ApsaraMQ for RocketMQ:Custom policies for ApsaraMQ for RocketMQ

Last Updated:Apr 08, 2024

If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained control over permissions and increase resource access security. This topic describes the scenarios in which custom policies for ApsaraMQ for RocketMQ are used. This topic also provides sample custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

Sample custom policies

Important

If you want to use the sample code, delete all comments after you copy the code. A comment consists of two forward slashes (//) and the description that follows them; the policy is not valid JSON until the comments are removed.

  • Example 1: Grant permissions on a topic or a group on an instance.

    You can grant a RAM user permissions to publish messages to or subscribe to messages from a specific topic or group. To grant the permissions, configure a policy based on the following examples:

    • Instances that contain namespaces:

      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on the instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This example is applicable to instances that contain namespaces.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions that are required to publish messages to and subscribe to messages from a specific topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{topic}"
                  ]
              },
              {    // Grant the required permissions on a specific group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{groupId}"
                  ]
              }
          ]
      }
    • Instances that do not contain namespaces:

      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on the instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This example is applicable to instances that do not contain namespaces. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {   // Grant the permissions that are required to publish messages to and subscribe to messages from a specific topic. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",    
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {    // Grant the required permissions on a specific group. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }                    
  • Example 2: Grant all permissions on all resources of an instance. This example is applicable only to instances that contain namespaces.

    To grant all permissions on all resources of an instance, configure a policy based on the following example:

    {   // This example is applicable only to instances that contain namespaces. 
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*" // Grant all permissions on the instance. Replace {instanceId} with your instance ID. 
                ]
            }
        ]
    }          
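As an added example (not code from this page or from Alibaba Cloud), the following Python helper builds the Example 1 policy for both instance types using the resource formats shown above, strips the // comments from a pasted sample as the Important note requires, and flags wildcard grants such as the mq:* on {instanceId}* in Example 2 so they can be reviewed before the policy is attached. The instance, topic and group IDs are placeholders.

```python
import json
import re

# Resource name formats shown on the page. An instance that contains namespaces
# joins the instance ID and the topic/group ID with "%"; an instance without
# namespaces uses the bare topic or group ID.
def mq_resource(instance_id, name=None, namespaced=True):
    if name is None:
        return f"acs:mq:*:*:{instance_id}"
    return f"acs:mq:*:*:{instance_id}%{name}" if namespaced else f"acs:mq:*:*:{name}"

def build_topic_group_policy(instance_id, topic, group_id, namespaced=True):
    """Example 1 shape: instance lookup first, then PUB/SUB on a topic, SUB on a group."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["mq:QueryInstanceBaseInfo"],
             "Resource": [mq_resource(instance_id)]},
            {"Effect": "Allow", "Action": ["mq:PUB", "mq:SUB"],
             "Resource": [mq_resource(instance_id, topic, namespaced)]},
            {"Effect": "Allow", "Action": ["mq:SUB"],
             "Resource": [mq_resource(instance_id, group_id, namespaced)]},
        ],
    }

COMMENT_RE = re.compile(r"//.*$")  # "//" and everything after it on the line

def load_commented_policy(text):
    """Drop the "//" comments a pasted sample carries (no value in these samples
    contains "//"), then parse the remaining JSON."""
    cleaned = "\n".join(COMMENT_RE.sub("", line).rstrip() for line in text.splitlines())
    return json.loads(cleaned)

def wildcard_grants(policy):
    """Least-privilege lint: Allow (action, resource) pairs where either ends in "*"."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt["Action"]:
            for resource in stmt["Resource"]:
                if action.endswith("*") or resource.endswith("*"):
                    hits.append((action, resource))
    return hits

# Constructed sample in the page's Example 2 shape, comments left in, placeholder ID.
SAMPLE_WITH_COMMENTS = """{   // applicable only to instances that contain namespaces
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["mq:*"],
                   "Resource": ["acs:mq:*:*:{instanceId}*"]}]  // whole instance
}"""
```

Running wildcard_grants over the narrow Example 1 policy returns nothing, while the Example 2 sample is reported as a full-instance grant that deserves a second look.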

Authorization information

To use a custom policy, you must understand the permission management requirements of your business and the authorization information about ApsaraMQ for RocketMQ. For more information, see RAM authorization.