Using resource groups, you can integrate with Resource Access Management (RAM) to isolate resources and manage permissions with fine-grained control within a single Alibaba Cloud account. This topic describes how Message Queue for Apache Kafka supports resource groups and provides the steps to grant permissions at the resource group level.
- Authorization at the resource group level applies only to resource types that support resource groups and to actions that support this level of authorization.
- For resource types that do not support resource groups, you must grant permissions at the account level. For more information, see Actions that do not support resource group-level authorization.
How it works
You can use resource groups to manage resources in your Alibaba Cloud account by organizing them into groups. For example, you can create a resource group for each project and move the project's resources into that group. This allows you to manage the resources for different projects in a centralized manner. For more information, see What is a resource group?.
After organizing resources into groups, you can grant permissions scoped to a specific resource group to RAM principals, such as RAM users, RAM user groups, or RAM roles. This limits a principal to managing only the resources within that group. For more information, see Resource grouping and authorization.
This approach provides the following benefits:
- Fine-grained permissions: You can ensure that each identity has precise access to specific resources, which prevents resources from different projects from being managed under the same set of permissions.
- Scalability: When you add new resources, simply add them to the resource group. The principal automatically gains permissions for these resources without requiring you to grant permissions again.
Grant resource group-level permissions to a RAM user
The following steps describe how to grant permissions to a RAM user to manage Message Queue for Apache Kafka resources within a specific resource group.
1. Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move your existing resources into the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.
2. Grant permissions at the resource group level
You can grant permissions at the resource group level by using either of the following methods.
Method 1: Resource Management console
Use the resource group's permission management feature to grant permissions to a RAM user. For details, see Grant a RAM identity permissions scoped to a resource group.
- Log on to the Resource Management console.
- On the Resource Groups page, click Permission Management in the Actions column for the target resource group.
- On the Permission Management tab, click Grant Permission.
- In the Grant Permission panel, configure the principal and permission policy.
  - Principal: Select an existing RAM user.
  - Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom permission policy.
- Click Confirm.
Method 2: RAM console
Use the RAM console to grant resource group-level permissions to a specific RAM user. For details, see Manage permissions for a RAM user.
- Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, click Add Permissions in the Actions column for the target RAM user.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Resource Scope: Select Resource Group Level.
  - Principal: Select the RAM user that you created or an existing RAM user.
  - Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom permission policy.
- Click Confirm.
Resource types that support resource groups
Message Queue for Apache Kafka supports resource groups for the following resource type:
| Cloud service | Service code | Resource type |
| --- | --- | --- |
| Message Queue for Apache Kafka | alikafka | instance |
If a resource type that you need does not support resource groups, you can submit feedback in the Resource Management console.

Actions that do not support resource group-level authorization
In Message Queue for Apache Kafka, the following actions do not support resource group-level authorization. A dash in the Description column means the page gives no description for that action:
| Action | Description |
| --- | --- |
| alikafka:AddQuota | - |
| alikafka:CheckCreateSlr | - |
| alikafka:ConsoleClearPretendStatus | - |
| alikafka:ConsoleKafkaConnectorCheckKafkaConnectorStatus | - |
| alikafka:ConsoleKafkaConnectorOpenKafkaConnector | - |
| alikafka:ConsoleSavePretendStatus | - |
| alikafka:ConsoleSearchPretendUser | - |
| alikafka:ConvertPostPayOrder | Converts a pay-as-you-go instance to a subscription instance. |
| alikafka:CreateDefaultSlrRole | - |
| alikafka:CreateETLTask | - |
| alikafka:CreateInstance | - |
| alikafka:CreateInstanceMetadataMigration | - |
| alikafka:DeleteConsumerGroup | - |
| alikafka:DeleteContact | - |
| alikafka:DeleteInstance | - |
| alikafka:DiagnoseTimeoutTransaction | - |
| alikafka:EvaluateInstance | - |
| alikafka:GetBrokerIdListFromSls | - |
| alikafka:GetConsumerList | - |
| alikafka:GetInstanceList | - |
| alikafka:GetInstancesLeaderElectionOverviewListInPage | - |
| alikafka:GetLeaderElectionOverviewOrderByCostListInPage | - |
| alikafka:GetMakeFollowerProcess | - |
| alikafka:GetMakeLeaderProcess | - |
| alikafka:GetMeta | - |
| alikafka:GetPromotionList | - |
| alikafka:GetRegionErrorLeaderElectionOverviewListInPage | - |
| alikafka:GetRegionLeaderElectionOverview | - |
| alikafka:GetTopicList | - |
| alikafka:GetTransactionTopicListInPage | - |
| alikafka:HandleHangingTransaction | - |
| alikafka:ListInstanceGetNoDeployedInstanceList | - |
| alikafka:ListInstanceId | - |
| alikafka:ListLeaderElectionResult | - |
| alikafka:ListLogProject | - |
| alikafka:ListLogStore | - |
| alikafka:ListRegions | - |
| alikafka:ListReportAnalyseClientConsumerPower | - |
| alikafka:ListReportAnalyseFetchLog | - |
| alikafka:ListReportAnalyseGroup | - |
| alikafka:ListReportAnalyseMessageStoreBrokerTime | - |
| alikafka:ListReportAnalyseSubscribeRelationship | - |
| alikafka:ListReportAnalyseTopic | - |
| alikafka:QueryContact | - |
| alikafka:QueryMigrationRecord | - |
| alikafka:QueryQuota | - |
| alikafka:RegionalRollbackAddOrUpdateTopics | - |
| alikafka:SpCorrect | - |
| alikafka:SpCorrectPartition | - |
| alikafka:UpdateContact | - |
| alikafka:UpdateDeploymentRemark | - |
For actions that do not support resource group-level authorization, setting the permission scope to Resource Group Level is ineffective. If a RAM user needs these permissions, you must create a custom permission policy and set the permission scope to Account Level.
The following examples show two custom permission policies. You can modify these policies as needed.
- Allows all read-only actions that do not support resource group-level authorization. The Action element lists these actions.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:CheckCreateSlr",
        "alikafka:GetBrokerIdListFromSls",
        "alikafka:GetConsumerList",
        "alikafka:GetInstanceList",
        "alikafka:GetInstancesLeaderElectionOverviewListInPage",
        "alikafka:GetLeaderElectionOverviewOrderByCostListInPage",
        "alikafka:GetMakeFollowerProcess",
        "alikafka:GetMakeLeaderProcess",
        "alikafka:GetMeta",
        "alikafka:GetPromotionList",
        "alikafka:GetRegionErrorLeaderElectionOverviewListInPage",
        "alikafka:GetRegionLeaderElectionOverview",
        "alikafka:GetTopicList",
        "alikafka:GetTransactionTopicListInPage",
        "alikafka:ListInstanceGetNoDeployedInstanceList",
        "alikafka:ListInstanceId",
        "alikafka:ListLeaderElectionResult",
        "alikafka:ListLogProject",
        "alikafka:ListLogStore",
        "alikafka:ListRegions",
        "alikafka:ListReportAnalyseClientConsumerPower",
        "alikafka:ListReportAnalyseFetchLog",
        "alikafka:ListReportAnalyseGroup",
        "alikafka:ListReportAnalyseMessageStoreBrokerTime",
        "alikafka:ListReportAnalyseSubscribeRelationship",
        "alikafka:ListReportAnalyseTopic",
        "alikafka:QueryContact",
        "alikafka:QueryMigrationRecord",
        "alikafka:QueryQuota"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allows all actions that do not support resource group-level authorization. All such actions are listed in the Action element.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:AddQuota",
        "alikafka:CheckCreateSlr",
        "alikafka:ConsoleClearPretendStatus",
        "alikafka:ConsoleKafkaConnectorCheckKafkaConnectorStatus",
        "alikafka:ConsoleKafkaConnectorOpenKafkaConnector",
        "alikafka:ConsoleSavePretendStatus",
        "alikafka:ConsoleSearchPretendUser",
        "alikafka:ConvertPostPayOrder",
        "alikafka:CreateDefaultSlrRole",
        "alikafka:CreateETLTask",
        "alikafka:CreateInstance",
        "alikafka:CreateInstanceMetadataMigration",
        "alikafka:DeleteConsumerGroup",
        "alikafka:DeleteContact",
        "alikafka:DeleteInstance",
        "alikafka:DiagnoseTimeoutTransaction",
        "alikafka:EvaluateInstance",
        "alikafka:GetBrokerIdListFromSls",
        "alikafka:GetConsumerList",
        "alikafka:GetInstanceList",
        "alikafka:GetInstancesLeaderElectionOverviewListInPage",
        "alikafka:GetLeaderElectionOverviewOrderByCostListInPage",
        "alikafka:GetMakeFollowerProcess",
        "alikafka:GetMakeLeaderProcess",
        "alikafka:GetMeta",
        "alikafka:GetPromotionList",
        "alikafka:GetRegionErrorLeaderElectionOverviewListInPage",
        "alikafka:GetRegionLeaderElectionOverview",
        "alikafka:GetTopicList",
        "alikafka:GetTransactionTopicListInPage",
        "alikafka:HandleHangingTransaction",
        "alikafka:ListInstanceGetNoDeployedInstanceList",
        "alikafka:ListInstanceId",
        "alikafka:ListLeaderElectionResult",
        "alikafka:ListLogProject",
        "alikafka:ListLogStore",
        "alikafka:ListRegions",
        "alikafka:ListReportAnalyseClientConsumerPower",
        "alikafka:ListReportAnalyseFetchLog",
        "alikafka:ListReportAnalyseGroup",
        "alikafka:ListReportAnalyseMessageStoreBrokerTime",
        "alikafka:ListReportAnalyseSubscribeRelationship",
        "alikafka:ListReportAnalyseTopic",
        "alikafka:QueryContact",
        "alikafka:QueryMigrationRecord",
        "alikafka:QueryQuota",
        "alikafka:RegionalRollbackAddOrUpdateTopics",
        "alikafka:SpCorrect",
        "alikafka:SpCorrectPartition",
        "alikafka:UpdateContact",
        "alikafka:UpdateDeploymentRemark"
      ],
      "Resource": "*"
    }
  ]
}
```
RAM users or RAM roles with account-level permissions can manage all applicable resources in the account, not just those in one resource group. Always grant permissions based on the principle of least privilege: grant the read-only subset where it is sufficient, and add the state-changing actions only for principals that need them.
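As an added example (not code from the Alibaba Cloud documentation or from the alikafka service), the following Python script encodes the two action lists above and checks a custom policy document before it is attached. For a grant intended for the resource group level it flags actions that the page says are ineffective there, including ones pulled in by a wildcard; for an account-level grant it flags the state-changing actions from that list so they can be reviewed against least privilege, and it can split a requested action set into the part that can stay resource group-scoped and the part that needs a separate account-level policy. The scope labels, the finding reason strings and the action name alikafka:ExampleRgScopedAction in the constructed sample policy are assumptions of this example, not RAM API values.

```python
"""Check a Message Queue for Apache Kafka RAM policy against the action lists
on this page. Added example; not Alibaba Cloud code."""
import fnmatch
import json


def _alikafka(names):
    """Prefix whitespace-separated action names with the alikafka service code."""
    return frozenset("alikafka:" + n for n in names.split())


# Read-only actions without resource group-level authorization, as classified
# by the first example policy on this page.
READ_ONLY_NO_RG = _alikafka("""
    CheckCreateSlr GetBrokerIdListFromSls GetConsumerList GetInstanceList
    GetInstancesLeaderElectionOverviewListInPage GetLeaderElectionOverviewOrderByCostListInPage
    GetMakeFollowerProcess GetMakeLeaderProcess GetMeta GetPromotionList
    GetRegionErrorLeaderElectionOverviewListInPage GetRegionLeaderElectionOverview
    GetTopicList GetTransactionTopicListInPage ListInstanceGetNoDeployedInstanceList
    ListInstanceId ListLeaderElectionResult ListLogProject ListLogStore ListRegions
    ListReportAnalyseClientConsumerPower ListReportAnalyseFetchLog ListReportAnalyseGroup
    ListReportAnalyseMessageStoreBrokerTime ListReportAnalyseSubscribeRelationship
    ListReportAnalyseTopic QueryContact QueryMigrationRecord QueryQuota
""")
# The remaining actions from the page's table; these change state or billing.
MUTATING_NO_RG = _alikafka("""
    AddQuota ConsoleClearPretendStatus ConsoleKafkaConnectorCheckKafkaConnectorStatus
    ConsoleKafkaConnectorOpenKafkaConnector ConsoleSavePretendStatus ConsoleSearchPretendUser
    ConvertPostPayOrder CreateDefaultSlrRole CreateETLTask CreateInstance
    CreateInstanceMetadataMigration DeleteConsumerGroup DeleteContact DeleteInstance
    DiagnoseTimeoutTransaction EvaluateInstance HandleHangingTransaction
    RegionalRollbackAddOrUpdateTopics SpCorrect SpCorrectPartition UpdateContact
    UpdateDeploymentRemark
""")
# Every action the page says must be granted at account level.
ACTIONS_WITHOUT_RG_AUTH = READ_ONLY_NO_RG | MUTATING_NO_RG


def expand_action(pattern):
    """Resolve one Action entry to concrete actions. A wildcard such as
    "alikafka:Get*" is matched only against the page's table, because that is
    the set this checker knows about; a plain name is returned unchanged."""
    if "*" not in pattern:
        return {pattern}
    return {a for a in ACTIONS_WITHOUT_RG_AUTH if fnmatch.fnmatchcase(a, pattern)}


def lint_policy(policy_json, scope):
    """Return (statement_index, action, reason) findings for a policy that is
    about to be attached with `scope`, "resource_group" or "account". Scope
    labels and reason strings are this checker's own, not RAM values:
      ineffective_at_rg_scope - granting it at resource group level does nothing
      wildcard_covers_no_rg   - a wildcard silently pulls such an action in
      mutating_account_wide   - a state-changing action granted account-wide
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot over-grant
        raw = stmt.get("Action", [])
        for pattern in ([raw] if isinstance(raw, str) else raw):
            for action in sorted(expand_action(pattern)):
                if action not in ACTIONS_WITHOUT_RG_AUTH:
                    continue  # supports resource groups; nothing to flag
                if scope == "resource_group":
                    reason = "wildcard_covers_no_rg" if "*" in pattern else "ineffective_at_rg_scope"
                    findings.append((idx, action, reason))
                elif action in MUTATING_NO_RG:
                    findings.append((idx, action, "mutating_account_wide"))
    return findings


def split_by_scope(actions):
    """Partition requested actions into those that can go into a resource
    group-scoped grant and those that need a separate account-level policy."""
    account_only = sorted(a for a in actions if a in ACTIONS_WITHOUT_RG_AUTH)
    rg_ok = sorted(a for a in actions if a not in ACTIONS_WITHOUT_RG_AUTH)
    return rg_ok, account_only


def build_account_policy(actions):
    """Build an Allow policy in the same shape as the page's example policies."""
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


# Constructed sample policy. alikafka:ExampleRgScopedAction is a placeholder
# standing in for an action that does support resource groups.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["alikafka:DeleteInstance", "alikafka:GetTopicList",
                              "alikafka:ExampleRgScopedAction"],
                   "Resource": "*"}],
})

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, "resource_group"):
        print(finding)
    rg_ok, account_only = split_by_scope(["alikafka:DeleteInstance", "alikafka:GetTopicList",
                                          "alikafka:ExampleRgScopedAction"])
    print(json.dumps(build_account_policy(account_only), indent=2))
```

Run against the sample policy at resource group scope, the checker reports DeleteInstance and GetTopicList as ineffective and leaves the placeholder action alone; at account scope only DeleteInstance is reported, because the page classifies GetTopicList as read-only. Wildcards are resolved only against the table on this page, so a pattern like alikafka:Get* is expanded into the thirteen Get actions listed there rather than being passed through unexamined.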
FAQ
View the resource group of a resource
- Method 1: Click the resource name to go to its details page. The resource's resource group is displayed on the page.
- Method 2: Log on to the Resource Management console. Click . In the left-side navigation pane, select the resource's account (the Current Account is selected by default). Use the filter conditions to find the target resource and view its resource group.
View product resources in a resource group
- Method 1: Log on to the Resource Management console. Click . In the left-side navigation pane, under the account to which the resources belong (the Current Account is selected by default), click the name of the target resource group. Then, from the Select Resource Type drop-down list on the right, select the product to view all of its resources in the resource group.
- Method 2: Log on to the Resource Management console. Click . Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the Product drop-down list to view all of its resources in the resource group.
Move resources to another resource group
Log on to the Resource Management console. Click . In the row of the target resource group, click Resource Management in the Actions column. On the Resource Management page, use the filter conditions to find the target resources. Select the resources, click Transfer Resource Group below the list, and then follow the on-screen instructions to complete the transfer.