ApsaraMQ for RabbitMQ leverages the authentication and permission model of open-source RabbitMQ to control access to its resources.
Limitations
This feature is only available for newly purchased serverless instances of the exclusive cluster type; existing instances are not supported.
Creation and permission management for the default guest account is not allowed.
User tag-based permission management is not supported. For details on managing permissions via the console or OpenAPI, see RAM access control.
You must choose either open-source authentication and permission management or Alibaba Cloud Resource Access Management (RAM) when configuring an instance. This choice is irreversible.
Once open-source authentication and permission management is enabled for a serverless instance of the exclusive cluster type, you cannot downgrade it to a shared instance.
How it works
ApsaraMQ for RabbitMQ provides granular access control at the vhost level, allowing you to assign configure, write, and read permissions to resources such as exchanges and queues. Permissions are defined using regular expressions, with the following patterns:
'.*' grants access to all resources.
'^$' matches only the empty string, effectively blocking all access.
'^(amq\.gen.*|amq\.default)$' allows access to system resources and the default exchange.
The following table describes how typical AMQP 0-9-1 operations map to these permissions:
| AMQP 0-9-1 operation | configure | write | read |
| --- | --- | --- | --- |
| exchange.declare (passive=false) | exchange | | |
| exchange.declare (passive=true) | | | |
| exchange.declare (with AE) | exchange | exchange (AE) | exchange |
| exchange.delete | exchange | | |
| queue.declare (passive=false) | queue | | |
| queue.declare (passive=true) | | | |
| queue.declare (with DLX) | queue | exchange (DLX) | queue |
| queue.delete | queue | | |
| exchange.bind | exchange (destination) | exchange (source) | |
| exchange.unbind | exchange (destination) | exchange (source) | |
| queue.bind | queue | exchange | |
| queue.unbind | queue | exchange | |
| basic.publish | | exchange | |
| basic.get | | | queue |
| basic.consume | | | queue |
| queue.purge | | | queue |
Access control in ApsaraMQ for RabbitMQ consists of two stages:
Vhost access: When a RabbitMQ client connects, it specifies a vhost. The server checks whether the user has access to that vhost. Connections are rejected if permissions are insufficient.
Resource operations: When performing actions on exchanges or queues, the server evaluates whether the user has appropriate permissions for the operation.
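The two-stage check and the operation-to-permission table above, as an added offline policy checker (example code, not part of ApsaraMQ or RabbitMQ); the users, vhost and resource names are constructed, and matching is assumed to be unanchored like the open-source broker's, so anchors must be written into each pattern.

```python
import re

# Permission each AMQP 0-9-1 operation needs on each named resource,
# transcribed from the mapping table above. Passive declares need none;
# the AE/DLX variants add a write check on the alternate/dead-letter exchange.
REQUIRED = {
    "exchange.declare": [("configure", "exchange")],
    "exchange.declare(passive)": [],
    "exchange.declare(AE)": [("configure", "exchange"), ("write", "ae"), ("read", "exchange")],
    "exchange.delete": [("configure", "exchange")],
    "queue.declare": [("configure", "queue")],
    "queue.declare(passive)": [],
    "queue.declare(DLX)": [("configure", "queue"), ("write", "dlx"), ("read", "queue")],
    "queue.delete": [("configure", "queue")],
    "exchange.bind": [("configure", "destination"), ("write", "source")],
    "exchange.unbind": [("configure", "destination"), ("write", "source")],
    "queue.bind": [("configure", "queue"), ("write", "exchange")],
    "queue.unbind": [("configure", "queue"), ("write", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.get": [("read", "queue")],
    "basic.consume": [("read", "queue")],
    "queue.purge": [("read", "queue")],
}

# Constructed sample policy: user -> vhost -> {configure, write, read} regex.
# "consumer" may only read one queue; "producer" may publish to one exchange
# and declare/bind only server-named amq.gen-* queues; "sloppy" forgot anchors.
PERMISSIONS = {
    "consumer": {"/orders": {"configure": "^$", "write": "^$",
                             "read": r"^orders\.inbound$"}},
    "producer": {"/orders": {"configure": r"^(amq\.gen.*|amq\.default)$",
                             "write": r"^orders\.x$", "read": r"^amq\.gen.*$"}},
    "sloppy":   {"/orders": {"configure": "^$", "write": "^$", "read": r"orders\."}},
}

def check(user, vhost, operation, **names):
    """Return (allowed, reason). Stage 1: no permission record for the vhost
    means the connection is refused. Stage 2: every resource the operation
    touches must match the user's regex for the required right. re.search is
    unanchored (assumed to mirror the broker), so '^' and '$' belong in the pattern."""
    grants = PERMISSIONS.get(user, {}).get(vhost)
    if grants is None:
        return False, f"vhost {vhost}: access denied"
    for right, key in REQUIRED[operation]:
        if not re.search(grants[right], names[key]):
            return False, f"{right} denied on {key} '{names[key]}'"
    return True, "ok"
```

The "sloppy" user shows why the page's example patterns carry anchors: an unanchored read pattern of orders\. also admits a queue named evil.orders.x.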
Security
When using open-source authentication and permission management, ApsaraMQ for RabbitMQ enhances security as follows:
| Network type | Solution |
| --- | --- |
| VPC | Open-source auth + private endpoint |
| Internet | Open-source auth + public IP whitelist |
Operations
ApsaraMQ for RabbitMQ lets you create users and manage permissions in the console. For step-by-step guidance, see Permissions.