Alibaba Cloud offers Resource Access Management (RAM), which allows you to manage permissions on Message Queue for Apache RocketMQ. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies and provides examples for Message Queue for Apache RocketMQ.

Background information

In RAM, a policy is a set of permissions that are described with the policy syntax and structure. A policy can accurately describe the authorized resource set, action set, and authorization conditions. For more information, see Policy elements.

Message Queue for Apache RocketMQ provides the following types of RAM policies:

  • System policies

    System policies are created by Alibaba Cloud. You can use these policies but cannot modify them; Alibaba Cloud maintains their updates.

  • Custom policies

    You create, update, and delete custom policies and maintain their versions yourself. To use one, go to the RAM console, edit the policy, and then grant it to the corresponding RAM user. For policy examples, see Examples.

Note Access control is performed for each request to the messaging and management services of Message Queue for Apache RocketMQ.

System policies

The following table lists the default system policies provided by Message Queue for Apache RocketMQ.

| Policy | Description |
| --- | --- |
| AliyunMQFullAccess | The permission to manage Message Queue for Apache RocketMQ. This permission is equivalent to the permission that the Alibaba Cloud account has. A RAM user to which this permission is granted can send and subscribe to all messages and use all the features of the console. |
| AliyunMQPubOnlyAccess | The publishing permission of Message Queue for Apache RocketMQ. A RAM user to which this permission is granted can use all the resources of the Alibaba Cloud account to send messages by using SDKs. |
| AliyunMQSubOnlyAccess | The subscription permission of Message Queue for Apache RocketMQ. A RAM user to which this permission is granted can use all the resources of the Alibaba Cloud account to subscribe to messages by using SDKs. |
| AliyunMQReadOnlyAccess | The read-only permission on Message Queue for Apache RocketMQ. A RAM user to which this permission is granted can only read resource information by using the console or by calling API operations. |

Custom policies

Custom policies allow you to grant fine-grained permissions to RAM users.

In Message Queue for Apache RocketMQ, instances, topics, and groups are different types of resources, and the operations that can be authorized on these resources are actions. The naming format of a resource that contains the {groupId} or {topic} element depends on whether the instance has a namespace. To find out whether an instance has a namespace, log on to the Message Queue for Apache RocketMQ console and check the value of Namespace on the Instance Details page.

The valid resources and actions in Message Queue for Apache RocketMQ, and the mapping between them, fall into the following dimensions: the Message Queue for Apache RocketMQ service, the Message Queue for Apache RocketMQ client, the console, and the API. Console actions are further divided by resource type into instance, group, topic, and tag actions.

Notice
  • Before you grant custom permissions to a RAM user, you must first grant the mq:QueryInstanceBaseInfo permission on the instance to which the specified topic and group belong.
  • You must replace {instanceId}, {topic}, and {groupId} with your resource information. For example, you can replace {groupId} with GID_test.

Permission to activate the Message Queue for Apache RocketMQ service

| Resource | Naming format | Action | Action description |
| --- | --- | --- | --- |
| Message Queue for Apache RocketMQ | * | ons:OpenOnsService | Activates the Message Queue for Apache RocketMQ service. |

Permissions for Message Queue for Apache RocketMQ clients to send and subscribe to messages

| Resource | Naming format (with namespace) | Naming format (without namespace) | Action | Action description |
| --- | --- | --- | --- | --- |
| Group | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:SUB | Subscribes to messages. |
| Topic | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:PUB | Publishes messages. |
| | | | mq:SUB | Subscribes to messages. |

Permissions to manage instances in the Message Queue for Apache RocketMQ console

| Resource | Naming format | Action | Action description |
| --- | --- | --- | --- |
| Instance | acs:mq:*:*:* | mq:CreateInstance | Creates an instance. |
| | acs:mq:*:*:{instanceId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k) | mq:QueryInstanceBaseInfo | Queries the basic information of an instance. |
| | | mq:UpdateInstance | Updates an instance. |
| | | mq:DeleteInstance | Deletes an instance. Proceed with caution. |

Permissions to manage groups in the Message Queue for Apache RocketMQ console

| Resource | Naming format (with namespace) | Naming format (without namespace) | Action | Action description |
| --- | --- | --- | --- | --- |
| Group | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:CreateGroup | Creates a consumer group with the specified group ID. |
| | | | mq:DeleteGroup | Deletes a consumer group with the specified group ID. Proceed with caution. |
| | | | mq:QueryGroupSubDetail | Queries the topics to which a consumer group with the specified group ID has subscribed. |
| | | | mq:UpdateGroupConsumer | Configures the permissions to read and write messages for the consumer group with the specified group ID. |
| | | | mq:QueryConsumerAccumulate | Queries the message accumulation data of a consumer group with the specified group ID. |
| | | | mq:QueryConsumerStatus | Queries the detailed status data of a consumer group with the specified group ID. |
| | | | mq:QueryConsumerConnection | Queries the connection information of consumer clients in a consumer group with the specified group ID. |
| | | | mq:QueryTrendGroupOutputTps | Queries the statistical data about message consumption of a consumer group with the specified group ID. |
| | | | mq:ResendDLQMessage | Resends a dead-letter message. |
| | | | mq:QueryDLQMessage | Queries dead-letter messages. |

Permissions to manage topics in the Message Queue for Apache RocketMQ console

| Resource | Naming format (with namespace) | Naming format (without namespace) | Action | Action description |
| --- | --- | --- | --- | --- |
| Topic | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:CreateTopic | Creates a topic. |
| | | | mq:DeleteTopic | Deletes a topic. Proceed with caution. |
| | | | mq:UpdateTopic | Updates a topic. |
| | | | mq:QueryTopicStatus | Queries the total number of messages and the last update time of a topic. |
| | | | mq:QueryTopicSubDetail | Queries the group IDs of the consumer groups that have subscribed to a topic. |
| | | | mq:ResetConsumerOffset | Resets the consumer offset of a consumer group with the specified group ID in a specified topic. |
| | | | mq:QueryConsumerTimeSpan | Queries the time range that can be reset for a topic to which a consumer group with the specified group ID has subscribed. |
| | | | mq:QueryMessageTrace | Queries the consumption status of a message. |
| | | | mq:QueryMessage | Queries the detailed information of a message. |
| | | | mq:QueryDLQMessage | Queries dead-letter messages. |
| | | | mq:QueryTrendTopicInputTps | Queries the statistical data of the messages written to a topic. |
| | | | mq:QueryTrace | Queries the ID of the task for querying the message trace. You can call the OnsTraceGetResult operation by using the obtained task ID to query the trace query results. Authorization is not required when you call the OnsTraceGetResult operation. |

Permissions to manage tags in the Message Queue for Apache RocketMQ console

| Resource | Naming format | Action | Action description |
| --- | --- | --- | --- |
| Tags | acs:mq:::* | mq:TagResources | Binds tags to resources. |
| | | mq:ListTagResources | Queries tags. |
| | | mq:UntagResources | Unbinds and deletes a tag. Proceed with caution. |

Permissions to call API operations

The following table lists the actions that can be authorized on each API operation in Message Queue for Apache RocketMQ.

| API | Naming format (with namespace) | Naming format (without namespace) | Action |
| --- | --- | --- | --- |
| OnsRegionList | N/A | N/A | No authorization is required. |
| OpenOnsService | * | * | ons:OpenOnsService |
| OnsInstanceBaseInfo | acs:mq:*:*:{instanceId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k) | acs:mq:*:*:{instanceId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k) | mq:QueryInstanceBaseInfo |
| OnsInstanceCreate | | | mq:CreateInstance |
| OnsInstanceDelete | | | mq:DeleteInstance |
| OnsInstanceUpdate | | | mq:UpdateInstance |
| OnsInstanceInServiceList | N/A | N/A | No authorization is required. |
| OnsTopicCreate | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:CreateTopic |
| OnsTopicDelete | | | mq:DeleteTopic |
| OnsTopicStatus | | | mq:QueryTopicStatus |
| OnsTopicUpdate | | | mq:UpdateTopic |
| OnsTopicSubDetail | | | mq:QueryTopicSubDetail |
| OnsTopicList | N/A | N/A | No authorization is required. When a RAM user calls this operation, only information about topics to which the RAM user has the publishing and subscription permissions is returned. |
| OnsGroupCreate | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:CreateGroup |
| OnsGroupDelete | | | mq:DeleteGroup |
| OnsGroupSubDetail | | | mq:QueryGroupSubDetail |
| OnsGroupConsumerUpdate | | | mq:UpdateGroupConsumer |
| OnsGroupList | N/A | N/A | No authorization is required. When a RAM user calls this operation, only information about groups to which the RAM user has the publishing and subscription permissions is returned. |
| TagResources | acs:mq:::* | acs:mq:::* | mq:TagResources |
| ListTagResources | | | mq:ListTagResources |
| UntagResources | | | mq:UntagResources |
| OnsConsumerAccumulate | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_13801563067) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:QueryConsumerAccumulate |
| OnsConsumerStatus | | | mq:QueryConsumerStatus |
| OnsConsumerGetConnection | | | mq:QueryConsumerConnection |
| OnsConsumerResetOffset | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:ResetConsumerOffset |
| OnsConsumerTimeSpan | | | mq:QueryConsumerTimeSpan |
| OnsMessagePush | | | mq:SUB |
| OnsMessageTrace | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:QueryMessageTrace |
| OnsMessageGetByMsgId | | | mq:QueryMessage |
| OnsMessageGetByKey | | | mq:QueryMessage |
| OnsMessagePageQueryByTopic | | | mq:QueryMessage |
| OnsTrendTopicInputTps | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:QueryTrendTopicInputTps |
| OnsTrendGroupOutputTps | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_13801563067) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:QueryTrendGroupOutputTps |
| OnsTraceGetResult | N/A | N/A | No authorization is required. |
| OnsTraceQueryByMsgId | acs:mq:*:*:{instanceId}%{topic} (Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test) | acs:mq:*:*:{topic} (Example: acs:mq:*:*:Topic-test) | mq:QueryTrace |
| OnsTraceQueryByMsgKey | | | mq:QueryTrace |
| OnsDLQMessageGetById | acs:mq:*:*:{instanceId}%{groupId} (Example: acs:mq:*:*:MQ_INST_13801563067) | acs:mq:*:*:{groupId} (Example: acs:mq:*:*:GID_test) | mq:ResendDLQMessage |
| OnsDLQMessagePageQueryByGroupId | | | mq:QueryDLQMessage |
| OnsDLQMessageResendById | | | mq:QueryDLQMessage |

Examples

Notice If you need to directly copy the sample code, delete the comments when you use the code. Comments are the two forward slashes (//) and the text description that follows.
  • Example 1: Grant permissions on a specified topic and group in an instance.

    You can grant the permissions to publish messages to and subscribe to messages from a specified topic and grant permissions on a specified group in an instance. To grant the permissions, set the policy based on the following examples:

    • This example is applicable to instances that have namespaces.
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a specified topic and group, grant the following permission on the corresponding instance. This is applicable to instances that have namespaces.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions to publish messages to and subscribe to messages from a specified topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{topic}"
                  ]
              },
              {    // Grant permissions on a specified group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{groupId}"
                  ]
              }
          ]
      }
    • This example is applicable to instances that have no namespaces.
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a specified topic and group, grant the following permission on the corresponding instance. This is applicable to instances that have no namespaces.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions to publish messages to and subscribe to messages from a specified topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {    // Grant permissions on a specified group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }
  • Example 2: Grant all permissions on an instance. This example is applicable only to instances that have namespaces.

    To grant all permissions on all the resources in an instance, set the policy based on the following example:

    {   // This is applicable only to instances that have namespaces.
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*"    // Grant all permissions on the instance. Replace {instanceId} with your instance ID. The trailing * also matches the topics and groups of the instance, which are named {instanceId}%{topic} and {instanceId}%{groupId}.
                ]
            }
        ]
    }
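The naming formats and the Notice in the Custom policies section can be checked automatically before a custom policy is attached. The linter below is an added example, not Alibaba Cloud code: MQ_INST_EXAMPLE_0000 is a constructed instance ID, and the reading that mq:* on acs:mq:*:*:* reaches every resource of the account (the scope of AliyunMQFullAccess) is this example's own.

```python
"""Lint a Message Queue for Apache RocketMQ RAM policy before attaching it.
Added example, not Alibaba Cloud tooling; the checks follow the rules in this topic."""
import json
import re

# Resource formats from this topic: the instance itself, and a topic or group of a
# namespaced instance ({instanceId}%{topic} / {instanceId}%{groupId}).
INSTANCE_RE = re.compile(r"^acs:mq:\*:\*:([^%*{}]+)$")
NAMESPACED_RE = re.compile(r"^acs:mq:\*:\*:([^%*{}]+)%[^%*]+$")


def resource_name(name, instance_id=None):
    """Topic/group resource string; pass instance_id only when the instance has a namespace."""
    return f"acs:mq:*:*:{instance_id}%{name}" if instance_id else f"acs:mq:*:*:{name}"


def strip_comments(text):
    """Drop the // comments this topic puts in its samples so json.loads accepts them."""
    return re.sub(r"//[^\n]*", "", text)


def lint_policy(text):
    """Return findings for a policy document; an empty list means every check passed."""
    as_list = lambda v: v if isinstance(v, list) else [v]  # RAM accepts a string or a list
    findings, base_info_on, namespaced_on = [], set(), set()
    for stmt in json.loads(strip_comments(text))["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        for res in as_list(stmt["Resource"]):
            if "{" in res:  # {instanceId}, {topic}, {groupId} must be replaced
                findings.append(f"placeholder not replaced: {res}")
            if "mq:*" in actions and res in ("acs:mq:*:*:*", "*"):
                findings.append(f"mq:* on {res} grants every action on every resource")
            m = INSTANCE_RE.match(res)
            if m and "mq:QueryInstanceBaseInfo" in actions:
                base_info_on.add(m.group(1))
            m = NAMESPACED_RE.match(res)
            if m and {"mq:PUB", "mq:SUB"} & set(actions):
                namespaced_on.add(m.group(1))
    # Rule from the Notice: topic/group grants need mq:QueryInstanceBaseInfo on their instance.
    for inst in sorted(namespaced_on - base_info_on):
        findings.append(f"missing mq:QueryInstanceBaseInfo on acs:mq:*:*:{inst}")
    return findings


# Constructed sample (MQ_INST_EXAMPLE_0000 is a made-up ID): Example 1 from this topic
# with the instance statement left out, so the linter reports the missing grant.
SAMPLE = ('{"Version":"1","Statement":[{ // topic grant only\n"Effect":"Allow",'
          '"Action":["mq:PUB","mq:SUB"],"Resource":["'
          + resource_name("Topic-test", "MQ_INST_EXAMPLE_0000") + '"]}]}')
```

Running lint_policy on the page's Example 2 with a real instance ID returns no findings, because acs:mq:*:*:{instanceId}* stays scoped to that one instance.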