Access Control (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses permission policies to describe the specific content of an authorization.
This topic describes the elements, such as Action, Resource, and Condition, that are defined by Elasticsearch. You can use the elements to create policies in RAM. The RAM code (RamCode) that identifies Elasticsearch is elasticsearch. You can grant permissions at the resource level.
Policies can be stored as JSON files. The following code provides an example of the general structure of a policy:
Elasticsearch resources can be specified in the Resource element of a policy to grant permissions to perform specific operations on those resources.
An Alibaba Cloud Resource Name (ARN) is the unique identifier of a resource on Alibaba Cloud. In the ARN format:
- {#} is a variable and must be replaced with the actual value. Example: {#ramcode} must be replaced with the actual RAM code of the cloud service.
- An asterisk (*) is used as a wildcard. Examples:
  - {#resourceType}/* indicates all resources.
  - If {#regionId} is set to *, all regions are specified.
  - If {#accountId} is set to *, all Alibaba Cloud accounts are specified.
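
The wildcard rules above, turned into a least-privilege check (an added example, not part of the original page or Alibaba Cloud's own code): it flags Allow statements whose Elasticsearch ARNs cover all regions, all accounts, or all resources. The policy, account ID and instance ID are constructed, and the ARN layout acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}/{#resourceId} is an assumption, since the page names the placeholders but not their order.

```python
# Constructed sample policy (not from the original page): the account ID and
# instance ID are made up, and the ARN layout
# acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}/{#resourceId} is assumed.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["elasticsearch:DescribeInstance"],
         "Resource": "acs:elasticsearch:cn-hangzhou:1234567890123456:instances/es-cn-example0001"},
        {"Effect": "Allow", "Action": "elasticsearch:*",
         "Resource": ["acs:elasticsearch:*:*:instances/*"]},
        {"Effect": "Deny", "Action": "elasticsearch:*", "Resource": "*"},
    ],
}

def as_list(value):
    """RAM accepts either one string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_statement(stmt, ramcode="elasticsearch"):
    """Return wildcard findings for one statement (Deny never widens access)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    for action in as_list(stmt.get("Action", [])):
        if action == "*" or action.lower() == f"{ramcode}:*":
            findings.append(f"all actions: {action}")
    for arn in as_list(stmt.get("Resource", [])):
        parts = arn.split(":", 4)
        if arn == "*":
            findings.append("all resources of every service: *")
        elif len(parts) == 5 and parts[0] == "acs" and parts[1] in (ramcode, "*"):
            _, _, region, account, relative = parts
            if region == "*":
                findings.append(f"all regions: {arn}")
            if account == "*":
                findings.append(f"all accounts: {arn}")
            if relative == "*" or relative.endswith("/*"):
                findings.append(f"all resources of the type: {arn}")
    return findings

def audit_policy(policy):
    """Map statement index to its findings, skipping statements with none."""
    audited = enumerate(map(audit_statement, policy.get("Statement", [])))
    return {index: found for index, found in audited if found}

if __name__ == "__main__":
    for index, found in audit_policy(SAMPLE_POLICY).items():
        print(index, found)
```

Only exact wildcards are flagged; a prefix pattern in an action name is outside what this check covers.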
Elasticsearch defines the values that you can use in the Condition element of a policy statement. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Elasticsearch. For more information about the common condition keys, see Generic Condition Keyword.
The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: