Amazon managed policies for Amazon SageMaker - Amazon SageMaker

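Amazon managed policies for Amazon SageMaker

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restricted policy that allows you to perform your use case.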

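The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess — Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects with specific sagemaker tags. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in them to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services.

  • AmazonSageMakerReadOnly — Grants read-only access to Amazon SageMaker resources.

The following Amazon managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess — Grants all actions for all Amazon services and for all resources in the account.

  • DataScientist — Grants a wide range of permissions to cover most of the use cases (primarily for analytics and business intelligence) encountered by data scientists.

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies to allow permissions for Amazon SageMaker actions and resources as you need them. You can attach these custom policies to the users or groups that require them.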

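Amazon managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker and SageMaker geospatial resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in them to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services. This policy does not include permissions to create an Amazon SageMaker domain. For information on the policy needed to create a domain, see Create an Administrative User and Group.

Permissions details

This policy includes the following permissions.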

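  • application-autoscaling — Allows principals to automatically scale a SageMaker real-time inference endpoint.

  • athena — Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace — Allows principals to view Amazon AI Marketplace subscriptions. You need this if you want to access SageMaker software subscribed in Amazon Web Services Marketplace.

  • cloudformation — Allows principals to get Amazon CloudFormation templates for using SageMaker JumpStart solutions and Pipelines. SageMaker JumpStart creates the resources necessary to run end-to-end machine learning solutions that tie SageMaker to other Amazon services. SageMaker Pipelines creates new projects that are backed by Service Catalog.

  • cloudwatch — Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild — Allows principals to store Amazon CodeBuild artifacts for SageMaker Pipelines and Projects.

  • codecommit — Needed for Amazon CodeCommit integration with SageMaker notebook instances.

  • cognito-idp — Needed for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 — Needed for SageMaker to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker jobs, models, endpoints, and notebook instances.

  • ecr — Needed to pull and store Docker artifacts for Amazon SageMaker Studio (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own container in SageMaker. Additional permissions for SageMaker JumpStart solutions are required to create and remove custom images on behalf of users.

  • elastic-inference — Allows principals to connect to Amazon Elastic Inference for using SageMaker notebook instances and endpoints.

  • elasticfilesystem — Allows principals to access Amazon Elastic File System. This is needed for SageMaker to use data sources in Amazon Elastic File System for training machine learning models.

  • fsx — Allows principals to access Amazon FSx. This is needed for SageMaker to use data sources in Amazon FSx for training machine learning models.

  • glue — Needed for inference pipeline pre-processing from within SageMaker notebook instances.

  • groundtruthlabeling — Needed for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.

  • iam — Needed to give the SageMaker console access to available IAM roles and to create service-linked roles.

  • kms — Needed to give the SageMaker console access to available Amazon KMS keys and to retrieve them for any specified Amazon KMS aliases in jobs and endpoints.

  • lambda — Allows principals to invoke and get a list of Amazon Lambda functions.

  • logs — Needed to allow SageMaker jobs and endpoints to publish log streams.

  • redshift — Allows principals to access Amazon Redshift cluster credentials.

  • redshift-data — Allows principals to use data from Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables.

  • robomaker — Allows principals to have full access to create, get descriptions of, and delete Amazon RoboMaker simulation applications and jobs. This is also needed to run reinforcement learning examples on notebook instances.

  • s3 — Allows principals to have full access to Amazon S3 resources pertaining to SageMaker, but not all of Amazon S3.

  • sagemaker — Allows principals to list tags on Amazon SageMaker user profiles, and to add tags to SageMaker apps. Also allows principals to describe and list spaces.

  • sagemaker and sagemaker-geospatial — Allows principals access to all Amazon SageMaker resources except domains, user profiles, apps, spaces, and flow definitions.

  • secretsmanager — Allows principals full access to Amazon Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also needed for SageMaker notebook instances with SageMaker code repositories that use GitHub.

  • servicecatalog — Allows principals to use Service Catalog. Principals can create, get a list of, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using Amazon resources. This is needed for SageMaker JumpStart and Projects to find and read Service Catalog products and launch Amazon resources for users.

  • sns — Allows principals to get a list of Amazon SNS topics. This is needed for endpoints with Async Inference enabled, to notify users that their inference has completed.

  • states — Needed for SageMaker JumpStart and Pipelines to use a service catalog to create Step Functions resources.

  • tag — Needed for SageMaker Pipelines to render in Studio. Studio needs resources tagged with the particular sagemaker:project-id tag key. This requires the tag:GetResources permission.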

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:*", "sagemaker-geospatial:*" ], "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:flow-definition/*" ] }, { "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:app/*" ] }, { "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles", "sagemaker:DescribeSpace", "sagemaker:ListSpaces", "sagemaker:*App", "sagemaker:ListApps" ], "Resource": "*" }, { "Effect": "Allow", "Action": "sagemaker:*", "Resource": [ "arn:aws:sagemaker:*:*:flow-definition/*" ], "Condition": { "StringEqualsIfExists": { "sagemaker:WorkteamType": [ "private-crowd", "vendor-crowd" ] } } }, { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget", "aws-marketplace:ViewSubscriptions", "cloudformation:GetTemplateSummary", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData", "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository", "codecommit:List*", "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser", "cognito-idp:AdminDisableUser", 
"cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup", "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient", "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan", "elastic-inference:Connect", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "fsx:DescribeFileSystems", "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun", "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob", "groundtruthlabeling:*", "iam:ListRoles", "kms:DescribeKey", "kms:ListAliases", "lambda:ListFunctions", "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery", "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob", "secretsmanager:ListSecrets", "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts", 
"sns:ListTopics", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage" ], "Resource": [ "arn:aws:ecr:*:*:repository/*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*" ], "Effect": "Allow" }, { "Action": [ "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution", "states:StopExecution", "states:UpdateStateMachine" ], "Resource": [ "arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Effect": "Allow", "Action": [ "servicecatalog:ProvisionProduct" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*" ] }, { "Effect": 
"Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } } }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:*SageMaker*", "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*Sagemaker*", "arn:aws:lambda:*:*:function:*LabelingFunction*" ] }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "robomaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "sns:Subscribe", "sns:CreateTopic", "sns:Publish" ], "Resource": [ "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*", "Condition": { "StringEquals": { "iam:PassedToService": [ "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { 
"StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "glue:CreateTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Effect": "Allow", "Action": [ "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore" ] }, { "Effect": "Allow", "Action": [ "glue:DeleteTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore", "arn:aws:glue:*:*:database/sagemaker_processing", "arn:aws:glue:*:*:database/default", "arn:aws:glue:*:*:database/sagemaker_data_wrangler" ] }, { "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Effect": "Allow", "Action": [ "sagemaker:ListTags" ], "Resource": [ "arn:aws:sagemaker:*:*:user-profile/*" ] }, { "Effect": 
"Allow", "Action": [ "cloudformation:ListStackResources" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*" } ] }

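How the name-based resource patterns and the iam:PassRole conditions in this policy scope a request, as an added example that is not part of the original page or Amazon's own code. It is a minimal matcher over three statements copied from the policy above; it models only Allow statements, `*`/`?` wildcards and the StringEquals operator, and the bucket, role and account values used with it are constructed.

```python
import re

# Three statements copied from the AmazonSageMakerFullAccess document above.
STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                  "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text, re.I if ignore_case else 0) is not None

def is_allowed(action, resource, context=None, statements=STATEMENTS):
    """True if an Allow statement matches the action, the ARN and its StringEquals keys."""
    context = context or {}
    for st in statements:
        if st["Effect"] != "Allow":
            continue
        # Action names compare case-insensitively, resource ARNs case-sensitively.
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(vals) for key, vals in wanted.items()):
            return True
    return False
```

Because `*` also spans `/`, the S3 patterns match an object whose key contains `sagemaker` in any bucket, not only buckets named that way; that is worth checking when reviewing which data a principal with this policy can reach.
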
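Amazon managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to Amazon SageMaker through the Amazon Web Services Management Console and SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling — Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace — Allows users to view Amazon AI Marketplace subscriptions.

  • cloudwatch — Allows users to receive CloudWatch alarms.

  • cognito-idp — Needed for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr — Needed to read Docker artifacts for training and inference.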

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics", "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport", "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord", "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy", "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "aws-marketplace:ViewSubscriptions", "cloudwatch:DescribeAlarms", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup", "ecr:Describe*" ], "Resource": "*" } ] }

SageMaker updates to Amazon managed policies

View details about updates to Amazon managed policies for SageMaker since this service began tracking these changes.

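| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerFullAccess - Update to an existing policy | 24 | Add sagemaker-geospatial:*, sagemaker:AddTags, sagemaker:ListTags, sagemaker:DescribeSpace, and sagemaker:ListSpaces permissions. | November 30, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 23 | Add glue:UpdateTable. | June 29, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 22 | Add cloudformation:ListStackResources. | May 1, 2022 |
| AmazonSageMakerReadOnly - Update to an existing policy | 11 | Add sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage, and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 21 | Add sns:Publish permissions for endpoints with Async Inference enabled. | September 8, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 20 | Update iam:PassRole resources and permissions. | July 15, 2021 |
| AmazonSageMakerReadOnly - Update to an existing policy | 10 | Added new API BatchGetRecord for SageMaker Feature Store. | June 10, 2021 |
| | | SageMaker started tracking changes for its Amazon managed policies. | June 1, 2021 |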
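
Because an update to a managed policy applies to every identity the policy is attached to, it helps to diff the policy document between versions. The following added example (not from the original page and not Amazon's tooling) reports what a newer document grants that the older one did not, broad grants first. It handles Action, Resource, NotResource and Condition only. `NEW` copies three statements from AmazonSageMakerFullAccess above, and `OLD` is a constructed stand-in that removes what the version 24 row lists as added.

```python
import json

# Constructed excerpts. NEW copies three statements from the policy above; OLD is
# NEW minus what the version 24 row lists as added (an assumption made for
# illustration, not the published version 23 document).
NOT_RES = ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*",
           "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*",
           "arn:aws:sagemaker:*:*:flow-definition/*"]
NEW = {"Statement": [
    {"Effect": "Allow", "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
     "NotResource": NOT_RES},
    {"Effect": "Allow", "Action": ["sagemaker:AddTags"],
     "Resource": ["arn:aws:sagemaker:*:*:app/*"]},
    {"Effect": "Allow", "Action": ["sagemaker:ListTags"],
     "Resource": ["arn:aws:sagemaker:*:*:user-profile/*"]},
]}
OLD = {"Statement": [
    {"Effect": "Allow", "Action": "sagemaker:*", "NotResource": NOT_RES},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Flatten Allow statements into comparable (action, scope, condition) triples."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "NotResource" in st:  # everything except the listed ARNs is one scope
            scopes = ["all except " + ", ".join(sorted(_as_list(st["NotResource"])))]
        else:
            scopes = _as_list(st["Resource"])
        cond = json.dumps(st.get("Condition", {}), sort_keys=True)
        out.update((a, s, cond) for a in _as_list(st["Action"]) for s in scopes)
    return out

def added_grants(old, new):
    """Triples present only in the new version, broad ones (wildcards) first."""
    def broad(g):
        return "*" in g[0] or g[1] == "*" or g[1].startswith("all except ")
    return sorted(grants(new) - grants(old), key=lambda g: (not broad(g), g))
```

A changed Condition block shows up as an added triple, so a condition that was loosened between versions is reported as well.
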