To ensure system security and implement fine-grained permission control, ApsaraMQ for RabbitMQ uses a two-step authentication mechanism. In this mechanism, AccessKey pair-based identity authentication is first performed and then Resource Access Management (RAM)-based permission authentication is performed. This topic describes the two-step authentication mechanism.
AccessKey pair-based identity authentication
ApsaraMQ for RabbitMQ performs AccessKey pair-based identity authentication only during connection establishment. If an AccessKey pair expires after a connection is established, subsequent behavior on that connection is not affected.
RAM-based permission authentication
After the user identity is verified, ApsaraMQ for RabbitMQ verifies the permissions of a RAM user each time you use the RAM user to send messages, declare queues and exchanges, or start message consumption. If the permissions of the RAM user change after a connection is established, these operations may be blocked. The permissions on message consumption are verified only during consumer startup. After consumers are started, the ApsaraMQ for RabbitMQ broker does not stop pushing messages to them.
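The timing of the two checks determines which sessions outlive a credential or permission change. The following added example (not Alibaba Cloud code) applies the rules above to a constructed inventory of connections and consumers and lists the sessions that the broker no longer re-checks. The record format, key IDs, user names, and function name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Connection:
    conn_id: str
    access_key_id: str
    ram_user: str
    opened_at: datetime

@dataclass(frozen=True)
class Consumer:
    conn_id: str
    queue: str
    started_at: datetime

def stale_sessions(connections, consumers, key_invalid_at, consume_revoked_at):
    """Find sessions that outlive a revocation under the two-step model.

    key_invalid_at:     access_key_id -> time the key expired or was disabled
    consume_revoked_at: ram_user -> time consume permission was removed
    """
    # Identity is checked only at connect, so earlier connections stay usable.
    stale_conns = [c for c in connections
                   if c.access_key_id in key_invalid_at
                   and c.opened_at <= key_invalid_at[c.access_key_id]]
    # Consume permission is checked only at consumer startup, so consumers
    # started before the change keep receiving pushed messages.
    user_of = {c.conn_id: c.ram_user for c in connections}
    stale_cons = [k for k in consumers
                  if (t := consume_revoked_at.get(user_of[k.conn_id])) is not None
                  and k.started_at <= t]
    return stale_conns, stale_cons

# Constructed sample inventory (placeholder key IDs and user names).
T = datetime.fromisoformat
CONNECTIONS = [
    Connection("c1", "AK_PLACEHOLDER_1", "ram-user-a", T("2024-05-01T09:00:00")),
    Connection("c2", "AK_PLACEHOLDER_2", "ram-user-b", T("2024-05-01T09:30:00")),
]
CONSUMERS = [
    Consumer("c1", "orders", T("2024-05-01T09:05:00")),
    Consumer("c2", "orders", T("2024-05-01T09:35:00")),
]
KEY_INVALID_AT = {"AK_PLACEHOLDER_1": T("2024-05-01T10:00:00")}
CONSUME_REVOKED_AT = {"ram-user-a": T("2024-05-01T10:30:00")}

if __name__ == "__main__":
    conns, cons = stale_sessions(CONNECTIONS, CONSUMERS, KEY_INVALID_AT, CONSUME_REVOKED_AT)
    print([c.conn_id for c in conns], [(k.conn_id, k.queue) for k in cons])
```

Sending messages and declaring queues or exchanges are not listed because the broker verifies permissions for those operations each time they are performed.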
For more information, see System policies for Amqp and Custom policies of ApsaraMQ for RabbitMQ.