Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to analyze the functions of ECS TAG. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Brief introduction of Tag

Tag (tag) is a way of tagging resources provided by Aliyun. By tagging resources, you can easily tag resources, thus facilitating the batch management of resources. Now there are mainly the following types of resources that can be tagged by ECS using Tag: instance, disk, image, snapshot, security group.

Tag Foundation

Each Tag is made up of two parts, Key and Value. Tag is a very open configuration, and Tag's Key and Value can take almost any string. Therefore, Tag is a tool that can easily tag and classify resources.

Tag usage restrictions

For more reasonable use, Tag has several limitations in terms of functionality.

First of all, there can be no more than 10 Tag on a resource. Too many tags will make it difficult to manage the tags themselves.

The Tag key cannot be the same on a resource. If you add a Tag with an existing key, the old Tag will be overwritten with the new Tag.

The number of resources of the same Tag and the same type is not recommended to exceed 500. if the number of resources of the same Tag is too large, it will weaken the resource classification function of Tag.

Tag Classic scene label Division

For general resource management requirements, they are all for a large number of users. When there are a large number of instances, it will become more difficult to manage the operation and maintenance of instances. Sometimes it is even necessary to split accounts to manage resources of different departments or for different purposes. If Tag is used for classified management of resources, this problem will be greatly simplified.

First of all, we can classify the use scenarios of examples. In general development scenarios, machines are generally classified into multiple categories: development and test environment, packaging environment, production environment, and so on. The operation and maintenance management of these machines is absolutely isolated, so it is necessary to distinguish them on the Tag. On the development and test machine, you can add the tag (see the next section for details) that key is env, value is test; on the production machine, and the label key is env and value is product. Form the machine classification of the following figure.

Then consider the classification of resources according to the users. For those who have a lot of resources, it is also very difficult for one person to manage all resources, so we need to divide resources based on personnel. We can add labels indicating departments on resources, which means that these resources belong to different departments. After adding the department classification, the machine classification is shown in the figure:

The way you use Tag

Next, the specific steps of the above operation are described in detail.

API operation

The changing process of resources can be seen more clearly from API operation resources, so it is recommended to use API for resource operations. The related documentation is here: https://help.aliyun.com/product/52507.html

For the next operation, you only need to install python SDK, and the packages you need to install are as follows (operations outside ECS, such as RAM, etc., are operated through the console)

Aliyun-python-sdk-corealiyun-python-sdk-ecs tagging page operation

To add tags, the main parameters required are resource id, resource type and tag. Be careful not to enter region incorrectly. The following is an example of code to tag a resource, with up to 5 tags added in a single call.

# common codes, do not add # coding=utf-8import loggingfrom aliyunsdkcore import clientfrom aliyunsdkcore.acs_exception.exceptions import ServerException next time, ClientExceptionfrom aliyunsdkecs.request.v20140526.AddTagsRequest import AddTagsRequestclint = client.AcsClient ('AK',' SK', 'cn-qingdao') # region fill in logging.basicConfig (level=logging.INFO, format='% (asctime) s% (filename) s [line:% (lineno) d]% (levelname) s% (message) s' Datefmt='%a,% d% b% Y% HGV% MVA% S') def _ get_response (request): try: ret = clint.do_action_with_exception (request) logging.info (ret) except ServerException, e: logging.error (e) except ClientException, e: logging.error (e) # common codes enddef add_tag (resource_id, resource_type, tag1) Tag2): request = AddTagsRequest () request.set_ResourceId (resource_id) request.set_ResourceType (resource_type) request.set_Tag1Key (tag1.get ('key')) request.set_Tag1Value (tag1.get (' value')) request.set_Tag2Key (tag2.get ('key')) request.set_Tag2Value (tag2.get (' value')) _ get_response (request) if _ _ name__ ='_ _ main__': add_tag ('iMurxxxxxxx' 'instance', {' key':'env', 'value':'test'}, {' key':'depart', 'value':'dep1'})

In the above example, you can add two tags to the instance (instance) i-xxxxx, env:test and depart:dep1, respectively. If the value makes a mistake when adding Tag, you can correct the value and then call AddTags again to "overwrite" the same key tag.

Query tag page operation

Query tags, you can query the tags on the resources according to the resources, or you can query all the tags under the user's name without filling in the resources. The following is an example of a code that queries a tag under a resource

From aliyunsdkecs.request.v20140526.DescribeTagsRequest import DescribeTagsRequestdef describe_tag (resource_id, resource_type): request = DescribeTagsRequest () request.set_ResourceId (resource_id) request.set_ResourceType (resource_type) _ get_response (request) if _ _ name__ = ='_ main__': describe_tag ('imurxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Delete the tag and delete the tag of the specified resource. This API must now specify the resource. You can delete all tags on the resource whose Tag key is a certain value without specifying Tag value.

From aliyunsdkecs.request.v20140526.RemoveTagsRequest import RemoveTagsRequestdef remove_tag (resource_id, resource_type, tag): request = RemoveTagsRequest () request.set_ResourceId (resource_id) request.set_ResourceType (resource_type) request.set_Tag1Key (tag.get ('key')) request.set_Tag1Value (tag.get (' value')) _ get_response (request) if _ name__ ='_ main__': remove_tag ('iMuk xxxxx,' instance') {'key':'env',' value':'test'}) create resource tagged page operation

The above operations are all aimed at adding Tag for existing resources. In order to ensure the closed loop of the tagging process, tag addition is also supported when creating resources. The creation of APIs with Tag are supported in resource creation APIs, such as creating instance APIs:

From aliyunsdkecs.request.v20140526.RunInstancesRequest import RunInstancesRequestdef remove_tag (resource_id, resource_type, tag): request = RunInstancesRequest ()... Request.set_Tags ({'Key':'env',' Value':'test'}) _ get_response (request)

The instance created in this way will naturally have an env:test tag.

Add tags to console operation and send me to learn API.

To add a tag in the console, you can select the edit tag directly from the "more" option in the instance list, and create a new tag in the pop-up box.

Query tags send me to learn API.

The tag can be seen in the instance list or in the instance details page.

Delete the tag and send me to learn API.

Just like adding tags, deleting tags is also operated in the pop-up window of editing tags. Select the existing tags and delete them.

In the grouping configuration in step 4, you can add the label of the created resource.

Authority Control based on Tag

The permission control we involve refers to controlling the access of a sub-account in the case of a sub-account. First, you need to create a sub-account (user) in the RAM console, and then grant permissions to the sub-user. This sub-user will only have permissions related to operation and query authorization rules.

For label permissions, the authorization syntax is as follows:

{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*", "Condition": {"StringEquals": {"ecs:tag/depart": "dep1"}}]}

Sub-users authorized as above can only operate resources with depart:dep1 tags. Note that when querying, this authorization cannot be used as a filter condition. When querying instances, the sub-account must have the filter condition of Tag.1.Key=depart Tag.1.Value=dep1 to allow the query.

For resources authorized by Tag, there are different restrictions on different types of API. The specific restrictions are as follows:

Operation class interface

For an operation API (such as StartInstance), it is an operation against a resource, and whether the sub-account has the permission depends entirely on whether the instance has the specified tag.

If the instance has all the tags specified in the authorization statement, the sub-account operation is allowed.

Query class interface

For query operations, because all authentication actions are pre-actions (that is, the judgment result only distinguishes whether the result is passed or not, but not what is passed in a set), there is no "permission filtering" on the result set. A sub-account that uses tag authentication must be queried with a tag with permission specified in the query in order to find the instance with permission.

Create a class interface

For creating a class interface, authentication determines whether all resources used in the interface have permissions. At the same time, it also determines whether the created resources have permissions. Therefore, for a sub-account with tag authorization, when creating an instance, the creation call must also have the relevant Tag, otherwise the sub-user does not have the permission to create it.

The above is the editor for you to share how to parse the ECS TAG function, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.