Alibaba Cloud provides Resource Access Management (RAM). RAM allows you to manage permissions on ApsaraMQ for RocketMQ. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the users only the required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for ApsaraMQ for RocketMQ and provides sample policies.

Background information

In RAM, a policy is a set of permissions that are described based on the policy syntax and structure. You can use policies to describe the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy elements.

ApsaraMQ for RocketMQ provides the following types of RAM policies:

  • System policy

    System policies are created and updated by Alibaba Cloud. You can attach these policies, but you cannot modify them.

  • Custom policies

    You can create, update, and delete custom policies and manage the version updates of these policies. You can modify custom policies and attach the policies to RAM users in the RAM console. For information about sample policies, see Policy examples.

Note Access control is enforced on every message sending, message subscription, and message management request that ApsaraMQ for RocketMQ processes.

System policy

The following table describes the default system policies that are provided for ApsaraMQ for RocketMQ.

  • AliyunMQFullAccess: The permissions that are required to manage ApsaraMQ for RocketMQ. This policy grants permissions that are equivalent to the permissions of an Alibaba Cloud account. RAM users to whom this policy is attached have permissions to perform all actions in the console and send and subscribe to messages.
  • AliyunMQPubOnlyAccess: The permissions that allow users of ApsaraMQ for RocketMQ to send messages. RAM users to whom this policy is attached have the permissions to use all resources of an Alibaba Cloud account to send messages by using SDKs.
  • AliyunMQSubOnlyAccess: The permissions that allow users of ApsaraMQ for RocketMQ to subscribe to messages. RAM users to whom this policy is attached have the permissions to use all resources of an Alibaba Cloud account to subscribe to messages by using SDKs.
  • AliyunMQReadOnlyAccess: The permissions that allow users of ApsaraMQ for RocketMQ to only read the information about resources. RAM users to whom this policy is attached have the permissions to only read the information about the resources of an Alibaba Cloud account in the console or by calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

In ApsaraMQ for RocketMQ, instances, topics, and groups are different types of resources. RAM users can perform actions on these resources only after they are granted the required permissions on the resources. The naming format of a resource that contains the {groupId} or {topic} parameter varies based on whether the corresponding instance contains a namespace. To determine whether an instance contains a namespace, log on to the ApsaraMQ for RocketMQ console, go to the Instances page, and check the value of the Namespace parameter for the instance.

The resources and actions in ApsaraMQ for RocketMQ, and the mappings between them, are described in the following dimensions: the ApsaraMQ for RocketMQ service, ApsaraMQ for RocketMQ clients, the console, and API operations. Console actions are further divided by resource type into actions on instances, groups, topics, and tags.

Important
  • A RAM user can access the resources of an ApsaraMQ for RocketMQ instance by using a client, the console, or API operations only after the RAM user is granted permission to perform the mq:QueryInstanceBaseInfo action on the instance. The mq:QueryInstanceBaseInfo action is the action that queries the basic information about a Message Queue for Apache RocketMQ instance.
  • When you grant permissions to RAM users, replace {instanceId}, {topic}, and {groupId} with the actual resource information. For example, you can replace {groupId} with GID_test.

Permission that is required to activate the ApsaraMQ for RocketMQ service

  • Resource: ApsaraMQ for RocketMQ service
    Naming format: *
    Actions:
      ons:OpenOnsService: Activates the ApsaraMQ for RocketMQ service.

Permissions that allow ApsaraMQ for RocketMQ clients to send and subscribe to messages

Important Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
  • Resource: Group
    Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    Actions:
      mq:SUB: Subscribes to messages.
  • Resource: Topic
    Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    Actions:
      mq:PUB: Sends messages.
      mq:SUB: Subscribes to messages.

Permissions that are required to manage instances in the ApsaraMQ for RocketMQ console

Important Before you grant a RAM user the permissions that are required to manage an instance, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance. The naming format is acs:mq:*:*:{instanceId}.
  • Resource: Instances
    Naming format: acs:mq:*:*:*
    Actions:
      mq:CreateInstance: Creates an instance.
  • Resource: Instances
    Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Actions:
      mq:QueryInstanceBaseInfo: Queries the basic information about an instance.
      mq:UpdateInstance: Updates an instance.
      mq:DeleteInstance: Deletes an instance. Exercise caution when you delete an instance.

Permissions that are required to manage groups in the ApsaraMQ for RocketMQ console

Important Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
  • Resource: Group
    Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Actions:
      mq:CreateGroup: Creates a group ID.
  • Resource: Group
    Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    Actions:
      mq:DeleteGroup: Deletes a group with a specified group ID. Exercise caution when you delete a group.
      mq:QueryGroupSubDetail: Queries the topics to which a group that has a specified group ID subscribes.
      mq:UpdateGroupConsumer: Configures the permissions that are required to read and write messages for the group that has a specified group ID.
      mq:QueryConsumerAccumulate: Queries the message accumulation data of a group that has a specified group ID.
      mq:QueryConsumerStatus: Queries the details about the status of a group that has a specified group ID.
      mq:QueryConsumerConnection: Queries the connection information about the clients in a group that has a specified group ID.
      mq:QueryTrendGroupOutputTps: Queries the statistics on message consumption of a group that has a specified group ID.
      mq:ResendDLQMessage: Resends a dead-letter message.
      mq:QueryDLQMessage: Queries dead-letter messages.

Permissions that are required to manage topics in the ApsaraMQ for RocketMQ console

Important Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
  • Resource: Topic
    Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    Actions:
      mq:CreateTopic: Creates a topic.
      mq:DeleteTopic: Deletes a topic. Exercise caution when you delete a topic.
      mq:QueryTopicStatus: Queries the total number of messages in a topic and the most recent point in time when the topic was updated.
      mq:QueryTopicSubDetail: Queries the group IDs of the groups that subscribe to a topic.
      mq:ResetConsumerOffset: Resets the consumer offset of a group that has a specified group ID in a specified topic.
      mq:QueryConsumerTimeSpan: Queries the time range within which a consumer offset can be reset. The consumer offset is in a topic to which a group with a specified group ID subscribes.
      mq:QueryMessageTrace: Queries the consumption status of a message.
      mq:QueryMessage: Queries the details about a message.
      mq:QueryDLQMessage: Queries dead-letter messages.
      mq:QueryTrendTopicInputTps: Queries statistics on the messages that are written to a topic.
      mq:QueryTrace: Queries the ID of a message trace query task. You can then pass the returned task ID to the OnsTraceGetResult operation to query the results of the message trace query. The permissions to call the OnsTraceGetResult operation are not required.

Permissions that are required to manage tags in the ApsaraMQ for RocketMQ console

Important Before you grant a RAM user the permissions that are required to manage a tag, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the tag. The naming format is acs:mq:*:*:{instanceId}.
  • Resource: Tags
    Naming format: acs:mq:*:*:*
    Actions:
      mq:TagResources: Adds a tag to a resource.
      mq:ListTagResources: Queries a tag.
      mq:UntagResources: Unbinds and deletes a tag from a resource. Exercise caution when you unbind and delete a tag from a resource.

Permissions that are required to call API operations

The following table describes the API operations provided by ApsaraMQ for RocketMQ and actions that you must authorize a RAM user to perform before the RAM user can call the API operations.

Important Before you grant a RAM user the permissions to call an API operation, grant the RAM user the permission to call the QueryInstanceBaseInfo operation on the instance that contains the resource that the RAM user wants to manage. This means the RAM user is granted the permission to perform the mq:QueryInstanceBaseInfo action on the instance. The naming format is acs:mq:*:*:{instanceId}. This rule does not apply when you grant a RAM user the permissions to call the OnsRegionList operation or the OpenOnsService operation.
  • Naming format: N/A
    API operations and required actions:
      OnsRegionList: No permissions are required.
  • Naming format: *
    API operations and required actions:
      OpenOnsService: ons:OpenOnsService
  • Naming format: acs:mq:*:*:*
    API operations and required actions:
      OnsInstanceCreate: mq:CreateInstance
  • Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      OnsInstanceBaseInfo: mq:QueryInstanceBaseInfo
      OnsInstanceDelete: mq:DeleteInstance
      OnsInstanceUpdate: mq:UpdateInstance
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    Naming format (instance without a namespace): N/A
    API operations and required actions:
      OnsInstanceInServiceList: mq:QueryInstanceBaseInfo
    Note
      • If a namespace is configured for the Message Queue for Apache RocketMQ instance, grant a RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance. If you do not grant the RAM user the permission, no information is returned when the RAM user calls this API operation.
      • If no namespaces are configured for the instance, the RAM user can call this API operation without the need to be granted the permission on the API operation.
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    API operations and required actions:
      OnsTopicCreate: mq:CreateTopic
      OnsTopicDelete: mq:DeleteTopic
      OnsTopicStatus: mq:QueryTopicStatus
      OnsTopicSubDetail: mq:QueryTopicSubDetail
  • Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      OnsTopicList: mq:ListTopic
    Note When a RAM user calls this operation, only the information about the topics on which the RAM user has message sending and subscription permissions is returned.
  • Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      OnsGroupCreate: mq:CreateGroup
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    API operations and required actions:
      OnsGroupDelete: mq:DeleteGroup
      OnsGroupSubDetail: mq:QueryGroupSubDetail
      OnsGroupConsumerUpdate: mq:UpdateGroupConsumer
  • Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      OnsGroupList: mq:QueryInstanceBaseInfo
    Note When a RAM user calls this operation, only the information about the groups on which the RAM user has message sending and subscription permissions is returned.
  • Naming format: acs:mq:*:*:*
    API operations and required actions:
      TagResources: mq:TagResources
      ListTagResources: mq:ListTagResources
      UntagResources: mq:UntagResources
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    API operations and required actions:
      OnsConsumerAccumulate: mq:QueryConsumerAccumulate
      OnsConsumerStatus: mq:QueryConsumerStatus
      OnsConsumerGetConnection: mq:QueryConsumerConnection
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    API operations and required actions:
      OnsConsumerResetOffset: mq:ResetConsumerOffset
      OnsConsumerTimeSpan: mq:QueryConsumerTimeSpan
      OnsMessagePush: mq:SUB
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    API operations and required actions:
      OnsMessageTrace: mq:QueryMessageTrace
      OnsMessageGetByMsgId: mq:QueryMessage
      OnsMessageGetByKey: mq:QueryMessage
      OnsMessagePageQueryByTopic: mq:QueryMessage
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    API operations and required actions:
      OnsTrendTopicInputTps: mq:QueryTrendTopicInputTps
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    API operations and required actions:
      OnsTrendGroupOutputTps: mq:QueryTrendGroupOutputTps
  • Naming format: acs:mq:*:*:{instanceId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k
    API operations and required actions:
      OnsTraceGetResult: mq:QueryInstanceBaseInfo
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{topic}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test
    Naming format (instance without a namespace): acs:mq:*:*:{topic}, for example acs:mq:*:*:Topic-test
    API operations and required actions:
      OnsTraceQueryByMsgId: mq:QueryTrace
      OnsTraceQueryByMsgKey: mq:QueryTrace
  • Naming format (instance with a namespace): acs:mq:*:*:{instanceId}%{groupId}, for example acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test
    Naming format (instance without a namespace): acs:mq:*:*:{groupId}, for example acs:mq:*:*:GID_test
    API operations and required actions:
      OnsDLQMessageGetById: mq:QueryDLQMessage
      OnsDLQMessagePageQueryByGroupId: mq:QueryDLQMessage
      OnsDLQMessageResendById: mq:ResendDLQMessage

Policy examples

Important If you want to use the sample code, delete all comments before you use it. A comment consists of two forward slashes (//) and the description that follows them.
  • Example 1: Grant permissions on a topic and a group in an instance.

    You can authorize a RAM user to send messages to and subscribe to messages from a specified topic, and to subscribe to messages from a specified group. To implement this authorization, configure a policy based on the following examples:

    • The following example is used for an instance that contains a namespace:
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to an instance that contains a namespace.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions that are required to send messages to a specified topic and subscribe to messages from a specified topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{topic}"
                  ]
              },
              {    // Grant the required permissions on a specified group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{groupId}"
                  ]
              }
          ]
      }
    • The following example applies to an instance that does not contain a namespace:
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to an instance that does not contain a namespace.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions that are required to send messages to a specified topic and subscribe to messages from a specified topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {    // Grant permissions on a specified group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }
  • Example 2: Grant all permissions on an instance. This example applies only to an instance that contains a namespace.

    To grant all permissions on all resources in an instance, configure a policy based on the following example:

    {   // This applies only to an instance that contains a namespace. 
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*" // Grant all permissions on the instance. Replace {instanceId} with your instance ID. 
                ]
            }
        ]
    }          
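As an added example (not Alibaba Cloud's code, and not part of the original page), the following Python helper builds an Example 1-style policy for either naming format and flags policies in which a topic or group statement references an instance that is never granted mq:QueryInstanceBaseInfo, the prerequisite stated throughout this topic. The function names and the instance ID are constructed for illustration; the checker only covers the namespaced format, because non-namespaced topic and group resources carry no instance ID.

```python
import json

PREREQ_ACTION = "mq:QueryInstanceBaseInfo"  # must be allowed on the instance first

def resource_name(instance_id, name=None, namespaced=True):
    """Naming formats from the tables above: a topic or group is
    {instanceId}%{name} with a namespace and just {name} without one."""
    if name is None:
        return f"acs:mq:*:*:{instance_id}"
    return f"acs:mq:*:*:{instance_id}%{name}" if namespaced else f"acs:mq:*:*:{name}"

def build_policy(instance_id, namespaced, topics, groups):
    """topics maps topic -> [mq:PUB/mq:SUB]; each group gets mq:SUB (Example 1).
    The mq:QueryInstanceBaseInfo prerequisite statement is always emitted first."""
    statements = [{"Effect": "Allow", "Action": [PREREQ_ACTION],
                   "Resource": [resource_name(instance_id)]}]
    for topic, actions in topics.items():
        if set(actions) - {"mq:PUB", "mq:SUB"}:
            raise ValueError("client actions on a topic are only mq:PUB and mq:SUB")
        statements.append({"Effect": "Allow", "Action": sorted(actions),
                           "Resource": [resource_name(instance_id, topic, namespaced)]})
    for group in groups:
        statements.append({"Effect": "Allow", "Action": ["mq:SUB"],
                           "Resource": [resource_name(instance_id, group, namespaced)]})
    return {"Version": "1", "Statement": statements}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(pattern, instance_id):
    # Instance-level resource tails seen on this page: "{instanceId}", "{instanceId}*", "*".
    if pattern.endswith("*"):
        return instance_id.startswith(pattern[:-1])
    return pattern == instance_id

def missing_prerequisites(policy):
    """Instance IDs that appear in a namespaced topic/group resource but are never
    allowed mq:QueryInstanceBaseInfo. Resources of non-namespaced instances carry
    no instance ID, so they cannot be checked this way."""
    granted, referenced = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        for res in _as_list(st.get("Resource", [])):
            tail = res.rsplit(":", 1)[-1]  # "{instanceId}" or "{instanceId}%{name}"
            if "%" in tail:
                referenced.add(tail.split("%", 1)[0])
            elif PREREQ_ACTION in actions or "mq:*" in actions or "*" in actions:
                granted.append(tail)
    return sorted(i for i in referenced if not any(_covers(g, i) for g in granted))

if __name__ == "__main__":
    # Constructed instance ID for illustration, not a real one.
    policy = build_policy("MQ_INST_123456789012_AbCdEf01", True,
                          {"Topic-test": ["mq:PUB", "mq:SUB"]}, ["GID_test"])
    print(json.dumps(policy, indent=2))
    print("instances missing the prerequisite:", missing_prerequisites(policy))
```

Running the checker over Example 2 above (mq:* on acs:mq:*:*:{instanceId}*) reports nothing missing, because the trailing wildcard also covers the instance itself.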

References