Alibaba Cloud provides Resource Access Management (RAM), which allows you to manage permissions on Message Queue for Apache RocketMQ. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for Message Queue for Apache RocketMQ and provides sample policies.

Background information

In RAM, a policy is a set of permissions that are described based on the policy syntax and structure. A policy accurately describes the authorized resource set, action set, and authorization conditions. For more information, see Policy elements.

Message Queue for Apache RocketMQ provides the following types of RAM policies:

  • System policies

    System policies are created by Alibaba Cloud. You can attach these policies but cannot modify them; Alibaba Cloud maintains updates to these policies.

  • Custom policies

    You can create, update, and delete custom policies and maintain version updates of these policies. You can edit custom policies and attach them to RAM users in the RAM console. For information about sample policies, see Examples.

Note Access control is performed for each request to the messaging and management services of Message Queue for Apache RocketMQ.

System policies

The following table describes the default system policies that are provided for Message Queue for Apache RocketMQ.

  • AliyunMQFullAccess: The permissions to manage Message Queue for Apache RocketMQ. Such permissions are equivalent to the permissions that an Alibaba Cloud account has. A RAM user to which this policy is attached can send and subscribe to all messages and use all the features of the console.
  • AliyunMQPubOnlyAccess: The message sending permissions of Message Queue for Apache RocketMQ. A RAM user to which this policy is attached can use all the resources of the relevant Alibaba Cloud account to send messages by using SDKs.
  • AliyunMQSubOnlyAccess: The message subscription permissions of Message Queue for Apache RocketMQ. A RAM user to which this policy is attached can use all the resources of the relevant Alibaba Cloud account to subscribe to messages by using SDKs.
  • AliyunMQReadOnlyAccess: The read-only permissions on Message Queue for Apache RocketMQ. A RAM user to which this policy is attached can only read resource information by using the console or by calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to RAM users.

In Message Queue for Apache RocketMQ, instances, topics, and groups are different types of resources. RAM users can perform actions on these resources only after they are granted the required permissions on the resources. The naming format of a resource whose name includes the {groupId} or {topic} element depends on whether the instance to which it belongs has a namespace. To check whether an instance has a namespace, log on to the Message Queue for Apache RocketMQ console and view the value of the Namespace parameter for the instance on the Instances page.

The valid resources and actions in Message Queue for Apache RocketMQ, and the mapping between them, are described from the following dimensions: the Message Queue for Apache RocketMQ service, the Message Queue for Apache RocketMQ client, the console, and the API. Console actions are further divided by resource type into instance, group, topic, and tag actions.

Notice
  • A RAM user can access resources and call API operations of Message Queue for Apache RocketMQ only after the RAM user is granted the permission to perform the mq:QueryInstanceBaseInfo action on the Message Queue for Apache RocketMQ instance.
  • When you grant permissions to RAM users, you must replace {instanceId}, {topic}, and {groupId} with the actual resource information. For example, you can replace {groupId} with GID_test.

Permission to activate the Message Queue for Apache RocketMQ service

  • Message Queue for Apache RocketMQ service
    Naming format: *
    Actions:
      • ons:OpenOnsService: Activates the Message Queue for Apache RocketMQ service.

Permissions for Message Queue for Apache RocketMQ clients to send and subscribe to messages

Note Before you grant permissions on specific topics or groups to a RAM user, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance to which the topics or groups belong.

  • Group
    Naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format without a namespace: acs:mq:*:*:{groupId}
      Example: acs:mq:*:*:GID_test
    Actions:
      • mq:SUB: Subscribes to messages.
  • Topic
    Naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format without a namespace: acs:mq:*:*:{topic}
      Example: acs:mq:*:*:Topic-test
    Actions:
      • mq:PUB: Sends messages.
      • mq:SUB: Subscribes to messages.

Permissions to manage instances in the Message Queue for Apache RocketMQ console

Note Before you grant a RAM user the permissions to manage an instance in the Message Queue for Apache RocketMQ console, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance.

  • Instance
    Naming format: acs:mq:*:*:*
    Actions:
      • mq:CreateInstance: Creates an instance.
    Naming format: acs:mq:*:*:{instanceId}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Actions:
      • mq:QueryInstanceBaseInfo: Queries the basic information of an instance.
      • mq:UpdateInstance: Updates an instance.
      • mq:DeleteInstance: Deletes an instance. Proceed with caution when you perform this action.

Permissions to manage groups in the Message Queue for Apache RocketMQ console

Note Before you grant permissions on specific topics or groups to a RAM user, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance to which the topics or groups belong.

  • Group
    Naming format: acs:mq:*:*:{instanceId}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Actions:
      • mq:CreateGroup: Creates a group with the specified group ID.
    Naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format without a namespace: acs:mq:*:*:{groupId}
      Example: acs:mq:*:*:GID_test
    Actions:
      • mq:DeleteGroup: Deletes a group with the specified group ID. Proceed with caution when you perform this action.
      • mq:QueryGroupSubDetail: Queries the topics to which a group with the specified group ID has subscribed.
      • mq:UpdateGroupConsumer: Configures the permissions to read and write messages for the group with the specified group ID.
      • mq:QueryConsumerAccumulate: Queries the message accumulation data of a group with the specified group ID.
      • mq:QueryConsumerStatus: Queries the details about the status of a group with the specified group ID.
      • mq:QueryConsumerConnection: Queries the connection information of clients in a group with the specified group ID.
      • mq:QueryTrendGroupOutputTps: Queries the statistics on message consumption of a group with the specified group ID.
      • mq:ResendDLQMessage: Resends a dead-letter message.
      • mq:QueryDLQMessage: Queries dead-letter messages.

Permissions to manage topics in the Message Queue for Apache RocketMQ console

Note Before you grant permissions on specific topics or groups to a RAM user, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance to which the topics or groups belong.

  • Topic
    Naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
      Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format without a namespace: acs:mq:*:*:{topic}
      Example: acs:mq:*:*:Topic-test
    Actions:
      • mq:CreateTopic: Creates a topic.
      • mq:DeleteTopic: Deletes a topic. Proceed with caution when you perform this action.
      • mq:UpdateTopic: Updates a topic.
      • mq:QueryTopicStatus: Queries the total number of messages and the last update time of a topic.
      • mq:QueryTopicSubDetail: Queries the group IDs of the groups that have subscribed to a topic.
      • mq:ResetConsumerOffset: Resets the consumer offset of a group with the specified group ID in a specified topic.
      • mq:QueryConsumerTimeSpan: Queries the time range that can be reset for a topic to which a group with the specified group ID has subscribed.
      • mq:QueryMessageTrace: Queries the consumption status of a message.
      • mq:QueryMessage: Queries the details about a message.
      • mq:QueryDLQMessage: Queries dead-letter messages.
      • mq:QueryTrendTopicInputTps: Queries statistics on the messages written to a topic.
      • mq:QueryTrace: Queries the ID of the task for querying the message trace. You can call the OnsTraceGetResult operation and use the obtained task ID to query the trace query results. Authorization is not required when you call the OnsTraceGetResult operation.

Permissions to manage tags in the Message Queue for Apache RocketMQ console

Note Before you grant a RAM user the permissions to manage tags in the Message Queue for Apache RocketMQ console, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance to which the tags belong.

  • Tag
    Naming format: acs:mq:*:*:*
    Actions:
      • mq:TagResources: Adds a tag to a resource.
      • mq:ListTagResources: Queries tags.
      • mq:UntagResources: Removes and deletes a tag from a resource. Proceed with caution when you perform this action.

Permissions to call API operations

The following table describes the actions that you must authorize a RAM user to perform before the RAM user can call API operations of Message Queue for Apache RocketMQ.

Note Before you grant a RAM user the permissions to call API operations of Message Queue for Apache RocketMQ to manage resources, you must grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance to which the resources belong.

  • Resource naming format: N/A
    API operations and required actions:
      • OnsRegionList: No authorization is required.
  • Resource naming format: *
    API operations and required actions:
      • OpenOnsService: ons:OpenOnsService
  • Resource naming format: acs:mq:*:*:*
    API operations and required actions:
      • OnsInstanceDelete: mq:QueryInstanceBaseInfo, mq:CreateInstance
  • Resource naming format: acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      • OnsInstanceBaseInfo: mq:QueryInstanceBaseInfo
      • OnsInstanceDelete: mq:QueryInstanceBaseInfo, mq:DeleteInstance
      • OnsInstanceUpdate: mq:QueryInstanceBaseInfo, mq:UpdateInstance
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Resource naming format without a namespace: N/A
    API operations and required actions:
      • OnsInstanceInServiceList: mq:QueryInstanceBaseInfo
        Note
          • If a namespace is configured for the Message Queue for Apache RocketMQ instance, you must grant a RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance. Otherwise, no information can be retrieved when the RAM user calls this API operation.
          • If no namespaces are configured for the instance, the RAM user can call this API operation without authorization.
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Resource naming format without a namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    API operations and required actions:
      • OnsTopicCreate: mq:QueryInstanceBaseInfo, mq:CreateTopic
      • OnsTopicDelete: mq:QueryInstanceBaseInfo, mq:DeleteTopic
      • OnsTopicStatus: mq:QueryInstanceBaseInfo, mq:QueryTopicStatus
      • OnsTopicUpdate: mq:QueryInstanceBaseInfo, mq:UpdateTopic
      • OnsTopicSubDetail: mq:QueryInstanceBaseInfo, mq:QueryTopicSubDetail
  • Resource naming format: acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      • OnsTopicList: mq:QueryInstanceBaseInfo
        Note When a RAM user calls this operation, only information about the topics on which the RAM user has message sending and subscription permissions is returned.
      • OnsGroupCreate: mq:QueryInstanceBaseInfo, mq:CreateGroup
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Resource naming format without a namespace: acs:mq:*:*:{groupId}
    Example: acs:mq:*:*:GID_test
    API operations and required actions:
      • OnsGroupDelete: mq:QueryInstanceBaseInfo, mq:DeleteGroup
      • OnsGroupSubDetail: mq:QueryInstanceBaseInfo, mq:QueryGroupSubDetail
      • OnsGroupConsumerUpdate: mq:QueryInstanceBaseInfo, mq:UpdateGroupConsumer
  • Resource naming format: acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      • OnsGroupList: mq:QueryInstanceBaseInfo
        Note When a RAM user calls this operation, only information about the groups on which the RAM user has message sending and subscription permissions is returned.
  • Resource naming format: acs:mq:*:*:*
    API operations and required actions:
      • TagResources: mq:QueryInstanceBaseInfo, mq:TagResources
      • ListTagResources: mq:QueryInstanceBaseInfo, mq:ListTagResources
      • UntagResources: mq:QueryInstanceBaseInfo, mq:UntagResources
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Resource naming format without a namespace: acs:mq:*:*:{groupId}
    Example: acs:mq:*:*:GID_test
    API operations and required actions:
      • OnsConsumerAccumulate: mq:QueryInstanceBaseInfo, mq:QueryConsumerAccumulate
      • OnsConsumerStatus: mq:QueryInstanceBaseInfo, mq:QueryConsumerStatus
      • OnsConsumerGetConnection: mq:QueryInstanceBaseInfo, mq:QueryConsumerConnection
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Resource naming format without a namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    API operations and required actions:
      • OnsConsumerResetOffset: mq:QueryInstanceBaseInfo, mq:ResetConsumerOffset
      • OnsConsumerTimeSpan: mq:QueryInstanceBaseInfo, mq:QueryConsumerTimeSpan
      • OnsMessagePush: mq:QueryInstanceBaseInfo, mq:SUB
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Resource naming format without a namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    API operations and required actions:
      • OnsMessageTrace: mq:QueryInstanceBaseInfo, mq:QueryMessageTrace
      • OnsMessageGetByMsgId: mq:QueryInstanceBaseInfo, mq:QueryMessage
      • OnsMessageGetByKey: mq:QueryInstanceBaseInfo, mq:QueryMessage
      • OnsMessagePageQueryByTopic: mq:QueryInstanceBaseInfo, mq:QueryMessage
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Resource naming format without a namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    API operations and required actions:
      • OnsTrendTopicInputTps: mq:QueryInstanceBaseInfo, mq:QueryTrendTopicInputTps
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Resource naming format without a namespace: acs:mq:*:*:{groupId}
    Example: acs:mq:*:*:GID_test
    API operations and required actions:
      • OnsTrendGroupOutputTps: mq:QueryInstanceBaseInfo, mq:QueryTrendGroupOutputTps
  • Resource naming format: acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      • OnsTraceGetResult: mq:QueryInstanceBaseInfo
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Resource naming format without a namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    API operations and required actions:
      • OnsTraceQueryByMsgId: mq:QueryInstanceBaseInfo, mq:QueryTrace
      • OnsTraceQueryByMsgKey: mq:QueryInstanceBaseInfo, mq:QueryTrace
  • Resource naming format with a namespace: acs:mq:*:*:{instanceId}%{groupId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Resource naming format without a namespace: acs:mq:*:*:{groupId}
    Example: acs:mq:*:*:GID_test
    API operations and required actions:
      • OnsDLQMessageGetById: mq:QueryInstanceBaseInfo, mq:ResendDLQMessage
      • OnsDLQMessagePageQueryByGroupId: mq:QueryInstanceBaseInfo, mq:QueryDLQMessage
      • OnsDLQMessageResendById: mq:QueryInstanceBaseInfo, mq:QueryDLQMessage

Examples

Notice If you want to directly copy the sample code, delete the annotations when you use the code. An annotation is a pair of two forward slashes (//) and the description that follows.
  • Example 1: Grant permissions on a topic and a group in an instance.

    You can authorize a RAM user to send messages to and subscribe to messages from a specified topic and grant the RAM user the permissions on a specified group in an instance. To implement the authorization, configure a policy based on the following examples:

    • The following example applies to instances that have a namespace:
      {
              "Version":"1",
              "Statement":[
                  {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to instances that have a namespace. 
                      "Effect":"Allow",
                      "Action":[
                          "mq:QueryInstanceBaseInfo"
                      ],
                      "Resource":[
                          "acs:mq:*:*:{instanceId}"
                      ]
                  },
                  {    // Grant the permissions to send messages to and subscribe to messages from a specified topic. 
                      "Effect":"Allow",
                      "Action":[
                          "mq:PUB",    
                          "mq:SUB"
                      ],
                      "Resource":[
                          "acs:mq:*:*:{instanceId}%{topic}"
                      ]
                  },
                  {    // Grant permissions on a specified group. 
                      "Effect":"Allow",
                      "Action":[
                          "mq:SUB"
                      ],
                      "Resource":[
                          "acs:mq:*:*:{instanceId}%{groupId}"
                      ]
                  }
              ]
          }                    
    • The following example applies to instances that have no namespaces:
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to instances that have no namespaces. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions to send messages to and subscribe to messages from a specified topic. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",    
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {   // Grant permissions on a specified group. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }                    
  • Example 2: Grant all permissions on an instance. This example applies only to instances that have a namespace.

    To grant all permissions on all the resources in an instance, configure a policy based on the following example:

    {   // This applies only to instances that have a namespace. 
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*" // Grant all permissions on the instance. Replace {instanceId} with your instance ID. 
                ]
            }
        ]
    }          
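The following Python script is an added example, not part of the original topic or of the Alibaba Cloud tooling. It checks a custom policy against the rules stated above: placeholders such as {instanceId} replaced, the acs:mq:*:*: naming format used, mq:QueryInstanceBaseInfo granted on the owning instance before topic or group actions, and a grant of mq:* on acs:mq:*:*:* (equivalent to AliyunMQFullAccess) or an action marked "Proceed with caution" reported. The lint_policy function, its messages and SAMPLE_POLICY are constructed for this example; the sample IDs are the ones used in this topic.

```python
"""Lint a RAM policy for Message Queue for Apache RocketMQ against the rules stated in this topic."""
import re
from fnmatch import fnmatchcase

ARN_PREFIX = "acs:mq:*:*:"
BASE_INFO = "mq:QueryInstanceBaseInfo"
# Actions the topic marks with "Proceed with caution when you perform this action."
DESTRUCTIVE = {"mq:DeleteInstance", "mq:DeleteGroup", "mq:DeleteTopic", "mq:UntagResources"}
# Placeholders the Notice above says must be replaced with real resource IDs.
PLACEHOLDER = re.compile(r"\{(instanceId|topic|groupId)\}")


def _allow_statements(policy):
    """Yield (actions, resources) of every Allow statement, normalising single strings to lists."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            yield as_list(stmt.get("Action", [])), as_list(stmt.get("Resource", []))


def _instance_grants(policy):
    """Resource patterns (after the acs:mq:*:*: prefix) on which mq:QueryInstanceBaseInfo is allowed."""
    grants = set()
    for actions, resources in _allow_statements(policy):
        if BASE_INFO in actions or "mq:*" in actions:
            grants.update(r[len(ARN_PREFIX):] for r in resources if r.startswith(ARN_PREFIX))
    return grants


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy follows the rules above."""
    findings, grants = [], _instance_grants(policy)
    for actions, resources in _allow_statements(policy):
        needs_instance = any(a.startswith("mq:") and a != BASE_INFO for a in actions)
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"{res}: replace the placeholder with the actual resource ID")
            elif res != "*" and not res.startswith(ARN_PREFIX):
                findings.append(f"{res}: does not follow the acs:mq:*:*:<resource> naming format")
            elif needs_instance:
                # With a namespace the instance ID precedes '%'; without one it cannot be read
                # from the resource, so any instance-level grant in the policy is accepted.
                instance = res[len(ARN_PREFIX):].split("%")[0] if "%" in res else None
                covered = any(fnmatchcase(instance, g) for g in grants) if instance else bool(grants)
                if not covered:
                    findings.append(f"{res}: grant {BASE_INFO} on the owning instance first")
        if "mq:*" in actions and "acs:mq:*:*:*" in resources:
            findings.append("mq:* on acs:mq:*:*:* equals AliyunMQFullAccess; scope it to one instance")
        findings += [f"{a}: destructive action; confirm the RAM user needs it" for a in sorted(DESTRUCTIVE & set(actions))]
    return findings


# Constructed sample: Example 1 for an instance with a namespace, with the topic's sample IDs filled in.
INSTANCE = "acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k"
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["mq:QueryInstanceBaseInfo"], "Resource": [INSTANCE]},
    {"Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"], "Resource": [INSTANCE + "%Topic-test"]},
    {"Effect": "Allow", "Action": ["mq:SUB"], "Resource": [INSTANCE + "%GID_test"]},
]}

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY) or "no findings")
```

Removing the first statement of SAMPLE_POLICY reproduces the most common mistake this topic warns about: the topic and group grants are then reported because mq:QueryInstanceBaseInfo is missing on the instance.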

References