Identity¶
Table of contents
- Identity
- Overview
- Permission Control
- Admin Account
- Shared Resources
- Operations
- Create Account
- Create Users
- Create Groups
- Create Polices
- Add Users into Groups
- Attach Polices to Groups
- Attach Polices to Users
- Detach Polices from Groups
- Detach Polices from Users
- Reset Account Password
- Reset User Password
- Delete Groups
- Delete Users
- Delete Policies
- Delete Accounts
- Update Account Quota
- Share Resources
- Revoke Shared Resources
- Query Accounts
- Query Users
- Query Policy
- Query Groups
- Reference
Overview¶
ZStack’s identity service provides access control to ZStack resources for users. The system consists of concepts of account, user, group, policy, and quota. A global picture of the identity system is like:
Account¶
To manipulate resources, people need to create accounts that are the root identity to own all their resources. There are two types of accounts: admin and normal. Admin accounts, which have unlimited permissions, are owned by administrators. Normal accounts, which have only permissions to VM, instance offerings, disk offerings, L3 networks, images and so on, are created by admin accounts to allow people to manipulate those resources.
APIs are categorized in to admin-only APIs and non-admin APIs. A list of admin-only APIs can be found at admin-only APIs, and a list of non-admin APIs can be found at non-admin APIs.
Account Inventory¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
uuid | see Resource Properties | 0.8 | ||
name | account name. see Resource Properties | 0.8 | ||
description | see Resource Properties | true | 0.8 | |
createDate | see Resource Properties | 0.8 | ||
lastOpDate | see Resource Properties | 0.8 |
Note
The password will not be shown in the API returns for security reason.
Users¶
As an non-admin account has unlimited permissions to all resources it owns, people may create users to have finely-grained permission control. Users can only perform APIs assigned by policies.
User Inventory¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
uuid | see Resource Properties | 0.8 | ||
name | user name, see Resource Properties | 0.8 | ||
description | see Resource Properties | true | 0.8 | |
accountUuid | uuid of the owner account | 0.8 | ||
createDate | see Resource Properties | 0.8 | ||
lastOpDate | see Resource Properties | 0.8 |
Note
The password will not be shown in the API returns for security reason.
Groups¶
Accounts can create groups to aggregate users. By assigning policies to groups, accounts can grant the same permissions to a group of users.
Group Inventory¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
uuid | see Resource Properties | 0.8 | ||
name | group name, see Resource Properties | 0.8 | ||
description | see Resource Properties | true | 0.8 | |
accountUuid | uuid of the owner account | 0.8 | ||
createDate | see Resource Properties | 0.8 | ||
lastOpDate | see Resource Properties | 0.8 |
Policies¶
Polices are permissions that define what APIs users can perform. A policy consists of an array of statements each of which defines permissions to APIs.
Policy Inventory¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
uuid | see Resource Properties | 0.8 | ||
name | policy name, see Resource Properties | 0.8 | ||
description | see Resource Properties | true | 0.8 | |
accountUuid | uuid of the owner account, see account | 0.8 | ||
statements | a list of statements defining API permissions | 0.8 | ||
createDate | see Resource Properties | 0.8 | ||
lastOpDate | see Resource Properties | 0.8 |
Example¶
{
"inventories": [
{
"accountUuid": "3153a08ab21f46ca9e8b40ecfeec4255",
"name": "DEFAULT-READ-3153a08ab21f46ca9e8b40ecfeec4255",
"statements": [
{
"actions": [
".*:read"
],
"effect": "Allow",
"name": "read-permission-for-account-3153a08ab21f46ca9e8b40ecfeec4255"
}
],
"uuid": "b5169828533b47988a0d09f262b5769c"
}
]
}
Statements:¶
A statement is a JSON text, containing a list of string matching API identities and an effect: Allow or Deny. A statement looks like:
{
"actions": [
".*:read",
"instance:APICreateVmInstanceMsg"
],
"effect": "Allow",
"name": "read-permission-for-account-3153a08ab21f46ca9e8b40ecfeec4255"
}
actions is a list of action strings that match one or more API identities. An API identity is a string in format of *api_category:api_name* that uniquely identifies an API. An action string can be a full identity like instance:APICreateVmInstanceMsg that only matches one API, or a regular expression that matches multiple APIs, for example, *instance:.** will match all APIs under the category *instance*. Most of APIs have only one identity that is *api_category:api_name*; some APIs have more identities so people can use regular expressions to match a group of APIs.
effect tells the decision when a action string matches an API call, allow or deny.
Note
In this version, all *read* APIs have an extra identity in format of *api_category:read*, for example, instance:read. The read APIs are those not performing operations but getting information from ZStack. For example, all query APIs are read APIs; for example, the API APIQueryVmInstanceMsg has a default identity instance:APIQueryVmInstanceMsg and an extra identity instance:read.
A category may have many read APIs. For example, the VM category(‘instance’) has APIQueryVmInstanceMsg, APIQueryVmNicMsg, APIGetVmAttachableDataVolumeMsg and so forth. They all have an API identity *instance:read*. So a statement containing such action string can grant all read APIs in VM category to users and groups.
A list of API identities can be found at API identities.
Statement Inventory¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
name | statement name | 0.8 | ||
effect | permission decision |
|
0.8 | |
actions | a list of strings to match API identities | 0.8 |
Quota¶
Admin accounts can use quotas to limit how many resources non-admin accounts can create. When creating a non-admin account, ZStack automatically assigns default quotas to it, and admins can change them by the API UpdateQuota. A list of default quotas can be found at default quotas.
Permission Control¶
The most exciting thing of identity system is that you can control API permissions, deciding what people can call what APIs. When people login into ZStack, depending on the way they login, they can get different permissions regarding APIs.
Administrators: When login as an admin account, the people can call any APIs.
Non-admin Account: When login as a non-admin account, the people can perform any non-admin APIs.
User: When login as a user under an account, the people can only perform APIs granted by polices attached to the user or groups the user is in.
Using users and groups¶
The best way to limit people’s permission in ZStack is only allowing they to login as users. Let’s say you are a manager in a team that needs to apply some VMs in your company’s IT infrastructure managed by ZStack. The first thing is to ask ZStack administrators in your company to create a non-admin account for you; once you get the account, you can create multiple users and groups with proper polices attached; then you can give those users to your team members , who can manipulate ZStack resources under the permissions you granted by polices.
An example helps to understand all those stuff, say you want to create below organization for your team:
In this organization, you have an infrastructure group responsible for managing VMs; the group has three members: David, Tony, Frank; you have another operation group for operating the VMs, which also has three users: Lucy, Arhbi, Jeff. The infrastructure group has permissions to manage VMs’ lifecycle while the operation group can only use VMs by accessing their consoles. In addition, you as the manager have all API permissions of your team’s account(ops-team). To create such an organization:
Create the account ops-team:
>>>CreateAccount name=ops-team password=password
Note
make sure you login as the admin account to create the account
Login using the account ops-team:
>>>LogInByAccount accountName=ops-team password=password
Create users:
>>>CreateUser name=david password=password
repeat the step to create all users (tony, frank, lucy, arhbi, jeff, mgr)
Create groups:
>>>CreateUserGroup name=infra
repeat the step to create another group(ops)
Add users to groups:
>>>AddUserToGroup userUuid=d7646ae8af2140c0a3ccef2ad8da816d groupUuid=92c523a43651442489f8d2d598c7c3da
Note
The userUuid and groupUuid are printed on the screen when you create users and groups
repeat the step to add users into proper groups. infra group(david, tony, frank), ops group(lucy, arhbi, jeff).
Create polices
create the first policy allowing to call all VM related APIs:
>>>CreatePolicy name=vm-management statements='[{"actions":["instance:.*"], "effect":"Allow"}]'
create the second policy only allowing to access VM’s console:
>>>CreatePolicy name=vm-console statements='[{"actions":["instance:APIRequestConsoleAccessMsg"], "effect":"Allow"}]'
create the third policy allowing all APIs:
>>>CreatePolicy name=all statements='[{"actions":[".*"], "effect":"Allow"}]'
Warning
Please note the statements field is a JSON string encompassed by single quotes, and its contents are using double quotes. Please follow this convention otherwise the JSON string may not be able to be correctly parsed.
Attach policies to groups
attach the policy vm-management to the infrastructure group:
>>>AttachPolicyToUserGroup groupUuid=92c523a43651442489f8d2d598c7c3da policyUuid=afb3bfbb911a42e0a662286728e49891
attach the policy vm-console to the operation group:
>>>AttachPolicyToUserGroup groupUuid=0939fc6f772d44d6a8f9d45c89c2a716 policyUuid=3bddf41e2ba6469881a65287879e5d58
Note
The policyUuid and groupUuid are printed on the screen when you create groups and policies
Attach policies to user manager(mgr)
attach the policy all to the manager(user: mgr):
>>>AttachPolicyToUser userUuid=d55c5fba4d1b4533961db9952dc15b00 policyUuid=36c27e8ff05c4780bf6d2fa65700f22e
Note
The policyUuid and userUuid are printed on the screen when you create the policy and the user
Now your organization is created successfully, your team members can use user credentials to login.
Permission Evaluation¶
A policy consists of a list of statements each of which defines permissions(Allow or Deny) to APIs; users can have multiple polices attached either to themselves or to groups they are in. When users call APIs, it always evaluates from their polices then to group polices until a decision is made(Allow or Deny). If there is no policy matching an API, the API will be denied by default.
Default Read Policy¶
When creating a user, a default read policy (action: .*:read, effect: Allow) is attached to the new user so the user can query resources(e.g. VMs, L3 networks).
Admin Account¶
After installing ZStack, an admin account(account name: admin, password: password) is created by default. Administrators can use this account to create admin users which will have unlimited permissions just like the admin account, in order to allow different administrators to use own credentials to login. The password of the admin account can be changed by the API UpdateAccount.
Operations¶
Create Account¶
After login, the admin account can use CreateAccount create non-admin accounts. For example:
CreateAccount name=frank password=123456
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
name | resource name, see Resource Properties | 0.8 | ||
resourceUuid | resource uuid, see Create Resources | true | 0.8 | |
description | resource description, see Resource Properties | true | 0.8 | |
name | account name | 0.8 | ||
password | account password | 0.8 |
Create Users¶
An account can user CreateUser to create a user. For example:
>>>CreateUser name=david password=123456
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
name | resource name, see Resource Properties | 0.8 | ||
resourceUuid | resource uuid, see Create Resources | true | 0.8 | |
description | resource description, see Resource Properties | true | 0.8 | |
name | user name | 0.8 | ||
password | user password | 0.8 |
Create Groups¶
An account can use CreateUserGroup to create a group. For example:
>>>CreateUserGroup name=group
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
name | resource name, see Resource Properties | 0.8 | ||
resourceUuid | resource uuid, see Create Resources | true | 0.8 | |
description | resource description, see Resource Properties | true | 0.8 | |
name | group name | 0.8 |
Create Polices¶
An account can use CreatePolicy to create a policy. For example:
>>>CreatePolicy name=all statements='[{"actions":[".*"], "effect":"Allow"}]'
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
name | resource name, see Resource Properties | 0.8 | ||
resourceUuid | resource uuid, see Create Resources | true | 0.8 | |
name | policy name | 0.8 | ||
statements | a JSON string representing statements | 0.8 |
Add Users into Groups¶
An account can use AddUserToGroup to add a user into a group. For example:
>>>AddUserToGroup userUuid=d7646ae8af2140c0a3ccef2ad8da816d groupUuid=92c523a43651442489f8d2d598c7c3da
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
userUuid | user uuid | 0.8 | ||
groupUuid | group uuid | 0.8 |
Attach Polices to Groups¶
An account can use AttachPolicyToUserGroup to attach a policy to a group. For example:
>>>AttachPolicyToUserGroup groupUuid=92c523a43651442489f8d2d598c7c3da policyUuid=afb3bfbb911a42e0a662286728e49891
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
groupUuid | group uuid | 0.8 | ||
policyUuid | policy uuid | 0.8 |
Attach Polices to Users¶
An account can use AttachPolicyToUser to attach a policy to a user. For example:
>>>AttachPolicyToUser userUuid=d55c5fba4d1b4533961db9952dc15b00 policyUuid=36c27e8ff05c4780bf6d2fa65700f22e
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
userUuid | user uuid | 0.8 | ||
policyUuid | policy uuid | 0.8 |
Detach Polices from Groups¶
An account can use DetachPolicyFromUserGroup to detach a policy from a group. For example:
>>>DetachPolicyFromUserGroup groupUuid=f1a092c6914840c9895c564abbc55375 policyUuid=afb3bfbb911a42e0a662286728e49891
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
groupUuid | group uuid | 0.8 | ||
policyUuid | policy uuid | 0.8 |
Detach Polices from Users¶
An account can use DetachPolicyFromUser to detach a policy from a user. For example:
>>>DetachPolicyFromUser policyUuid=36c27e8ff05c4780bf6d2fa65700f22e userUuid=d7646ae8af2140c0a3ccef2ad8da816d
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
policyUuid | policy uuid | 0.8 | ||
userUuid | user uuid | 0.8 |
Reset Account Password¶
An account can use UpdateAccount to reset its password. For example:
>>>UpdateAccount password=password
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
password | the new password | 0.8 | ||
uuid | the uuid of account to reset the password. It’s mainly used by the admin account to reset passwords of other accounts. For non-admin accounts, this field is ignored as ZStack can figure out the account uuid by the current session. | true | 0.8 |
Reset User Password¶
An account or a user can use UpdateUser to reset the password. For example:
>>>UpdateUser password=password
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
password | the new password | 0.8 | ||
uuid | the user uuid. It’s mainly used by the account to change passwords of users. For user changing own password, this field is ignored as ZStack can figure out the user uuid by the current session. | true | 0.8 |
Delete Groups¶
An account can use DeleteUserGroup to delete a group. For example:
>>>DeleteUserGroup uuid=bb0e50fe0cfa4ec1af1835f9c210ae8e
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
deleteMode | see Delete Resources | true |
|
0.8 |
uuid | group uuid | 0.8 |
Delete Users¶
An account can use DeleteUser to delete a user. For example:
>>>DeleteUser uuid=fa4ec1af1835f9c210ae8e
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
deleteMode | see Delete Resources | true |
|
0.8 |
uuid | user uuid | 0.8 |
Delete Policies¶
An account can use DeletePolicy to delete a policy. For example:
>>>DeletePolicy uuid=bb0e50fe0cfa4ec1af1835f9c210ae8e
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
deleteMode | see Delete Resources | true |
|
0.8 |
uuid | policy uuid | 0.8 |
Delete Accounts¶
The admin account can use DeleteAccount to delete an non-admin account. For example:
>>>DeleteAccount uuid=bb0e50fe0cfa4ec1af1835f9c210ae8e
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
deleteMode | see Delete Resources | true |
|
0.8 |
uuid | account uuid | 0.8 |
Warning
After deleting, all resources owned by the account will be deleted as well
Update Account Quota¶
The admin account can use UpdateQuota to update an account’s quotas. For example:
>>>UpdateQuota identityUuid=bb0e50fe0cfa4ec1af1835f9c210ae8e name=vm.num value=100
Parameters¶
Name | Description | Optional | Choices | Since |
---|---|---|---|---|
identityUuid | the account uuid | 0.8 | ||
name | quota name |
|
0.8 |
Query Accounts¶
An account can use QueryAccount query its own, or the admin account can query all accounts. For example:
>>>QueryAccount name=test
>>>QueryAccount group.name=group1
see account inventory
Field | Inventory | Description | Since |
---|---|---|---|
group | group inventory | child group | 0.6 |
user | user inventory | child user | 0.6 |
policy | policy inventory | child policy | 0.6 |
quota | child quota | 0.6 |
Query Users¶
An account can use QueryUser to query users. For example:
>>>QueryUser name=frank
>>>QueryUser name=frank policy.name=allow
see user inventory
Field | Inventory | Description | Since |
---|---|---|---|
account | see account inventory | the parent account | 0.6 |
group | see group inventory | the group the user is in | 0.6 |
policy | see policy inventory | the policy attached to the user | 0.6 |
Query Policy¶
An account can use QueryPolicy to query policies. For example:
>>>QueryPolicy name=vm-management
>>>QueryPolicy user.name=frank
see policy inventory
Field | Inventory | Description | Since |
---|---|---|---|
account | see account inventory | the parent account | 0.6 |
group | see group inventory | groups the policy attached | 0.6 |
user | see user inventory | users the policy attached | 0.6 |
Query Groups¶
An account can use QueryUserGroup to query groups. For example:
>>>QueryUserGroup name=group1
>>>QueryUserGroup user.name=frank
see group inventory
Field | Inventory | Description | Since |
---|---|---|---|
account | see account inventory | the parent account | 0.6 |
user | see user inventory | users in the group | 0.6 |
policy | see policy inventory | the policy attached to the group | 0.6 |
Reference¶
Admin-only APIs¶
QueryGlobalConfig
GetGlobalConfig
UpdateGlobalConfig
GetHostAllocatorStrategies
GetCpuMemoryCapacity
ChangeInstanceOffering
IsReadyToGo
GetPrimaryStorageTypes
AttachPrimaryStorageToCluster
GetPrimaryStorageCapacity
UpdatePrimaryStorage
QueryPrimaryStorage
ChangePrimaryStorageState
SyncPrimaryStorageCapacity
DeletePrimaryStorage
ReconnectPrimaryStorage
DetachPrimaryStorageFromCluster
GetPrimaryStorageAllocatorStrategies
GetVolumeSnapshotTree
QueryBackupStorage
AttachBackupStorageToZone
GetBackupStorageTypes
ChangeBackupStorageState
GetBackupStorageCapacity
DetachBackupStorageFromZone
UpdateBackupStorage
DeleteBackupStorage
AddNetworkServiceProvider
AttachNetworkServiceProviderToL2Network
DetachNetworkServiceProviderFromL2Network
AttachL2NetworkToCluster
QueryL2VlanNetwork
CreateL2VlanNetwork
DetachL2NetworkFromCluster
DeleteL2Network
CreateL2NoVlanNetwork
UpdateL2Network
GetL2NetworkTypes
DeleteSearchIndex
SearchGenerateSqlTrigger
CreateSearchIndex
QueryManagementNode
CreateMessage
QueryCluster
DeleteCluster
UpdateCluster
CreateCluster
ChangeClusterState
CreateAccount
LogInByUser
SessionMessage
UpdateQuota
QueryAccount
LogInByAccount
ValidateSession
LogOut
UpdateZone
DeleteZone
CreateZone
QueryZone
ChangeZoneState
ChangeHostState
ReconnectHost
UpdateHost
DeleteHost
GetHypervisorTypes
QueryHost
QueryApplianceVm
AddIscsiFileSystemBackendPrimaryStorage
QueryIscsiFileSystemBackendPrimaryStorage
UpdateIscsiFileSystemBackendPrimaryStorage
AddLocalPrimaryStorage
UpdateKVMHost
AddKVMHost
AddNfsPrimaryStorage
QuerySftpBackupStorage
ReconnectSftpBackupStorage
UpdateSftpBackupStorage
AddSftpBackupStorage
Non-admin APIs¶
UpdateVmInstance
GetVmAttachableL3Network
MigrateVm
StopVmInstance
GetVmAttachableDataVolume
QueryVmNic
AttachL3NetworkToVm
DestroyVmInstance
GetVmMigrationCandidateHosts
QueryVmInstance
DetachL3NetworkFromVm
RebootVmInstance
CreateVmInstance
StartVmInstance
ChangeImageState
UpdateImage
DeleteImage
CreateDataVolumeTemplateFromVolume
CreateRootVolumeTemplateFromRootVolume
QueryImage
CreateRootVolumeTemplateFromVolumeSnapshot
AddImage
RequestConsoleAccess
BackupDataVolume
AttachDataVolumeToVm
UpdateVolume
QueryVolume
CreateDataVolumeFromVolumeSnapshot
CreateDataVolumeFromVolumeTemplate
DetachDataVolumeFromVm
CreateDataVolume
GetDataVolumeAttachableVm
GetVolumeFormat
DeleteDataVolume
CreateVolumeSnapshot
ChangeVolumeState
DeleteDiskOffering
QueryInstanceOffering
UpdateInstanceOffering
CreateInstanceOffering
CreateDiskOffering
DeleteInstanceOffering
ChangeInstanceOfferingState
QueryDiskOffering
UpdateDiskOffering
ChangeDiskOfferingState
QueryVolumeSnapshotTree
DeleteVolumeSnapshot
UpdateVolumeSnapshot
DeleteVolumeSnapshotFromBackupStorage
QueryVolumeSnapshot
RevertVolumeFromSnapshot
BackupVolumeSnapshot
AddDnsToL3Network
CreateL3Network
GetFreeIp
UpdateL3Network
DeleteIpRange
ChangeL3NetworkState
AddIpRange
GetL3NetworkTypes
AddIpRangeByNetworkCidr
QueryIpRange
RemoveDnsFromL3Network
GetIpAddressCapacity
DeleteL3Network
UpdateIpRange
QueryL3Network
AttachNetworkServiceToL3Network
QueryNetworkServiceL3NetworkRef
QueryNetworkServiceProvider
GetNetworkServiceTypes
QueryL2Network
QueryUserTag
QuerySystemTag
DeleteTag
CreateUserTag
CreateSystemTag
QueryTag
AttachPolicyToUserGroup
RemoveUserFromGroup
AttachPolicyToUser
UpdateUser
AddUserToGroup
QueryQuota
ShareResource
DeleteAccount
CreateUserGroup
CreateUser
DetachPolicyFromUserGroup
QueryPolicy
QueryUser
DeletePolicy
RevokeResourceSharing
UpdateAccount
DeleteUser
DeleteUserGroup
CreatePolicy
DetachPolicyFromUser
QueryUserGroup
ReconnectVirtualRouter
QueryVirtualRouterOffering
CreateVirtualRouterOffering
QueryVirtualRouterVm
AttachPortForwardingRule
DetachPortForwardingRule
GetPortForwardingAttachableVmNics
ChangePortForwardingRuleState
UpdatePortForwardingRule
CreatePortForwardingRule
QueryPortForwardingRule
DeletePortForwardingRule
DetachEip
GetEipAttachableVmNics
UpdateEip
QueryEip
ChangeEipState
DeleteEip
CreateEip
AttachEip
ChangeSecurityGroupState
DetachSecurityGroupFromL3Network
DeleteSecurityGroupRule
CreateSecurityGroup
QueryVmNicInSecurityGroup
QuerySecurityGroup
AddSecurityGroupRule
QuerySecurityGroupRule
DeleteSecurityGroup
UpdateSecurityGroup
DeleteVmNicFromSecurityGroup
GetCandidateVmNicForSecurityGroup
AttachSecurityGroupToL3Network
AddVmNicToSecurityGroup
DeleteVip
UpdateVip
ChangeVipState
CreateVip
QueryVip
API Identities¶
ReconnectVirtualRouter: virtualRouter:APIReconnectVirtualRouterMsg
GetNetworkServiceProvider: l2Network:read, l2Network:APIGetNetworkServiceProviderMsg
AddDnsToL3Network: l3Network:APIAddDnsToL3NetworkMsg
DeleteSecurityGroup: securityGroup:APIDeleteSecurityGroupMsg
AddImage: image:APIAddImageMsg
QueryUser: identity:read, identity:APIQueryUserMsg
GetL3NetworkTypes: l3Network:read, l3Network:APIGetL3NetworkTypesMsg
ShareResource: identity:APIShareResourceMsg
QueryVirtualRouterOffering: virtualRouter:read, virtualRouter:APIQueryVirtualRouterOfferingMsg
QueryIpRange: l3Network:read, l3Network:APIQueryIpRangeMsg
AttachDataVolumeToVm: volume:APIAttachDataVolumeToVmMsg
QueryUserGroup: identity:read, identity:APIQueryUserGroupMsg
QueryVmNicInSecurityGroup: securityGroup:read, securityGroup:APIQueryVmNicInSecurityGroupMsg
CreateSystemTag: tag:APICreateSystemTagMsg
CreateVip: vip:APICreateVipMsg
DeleteDiskOffering: configuration:APIDeleteDiskOfferingMsg
StartVmInstance: instance:APIStartVmInstanceMsg
GetVmAttachableL3Network: instance:read, instance:APIGetVmAttachableL3NetworkMsg
DeleteVip: vip:APIDeleteVipMsg
GetDataVolumeAttachableVm: volume:read, volume:APIGetDataVolumeAttachableVmMsg
QuerySystemTag: tag:read, tag:APIQuerySystemTagMsg
AttachL3NetworkToVm: instance:APIAttachL3NetworkToVmMsg
CreateUserTag: tag:APICreateUserTagMsg
CreateVmInstance: instance:APICreateVmInstanceMsg
CreateSecurityGroup: securityGroup:APICreateSecurityGroupMsg
UpdateVolumeSnapshot: volumeSnapshot:APIUpdateVolumeSnapshotMsg
QueryDiskOffering: configuration:read, configuration:APIQueryDiskOfferingMsg
StopVmInstance: instance:APIStopVmInstanceMsg
CreateEip: eip:APICreateEipMsg
ChangePortForwardingRuleState: portForwarding:APIChangePortForwardingRuleStateMsg
UpdateL3Network: l3Network:APIUpdateL3NetworkMsg
ChangeDiskOfferingState: configuration:APIChangeDiskOfferingStateMsg
MigrateVm: instance:APIMigrateVmMsg
ChangeVipState: vip:APIChangeVipStateMsg
AddIpRange: l3Network:APIAddIpRangeMsg
CreateDataVolume: volume:APICreateDataVolumeMsg
CreateDataVolumeFromVolumeSnapshot: volume:APICreateDataVolumeFromVolumeSnapshotMsg
UpdateImage: image:APIUpdateImageMsg
QueryVmNic: instance:read, instance:APIQueryVmNicMsg
QueryTag: tag:read, tag:APIQueryTagMsg
GetPortForwardingAttachableVmNics: portForwarding:APIGetPortForwardingAttachableVmNicsMsg
DeleteInstanceOffering: configuration:APIDeleteInstanceOfferingMsg
AttachPortForwardingRule: portForwarding:APIAttachPortForwardingRuleMsg
DeletePortForwardingRule: portForwarding:APIDeletePortForwardingRuleMsg
CreatePortForwardingRule: portForwarding:APICreatePortForwardingRuleMsg
UpdateIpRange: l3Network:APIUpdateIpRangeMsg
GetFreeIp: l3Network:read, l3Network:APIGetFreeIpMsg
ChangeL3NetworkState: l3Network:APIChangeL3NetworkStateMsg
QueryVip: vip:read, vip:APIQueryVipMsg
UpdateEip: eip:APIUpdateEipMsg
QueryVolumeSnapshotTree: volumeSnapshot:read, volumeSnapshot:APIQueryVolumeSnapshotTreeMsg
DetachDataVolumeFromVm: volume:APIDetachDataVolumeFromVmMsg
RebootVmInstance: instance:APIRebootVmInstanceMsg
UpdateInstanceOffering: configuration:APIUpdateInstanceOfferingMsg
DestroyVmInstance: instance:APIDestroyVmInstanceMsg
UpdateUser: identity:APIUpdateUserMsg
QueryNetworkServiceL3NetworkRef: l3Network:read, l3Network:APIQueryNetworkServiceL3NetworkRefMsg
CreateL3Network: l3Network:APICreateL3NetworkMsg
GetNetworkServiceTypes: l3Network:read, l3Network:APIGetNetworkServiceTypesMsg
GetVmAttachableDataVolume: instance:read, instance:APIGetVmAttachableDataVolumeMsg
QueryL3Network: l3Network:read, l3Network:APIQueryL3NetworkMsg
CreateDataVolumeTemplateFromVolume: image:APICreateDataVolumeTemplateFromVolumeMsg
DeleteSecurityGroupRule: securityGroup:APIDeleteSecurityGroupRuleMsg
QueryUserTag: tag:read, tag:APIQueryUserTagMsg
DeleteVolumeSnapshotFromBackupStorage: volumeSnapshot:APIDeleteVolumeSnapshotFromBackupStorageMsg
CreateDiskOffering: configuration:APICreateDiskOfferingMsg
QuerySecurityGroup: securityGroup:read, securityGroup:APIQuerySecurityGroupMsg
QueryVolumeSnapshot: volumeSnapshot:read, volumeSnapshot:APIQueryVolumeSnapshotMsg
QueryPortForwardingRule: portForwarding:read, portForwarding:APIQueryPortForwardingRuleMsg
UpdateDiskOffering: configuration:APIUpdateDiskOfferingMsg
GetCandidateVmNicForSecurityGroup: securityGroup:read, securityGroup:APIGetCandidateVmNicForSecurityGroupMsg
QueryPolicy: identity:read, identity:APIQueryPolicyMsg
GetEipAttachableVmNics: eip:APIGetEipAttachableVmNicsMsg
CreateInstanceOffering: configuration:APICreateInstanceOfferingMsg
AddIpRangeByNetworkCidr: l3Network:APIAddIpRangeByNetworkCidrMsg
UpdateVmInstance: instance:APIUpdateVmInstanceMsg
QueryVirtualRouterVm: virtualRouter:read, virtualRouter:APIQueryVirtualRouterVmMsg
RequestConsoleAccess: console:APIRequestConsoleAccessMsg
ChangeEipState: eip:APIChangeEipStateMsg
QuerySecurityGroupRule: securityGroup:read, securityGroup:APIQuerySecurityGroupRuleMsg
DetachSecurityGroupFromL3Network: securityGroup:APIDetachSecurityGroupFromL3NetworkMsg
CreateDataVolumeFromVolumeTemplate: volume:APICreateDataVolumeFromVolumeTemplateMsg
DeleteDataVolume: volume:APIDeleteDataVolumeMsg
AddVmNicToSecurityGroup: securityGroup:APIAddVmNicToSecurityGroupMsg
DeleteVolumeSnapshot: volumeSnapshot:APIDeleteVolumeSnapshotMsg
DetachEip: eip:APIDetachEipMsg
DetachPortForwardingRule: portForwarding:APIDetachPortForwardingRuleMsg
CreateVirtualRouterOffering: virtualRouter:APICreateVirtualRouterOfferingMsg
RevertVolumeFromSnapshot: volumeSnapshot:APIRevertVolumeFromSnapshotMsg
DeleteIpRange: l3Network:APIDeleteIpRangeMsg
UpdateVip: vip:APIUpdateVipMsg
AttachNetworkServiceToL3Network: l3Network:APIAttachNetworkServiceToL3NetworkMsg
DeleteTag: tag:APIDeleteTagMsg
RemoveDnsFromL3Network: l3Network:APIRemoveDnsFromL3NetworkMsg
DeleteL3Network: l3Network:APIDeleteL3NetworkMsg
UpdatePortForwardingRule: portForwarding:APIUpdatePortForwardingRuleMsg
ChangeVolumeState: volume:APIChangeVolumeStateMsg
QueryVmInstance: instance:read, instance:APIQueryVmInstanceMsg
GetVmMigrationCandidateHosts: instance:read, instance:APIGetVmMigrationCandidateHostsMsg
UpdateVolume: volume:APIUpdateVolumeMsg
QueryL2Network: l2Network:read, l2Network:APIQueryL2NetworkMsg
BackupVolumeSnapshot: volumeSnapshot:APIBackupVolumeSnapshotMsg
QueryQuota: identity:read, identity:APIQueryQuotaMsg
QueryImage: image:read, image:APIQueryImageMsg
RevokeResourceSharing: identity:APIRevokeResourceSharingMsg
UpdateSecurityGroup: securityGroup:APIUpdateSecurityGroupMsg
ChangeImageState: image:APIChangeImageStateMsg
AddSecurityGroupRule: securityGroup:APIAddSecurityGroupRuleMsg
QueryVolume: volume:read, volume:APIQueryVolumeMsg
AttachSecurityGroupToL3Network: securityGroup:APIAttachSecurityGroupToL3NetworkMsg
DeleteEip: eip:APIDeleteEipMsg
QueryEip: eip:read, eip:APIQueryEipMsg
DeleteImage: image:APIDeleteImageMsg
GetIpAddressCapacity: l3Network:read, l3Network:APIGetIpAddressCapacityMsg
ChangeInstanceOfferingState: configuration:APIChangeInstanceOfferingStateMsg
DeleteVmNicFromSecurityGroup: securityGroup:APIDeleteVmNicFromSecurityGroupMsg
CreateVolumeSnapshot: volumeSnapshot:APICreateVolumeSnapshotMsg
CreateRootVolumeTemplateFromRootVolume: image:APICreateRootVolumeTemplateFromRootVolumeMsg
GetVolumeFormat: volume:read, volume:APIGetVolumeFormatMsg
BackupDataVolume: volume:APIBackupDataVolumeMsg
CreateRootVolumeTemplateFromVolumeSnapshot: image:APICreateRootVolumeTemplateFromVolumeSnapshotMsg
QueryInstanceOffering: configuration:read, configuration:APIQueryInstanceOfferingMsg
ChangeSecurityGroupState: securityGroup:APIChangeSecurityGroupStateMsg
QueryNetworkServiceProvider: l3Network:read, l3Network:APIQueryNetworkServiceProviderMsg
AttachEip: eip:APIAttachEipMsg
DetachL3NetworkFromVm: instance:APIDetachL3NetworkFromVmMsg
Default Quotas¶
Name | Description | Value | Since |
---|---|---|---|
vip.num | max number of VIPs | 20 | 0.8 |
securityGroup.num | max number of security groups | 20 | 0.8 |
l3.num | max number of L3 networks | 20 | 0.8 |
portForwarding.num | max number of port forwarding rules | 20 | 0.8 |
vm.num | max number of VMs | 20 | 0.8 |
vm.cpuNum | max number of VCPU cores | 80 | 0.8 |
vm.memorySize | total size of memory | 85899345920 bytes (80G) | 0.8 |
volume.data.num | max number of data volumes | 40 | 0.8 |
volume.capacity | total volume capacity of both data volumes and root volumes | 10995116277760 bytes (10T) | 0.8 |
eip.num | max number of EIPs | 20 | 0.8 |