If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies give you fine-grained control over permissions and are an effective way to improve the security of resource access. This topic describes the scenarios in which ApsaraMQ for RabbitMQ uses custom policies and provides sample policies.
What is a custom policy
In the RAM-based access control system, a custom policy is a policy that you create, update, and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role; only then does that RAM identity obtain the permissions specified in the policy.
A policy that you created can be deleted, but only after you make sure that it is no longer referenced. If the policy is still referenced, first remove the authorization from the policy's reference records.
Custom policies support version control. You can manage the versions of the custom policies you create according to the RAM version management mechanism.
Operation documentation
Custom authorization policies
ApsaraMQ for RabbitMQ supports the following custom policies.
Client API permissions
| Client API | Action | Resource | Description |
| --- | --- | --- | --- |
| exchange.declare(passive=false) | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Declares an exchange and verifies whether the exchange exists. |
| exchange.declare(passive=true) | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Declares an exchange and verifies whether the exchange exists. |
| exchange.bind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Binds the source exchange to the destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| exchange.unbind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Unbinds the source exchange from the destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| queue.declare(passive=false) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue and verifies whether the queue exists. |
| queue.declare(passive=true) | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Declares a queue and verifies whether the queue exists. |
| queue.declare (with a dead-letter exchange) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue that is bound to a dead-letter exchange. |
| | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | |
| | amqp:CreateExchange (dead-letter exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange) | |
| queue.bind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Binds a queue to an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| queue.unbind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Unbinds a queue from an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| BasicRecover | amqp:BasicRecover | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Redelivers messages that consumers have not acknowledged (Ack). |
| BasicCancel | amqp:BasicCancel | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Cancels a subscription. |
| BasicPublish | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* | Publishes messages. |
| BasicConsume | amqp:BasicConsume | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Starts a consumer. |
| BasicAck | amqp:BasicAck | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Acknowledges one or more messages. |
| BasicNack | amqp:BasicNack | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects one or more messages. |
| BasicReject | amqp:BasicReject | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects a single message. |
| BasicGet | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Retrieves messages directly from a queue. |
Console OpenAPI and feature permissions
| Console OpenAPI/feature | Action | Resource | Description |
| --- | --- | --- | --- |
| ListInstances | amqp:ListInstance | acs:amqp:$region:$accountid:/instances/* | Queries the list of instances. |
| CreateInstance | amqp:CreateInstance | acs:amqp:$region:$accountid:/instances/* | Creates an instance. Policies for the CreateInstance operation support condition keys. For details, see Condition. |
| DeleteInstance | amqp:DeleteInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Deletes an instance. |
| GetInstance | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Queries an instance. |
| ListVhost | amqp:ListVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Queries the list of vhosts. |
| CreateVhost | amqp:CreateVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Creates a vhost. |
| DeleteVhost | amqp:DeleteVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName | Deletes a vhost. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| ListExchange | amqp:ListExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Queries the list of exchanges. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateExchange | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Creates an exchange. |
| DeleteExchange | amqp:DeleteExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Deletes an exchange. |
| ListQueue | amqp:ListQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Queries the list of queues. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateQueue | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Creates a queue. |
| DeleteQueue | amqp:DeleteQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Deletes a queue. |
| QueuePurge | amqp:QueuePurge | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Purges a queue. |
| ListStaticAccounts | amqp:ListStaticAccounts | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Queries static usernames and passwords. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| FetchStaticAccount | amqp:FetchStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Creates a static username and password. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| DeleteStaticAccount | amqp:DeleteStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Deletes a static username and password. |
| Query messages by queue | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Accesses messages in a queue. |
| Query messages by message ID | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Accesses messages in a queue. |
| Resend messages | | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Resends messages. |
| Send messages | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Sends messages. |
Sample custom policies
When you create a custom policy, replace the Resource parameters in the following samples with the values from your own environment.
$region: the ID of the region to which the resource belongs. For how to obtain it, see Endpoints.
$accountid: the Alibaba Cloud account ID of the object being authorized.
$instanceId: the ID of the ApsaraMQ for RabbitMQ instance.
$vhostName: the name of the vhost.
$queueName: the name of the queue.
$exchangeName: the name of the exchange.
Sample 1: grant permissions to send and receive messages in a specific vhost
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:ListVhost", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet",
        "amqp:GetExchange", "amqp:GetQueue"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
Sample 2: custom policy for publishing messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:GetExchange", "amqp:GetQueue"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Sample 3: custom policy for subscribing to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck",
        "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge",
        "amqp:BasicGet", "amqp:GetExchange", "amqp:GetQueue"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Sample 4: custom policy for publishing and subscribing to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet",
        "amqp:GetExchange", "amqp:GetQueue"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Sample 5: custom policy for static username and password permissions
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
    },
    {
      "Effect": "Allow",
      "Action": "amqp:GetInstance",
      "Resource": "acs:amqp:*:*:/instances/$instanceId"
    }
  ],
  "Version": "1"
}
```
Sample 6: grant a RAM user permission to create instances
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*"
    }
  ]
}
```
Sample 7: grant a RAM user permission to create only Platinum Edition instances that cannot have Internet access enabled
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*",
      "Condition": {
        "StringEquals": {
          "amqp:InstanceType": ["vip"],
          "amqp:SupportEIP": ["false"]
        }
      }
    }
  ]
}
```
Sample 8: grant a RAM user all permissions on a single instance
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "amqp:ListInstance",
      "Resource": "acs:amqp:*:*:/instances/*",
      "Effect": "Allow"
    },
    {
      "Action": "amqp:*",
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
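The following Python script is an added example, not Alibaba Cloud's or ApsaraMQ for RabbitMQ's own code. It ties together the placeholder list, the client API permission table and the sample policies above: it renders the $placeholders into a policy, then evaluates requests against it with a simplified model of RAM policy evaluation (Allow/Deny statements, `*` wildcards in Action and Resource, StringEquals conditions). That model is an assumption for the purpose of the check, not the real RAM engine; the region, account ID, instance ID, vhost, queue and exchange values are constructed. It verifies that the publish-only policy (Sample 2) covers every grant the client API table lists for BasicPublish and for declaring a queue with a dead-letter exchange, reports that the same policy does not cover BasicConsume, and shows Sample 7's condition keys rejecting a CreateInstance request that enables Internet access.

```python
"""Offline least-privilege check for ApsaraMQ for RabbitMQ custom policies.

Added example, not Alibaba Cloud's code. Models only the RAM policy features
used on this page (Allow/Deny, '*' wildcards, StringEquals) and treats the
page's client API table as the list of grants a client operation needs.
The real RAM engine is authoritative; use this to catch over- and
under-grants before creating the policy.
"""
import fnmatch
import json
from string import Template

# Constructed placeholder values for the example; not real IDs.
ENV = {
    "region": "cn-hangzhou",
    "accountid": "123456789012",
    "instanceId": "amqp-cn-example001",
    "vhostName": "orders",
    "queueName": "order-created",
    "exchangeName": "orders-ex",
}

# Sample 2 from the page (publish-only policy), still holding its $placeholders.
PUBLISH_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Action": ["amqp:GetInstance"],
     "Resource": ["acs:amqp:*:*:/instances/$instanceId",
                  "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"],
     "Effect": "Allow"},
    {"Action": ["amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
                "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack",
                "amqp:GetExchange", "amqp:GetQueue"],
     "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
     "Effect": "Allow"}
  ]
}"""

# Sample 7 from the page: CreateInstance restricted by condition keys.
CREATE_PLATINUM_ONLY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "amqp:CreateInstance",
     "Resource": "acs:amqp:*:$accountid:/instances/*",
     "Condition": {"StringEquals": {"amqp:InstanceType": ["vip"],
                                    "amqp:SupportEIP": ["false"]}}}
  ]
}"""

# Grants each client operation needs, transcribed from the client API table.
_VHOST = "acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName"
REQUIRED_GRANTS = {
    "BasicPublish": [("amqp:BasicPublish", _VHOST + "/exchanges/$exchangeName/messages/*")],
    "BasicConsume": [("amqp:BasicConsume", _VHOST + "/queues/$queueName/messages/*")],
    "queue.declare(dead-letter)": [
        ("amqp:CreateQueue", _VHOST + "/queues/*"),
        ("amqp:GetQueue", _VHOST + "/queues/$queueName"),
        ("amqp:CreateExchange", _VHOST + "/exchanges/$exchangeName"),
    ],
}


def render(text, env=ENV):
    """Substitute the $placeholders listed on the page with concrete values."""
    return Template(text).substitute(env)


def load_policy(text, env=ENV):
    """Render and parse a policy; json.loads rejects stray trailing commas."""
    return json.loads(render(text, env))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    # Only StringEquals is modelled, the operator used on this page.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation (assumption): an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_grants(policy, operation, env=ENV):
    """Return the (action, resource) pairs the operation needs but the policy lacks."""
    return [(action, render(res, env))
            for action, res in REQUIRED_GRANTS[operation]
            if not is_allowed(policy, action, render(res, env))]


if __name__ == "__main__":
    publish = load_policy(PUBLISH_POLICY)
    for op in REQUIRED_GRANTS:
        print(op, "->", missing_grants(publish, op) or "fully granted")
```

Run it as a script to see which operations the publish-only policy covers. `missing_grants` is the useful direction for least privilege: rather than asking "what can this identity do?", it asks whether a concrete workload's operations are fully granted and nothing it does not need (here, BasicConsume) slips through. Extend `REQUIRED_GRANTS` with the remaining rows of the client API table for your own workloads.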