:topic/174ca473-50d0-4fdf-****-2ef681a1e02a"]}]}
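Monitoring and alarms
Management permission: management permission on all alarm policies
Users can manage all alarm policies, including creating alarm policies, creating notification channel groups and viewing alarm policies.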
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:CreateAlarm","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:CreateAlarmNotice","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:GetAlarmLog","cls:DescribeAlertRecordHistory","cls:CheckAlarmRule","cls:CheckAlarmChannel"],"resource": "*"}]}
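Management permission: management permission on alarm policies with a specified tag
Users can manage alarm policies that carry the specified tag, including modifying alarm policies, modifying notification channel groups and viewing alarm policies.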
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:CheckAlarmRule","cls:CheckAlarmChannel","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
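Management permission: management permission on specified alarm policy resources
Users can manage the specified alarm policies, including modifying alarm policies, modifying notification channel groups and viewing alarm policies.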
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup","cls:CheckAlarmRule","cls:CheckAlarmChannel","cls:GetMetricLabelValues","cls:QueryMetric","cls:QueryRangeMetric","cls:GetMetricSeries"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:ModifyAlarm","cls:DeleteAlarm","cls:DescribeAlarmNotices","cls:ModifyAlarmNotice","cls:DeleteAlarmNotice","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf","qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"]}]}
Read-only permission: read-only permission on all alarm policies
Users can view all alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": "*"}]}
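Read-only permission: read-only permission on alarm policies with a specified tag
Users can view alarm policies that carry the specified tag.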
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Read-only permission: read-only permission on specified alarm policy resources
Users can view the specified alarm policies.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cam:ListGroups","cam:DescribeSubAccountContacts","cam:GetGroup"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeAlarms","cls:DescribeAlarmNotices","cls:GetAlarmLog","cls:DescribeAlertRecordHistory"],"resource": ["qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf","qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"]}]}
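Data processing
Data transformation
Management permission: management permission on all data transformation tasks
Management permission on the “data transformation tasks” of all log topics.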
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeTopics","cls:DescribeIndex","cls:CreateDataTransform"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeFunctions","cls:CheckFunction","cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo","cls:DeleteDataTransform","cls:ModifyDataTransform"],"resource": ["*"]}]}
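Read-only permission: read-only permission on all data transformation tasks
Read-only permission on the “data transformation tasks” of all log topics. Because this is view-only, the DSL functions do not need to be authorized.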
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics"],"resource": ["*"]},{"effect": "allow","action": ["cls:DescribeDataTransformFailLogInfo","cls:DescribeDataTransformInfo","cls:DescribeDataTransformPreviewDataInfo","cls:DescribeDataTransformPreviewInfo","cls:DescribeDataTransformProcessInfo"],"resource": ["*"]}]}
Scheduled SQL analysis
Management permission: scheduled SQL analysis permission on all log topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:CreateScheduledSql","cls:SearchLog","cls:DescribeScheduledSqlInfo","cls:DescribeScheduledSqlProcessInfo","cls:DeleteScheduledSql","cls:ModifyScheduledSql","cls:RetryScheduledSqlTask"],"resource": ["*"]},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
Management permission: scheduled SQL analysis permission on log topics with a specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:SearchLog","cls:DescribeScheduledSqlProcessInfo","cls:CreateScheduledSql","cls:DeleteScheduledSql","cls:ModifyScheduledSql","cls:RetryScheduledSqlTask"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:DescribeScheduledSqlInfo"],"resource": ["*"]}]}
Data shipping/consumption
Shipping to Ckafka
Management permission: management permission for shipping to Ckafka on all log topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:CreateConsumer","cls:ModifyConsumer","cls:DeleteConsumer","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Management permission: management permission for shipping to Ckafka on log topics with a specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:CreateConsumer","cls:ModifyConsumer","cls:DeleteConsumer","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["age&13","name&vinson"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
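Read-only permission: read-only permission for shipping to Ckafka on all log topics
Grants read-only permission for shipping to Ckafka on all log topics.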
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
Read-only permission: read-only permission for shipping to Ckafka on log topics with a specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeConsumer","cls:DescribeConsumerPreview"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","ckafka:DescribeInstances","ckafka:DescribeTopic","ckafka:DescribeInstanceAttributes","ckafka:CreateToken","ckafka:AuthorizeToken"],"resource": "*"}]}
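Shipping to COS
Management permission: management permission for shipping to COS on all log topics
Grants management permission for shipping to COS on all log topics.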
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeIndex","cls:CreateShipper"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:ModifyShipper","cls:DescribeShippers","cls:DeleteShipper","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cos:GetService","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList"],"resource": "*"}]}
Management permission: management permission for shipping to COS on log topics with a specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets","cls:DescribeIndex","cls:CreateShipper"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:ModifyShipper","cls:DescribeShippers","cls:DeleteShipper","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cos:GetService","cam:ListAttachedRolePolicies","cam:AttachRolePolicy","cam:CreateRole","cam:DescribeRoleList"],"resource": "*"}]}
Read-only permission: read-only permission for shipping to COS on all log topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets" ],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:DescribeShippers","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cam:ListAttachedRolePolicies"],"resource": "*"}]}
Read-only permission: read-only permission for shipping to COS on log topics with a specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cls:DescribeShippers","cls:DescribeShipperTasks","cls:RetryShipperTask","cls:DescribeShipperPreview","cam:ListAttachedRolePolicies"],"resource": "*"}]}
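Shipping to SCF
Management permission: management permission for shipping to SCF on all log topics
Grants management permission for shipping to SCF on all log topics.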
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:CreateDeliverFunction","cls:DeleteDeliverFunction","cls:ModifyDeliverFunction","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Management permission: manage shipping to SCF for log topics with the specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:CreateDeliverFunction","cls:DeleteDeliverFunction","cls:ModifyDeliverFunction","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Read-only permission: read-only access to shipping to SCF for all log topics
Grants read-only permission for shipping to SCF on all log topics.
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*"},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
Read-only permission: read-only access to shipping to SCF for log topics with the specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeTopics","cls:DescribeLogsets"],"resource": "*","condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies","cls:GetDeliverFunction","scf:ListFunctions","scf:ListAliases","scf:ListVersionByFunction"],"resource": "*"}]}
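Consumption over the Kafka protocol
Management permission: Kafka protocol consumption for all log topics
Grants Kafka protocol consumption permission on all log topics.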
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"resource": ["*"]},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
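Management permission: Kafka protocol consumption for log topics with the specified tag
Grants management permission for Kafka protocol consumption on log topics with the specified tag.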
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},{"effect": "allow","action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"resource": ["*"]}]}
Management permission: Kafka protocol consumption for specified resources
{"statement": [{"action": ["cls:DescribeLogsets","cls:DescribeTopics","cls:DescribeKafkaConsumer","cls:CloseKafkaConsumer","cls:ModifyKafkaConsumer","cls:OpenKafkaConsumer"],"effect": "allow","resource": ["qcs::cls:ap-chengdu:100001127XXX:logset/axxxxxx-772e-4971-ad9a-ddcfcfff691b","qcs::cls:ap-chengdu:100001127XXX:topic/590xxxxxxx-36c4-447b-a84f-172ee7340b22"]},{"action": ["tag:DescribeResourceTagsByResourceIds","tag:DescribeTagKeys","tag:DescribeTagValues","cam:ListAttachedRolePolicies"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
Minimum permission for Kafka protocol consumption (API calls, not the console)
{"version": "2.0","statement": [{"action": ["cls:OpenKafkaConsumer"],"effect": "allow","resource": ["*"]}]}
Metric shipping
Management permission: manage shipping for all metric topics
{"statement": [{"action": ["cls:DescribeRemoteWriteTask","cls:DescribeTopics","cls:CreateRemoteWriteTask","cls:ModifyRemoteWriteTask","cls:DescribeLogsets","cls:DeleteRemoteWriteTask","cls:CheckRemoteWriteTaskConnect"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
Management permission: manage shipping for metric topics with the specified tag
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:DescribeRemoteWriteTask","cls:DescribeTopics","cls:CreateRemoteWriteTask","cls:ModifyRemoteWriteTask","cls:DescribeLogsets","cls:DeleteRemoteWriteTask","cls:CheckRemoteWriteTaskConnect"],"resource": ["*"],"condition": {"string_equal": {"qcs:resource_tag": "key:value"}}}]}
Custom consumption
Management permission: manage custom consumption for all log topics
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsumerGroup","cls:ModifyConsumerGroup","cls:DescribeConsumerGroups","cls:DeleteConsumerGroup","cls:DescribeConsumerOffsets","cls:CommitConsumerOffsets","cls:SendConsumerHeartbeat","cls:pullLog"],"resource": ["*"]}]}
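DataSight management permissions
Management permission: manage all DataSight standalone consoles
Users can create, modify, view, and delete DataSight consoles in the Tencent Cloud console.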
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["*"]}]}
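Management permission: manage a specified DataSight standalone console
Users can create, modify, view, and delete the specified DataSight console in the Tencent Cloud console.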
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"]}]}
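Management permission: manage DataSight standalone consoles with the specified tag
Users can create, modify, view, and delete DataSight consoles with the specified tag in the Tencent Cloud console.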
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:CreateConsole","cls:DeleteConsole","cls:DescribeConsoles","vpc:DescribeSubnetEx","vpc:DescribeVpcEx","cls:ModifyConsole"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}
Read-only permission: read-only access to all DataSight standalone consoles
Users can view information about DataSight consoles in the Tencent Cloud console.
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
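Read-only permission: read-only access to a specified DataSight standalone console
Users can view information about the specified DataSight console in the Tencent Cloud console.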
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"]}],"version": "2.0"}
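Read-only permission: read-only access to DataSight standalone consoles with the specified tag
Users can view information about DataSight consoles with the specified tag in the Tencent Cloud console.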
{"statement": [{"action": ["cls:DescribeConsoles"],"effect": "allow","resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}],"version": "2.0"}
Developers
Using CLS through Grafana
Display data from all topics in Grafana
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:MetricsLabelValues","cls:MetricsQueryRange","cls:MetricsLabels","cls:MetricsQuery"],"resource": ["*"]}]}
Display data from topics with the specified tag in Grafana
{"version": "2.0","statement": [{"effect": "allow","action": ["cls:SearchLog","cls:MetricsSeries","cls:MetricsQueryExemplars","cls:MetricsLabelValues","cls:MetricsQueryRange","cls:MetricsLabels","cls:MetricsQuery"],"resource": ["*"],"condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}}]}