Alibaba Cloud offers Resource Access Management (RAM), which allows you to manage permissions for Message Queue for Apache RocketMQ. RAM allows you to avoid sharing the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimum required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the permission policies and provides examples for Message Queue for Apache RocketMQ in RAM.

Background

In RAM, a permission policy is a collection of permissions described with the permission policy syntax and structure. A policy can accurately describe authorized resource sets, actions, and authorization conditions. For more information, see Policy structure and syntax.

Message Queue for Apache RocketMQ provides the following two types of RAM permission policies.

  • System policies
  • Custom policies

    You edit custom policies in the RAM console and then attach them to the RAM users that need them. You can create, update, and delete custom policies and maintain their versions. For sample policies, see the Examples section below.

System policies

Message Queue for Apache RocketMQ provides the following four system policies by default.

  • AliyunMQFullAccess: The permission to manage Message Queue for Apache RocketMQ. It is equivalent to the permission that the Alibaba Cloud account has. A RAM user granted this permission can send and subscribe to all messages and use all the features of the console.
  • AliyunMQPubOnlyAccess: The publishing permission of Message Queue for Apache RocketMQ. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to send messages by using SDKs.
  • AliyunMQSubOnlyAccess: The subscription permission of Message Queue for Apache RocketMQ. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to subscribe to messages by using SDKs.
  • AliyunMQReadOnlyAccess: The read-only permission of Message Queue for Apache RocketMQ. A RAM user granted this permission can only read resource information by accessing the console or calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to RAM users.

In Message Queue for Apache RocketMQ, instances, topics, and groups are the resource types, and the operations that can be authorized on these resources are called actions. The naming format of a topic or group resource depends on whether its instance has a namespace. You can check whether an instance has a namespace on the Instance Details page of the Message Queue for Apache RocketMQ console.

The following table lists mappings between resources and actions in Message Queue for Apache RocketMQ.

Note You must replace {instanceId}, {topic}, and {groupId} with your resource information. For example, you can replace {groupId} with GID_xxx.
  • Instance
    Naming format (with or without namespace): acs:mq:*:*:{instanceId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Actions:
      • mq:QueryInstanceBaseInfo: Queries the basic information of the instance. Note: Before you grant permissions to a RAM user for topics and groups, you must grant it the mq:OnsInstanceBaseInfo permission for the instance to which the topics and groups belong.
      • mq:UpdateInstance: Updates an instance.
      • mq:CreateInstance: Creates an instance.
      • mq:DeleteInstance: Deletes an instance. Exercise caution when you perform this action.
  • Topic
    Naming format with namespace: acs:mq:*:*:{instanceId}%{topic}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format without namespace: acs:mq:*:*:{topic}
    Example: acs:mq:*:*:Topic-test
    Actions:
      • mq:PUB: Publishes a message.
      • mq:SUB: Subscribes to a message.
      • mq:CreateTopic: Creates a topic.
      • mq:DeleteTopic: Deletes a topic.
      • mq:UpdateTopicInfo: Updates the information about a topic.
    Note: Before you grant permissions to a RAM user for topics, you must grant it the mq:OnsInstanceBaseInfo permission for the instance to which the topics belong.
  • Group
    Naming format with namespace: acs:mq:*:*:{instanceId}%{groupId}
    Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format without namespace: acs:mq:*:*:{groupId}
    Example: acs:mq:*:*:GID_test
    Actions:
      • mq:SUB: Subscribes to a message.
      • mq:CreateGroup: Creates a group ID.
      • mq:DeleteGroup: Deletes a group ID.
    Note: Before you grant permissions to a RAM user for groups, you must grant it the mq:OnsInstanceBaseInfo permission for the instance to which the groups belong.
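The following Python script is an added example and is not code from the Alibaba Cloud documentation or from the RocketMQ product. It builds resource names from the naming formats in the table above (with and without a namespace), assembles a policy that grants only the instance prerequisite plus the requested publish/subscribe actions for one topic and one group, and lints an arbitrary policy document for the prerequisite the table states: a topic or group grant with no matching grant on the owning instance. The linter checks for the instance action as it is spelled in the Action column and in the policy examples (mq:QueryInstanceBaseInfo). The instance ID, topic, and group ID are constructed placeholders, and all function names are my own.

```python
import fnmatch
import json

# Constructed placeholder identifiers for this example; replace with your own.
INSTANCE_ID = "MQ_INST_000000000000_EXAMPLE"
TOPIC = "Topic-test"
GROUP_ID = "GID_test"

MQ_PREFIX = "acs:mq:*:*:"
INSTANCE_ACTION = "mq:QueryInstanceBaseInfo"
# Actions that are granted on topic or group resources (from the table).
TOPIC_GROUP_ACTIONS = {
    "mq:PUB", "mq:SUB", "mq:CreateTopic", "mq:DeleteTopic",
    "mq:UpdateTopicInfo", "mq:CreateGroup", "mq:DeleteGroup",
}


def resource_name(kind, instance_id, name=None, has_namespace=True):
    """Build the RAM resource name for an instance, topic or group.

    Instances are always acs:mq:*:*:{instanceId}. Topics and groups carry an
    "{instanceId}%" prefix only when the instance has a namespace.
    """
    if kind == "instance":
        return MQ_PREFIX + instance_id
    if kind not in ("topic", "group") or not name:
        raise ValueError("kind must be 'instance', or 'topic'/'group' with a name")
    if has_namespace:
        return f"{MQ_PREFIX}{instance_id}%{name}"
    return MQ_PREFIX + name


def build_policy(instance_id, topic, group_id, has_namespace=True,
                 publish=True, subscribe=True):
    """Return a policy document (as a dict) that grants the instance
    prerequisite plus only the requested publish/subscribe actions."""
    statements = [{
        "Effect": "Allow",
        "Action": [INSTANCE_ACTION],
        "Resource": [resource_name("instance", instance_id)],
    }]
    topic_actions = (["mq:PUB"] if publish else []) + (["mq:SUB"] if subscribe else [])
    if topic_actions:
        statements.append({
            "Effect": "Allow",
            "Action": topic_actions,
            "Resource": [resource_name("topic", instance_id, topic, has_namespace)],
        })
    if subscribe:  # a consumer also needs mq:SUB on its group
        statements.append({
            "Effect": "Allow",
            "Action": ["mq:SUB"],
            "Resource": [resource_name("group", instance_id, group_id, has_namespace)],
        })
    return {"Version": "1", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_instance_grants(policy):
    """Lint a policy for the prerequisite stated in the table: every Allow of a
    topic/group action must be backed by an Allow of the instance action on the
    owning instance. Returns the topic/group resources that lack it."""
    instance_grants = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        # "mq:*" also covers the instance action, so match by pattern.
        if any(fnmatch.fnmatchcase(INSTANCE_ACTION, a) for a in _as_list(st.get("Action", []))):
            instance_grants.update(_as_list(st.get("Resource", [])))

    missing = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not set(_as_list(st.get("Action", []))) & TOPIC_GROUP_ACTIONS:
            continue
        for res in _as_list(st.get("Resource", [])):
            if "%" in res:
                # Namespaced name: the owning instance precedes the '%'.
                owner = res.split("%", 1)[0]
                covered = any(fnmatch.fnmatchcase(owner, g) for g in instance_grants)
            else:
                # Without a namespace the name does not encode the instance,
                # so the best static check is that some instance grant exists.
                covered = bool(instance_grants)
            if not covered:
                missing.append(res)
    return missing


if __name__ == "__main__":
    policy = build_policy(INSTANCE_ID, TOPIC, GROUP_ID, has_namespace=True)
    print(json.dumps(policy, indent=4))
    print("missing instance grants:", missing_instance_grants(policy))
```

Running the script prints a namespaced policy equivalent to Example 1 below and an empty list from the linter; removing the first statement makes the linter report the topic and group resources, which is the misconfiguration the table's note warns about. For instances without a namespace the resource name does not identify the instance, so the linter can only confirm that an instance-level grant exists somewhere in the policy.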

Examples

Note If you directly copy the sample code, delete the comments when you use the code. Comments are the two forward slashes (//) and the text description that follows.
  • Example 1: Grant permissions for a topic and a group in an instance.
    • Applicable to instances with namespaces
      {
          "Version":"1",
          "Statement":[
              {    // Grant the permission for an instance. Before you grant permissions for a topic and a group, grant the permission for the corresponding instance. This is applicable to instances with namespaces.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions to publish and subscribe to messages for a topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{topic}"
                  ]
              },
              {    // Grant permissions for a group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{groupId}"
                  ]
              }
          ]
      }
    • Applicable to instances without namespaces
      {
          "Version":"1",
          "Statement":[
              {    // Grant the permission for an instance. Before you grant permissions for the topic and group, grant the permission for the corresponding instance. This is applicable to instances without namespaces.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions to publish and subscribe to messages for a topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {    // Grant permissions for a group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }
  • Example 2: Grant the permission for an entire instance (applicable only to instances with namespaces).

    To grant the permission to manage all the resources in an instance, use the following sample policy.

    {   // This is applicable only to instances with namespaces.
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*"    // Grant the permission for the instance. Replace {instanceId} with your instance ID.
                ]
            }
        ]
    }
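The note above the examples says to delete the // comments before using the sample code, because they are not valid JSON. The following Python script is an added example, not code from the Alibaba Cloud documentation: it strips // comments while leaving anything inside a JSON string untouched (so a value containing "//" survives), parses the result, and then reports which Allow statements use a wildcard action or resource, which is what distinguishes the whole-instance grant of Example 2 from the single-topic grants of Example 1. The embedded policy is Example 2 with a constructed placeholder instance ID; the function names are my own.

```python
import json

# Example 2 from this page with a constructed placeholder instance ID
# (not a real identifier); the // comments are kept on purpose.
ANNOTATED_POLICY = """{   // This is applicable only to instances with namespaces.
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mq:*"
            ],
            "Resource": [
                "acs:mq:*:*:MQ_INST_000000000000_EXAMPLE*" // Grant the permission for the instance.
            ]
        }
    ]
}"""


def strip_line_comments(text):
    """Remove // comments up to the end of the line, but only outside JSON
    string literals, so a string such as "http://example" is left intact."""
    out = []
    in_string = False
    escaped = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True          # next character is escaped, not a closing quote
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            newline = text.find("\n", i)
            i = len(text) if newline == -1 else newline   # keep the newline itself
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_annotated_policy(text):
    """Parse a policy that was copied with its // comments still in place."""
    return json.loads(strip_line_comments(text))


def wildcard_grants(policy):
    """Return (action, resource) pairs from Allow statements in which the
    action or the resource ends in '*', i.e. grants broader than one named
    action on one named resource."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            for resource in resources:
                if action.endswith("*") or resource.endswith("*"):
                    found.append((action, resource))
    return found


if __name__ == "__main__":
    policy = load_annotated_policy(ANNOTATED_POLICY)
    print(json.dumps(policy, indent=4))           # the comment-free policy to paste into RAM
    for action, resource in wildcard_grants(policy):
        print(f"wildcard grant: {action} on {resource}")
```

Run against the Example 2 text, the script reports a single wildcard grant, mq:* on the whole instance; run against either Example 1 policy it reports none, because every statement there names one concrete topic or group.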

What to do next