Assigning access to catalogs
As the account owner, you assign users specific Catalog Management access based on the tasks they perform. To simplify assigning access, you can use access groups to organize a set of users into a single entity. You then assign a single policy to the group once and add or remove users from the group as needed, instead of maintaining a policy per user.
For more details, see Managing access in IBM Cloud.
Setting up access groups in the console
See the following sections for details on creating access groups and assigning a specific IAM policy to each one.
Administrator permissions in the console
Administrator access is required to set account-level filters on the IBM Cloud catalog.
- Log in to your IBM Cloud account.
- In the IBM Cloud console, go to Manage > Access (IAM) > Access groups.
- Click Create.
- Enter private-catalog-admins as the group name, then click Create.
- Click Access > Assign access.
- From the list of services, select Catalog Management.
- Select the catalogs that you want the users to access.
- In the Platform access section, select the Administrator role.
- Click Add > Assign.
Editor permissions in the console
Editor access is required to create private catalogs, set filters at the private-catalog level, add software to private catalogs, and update, deprecate, and restore software.
- Go to Access groups and click Create.
- Enter private-catalog-editors as the group name, then click Create.
- Click Access > Assign access.
- From the list of services, select Catalog Management.
- Select the catalogs that you want the users to access.
- In the Platform access section, select the Editor role.
- Click Add.
- From the list of services, select Kubernetes Service.
- Select the clusters, then select the Administrator and Manager roles.
- Click Add.
- From the list of services, select Schematics.
- Select the Manager role.
- Click Add > Assign.
Viewer permissions in the console
Viewer access is required to view private catalogs, the filtered IBM Cloud catalog, and the filter settings.
- Go to Access groups and click Create.
- Enter private-catalog-viewers as the group name, then click Create.
- Click Access > Assign access.
- From the list of services, select Catalog Management.
- Select the catalogs that you want the users to access.
- In the Platform access section, select the Viewer role.
- Click Add > Assign.
Viewers also need Viewer access to the resource group that the private catalog is assigned to. You assign the private catalog to a resource group when you complete the steps to create it. For more information, see Customizing the IBM Cloud catalog for all account users.
To assign Viewer access to the private catalog's resource group, complete the following steps. These steps attach the policy directly to one user; to keep all viewer grants in one place, you can instead attach the same policy to the private-catalog-viewers access group from Access groups > Access > Assign access.
- Go to Users and select the user.
- Select Access > Assign access.
- From the list of services, select All Identity and Access enabled services.
- Scope the access to Specific resources based on selected attributes, then select the private catalog's resource group.
- For Platform access, select the Viewer role.
- Click Add > Assign.
Adding users to access groups in the console
After you set up the access groups, complete the following steps to add users to a group:
- Go to Users and click Invite users.
- Specify the users' email addresses. If you invite multiple users with a single invitation, all of them are assigned the same access.
- Select one of the three access groups that you created earlier, then click Add > Invite.
- Repeat these steps to add users to the other access groups.
Alternatively, you can grant users access by adding a trusted profile to the access group. For more information, see What makes a good trusted profile policy? and Creating trusted profiles.
Setting up access groups using the CLI
To assign access, run the ibmcloud iam user-policy-create command. Note that this command attaches a policy directly to one user; to attach the same roles to one of the access groups created above, use ibmcloud iam access-group-policy-create with the group name in place of the user name, so that membership in the group, not a per-user policy, carries the access.
Administrator access using the CLI
Run the following command to assign Administrator access:
ibmcloud iam user-policy-create USER_NAME --roles Administrator --service-name globalcatalog-collection
Editor access using the CLI
Run the following command to assign Editor access:
ibmcloud iam user-policy-create USER_NAME --roles Editor --service-name globalcatalog-collection
Viewer access using the CLI
Run the following command to assign Viewer access:
ibmcloud iam user-policy-create USER_NAME --roles Viewer --service-name globalcatalog-collection
Adding users to access groups using the CLI
To add users to an access group by using the CLI, run the ibmcloud iam access-group-user-add command.
ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]
For example, the following command adds the user name@example.com to the example_group access group.
ibmcloud iam access-group-user-add example_group name@example.com
Alternatively, you can grant users access by adding a trusted profile to the access group. For more information, see What makes a good trusted profile policy? and Creating trusted profiles.
Setting up access groups using the API
To assign access, call the IAM Policy Management API as shown in the following examples. Replace the role_id value with the role to assign: Viewer, Editor, or Administrator. The subject in these examples is a single user, identified by the iam_id attribute; to bind the policy to an access group instead, use the subject attribute access_group_id with the group's ID as its value.
# TOKEN, ACCOUNT_ID, SERVICE_NAME and RESOURCE_NAME are shell variables.
# The header is double-quoted and the body is an unquoted heredoc so that the shell expands them.
curl -X POST "https://iam.cloud.ibm.com/v1/policies" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "type": "access",
  "description": "Editor role for SERVICE_NAME RESOURCE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}
EOF
Java
import java.util.Arrays;
import com.ibm.cloud.sdk.core.http.Response;
import com.ibm.cloud.platform_services.iam_policy_management.v1.IamPolicyManagement;
import com.ibm.cloud.platform_services.iam_policy_management.v1.model.*;

// The client reads its credentials from the environment or an ibm-credentials.env file.
IamPolicyManagement service = IamPolicyManagement.newInstance();

// Subject: one user. For an access group, use the attribute name "access_group_id".
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
  .name("iam_id")
  .value(EXAMPLE_USER_ID)
  .build();
PolicySubject policySubjects = new PolicySubject.Builder()
  .addAttributes(subjectAttribute)
  .build();
PolicyRole policyRoles = new PolicyRole.Builder()
  .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
  .build();
// Always pin the policy to the account.
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
  .name("accountId")
  .value(exampleAccountId)
  .operator("stringEquals")
  .build();
// serviceType == "service" means every IAM-enabled service, not one named service.
ResourceAttribute serviceTypeResourceAttribute = new ResourceAttribute.Builder()
  .name("serviceType")
  .value("service")
  .operator("stringEquals")
  .build();
// A resource tag narrows the grant to resources that carry project:prototype.
ResourceTag policyResourceTag = new ResourceTag.Builder()
  .name("project")
  .value("prototype")
  .operator("stringEquals")
  .build();
PolicyResource policyResources = new PolicyResource.Builder()
  .addAttributes(accountIdResourceAttribute)
  .addAttributes(serviceTypeResourceAttribute)
  .addTags(policyResourceTag)
  .build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
  .type("access")
  .subjects(Arrays.asList(policySubjects))
  .roles(Arrays.asList(policyRoles))
  .resources(Arrays.asList(policyResources))
  .build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
Node.js
const IamPolicyManagementV1 = require('@ibm-cloud/platform-services/iam-policy-management/v1');

// The client reads its credentials from the environment or an ibm-credentials.env file.
const iamPolicyManagementService = IamPolicyManagementV1.newInstance({});
let examplePolicyId;

// Subject: one user. For an access group, use the attribute name 'access_group_id'.
const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: exampleUserId,
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
  },
];
// Always pin the policy to the account.
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
// serviceType == 'service' means every IAM-enabled service, not one named service.
const serviceTypeResourceAttribute = {
  name: 'serviceType',
  value: 'service',
  operator: 'stringEquals',
};
// A resource tag narrows the grant to resources that carry project:prototype.
const policyResourceTag = {
  name: 'project',
  operator: 'stringEquals',
  value: 'prototype',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceTypeResourceAttribute],
    tags: [policyResourceTag],
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });
Python
import json
from ibm_platform_services import IamPolicyManagementV1
from ibm_platform_services.iam_policy_management_v1 import (
    PolicySubject, SubjectAttribute, PolicyRole, PolicyResource,
    ResourceAttribute, ResourceTag)

# The client reads its credentials from the environment or an ibm-credentials.env file.
iam_policy_management_service = IamPolicyManagementV1.new_instance()

# Subject: one user. For an access group, use the attribute name 'access_group_id'.
policy_subjects = PolicySubject(
    attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
    role_id='crn:v1:bluemix:public:iam::::role:Viewer')
# Always pin the policy to the account.
account_id_resource_attribute = ResourceAttribute(
    name='accountId', value=example_account_id)
# serviceType == 'service' means every IAM-enabled service, not one named service.
service_type_resource_attribute = ResourceAttribute(
    name='serviceType', value='service')
# A resource tag narrows the grant to resources that carry project:prototype.
policy_resource_tag = ResourceTag(
    name='project', value='prototype')
policy_resources = PolicyResource(
    attributes=[account_id_resource_attribute,
                service_type_resource_attribute],
    tags=[policy_resource_tag])
policy = iam_policy_management_service.create_policy(
    type='access',
    subjects=[policy_subjects],
    roles=[policy_roles],
    resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
Go
import (
	"encoding/json"
	"fmt"

	"github.com/IBM/go-sdk-core/v5/core"
	"github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
)

// The client reads its credentials from the environment or an ibm-credentials.env file.
iamPolicyManagementService, err := iampolicymanagementv1.NewIamPolicyManagementV1UsingExternalConfig(
	&iampolicymanagementv1.IamPolicyManagementV1Options{})
if err != nil {
	panic(err)
}

// Subject: one user. For an access group, use the attribute name "access_group_id".
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
	Name:  core.StringPtr("iam_id"),
	Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
	Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
	RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
// Always pin the policy to the account.
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
	Name:     core.StringPtr("accountId"),
	Value:    core.StringPtr(exampleAccountID),
	Operator: core.StringPtr("stringEquals"),
}
// serviceType == "service" means every IAM-enabled service, not one named service.
serviceTypeResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
	Name:     core.StringPtr("serviceType"),
	Value:    core.StringPtr("service"),
	Operator: core.StringPtr("stringEquals"),
}
// A resource tag narrows the grant to resources that carry project:prototype.
policyResourceTag := &iampolicymanagementv1.ResourceTag{
	Name:     core.StringPtr("project"),
	Value:    core.StringPtr("prototype"),
	Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
	Attributes: []iampolicymanagementv1.ResourceAttribute{
		*accountIDResourceAttribute, *serviceTypeResourceAttribute},
	Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
	"access",
	[]iampolicymanagementv1.PolicySubject{*policySubjects},
	[]iampolicymanagementv1.PolicyRole{*policyRoles},
	[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
	panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
Expected response for setting access
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
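The console sections and this API section describe the same set of grants: three access groups, each bound to Catalog Management (service name globalcatalog-collection, as in the CLI section) with a different platform role, plus the extra Kubernetes Service and Schematics roles for editors and the resource-group Viewer grant for viewers. The following Python is an added example and not IBM's code or a snippet from this page: it builds the POST /v1/policies bodies for all of those grants with an access_group_id subject in place of the iam_id used above, and runs a least-privilege audit over each body before it would be sent. Assumptions: the account ID, resource group ID and AccessGroupId-... values are placeholders, and the service names containers-kubernetes and schematics are the author's understanding of the IAM service names for Kubernetes Service and Schematics, which the page does not state.

```python
"""Build and audit IAM policy bodies for the three catalog access groups.

Added example, not IBM code. The bodies match the shape accepted by
POST https://iam.cloud.ibm.com/v1/policies; the subject is an access group.
"""
import json

PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}
SERVICE_ROLES = {"Reader", "Writer", "Manager"}  # service roles used on this page


def role_ref(name):
    """Platform roles and service roles sit under different CRN segments."""
    if name in PLATFORM_ROLES:
        return {"role_id": f"crn:v1:bluemix:public:iam::::role:{name}"}
    if name in SERVICE_ROLES:
        return {"role_id": f"crn:v1:bluemix:public:iam::::serviceRole:{name}"}
    raise ValueError(f"unknown role {name!r}")


def attr(name, value):
    return {"name": name, "value": value, "operator": "stringEquals"}


def group_policy(account_id, access_group_id, roles, service_name=None,
                 resource_group_id=None, description=""):
    """Policy body whose subject is an access group, not a user.

    service_name=None selects "All Identity and Access enabled services"
    (serviceType == service), the console choice for the resource-group grant.
    """
    attributes = [attr("accountId", account_id)]
    if service_name is not None:
        attributes.append(attr("serviceName", service_name))
    else:
        attributes.append(attr("serviceType", "service"))
    if resource_group_id is not None:
        attributes.append(attr("resourceGroupId", resource_group_id))
    return {
        "type": "access",
        "description": description,
        "subjects": [{"attributes": [{"name": "access_group_id",
                                      "value": access_group_id}]}],
        "roles": [role_ref(r) for r in roles],
        "resources": [{"attributes": attributes}],
    }


def catalog_policies(account_id, group_ids, catalog_resource_group_id):
    """The grants this page assigns to the three groups, keyed by group name."""
    cat = "globalcatalog-collection"          # Catalog Management (from the CLI section)
    k8s, schematics = "containers-kubernetes", "schematics"  # assumed service names
    admins = group_ids["private-catalog-admins"]
    editors = group_ids["private-catalog-editors"]
    viewers = group_ids["private-catalog-viewers"]
    return {
        "private-catalog-admins": [
            group_policy(account_id, admins, ["Administrator"], cat,
                         description="set account-level catalog filters"),
        ],
        "private-catalog-editors": [
            group_policy(account_id, editors, ["Editor"], cat),
            group_policy(account_id, editors, ["Administrator", "Manager"], k8s),
            group_policy(account_id, editors, ["Manager"], schematics),
        ],
        "private-catalog-viewers": [
            group_policy(account_id, viewers, ["Viewer"], cat),
            # Viewer on the resource group that holds the private catalog.
            group_policy(account_id, viewers, ["Viewer"],
                         resource_group_id=catalog_resource_group_id),
        ],
    }


def audit(policy):
    """Return findings that should block the policy; an empty list passes."""
    findings = []
    subject_attrs = {a["name"] for s in policy["subjects"] for a in s["attributes"]}
    if "access_group_id" not in subject_attrs:
        findings.append("subject is not an access group (grant to groups, not users)")
    res = {a["name"]: a["value"] for r in policy["resources"]
           for a in r.get("attributes", [])}
    if "accountId" not in res:
        findings.append("missing accountId: policy is not pinned to this account")
    if "serviceName" not in res and "serviceType" not in res:
        findings.append("no service scope: matches every resource the subject can reach")
    roles = {r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]}
    if "Administrator" in roles and "serviceName" not in res:
        findings.append("Administrator without a serviceName is account-wide admin")
    return findings


if __name__ == "__main__":
    ids = {"private-catalog-admins": "AccessGroupId-aaaa",      # placeholders
           "private-catalog-editors": "AccessGroupId-eeee",
           "private-catalog-viewers": "AccessGroupId-vvvv"}
    for group, policies in catalog_policies("ACCOUNT_ID", ids, "RESOURCE_GROUP_ID").items():
        for p in policies:
            print(group, audit(p) or "ok")
            print(json.dumps(p, indent=2))
```

Each body printed by the script can be posted as-is in place of the curl body above; run audit() on anything you are about to send, including the user-bound Editor example, which it flags because its subject is an iam_id rather than a group.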
Adding users to access groups using the API
To add users to an access group by using the API, call the IAM Access Groups API as shown in the following examples. The response carries a status_code for each member, so a call that returns successfully can still contain members that were not added; check every entry, as the expected response below shows.
curl -X PUT "{base_url}/groups/{access_group_id}/members" \
  -H "Authorization: Bearer {iam_token}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"members": [ {"iam_id": "IBMid-user1", "type": "user"}, {"iam_id": "iam-ServiceId-123", "type": "service"} ]}'
Java
import com.ibm.cloud.sdk.core.http.Response;
import com.ibm.cloud.platform_services.iam_access_groups.v2.IamAccessGroups;
import com.ibm.cloud.platform_services.iam_access_groups.v2.model.*;

// The client reads its credentials from the environment or an ibm-credentials.env file.
IamAccessGroups service = IamAccessGroups.newInstance();

AddGroupMembersRequestMembersItem member1 = new AddGroupMembersRequestMembersItem.Builder()
  .iamId("IBMid-user1")
  .type("user")
  .build();
AddGroupMembersRequestMembersItem member2 = new AddGroupMembersRequestMembersItem.Builder()
  .iamId("iam-ServiceId-123")
  .type("service")
  .build();
AddMembersToAccessGroupOptions addMembersToAccessGroupOptions = new AddMembersToAccessGroupOptions.Builder()
  .accessGroupId(testGroupId)
  .addMembers(member1)
  .addMembers(member2)
  .build();
Response<AddGroupMembersResponse> response = service.addMembersToAccessGroup(addMembersToAccessGroupOptions).execute();
// Check the status_code of every member in the result: the call can partially fail.
AddGroupMembersResponse addGroupMembersResponse = response.getResult();
System.out.println(addGroupMembersResponse);
Node.js
const IamAccessGroupsV2 = require('@ibm-cloud/platform-services/iam-access-groups/v2');

// The client reads its credentials from the environment or an ibm-credentials.env file.
const iamAccessGroupsService = IamAccessGroupsV2.newInstance({});

const groupMember1 = {
  iam_id: 'IBMid-user1',
  type: 'user',
};
const groupMember2 = {
  iam_id: 'iam-ServiceId-123',
  type: 'service',
};
const params = {
  accessGroupId: testGroupId,
  members: [groupMember1, groupMember2],
};
iamAccessGroupsService.addMembersToAccessGroup(params)
  .then(res => {
    // Check the status_code of every member in res.result.members: the call can partially fail.
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });
Python
import json
from ibm_platform_services import IamAccessGroupsV2
from ibm_platform_services.iam_access_groups_v2 import AddGroupMembersRequestMembersItem

# The client reads its credentials from the environment or an ibm-credentials.env file.
iam_access_groups_service = IamAccessGroupsV2.new_instance()

member1 = AddGroupMembersRequestMembersItem(
    iam_id='IBMid-user1', type='user')
member2 = AddGroupMembersRequestMembersItem(
    iam_id='iam-ServiceId-123', type='service')
members = [member1, member2]
add_group_members_response = iam_access_groups_service.add_members_to_access_group(
    access_group_id=test_group_id,
    members=members
).get_result()
# Check the status_code of every member in the result: the call can partially fail.
print(json.dumps(add_group_members_response, indent=2))
Go
import (
	"encoding/json"
	"fmt"

	"github.com/IBM/go-sdk-core/v5/core"
	"github.com/IBM/platform-services-go-sdk/iamaccessgroupsv2"
)

// The client reads its credentials from the environment or an ibm-credentials.env file.
iamAccessGroupsService, err := iamaccessgroupsv2.NewIamAccessGroupsV2UsingExternalConfig(
	&iamaccessgroupsv2.IamAccessGroupsV2Options{})
if err != nil {
	panic(err)
}

groupMembers := []iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
	{
		IamID: core.StringPtr("IBMid-user1"),
		Type:  core.StringPtr("user"),
	},
	{
		IamID: core.StringPtr("iam-ServiceId-123"),
		Type:  core.StringPtr("service"),
	},
}
addMembersToAccessGroupOptions := iamAccessGroupsService.NewAddMembersToAccessGroupOptions(testGroupID)
addMembersToAccessGroupOptions.SetMembers(groupMembers)
addGroupMembersResponse, response, err := iamAccessGroupsService.AddMembersToAccessGroup(addMembersToAccessGroupOptions)
if err != nil {
	panic(err)
}
// Check the status_code of every member in the result: the call can partially fail.
b, _ := json.MarshalIndent(addGroupMembersResponse, "", "  ")
fmt.Println(string(b))
Alternatively, you can grant users access by adding a trusted profile to the access group. For more information, see What makes a good trusted profile policy? and Creating trusted profiles.
Expected response for adding users
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
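The expected response above returns status_code 200 for one member and 400 for the other inside a single reply, so the HTTP status of the call alone does not tell you that every member was added. The following Python is an added example and not IBM's code: it checks member entries before the PUT and splits the reply into added and failed members so that a partial failure is surfaced instead of logged and forgotten. SAMPLE_RESPONSE is constructed from the expected response shown above; the iam_id prefix rules (IBMid- for users, iam-ServiceId- for service IDs, iam-Profile- for trusted profiles) are the author's understanding of IBM Cloud identifiers and are not stated on this page; client_call stands for whatever SDK or HTTP call you use to issue the PUT.

```python
"""Handle partial failure when adding members to an IAM access group.

Added example, not IBM code. Works on the parsed JSON body returned by
PUT {base_url}/groups/{access_group_id}/members.
"""

# IAM ID prefixes per member type (author's assumption, not from this page).
ID_PREFIX = {"user": "IBMid-", "service": "iam-ServiceId-", "profile": "iam-Profile-"}

# Constructed from the expected response shown on this page.
SAMPLE_RESPONSE = {
    "members": [
        {"iam_id": "$IBM_ID", "type": "user", "created_at": "2019-01-01T01:01:00Z",
         "created_by_id": "CREATOR_ID", "status_code": 200},
        {"iam_id": "$SERVICE_ID", "status_code": 400,
         "trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
         "errors": [{"code": "error_occurred",
                     "message": "The service id is missing or incorrect"}]},
    ]
}


def validate_members(members):
    """Return the members whose iam_id does not match their declared type.

    Catching a mismatched or unknown type before the PUT avoids the
    per-member 400 seen in the sample; it does not prove the identity exists.
    """
    bad = []
    for m in members:
        prefix = ID_PREFIX.get(m.get("type"))
        if prefix is None or not str(m.get("iam_id", "")).startswith(prefix):
            bad.append(m)
    return bad


def partition_results(body):
    """Split the reply into (added iam_ids, failed entries with their messages)."""
    added, failed = [], []
    for m in body.get("members", []):
        if m.get("status_code") == 200:
            added.append(m["iam_id"])
        else:
            failed.append({
                "iam_id": m.get("iam_id"),
                "status_code": m.get("status_code"),
                "trace": m.get("trace"),  # quote this when opening a support case
                "messages": [e.get("message", "") for e in m.get("errors", [])],
            })
    return added, failed


def add_members_or_raise(client_call, access_group_id, members):
    """Pre-validate, call, and raise on any member that was not added.

    client_call(access_group_id, members) must return the parsed JSON body.
    """
    bad = validate_members(members)
    if bad:
        raise ValueError(f"malformed members, nothing sent: {bad}")
    added, failed = partition_results(client_call(access_group_id, members))
    if failed:
        raise RuntimeError(f"added {added}, but {len(failed)} member(s) failed: {failed}")
    return added


if __name__ == "__main__":
    # Offline demonstration: stand in for the real PUT with the sample body.
    print(partition_results(SAMPLE_RESPONSE))
    print(validate_members([{"iam_id": "IBMid-user2", "type": "service"}]))
```

Wire client_call to the SDK call from the examples above (for example, a function that returns iam_access_groups_service.add_members_to_access_group(...).get_result()) and treat a RuntimeError as a failed change, since the group's membership is now different from what you intended.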
Adding users to access groups using Terraform
Before you add users to an access group with Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the Getting started with Terraform on IBM Cloud® tutorial. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
Use the following steps to add users to an access group
- In your Terraform configuration file, find the Terraform code that creates the access group and note the access_group_id that is assigned to your access group.
- Add the members to the access group.
  resource "ibm_iam_access_group_members" "accgroupmem" {
    access_group_id = ibm_iam_access_group.accgroup.id
    ibm_ids         = ["test@in.ibm.com"]
  }
  For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
- After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
  terraform init
- Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
  - Run terraform plan to generate a Terraform execution plan that previews the proposed actions.
    terraform plan
  - Run terraform apply to create the resources that are defined in the plan.
    terraform apply