Alibaba Cloud provides Resource Access Management (RAM) for you to manage permissions for Message Queue for MQTT. With RAM, you can avoid sharing the key of your Alibaba Cloud account (an AccessKey pair that contains an AccessKey ID and an AccessKey secret) with other users. Instead, you grant them only the permissions they need. This topic describes the permission policies of Message Queue for MQTT in RAM.

In RAM, a policy is a collection of permissions described in a structured syntax. A policy can precisely describe the authorized resource sets, action sets, and authorization conditions. Message Queue for MQTT provides the following types of RAM policies:

  • System policies: Policies that are created by Alibaba Cloud. You can use but not modify these policies. Version updates of the policies are maintained by Alibaba Cloud.
  • Custom policies: Policies that you can create, update, and delete. You also maintain the version updates of these policies.

System policies

Currently, Message Queue for MQTT provides three system policies by default.

Notice: Message Queue for MQTT has no independent system policies. When you grant the following system policies to RAM users, they take effect for Message Queue for Apache RocketMQ as well as for Message Queue for MQTT.

Policies and additional considerations:
  • AliyunMQFullAccess: The permission to manage Message Queue for MQTT. It is equivalent to the permission that the Alibaba Cloud account has. A RAM user granted this permission can send and subscribe to all messages and use all the features of the console.
  • AliyunMQPubOnlyAccess: The publishing permission of Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to send messages through SDKs.
  • AliyunMQSubOnlyAccess: The subscription permission of Message Queue for MQTT. A RAM user granted this permission can use all the resources of the Alibaba Cloud account to subscribe to messages through SDKs.

Custom policies

With custom policies, you can grant fine-grained permissions to users.

The following sections describe the mappings between resources and actions in Message Queue for MQTT.

In Message Queue for MQTT, instances, topics, and groups are different types of resources, and the permissions granted for these resources are actions. The naming formats of topics and groups vary depending on whether an instance has a namespace. You can check whether an instance has a namespace on the instance details page in the Message Queue for MQTT console.

Message Queue for MQTT can be accessed through the console, OpenAPI, and the Message Queue for MQTT client. Operations on resources in the console are classified into three types: instances, topics, and groups.

Note: To access Message Queue for MQTT through the console or OpenAPI, you must have the permission to access the instance, that is, mq:MqttInstanceAccess.

The permission to send and subscribe to messages by using an MQTT client

The message sending and receiving permissions involve the resource naming formats of topics and group IDs. These naming formats vary depending on whether the Message Queue for MQTT instance has a namespace.
  • With namespace
    • Topic: acs:mq:*:*:{storeInstanceId}%{topic}
    • Group ID: acs:mq:*:*:{storeInstanceId}%{groupid}
    Notice: storeInstanceId here refers to the ID of the persistent instance bound to your Message Queue for MQTT instance. You can get the ID of the bound persistent instance on the instance details page in the Message Queue for MQTT console.
  • Without namespace
    • Topic: acs:mq:*:*:{topic}
    • Group ID: acs:mq:*:*:{groupid}

Actions:
  • mq:PUB: Publishes a message.
  • mq:SUB: Subscribes to a message.
Remarks: Before granting permissions to a RAM user for topics, you must grant the mq:MqttInstanceAccess permission of the instance to which the topics belong.

Permissions to operate instances

The resource naming format is acs:mq:*:*:{mqttInstanceId}, regardless of whether your Message Queue for MQTT instances have separate namespaces. The following list describes the supported actions.

Actions, descriptions, and remarks:
  • mq:MqttInstanceAccess: Queries the basic information of a specified instance. Remarks: Before granting permissions to a RAM user for topics and groups, you must grant the mq:MqttInstanceAccess permission of the instance to which the topics and groups belong.
  • mq:DeleteMqttInstance: Deletes a cluster. Remarks: none.
  • mq:UpdateMqttInstance: Updates instance information. Remarks: none.
  • mq:BindMqttInstance: Binds an instance. Remarks: If you need to bind an instance, you must have permissions on both the Message Queue for MQTT instance and the associated persistent instance. For the permissions of persistent instances, see the permission control policies of the corresponding product.
  • mq:ListMqttInstance: Obtains the list of instances. Remarks: none.
  • mq:UpdateMqttInstanceWarn: Updates the alerting information of a specified instance. Remarks: none.

Topic permissions in the console

The naming format of topics varies depending on whether the Message Queue for MQTT instance has a namespace.
  • With namespace: acs:mq:*:*:{storeInstanceId}%{topic}
    Notice: storeInstanceId here refers to the ID of the persistent instance bound to your Message Queue for MQTT instance. You can get the ID of the bound persistent instance on the instance details page in the Message Queue for MQTT console.
  • No namespace: acs:mq:*:*:{topic}

Actions:
  • mq:QueryMqttClientByTopic: Queries the clients that subscribed to a topic.
  • mq:QueryMqttMsgTransTrend: Queries statistics on sending and receiving messages by topic.
  • mq:SendMqttMessageByConsole: Tests the function of sending messages in the MQTT console.
Remarks: Before granting permissions to a RAM user for topics and groups, you must grant the mq:MqttInstanceAccess permission of the instance to which the topics and groups belong.

Group ID permissions in the console

The naming format of group IDs varies depending on whether the Message Queue for MQTT instance has a namespace.
  • With namespace: acs:mq:*:*:{mqttInstanceId}%{groupId}
    Notice: For an instance with an independent namespace, the group ID must be prefixed with the Message Queue for MQTT instance ID.
  • No namespace: acs:mq:*:*:{groupId}

Actions:
  • mq:CreateMqttGroupId: Creates a group ID.
  • mq:ListMqttGroupId: Obtains the list of group IDs.
  • mq:QueryMqttClientByClientId: Queries MQTT client information by client ID.
  • mq:QueryMqttClientByGroupId: Queries MQTT client information by group ID.
  • mq:QueryMqttHistoryOnline: Queries historical online MQTT client information by group ID.
  • mq:DeleteMqttGroupId: Deletes a group ID.
  • mq:QueryMqttDeviceTrace: Queries device traces.
  • mq:QueryMqttDeviceTrace: Queries messages related to an MQTT client.
Remarks: Before granting permissions to a RAM user for topics and groups, you must grant the mq:MqttInstanceAccess permission of the instance to which the topics and groups belong.
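As an added example (not from the Alibaba Cloud documentation), the helper below encodes the resource naming formats described above for client publish/subscribe, instance, console topic and console group permissions, builds a least-privilege custom policy for one client, and lints a policy for the mq:MqttInstanceAccess prerequisite and for wildcard resources. The instance and persistent-instance IDs are constructed placeholders; the policy shape (Version "1" plus a Statement list) is the standard RAM policy document format.

```python
import json

ARN_PREFIX = "acs:mq:*:*:"

def resource_name(kind, mqtt_instance_id, name=None, store_instance_id=None, console=False):
    """Build the RAM Resource string for an instance, topic or group ID.

    store_instance_id=None means the instance has no namespace.
    console=True selects the console group format {mqttInstanceId}%{groupId},
    which differs from the client format {storeInstanceId}%{groupId}.
    """
    if kind == "instance":
        return ARN_PREFIX + mqtt_instance_id
    if kind not in ("topic", "group"):
        raise ValueError(f"unknown resource kind: {kind}")
    if store_instance_id is None:
        return ARN_PREFIX + name
    prefix = mqtt_instance_id if (kind == "group" and console) else store_instance_id
    return f"{ARN_PREFIX}{prefix}%{name}"

def client_policy(mqtt_instance_id, topic, group_id, store_instance_id=None, actions=("mq:PUB",)):
    """Least-privilege custom policy for one MQTT client: instance access first,
    then only the requested client actions on one topic and one group ID."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["mq:MqttInstanceAccess"],
             "Resource": [resource_name("instance", mqtt_instance_id)]},
            {"Effect": "Allow", "Action": list(actions),
             "Resource": [resource_name("topic", mqtt_instance_id, topic, store_instance_id),
                          resource_name("group", mqtt_instance_id, group_id, store_instance_id)]},
        ],
    }

def policy_gaps(policy):
    """Lint a custom policy: mq:PUB/mq:SUB need mq:MqttInstanceAccess alongside
    them, and a wildcard Resource hands out every topic and group ID."""
    gaps = []
    actions = {a for s in policy["Statement"] for a in s["Action"]}
    if actions & {"mq:PUB", "mq:SUB"} and "mq:MqttInstanceAccess" not in actions:
        gaps.append("missing mq:MqttInstanceAccess")
    for s in policy["Statement"]:
        if any(r in ("*", ARN_PREFIX + "*") for r in s["Resource"]):
            gaps.append("wildcard resource on " + ",".join(s["Action"]))
    return gaps

if __name__ == "__main__":
    # Constructed placeholder IDs, not real instances.
    pol = client_policy("mqtt-cn-EXAMPLE", "orders", "GID_orders", "MQ_INST_EXAMPLE")
    print(json.dumps(pol, indent=2), policy_gaps(pol))
```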

OpenAPI permissions

Resource naming formats for the OpenAPI operations:
  • Instances without a namespace
    • Instance: acs:mq:*:*:{mqttInstanceId}
    • Topic: acs:mq:*:*:{topic}
    • Group ID: acs:mq:*:*:{groupId}
  • Instances with a namespace
    • Instance: acs:mq:*:*:{mqttInstanceId}
    • Topic: acs:mq:*:*:{storeInstanceId}%{topic}
    • Group ID: acs:mq:*:*:{storeInstanceId}%{topic}

Each operation requires mq:MqttInstanceAccess on the instance together with its own action:
  • RevokeToken: mq:MqttInstanceAccess, mq:RevokeToken
  • QueryToken: mq:MqttInstanceAccess, mq:QueryToken
  • ApplyToken: mq:MqttInstanceAccess, mq:ApplyToken
  • CreateGroupId: mq:MqttInstanceAccess, mq:CreateGroupId
  • DeleteGroupId: mq:MqttInstanceAccess, mq:DeleteGroupId
  • ListGroupId: mq:MqttInstanceAccess, mq:ListGroupId

Note: For more information about the API operations, see API overview.
