Microservices Engine (MSE) Nacos registries allow you to configure fine-grained access permissions based on resources such as an instance, namespace, group, and service name. This reduces the risk of unauthorized access to or modification of an instance. This topic describes how to configure fine-grained authentication for a Nacos registry in MSE.
Prerequisites
Usage
This topic describes how to enable and configure access permissions for the direct connection to the engine, as shown in the following figure. After the permissions are granted, the Nacos client can access MSE Nacos as a RAM user.

For information about how to configure authentication for engine control, which involves granting a RAM user permissions to use the MSE console, see Registry and configuration center authorization.
Step 1: Create a fine-grained policy
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON Editor tab.

Enter the policy content.
The following table describes the actions for fine-grained authentication in a registry.
Actions
Description
mse:QueryNacosNaming
The permission to read services in an MSE Nacos registry. This allows you to use an SDK to retrieve and subscribe to services.
mse:UpdateNacosNaming
The permission to update services in an MSE Nacos registry. This allows you to use an SDK to publish and modify services.
The resources for fine-grained authentication in a registry must follow this format:
acs:mse:*:*:instance/{instance_id}/{namespaceId}/{group}/naming/{serviceName}You can also modify the policy content based on the examples in the Examples section.
For more information about the syntax and structure of a RAM policy, see Policy structure and syntax.
At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.
This feature performs the following tasks:
Splits resources or conditions for incompatible actions.
Reduces the resource scope for greater precision.
Removes duplicate statements or merges statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, enter a policy name and Description, then click OK.
Step 2: Grant RAM permissions
Grant permissions to a RAM user
Log on to the RAM console with an Alibaba Cloud account or a RAM user that has RAM administrative permissions (
AliyunRAMFullAccess).In the navigation pane on the left, choose .
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions at the bottom of the list to grant permissions in bulk.
In the Grant Permission panel, in the Policies section, click the All Policy Types drop-down list and select Custom Policy. In the text box, enter the name of the policy that you created in Step 1, click the name of the policy that appears in the search results, and then click OK.
In the Grant Permission panel, confirm the authorization information and click Close.
Grant permissions to a RAM role
Log on to the RAM console with an Alibaba Cloud account or a RAM user that has RAM administrative permissions (
AliyunRAMFullAccess).In the Grant Permission panel, in the Policies section, click the All Policy Types dropdown list and select Custom Policy. In the text box, enter the name of the permission policy that you created in Step 1, click the policy name in the search results, and then click Confirm Add Permission.
In the Grant Permission panel, confirm the authorization information and click Close.
Examples
Grant a user read-only permission on services in specific instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosNaming" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] }Grant a user read and update permissions on services in specific instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] }Note${instanceId1}and${instanceId2}represent the IDs of the registry instances.Grant a user read-only permission on services in a specific namespace of an instance.
{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosNaming", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}" } ], "Version": "1" }Grant a user read and update permissions for services in the
${group}group in a specific namespace of an instance.{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}" } ], "Version": "1" }Grant a user read-only permission for the
${serviceName}service in the${group}group.{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosNaming", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}" } ], "Version": "1" }Grant a user read and update permissions for the
${serviceName}service in the${group}group.{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}" } ], "Version": "1" }
Related documents
To learn about instance-level authentication for a registry, see Nacos client authentication.