A.18. 用于操作角色的 REST API
除了 ctlplane -admin 角色 命令外,您还可以使用 REST API 来操作角色。
若要调用 REST admin API,创建一个具有 admin 上限的用户。
示例
[root@host01 ~]# radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create [root@host01 ~]# radosgw-admin caps add --uid="TESTER" --caps="roles=*"
创建角色:
语法
POST “<hostname>?Action=CreateRole&RoleName=ROLE_NAME&Path=PATH_TO_FILE&AssumeRolePolicyDocument=TRUST_RELATIONSHIP_POLICY_DOCUMENT”
示例
POST “<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument={"Version":"2022-06-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}”响应示例
<role> <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> <name>S3Access</name> <path>/application_abc/component_xyz/</path> <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> <create_date>2022-06-23T07:43:42.811Z</create_date> <max_session_duration>3600</max_session_duration> <assume_role_policy_document>{"Version":"2022-06-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> </role>获取角色:
语法
POST “<hostname>?Action=GetRole&RoleName=ROLE_NAME”示例
POST “<hostname>?Action=GetRole&RoleName=S3Access”
响应示例
<role> <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> <name>S3Access</name> <path>/application_abc/component_xyz/</path> <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> <create_date>2022-06-23T07:43:42.811Z</create_date> <max_session_duration>3600</max_session_duration> <assume_role_policy_document>{"Version":"2022-06-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> </role>列出角色:
语法
POST “<hostname>?Action=GetRole&RoleName=ROLE_NAME&PathPrefix=PATH_PREFIX”
请求示例
POST “<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application”
响应示例
<role> <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> <name>S3Access</name> <path>/application_abc/component_xyz/</path> <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> <create_date>2022-06-23T07:43:42.811Z</create_date> <max_session_duration>3600</max_session_duration> <assume_role_policy_document>{"Version":"2022-06-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> </role>更新假定角色策略文档:
语法
POST “<hostname>?Action=UpdateAssumeRolePolicy&RoleName=ROLE_NAME&PolicyDocument=TRUST_RELATIONSHIP_POLICY_DOCUMENT”
示例
POST “<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument={"Version":"2022-06-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER2"]},"Action":["sts:AssumeRole"]}]}”更新附加到角色的策略:
语法
POST “<hostname>?Action=PutRolePolicy&RoleName=ROLE_NAME&PolicyName=POLICY_NAME&PolicyDocument=TRUST_RELATIONSHIP_POLICY_DOCUMENT”
示例
POST “<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument={"Version":"2022-06-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}”列出附加到角色的权限策略名称:
语法
POST “<hostname>?Action=ListRolePolicies&RoleName=ROLE_NAME”示例
POST “<hostname>?Action=ListRolePolicies&RoleName=S3Access” <PolicyNames> <member>Policy1</member> </PolicyNames>
获取附加到角色的权限策略:
语法
POST “<hostname>?Action=GetRolePolicy&RoleName=ROLE_NAME&PolicyName=POLICY_NAME”
示例
POST “<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1” <GetRolePolicyResult> <PolicyName>Policy1</PolicyName> <RoleName>S3Access</RoleName> <Permission_policy>{"Version":"2022-06-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}</Permission_policy> </GetRolePolicyResult>删除附加到角色的策略:
语法
POST “hostname>?Action=DeleteRolePolicy&RoleName=ROLE_NAME&PolicyName=POLICY_NAME“
示例
POST “<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1”
删除角色:
注意只有在角色没有附加任何权限策略时,才能删除角色。
语法
POST “<hostname>?Action=DeleteRole&RoleName=ROLE_NAME"示例
POST “<hostname>?Action=DeleteRole&RoleName=S3Access"
其它资源
- 详情请参阅 Red Hat Ceph Storage Object Gateway Guide 中的角色 管理 一节。
