
Resource authorization

Last Updated: Aug 10, 2018

MQ allows a cloud account (primary account) to authorize RAM users (sub-accounts) to use Topic resources. Authorized RAM users can manage resources on the MQ console, and publish or subscribe to messages through SDK.

Authorization policy

MQ currently supports three authorization policies. To view them, do as follows:

  1. Log on to the RAM console, and choose Policies > System Policy.
  2. Enter MQ in the Policy Name or Description search box and click Search to view the three supported authorization policies.

The three authorization policies are described as follows:

AliyunMQFullAccess: the administration permission of MQ. With this permission, a RAM user is not only authorized to handle all resources of the primary account, but also to manage resources on the MQ console on behalf of the primary account, such as creating or deleting Topics, Producers or Consumers. Note that any resource created by the RAM user is eventually owned by the primary account.

AliyunMQPubOnlyAccess: the publishing permission of MQ. With this permission, a RAM user is authorized to publish to any resource of the primary account, including creating Producers on the MQ console and sending messages through SDK, but not to delete Producers.

AliyunMQSubOnlyAccess: the subscription permission of MQ. With this permission, a RAM user is authorized to subscribe to any resource of the primary account, including creating Consumers on the MQ console and subscribing to messages through SDK, but not to delete Consumers.

Tips:

You can combine the AliyunMQPubOnlyAccess and AliyunMQSubOnlyAccess policies to grant RAM users the permission to both publish and subscribe to any resource of the primary account.

Unlike the AliyunMQFullAccess policy, this policy combination does not grant RAM users the administration permission of MQ. Therefore, it does not cover the permission to create or delete Topics.

Create custom policy

Most of the time, the three authorization policies provided by MQ are sufficient to meet the business requirements. However, if you have authorization requirements with finer granularity, you can create a custom policy for access control.

For instructions, see Create a custom policy.

Here’s an example of a custom policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "mq:PUB",
          "Resource": [
            "acs:mq:*:*:TopicA",
            "acs:mq:*:*:TopicB"
          ],
          "Effect": "Allow"
        }
      ]
    }

In this example:

  • Resource name: TopicA and TopicB;
  • Permission: the publishing permission, including the permission to create Producers and to send messages through SDK.
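To confirm what a custom policy actually grants before attaching it to a RAM user, here is an added Python example (not from this page or from Alibaba Cloud) that evaluates requests against the policy above under a simplified RAM decision model: default deny, a matching Allow grants, an explicit Deny always overrides, and `*` is a wildcard inside the acs:mq resource name. It goes beyond the page by appending one constructed Deny statement; the action name mq:SUB and the region and account ID in the resource names are assumed values.

```python
import json
import re

# The custom policy from the page: mq:PUB on TopicA and TopicB only.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "mq:PUB",
     "Resource": ["acs:mq:*:*:TopicA", "acs:mq:*:*:TopicB"],
     "Effect": "Allow"}
  ]
}
""")

# Constructed (not on the page): an explicit Deny on every mq action for TopicB.
DENY_TOPIC_B = {"Action": "mq:*", "Resource": "acs:mq:*:*:TopicB", "Effect": "Deny"}
POLICY_WITH_DENY = {"Version": "1", "Statement": POLICY["Statement"] + [DENY_TOPIC_B]}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # '*' matches any run of characters (':' included); everything else is literal.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def evaluate(policy, action, resource):
    """Decide one request under a simplified RAM model (assumption):
    default Deny, a matching Allow grants, a matching Deny always wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # Constructed resource names; region and account ID are placeholders.
    arn = "acs:mq:cn-hangzhou:1234567890123456:Topic{}"
    for action, name in [("mq:PUB", "A"), ("mq:PUB", "B"), ("mq:PUB", "C"), ("mq:SUB", "A")]:
        print(action, "Topic" + name, evaluate(POLICY, action, arn.format(name)),
              "/ with Deny:", evaluate(POLICY_WITH_DENY, action, arn.format(name)))
```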

RAM user authorization

For instructions on how to create a RAM user, see Create a RAM user. For more information about basic authorization operations and the concept of user group authorization, see Attach policies to a RAM user.

Authorization steps

To authorize a RAM user with the primary account, do as follows:

  1. Log on to the RAM console with the primary account.
  2. Click Users in the left-side navigation pane.
  3. Locate the user to be authorized (you can search for the user by the user name/display name), and click Authorize in the Actions column to enter Edit User-Level Authorization.
  4. Add the desired authorization policy (you can search for the policy by keyword) and click OK.
    • Select the required policy in Available Authorization Policy Names on the left and click the right arrow (which means “authorize”) to add it to Selected Authorization Policy Name.
    • Likewise, click the left arrow to remove a policy from the Selected Authorization Policy Name on the right.

RAM user permission verification

RAM users can log on to the MQ console to verify their permissions. After logging on to the MQ console, you can view all authorized Topic resources on the Topics page.

The logon steps are as follows:

  1. Log on to the RAM console.
  2. Locate and click Message Queue in the left-side product list of the RAM console to go to the MQ console. Alternatively, you can directly log on to the MQ console.