本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 在 Amazon Neptune 中创建 IAM 数据访问策略
[以下示例展示了如何创建自定义 IAM 策略,这些策略使用 Neptune 引擎发行版 1.2.0.0 中引入的数据平面 APIs 和操作的精细访问控制。](engine-releases-1.2.0.0.md)
## 策略示例:允许不受限制地访问 Neptune 数据库集群中的数据
以下示例策略允许 IAM 用户使用 IAM 数据库身份验证连接到 Neptune 数据库集群,并使用“`*`”字符匹配所有可用的操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
以上示例包含采用特定于 Neptune IAM 身份验证的格式的资源 ARN。要构造 ARN,请参阅[指定数据资源](iam-data-resources.md)。请注意,用于 IAM 授权 `Resource` 的 ARN 与创建时分配给集群的 ARN 不同。
## 允许对 Neptune 数据库集群进行只读访问的策略示例
以下策略授予对 Neptune 数据库集群中数据的完全只读访问权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:Read*",
"neptune-db:Get*",
"neptune-db:List*"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 策略示例:拒绝对 Neptune 数据库集群的所有访问权限
默认 IAM 操作是拒绝对数据库集群的访问,除非授予 `Allow` *效果*。但是,以下策略拒绝特定 AWS 账户和区域对数据库集群的所有访问权限,然后优先于任何`Allow`效果。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 策略示例:通过查询授予读取访问权限
以下策略仅授予使用查询从 Neptune 数据库集群读取数据的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:ReadDataViaQuery",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 仅允许 Gremlin 查询的策略示例
以下策略使用 `neptune-db:QueryLanguage` 条件键授予仅使用 Gremlin 查询语言查询 Neptune 的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"neptune-db:QueryLanguage": "Gremlin"
}
}
}
]
}
```
------
## 策略示例:允许除 Neptune ML 模型管理之外的所有访问权限
以下策略授予对 Neptune 图形操作的完全访问权限,但 Neptune ML 模型管理特征除外:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:CancelLoaderJob",
"neptune-db:CancelQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:DeleteStatistics",
"neptune-db:GetEngineStatus",
"neptune-db:GetLoaderJobStatus",
"neptune-db:GetQueryStatus",
"neptune-db:GetStatisticsStatus",
"neptune-db:GetStreamRecords",
"neptune-db:ListLoaderJobs",
"neptune-db:ManageStatistics",
"neptune-db:ReadDataViaQuery",
"neptune-db:ResetDatabase",
"neptune-db:StartLoaderJob",
"neptune-db:WriteDataViaQuery"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 允许访问 Neptune ML 模型管理的策略示例
此策略授予对 Neptune ML 模型管理特征的访问权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:CancelMLDataProcessingJob",
"neptune-db:CancelMLModelTrainingJob",
"neptune-db:CancelMLModelTransformJob",
"neptune-db:CreateMLEndpoint",
"neptune-db:DeleteMLEndpoint",
"neptune-db:GetMLDataProcessingJobStatus",
"neptune-db:GetMLEndpointStatus",
"neptune-db:GetMLModelTrainingJobStatus",
"neptune-db:GetMLModelTransformJobStatus",
"neptune-db:ListMLDataProcessingJobs",
"neptune-db:ListMLEndpoints",
"neptune-db:ListMLModelTrainingJobs",
"neptune-db:ListMLModelTransformJobs",
"neptune-db:StartMLDataProcessingJob",
"neptune-db:StartMLModelTrainingJob",
"neptune-db:StartMLModelTransformJob"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 策略示例:授予完全查询访问权限
以下策略授予对 Neptune 图形查询操作的完全访问权限,但不授予对快速重置、流、批量加载程序、Neptune ML 模型管理等特征的完全访问权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:GetEngineStatus",
"neptune-db:GetQueryStatus",
"neptune-db:CancelQuery"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 策略示例:仅授予对 Gremlin 查询的完全访问权限
以下策略授予使用 Gremlin 查询语言对 Neptune 图形查询操作的完全访问权限,但不授予对其它语言的查询的完全访问权限,也不授予对快速重置、流、批量加载程序、Neptune ML 模型管理等特征的完全访问权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:GetEngineStatus",
"neptune-db:GetQueryStatus",
"neptune-db:CancelQuery"
],
"Resource": [
"arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
],
"Condition": {
"StringEquals": {
"neptune-db:QueryLanguage":"Gremlin"
}
}
}
]
}
```
------
## 策略示例:授予完全访问权限,但快速重置除外
以下策略授予对 Neptune 数据库集群的完全访问权限,但使用快速重置除外:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
},
{
"Effect": "Deny",
"Action": "neptune-db:ResetDatabase",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------