主账号如何对RAM账号进行授权_云数据库 OceanBase 版(OceanBase)-阿里云帮助中心

在使用 RAM 账号调用阿里云 API 前，需要主账号通过创建授权策略对 RAM 账号进行授权。

资源授权

默认子账号没有权限通过调用阿里云 API 去创建、修改云资源。使用子账号调用 API 时，您需要先创建一个授权策略，然后将这个授权策略关联给对应的子账号完成资源授权。

在创建授权策略时，您可以通过 ARN (Aliyun Resource Name) 指定要授权的资源。ARN 是阿里云为每个资源定义的一个全局的阿里云资源名称。

ARN 格式如下：

acs: 
service-name: 
region: 
account-id: 
resource-relative-id:

其中：

acs：Alibaba Cloud Service 的首字母缩写，表示阿里云的公共云平台。
service-name：阿里云云服务的名称，如 OceanBase,ECS, OSS, SLB 等。
region：地域信息。如果不支持该项，可以使用通配符星号（*）来代替。
account-id ：账号 ID，例如 123456789***。
resource-relative-id：具体的资源描述，不同的云产品的资源描述也不同，详情参见各云产品的开发文档。
比如acs:oceanbase:cn-shanghai:123456789***:instance/obtestid**表示 OceanBase 服务中对象名称是 instance/obtestid** 的资源，对象的所有者 UID 为123456789***。

可授权的 OceanBase 资源类型

权限是分级别划分的，从高到低是 instance，tenant，database，高权限包含低权限。

权限可以使用“*”来做通配符，兼容所有的字段。

资源类型	授权策略中的资源描述方法
INSTANCE	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
	acs:oceanbase:{region}:{accountId}:*
	acs:oceanbase:{region}::
	acs:oceanbase:::*
TENANT	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
	acs:oceanbase:{region}:{accountId}:*
	acs:oceanbase:{region}::
	acs:oceanbase:::*
DATABASE	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/{databaseName}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
	acs:oceanbase:{region}:{accountId}:*
	acs:oceanbase:{region}::
	acs:oceanbase:::*

可授权的 OceanBase 云服务接口

下表列举了 OceanBase 云服务可授权的 API 及其描述方式：

集群操作

API	资源描述
CreateInstance	无，通过PayOrderCallBack回调
DescribeInstances	acs:oceanbase:{region}:{accountId}:instance/*
DescribeInstance	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeInstance	acs:oceanbase:{region}:{accountId}:instance/*
DescribeInstanceTopology	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeInstanceTopology	acs:oceanbase:{region}:{accountId}:instance/*

租户操作

API	资源描述
CreateTenant	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
CreateTenant	acs:oceanbase:{region}:{accountId}:instance/*
DescribeTenant	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
CreateTenantReadOnlyConnection	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantPrimaryZone	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
DeleteTenants	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantResource	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
DescribeInstanceCreatableZone	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeInstanceCreatableZone	acs:oceanbase:{region}:{accountId}:instance/*
DescribeAvailableCpuResource	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeAvailableCpuResource	acs:oceanbase:{region}:{accountId}:instance/*
DescribeAvailableMemResource	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeAvailableMemResource	acs:oceanbase:{region}:{accountId}:instance/*
DescribeInstanceTenantModes	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeInstanceTenantModes	acs:oceanbase:{region}:{accountId}:instance/*

数据库操作

API	资源描述
DescribeDatabases	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
CreateDatabase	cs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyDatabaseUserRoles	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyDatabaseDescription	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
DeleteDatabases	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/{databaseName}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}/database/*
	acs:oceanbase:{region}: {accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*

账号操作

API	资源描述
DescribeTenantUsers	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
CreateTenantUser	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
DescribeTenantUserRoles	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantUserDescription	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantUserPassword	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantUserRoles	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
ModifyTenantUserStatus	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*
DeleteTenantUsers	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/{tenantId}
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}/tenant/*
	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
	acs:oceanbase:{region}:{accountId}:instance/*

参数管理

API	资源描述
DescribeParameters	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeParameters	acs:oceanbase:{region}:{accountId}:instance/*
DescribeParametersHistory	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeParametersHistory	acs:oceanbase:{region}:{accountId}:instance/*
ModifyParameters	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
ModifyParameters	acs:oceanbase:{region}:{accountId}:instance/*

安全

API	资源描述
CreateSecurityIpGroup	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
CreateSecurityIpGroup	acs:oceanbase:{region}:{accountId}:instance/*
ModifySecurityIps	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
ModifySecurityIps	acs:oceanbase:{region}:{accountId}:instance/*
DeleteSecurityIpGroup	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DeleteSecurityIpGroup	acs:oceanbase:{region}:{accountId}:instance/*
DescribeSecurityIpGroups	acs:oceanbase:{region}:{accountId}:instance/{instanceId}
DescribeSecurityIpGroups	acs:oceanbase:{region}:{accountId}:instance/*