Alibaba Cloud provides Resource Access Management (RAM). RAM allows you to manage permissions on Message Queue for Apache RocketMQ. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the users only the required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for Message Queue for Apache RocketMQ and provides sample policies.

Background information

In RAM, a policy is a set of permissions that are described based on the policy syntax and structure. You can use policies to describe the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy elements.

Message Queue for Apache RocketMQ provides the following types of RAM policies:

  • System policy

    System policies are created and maintained by Alibaba Cloud. You can attach these policies, but you cannot modify them; Alibaba Cloud maintains their updates.

  • Custom policies

    You can create, update, and delete custom policies and manage the version updates of these policies. You can modify custom policies and attach the policies to RAM users in the RAM console. For information about sample policies, see Policy examples.

Note Access control is enforced on every request that Message Queue for Apache RocketMQ handles, whether the request sends a message, subscribes to messages, or manages resources.

System policy

The following table describes the default system policies that are provided for Message Queue for Apache RocketMQ.

| Policy | Description |
| --- | --- |
| AliyunMQFullAccess | The permissions that are required to manage Message Queue for Apache RocketMQ. This policy grants permissions that are equivalent to the permissions of an Alibaba Cloud account. RAM users to whom this policy is attached have all permissions to perform actions in the console and to send and subscribe to messages. |
| AliyunMQPubOnlyAccess | The permissions that allow users of Message Queue for Apache RocketMQ to send messages. RAM users to whom this policy is attached can use all resources of an Alibaba Cloud account to send messages by using SDKs. |
| AliyunMQSubOnlyAccess | The permissions that allow users of Message Queue for Apache RocketMQ to subscribe to messages. RAM users to whom this policy is attached can use all resources of an Alibaba Cloud account to subscribe to messages by using SDKs. |
| AliyunMQReadOnlyAccess | The permissions that allow users of Message Queue for Apache RocketMQ to only read information about resources. RAM users to whom this policy is attached can only read information about the resources of an Alibaba Cloud account in the console or by calling API operations. |

Custom policies

Custom policies allow you to grant fine-grained permissions to users.

In Message Queue for Apache RocketMQ, instances, topics, and groups are the resource types. A RAM user can perform actions on a resource only after the RAM user is granted the required permissions on that resource. The naming format of a resource that contains the {groupId} or {topic} parameter depends on whether the corresponding instance contains a namespace. To check whether an instance contains a namespace, log on to the Message Queue for Apache RocketMQ console and check the value of the Namespace parameter for the instance on the Instances page.

The resources and actions of Message Queue for Apache RocketMQ, and the mappings between them, are described below in four dimensions: the Message Queue for Apache RocketMQ service, the Message Queue for Apache RocketMQ client, the console, and the API operations. Console actions are divided by resource type into actions on instances, groups, topics, and tags.

Notice
  • A RAM user can access the resources of a Message Queue for Apache RocketMQ instance and call the API operations of the instance only after the RAM user is granted the permission to perform the mq:QueryInstanceBaseInfo action to query the basic information about the Message Queue for Apache RocketMQ instance.
  • When you grant permissions to RAM users, replace {instanceId}, {topic}, and {groupId} with the actual resource information. For example, you can replace {groupId} with GID_test.
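As an added example that is not part of the Alibaba Cloud documentation, the following Python builds resource names in the formats the tables below list for instances with and without a namespace, and checks which concrete resources a policy's Resource pattern covers under RAM-style "*" matching. The instance, topic, and group IDs are constructed samples, and the names are compared exactly as this page writes them, with "*" standing in for the region and account segments.

```python
# Added example (not from the Alibaba Cloud documentation): resource naming
# for Message Queue for Apache RocketMQ and RAM-style wildcard coverage.
import re

INSTANCE_ID = "MQ_INST_000000000000_example"   # constructed placeholder, not a real instance


def resource_name(instance_id, topic=None, group_id=None, has_namespace=True):
    """Return the acs:mq resource name of an instance, or of one topic or group in it.

    In an instance that contains a namespace the topic or group is qualified
    with the instance ID and a '%' separator. Without a namespace only the
    bare topic or group ID is used, so the name carries no instance ID at all.
    """
    if topic is not None and group_id is not None:
        raise ValueError("name either a topic or a group, not both")
    leaf = topic if topic is not None else group_id
    if leaf is None:
        return f"acs:mq:*:*:{instance_id}"
    if has_namespace:
        return f"acs:mq:*:*:{instance_id}%{leaf}"
    return f"acs:mq:*:*:{leaf}"


def pattern_matches(pattern, resource):
    """RAM-style wildcard match: each '*' in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def covered(pattern, instance_id, has_namespace):
    """Return which of the instance itself, a sample topic and a sample group
    the given Resource pattern covers, for an instance with or without a namespace."""
    names = {
        "instance": resource_name(instance_id),
        "topic": resource_name(instance_id, topic="Topic-test", has_namespace=has_namespace),
        "group": resource_name(instance_id, group_id="GID_test", has_namespace=has_namespace),
    }
    return sorted(kind for kind, name in names.items() if pattern_matches(pattern, name))


if __name__ == "__main__":
    # The "{instanceId}*" pattern used for whole-instance grants covers the
    # topics and groups of a namespaced instance only, because only those
    # resource names start with the instance ID.
    whole_instance = f"acs:mq:*:*:{INSTANCE_ID}*"
    print("with namespace:   ", covered(whole_instance, INSTANCE_ID, True))
    print("without namespace:", covered(whole_instance, INSTANCE_ID, False))
```

Running the module prints the coverage difference: for a namespaced instance the prefix pattern reaches the instance, the topic, and the group, while for an instance without a namespace it reaches the instance only, since topic and group names there do not contain the instance ID.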

Permission that is required to activate the Message Queue for Apache RocketMQ service

| Resource | Naming format | Action | Description |
| --- | --- | --- | --- |
| Message Queue for Apache RocketMQ service | * | ons:OpenOnsService | Activates the Message Queue for Apache RocketMQ service. |

Permissions that allow Message Queue for Apache RocketMQ clients to send and subscribe to messages

Notice Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
| Resource | Naming format (instance that contains a namespace) | Naming format (instance that does not contain a namespace) | Action | Description |
| --- | --- | --- | --- | --- |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:SUB | Subscribes to messages. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:PUB | Sends messages. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:SUB | Subscribes to messages. |

Examples: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test (group, instance with a namespace), acs:mq:*:*:GID_test (group, instance without a namespace), acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test (topic, instance with a namespace), acs:mq:*:*:Topic-test (topic, instance without a namespace).

Permissions that are required to manage instances in the Message Queue for Apache RocketMQ console

Notice Before you grant a RAM user the permissions that are required to manage an instance, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance. The naming format is acs:mq:*:*:{instanceId}.
| Resource | Naming format | Action | Description |
| --- | --- | --- | --- |
| Instances | acs:mq:*:*:* | mq:CreateInstance | Creates an instance. |
| Instances | acs:mq:*:*:{instanceId} | mq:QueryInstanceBaseInfo | Queries the basic information about an instance. |
| Instances | acs:mq:*:*:{instanceId} | mq:UpdateInstance | Updates an instance. |
| Instances | acs:mq:*:*:{instanceId} | mq:DeleteInstance | Deletes an instance. Exercise caution when you delete an instance. |

Example: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k

Permissions that are required to manage groups in the Message Queue for Apache RocketMQ console

Notice Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
| Resource | Naming format (instance that contains a namespace) | Naming format (instance that does not contain a namespace) | Action | Description |
| --- | --- | --- | --- | --- |
| Group | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:CreateGroup | Creates a group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:DeleteGroup | Deletes a group with a specified group ID. Exercise caution when you delete a group. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryGroupSubDetail | Queries the topics to which a group that has a specified group ID subscribes. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:UpdateGroupConsumer | Configures the permissions that are required to read and write messages for the group that has a specified group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerAccumulate | Queries the message accumulation data of a group that has a specified group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerStatus | Queries the details about the status of a group that has a specified group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerConnection | Queries the connection information about the clients in a group that has a specified group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryTrendGroupOutputTps | Queries the statistics on message consumption of a group that has a specified group ID. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:ResendDLQMessage | Resends a dead-letter message. |
| Group | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryDLQMessage | Queries dead-letter messages. |

Examples: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k (instance), acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test (group, instance with a namespace), acs:mq:*:*:GID_test (group, instance without a namespace).

Permissions that are required to manage topics in the Message Queue for Apache RocketMQ console

Notice Before you grant a RAM user the permissions on a topic or group, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the topic or group. The naming format is acs:mq:*:*:{instanceId}.
| Resource | Naming format (instance that contains a namespace) | Naming format (instance that does not contain a namespace) | Action | Description |
| --- | --- | --- | --- | --- |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:CreateTopic | Creates a topic. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:DeleteTopic | Deletes a topic. Exercise caution when you delete a topic. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTopicStatus | Queries the total number of messages in a topic and the most recent point in time when the topic was updated. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTopicSubDetail | Queries the group IDs of the groups that subscribe to a topic. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:ResetConsumerOffset | Resets the consumer offset of a group that has a specified group ID in a specified topic. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryConsumerTimeSpan | Queries the time range within which the consumer offset of a group that has a specified group ID can be reset in a topic to which the group subscribes. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessageTrace | Queries the consumption status of a message. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessage | Queries the details about a message. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryDLQMessage | Queries dead-letter messages. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTrendTopicInputTps | Queries statistics on the messages that are written to a topic. |
| Topic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTrace | Queries the ID of the task in which a message trace is queried. You can then call the OnsTraceGetResult operation with the returned task ID to obtain the results of the message trace query. No additional permission is required to call the OnsTraceGetResult operation. |

Examples: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test (topic, instance with a namespace), acs:mq:*:*:Topic-test (topic, instance without a namespace).

Permissions that are required to manage tags in the Message Queue for Apache RocketMQ console

Notice Before you grant a RAM user the permissions that are required to manage a tag, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the tag. The naming format is acs:mq:*:*:{instanceId}.
| Resource | Naming format | Action | Description |
| --- | --- | --- | --- |
| Tags | acs:mq:*:*:* | mq:TagResources | Adds a tag to a resource. |
| Tags | acs:mq:*:*:* | mq:ListTagResources | Queries a tag. |
| Tags | acs:mq:*:*:* | mq:UntagResources | Unbinds and deletes a tag from a resource. Exercise caution when you unbind and delete a tag from a resource. |

Permissions that are required to call API operations

The following table describes the API operations provided by Message Queue for Apache RocketMQ and actions that you must authorize a RAM user to perform before the RAM user can call the API operations.

Notice Before you grant a RAM user the permissions to call an API operation, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance that contains the resource that the RAM user wants to manage. The naming format is acs:mq:*:*:{instanceId}. This rule does not apply when you grant a RAM user the permissions to call the OnsRegionList operation or the OpenOnsService operation.
| API | Naming format (instance that contains a namespace) | Naming format (instance that does not contain a namespace) | Action |
| --- | --- | --- | --- |
| OnsRegionList | N/A | N/A | No permissions are required. |
| OpenOnsService | * | * | ons:OpenOnsService |
| OnsInstanceCreate | acs:mq:*:*:* | acs:mq:*:*:* | mq:CreateInstance |
| OnsInstanceBaseInfo | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:QueryInstanceBaseInfo |
| OnsInstanceDelete | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:DeleteInstance |
| OnsInstanceUpdate | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:UpdateInstance |
| OnsInstanceInServiceList | acs:mq:*:*:{instanceId} | N/A | mq:QueryInstanceBaseInfo (see the note below) |
| OnsTopicCreate | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:CreateTopic |
| OnsTopicDelete | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:DeleteTopic |
| OnsTopicStatus | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTopicStatus |
| OnsTopicSubDetail | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTopicSubDetail |
| OnsTopicList | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:QueryInstanceBaseInfo (see the note below) |
| OnsGroupCreate | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:CreateGroup |
| OnsGroupDelete | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:DeleteGroup |
| OnsGroupSubDetail | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryGroupSubDetail |
| OnsGroupConsumerUpdate | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:UpdateGroupConsumer |
| OnsGroupList | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:QueryInstanceBaseInfo (see the note below) |
| TagResources | acs:mq:*:*:* | acs:mq:*:*:* | mq:TagResources |
| ListTagResources | acs:mq:*:*:* | acs:mq:*:*:* | mq:ListTagResources |
| UntagResources | acs:mq:*:*:* | acs:mq:*:*:* | mq:UntagResources |
| OnsConsumerAccumulate | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerAccumulate |
| OnsConsumerStatus | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerStatus |
| OnsConsumerGetConnection | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryConsumerConnection |
| OnsConsumerResetOffset | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:ResetConsumerOffset |
| OnsConsumerTimeSpan | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryConsumerTimeSpan |
| OnsMessagePush | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:SUB |
| OnsMessageTrace | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessageTrace |
| OnsMessageGetByMsgId | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessage |
| OnsMessageGetByKey | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessage |
| OnsMessagePageQueryByTopic | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryMessage |
| OnsTrendTopicInputTps | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTrendTopicInputTps |
| OnsTrendGroupOutputTps | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryTrendGroupOutputTps |
| OnsTraceGetResult | acs:mq:*:*:{instanceId} | acs:mq:*:*:{instanceId} | mq:QueryInstanceBaseInfo |
| OnsTraceQueryByMsgId | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTrace |
| OnsTraceQueryByMsgKey | acs:mq:*:*:{instanceId}%{topic} | acs:mq:*:*:{topic} | mq:QueryTrace |
| OnsDLQMessageGetById | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryDLQMessage |
| OnsDLQMessagePageQueryByGroupId | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:QueryDLQMessage |
| OnsDLQMessageResendById | acs:mq:*:*:{instanceId}%{groupId} | acs:mq:*:*:{groupId} | mq:ResendDLQMessage |

Examples: acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k (instance), acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%Topic-test and acs:mq:*:*:Topic-test (topic, with and without a namespace), acs:mq:*:*:MQ_INST_138015630679****_BcZwWZ9k%GID_test and acs:mq:*:*:GID_test (group, with and without a namespace).

Note
  • OnsInstanceInServiceList: If a namespace is configured for the instance, grant the RAM user the permission to perform the mq:QueryInstanceBaseInfo action on the instance; otherwise, no information is returned when the RAM user calls this operation. If no namespace is configured for the instance, the RAM user can call this operation without being granted a permission on it.
  • OnsTopicList: When a RAM user calls this operation, only the topics on which the RAM user has message sending and subscription permissions are returned.
  • OnsGroupList: When a RAM user calls this operation, only the groups on which the RAM user has message sending and subscription permissions are returned.

Policy examples

Notice If you want to use the sample code, delete all comments before you use it. A comment consists of two forward slashes (//) and the description that follows them.
  • Example 1: Grant permissions on a topic and a group in an instance.

    You can authorize a RAM user to send messages to and subscribe to messages from a specified topic, and to subscribe to messages as a specified group. To implement this authorization, configure a policy based on the following examples:

    • The following example is used for an instance that contains a namespace:
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to an instance that contains a namespace.
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions that are required to send messages to a specified topic and subscribe to messages from a specified topic.
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{topic}"
                  ]
              },
              {    // Grant the required permissions on a specified group.
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}%{groupId}"
                  ]
              }
          ]
      }
    • The following example applies to an instance that does not contain a namespace.
      {
          "Version":"1",
          "Statement":[
              {    // Grant the following permission on an instance. Before you grant permissions on a topic or a group, you must first grant the following permission on the corresponding instance. This applies to an instance that does not contain a namespace. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:QueryInstanceBaseInfo"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{instanceId}"
                  ]
              },
              {    // Grant the permissions that are required to send messages to a specified topic and subscribe to messages from a specified topic. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:PUB",    
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{topic}"
                  ]
              },
              {   // Grant permissions on a specified group. 
                  "Effect":"Allow",
                  "Action":[
                      "mq:SUB"
                  ],
                  "Resource":[
                      "acs:mq:*:*:{groupId}"
                  ]
              }
          ]
      }                    
  • Example 2: Grant all permissions on an instance. This example applies only to an instance that contains a namespace.

    To grant all permissions on all resources in an instance, configure a policy based on the following example. The pattern works only for an instance that contains a namespace because only there do the resource names of topics and groups start with the instance ID; in an instance without a namespace those names carry no instance ID, so the wildcard cannot cover them.

    {   // This applies only to an instance that contains a namespace. 
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:*"
                ],
                "Resource": [
                    "acs:mq:*:*:{instanceId}*" // Grant all permissions on the instance. Replace {instanceId} with your instance ID. 
                ]
            }
        ]
    }          
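The following Python is an added example, not code from the Alibaba Cloud documentation or the Message Queue for Apache RocketMQ SDK. It is a small linter for RAM policies in the shape of the two examples above: it strips the "//" comments that the notice says to remove, parses the JSON, and reports whether topic and group grants are backed by the mq:QueryInstanceBaseInfo grant on the instance that this page requires, and whether the policy contains wildcard grants. The instance ID and both policies are constructed samples; the first deliberately omits the instance prerequisite so that the check has something to find.

```python
# Added example (not from the Alibaba Cloud documentation): lint a RAM policy for
# Message Queue for Apache RocketMQ against the rules stated on this page.
import json
import re

SAMPLE_INSTANCE = "MQ_INST_000000000000_example"   # constructed placeholder, not a real instance

# Constructed policy in the shape of Example 1 for an instance that contains a
# namespace, but with the mq:QueryInstanceBaseInfo statement left out.
POLICY_MISSING_PREREQ = """
{
    "Version":"1",
    "Statement":[
        {    // topic grant
            "Effect":"Allow",
            "Action":["mq:PUB", "mq:SUB"],
            "Resource":["acs:mq:*:*:MQ_INST_000000000000_example%Topic-test"]
        },
        {    // group grant
            "Effect":"Allow",
            "Action":["mq:SUB"],
            "Resource":["acs:mq:*:*:MQ_INST_000000000000_example%GID_test"]
        }
    ]
}
"""

# Constructed policy in the shape of Example 2: every action on one instance.
POLICY_ALL_ON_INSTANCE = """
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["mq:*"],
            "Resource": ["acs:mq:*:*:MQ_INST_000000000000_example*"]  // whole instance
        }
    ]
}
"""

_COMMENT = re.compile(r"//[^\n]*")


def load_policy(text):
    """Drop // comments (assumes none occur inside JSON strings) and parse the JSON."""
    return json.loads(_COMMENT.sub("", text))


def _matches(pattern, value):
    """RAM-style wildcard match: each '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy, instance_id):
    """Return a list of findings for the policy; an empty list means nothing was flagged."""
    instance_res = f"acs:mq:*:*:{instance_id}"
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

    def granted(action, resource):
        return any(
            any(_matches(a, action) for a in _as_list(s.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(s.get("Resource", [])))
            for s in allows
        )

    findings = []
    has_prereq = granted("mq:QueryInstanceBaseInfo", instance_res)
    for stmt in allows:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action in ("*", "mq:*"):
                findings.append(f"wildcard action {action} on {resources}")
        for res in resources:
            if res.endswith("*"):
                findings.append(f"wildcard resource {res}")
            # A grant on anything other than the instance itself (a topic or a group)
            # is unusable until mq:QueryInstanceBaseInfo is granted on the instance.
            if res != instance_res and not has_prereq:
                findings.append(f"{res}: grant lacks mq:QueryInstanceBaseInfo on {instance_res}")
    return findings


if __name__ == "__main__":
    for name, text in (("missing prerequisite", POLICY_MISSING_PREREQ),
                       ("all on instance", POLICY_ALL_ON_INSTANCE)):
        print(name)
        for finding in lint_policy(load_policy(text), SAMPLE_INSTANCE):
            print("  -", finding)
```

For a resource of an instance without a namespace the linter cannot recover the instance ID from the resource name, which is why the instance ID is passed in explicitly rather than parsed out of the "%"-separated form.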
