Alibaba Cloud offers Resource Access Management (RAM), which allows you to manage permissions for the Message Queue for Apache Kafka console and API. RAM allows you to avoid sharing the AccessKey pair, which includes an AccessKey ID and an AccessKey secret, of your Alibaba Cloud account with other users. Instead, you can grant users only the minimum required permissions.
RAM policies
In RAM, policies are a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Policy structure and syntax.
In RAM, a policy is a resource entity. Message Queue for Apache Kafka supports the following types of policies:
- System policies: System policies are created and updated by Alibaba Cloud and you cannot modify them. These policies are applicable to coarse-grained control of RAM user permissions.
- Custom policies: You can create, update, and delete custom policies and maintain policy versions. These policies are applicable to fine-grained control of RAM user permissions.
System policies
The following table lists the system policies supported by Message Queue for Apache Kafka.
| Policy | Description |
|---|---|
| AliyunKafkaFullAccess | The management permission of Message Queue for Apache Kafka. The RAM user who has been granted this permission has the permission equivalent to the Alibaba Cloud account, that is, all operation permissions of the console and API. |
| AliyunKafkaReadOnlyAccess | The read-only permission of Message Queue for Apache Kafka. The RAM user who has been granted this permission has only the read-only permission of all resources of the Alibaba Cloud account, and does not have the operation permissions of the console and API. |
Examples of system policies
Use the system policy AliyunKafkaFullAccess as an example. The RAM user who has been granted this permission has the permission equivalent to the Alibaba Cloud account, that is, all operation permissions of the console and API. The following code displays the policy content:
{
"Version": "1",
"Statement": [
{
"Action": "alikafka:*",
"Resource": "*",
"Effect": "Allow"
}
]
}Custom policies
The following table lists the custom policies supported by Message Queue for Apache Kafka.
| Action | Permission description | Read-only or not |
|---|---|---|
| ReadOnly | Only reads all resources. | Yes |
| ListInstance | Views instances. | Yes |
| StartInstance | Deploys instances. | No |
| UpdateInstance | Changes instance configuration. | No |
| ReleaseInstance | Releases instances. | No |
| ListTopic | Views topics. | Yes |
| CreateTopic | Creates topics. | No |
| UpdateTopic | Changes topic configuration. | No |
| DeleteTopic | Deletes topics. | No |
| ListGroup | Views consumer groups. | Yes |
| CreateGroup | Creates consumer groups. | No |
| UpdateGroup | Changes consumer group configuration. | No |
| DeleteGroup | Deletes consumer groups. | No |
| QueryMessage | Queries messages. | Yes |
| SendMessage | Sends messages. | No |
| DownloadMessage | Downloads messages. | Yes |
| CreateDeployment | Creates connector tasks. | No |
| DeleteDeployment | Deletes connector tasks. | No |
| ListDeployments | Views connector tasks. | Yes |
| UpdateDeploymentRemark | Updates connector task description. | No |
| GetDeploymentLog | Obtains the operational logs of connector tasks. | Yes |
| EnableAcl | Enables the access control list (ACL) feature. | No |
| CreateAcl | Creates an ACL. | No |
| DeleteAcl | Deletes an ACL. | No |
| ListAcl | Queries ACLs. | Yes |
| CreateSaslUser | Creates a Simple Authentication and Security Layer (SASL) user. | No |
| DeleteSaslUser | Deletes an SASL user. | No |
| ListSaslUser | Queries SASL users. | Yes |
Examples of custom policies
Use the custom policy AliyunKafkaCustomAccess as an example. The RAM user who has been granted this permission only has the permissions to view the alikafka_post-cn-xxx instance, view topics, view consumer groups, query messages, and download messages in the console and by using API operations. The following code displays the policy content:
{
"Version": "1",
"Statement": [
{
"Action": [
"alikafka:ListInstance",
"alikafka:ListTopic",
"alikafka:ListGroup",
"alikafka:QueryMessage",
"alikafka:DownloadMessage"
],
"Resource": "acs:alikafka:*:*:alikafka_post-cn-xxx",
"Effect": "Allow"
}
]
}