Permissions for ApsaraMQ for RabbitMQ resources, and for sending and receiving messages through the SDK, are managed with Resource Access Management (RAM). RAM lets you avoid sharing the AccessKey pair of your Alibaba Cloud account (the AccessKey ID and AccessKey Secret) with other users, and instead grant each user only the minimum permissions they need.
RAM policies
In RAM, a policy is a set of permissions described in a syntactic structure. It precisely describes the set of authorized resources, the set of authorized actions, and the conditions under which authorization applies. A policy is a simple language specification for describing a permission set; for the specification supported by RAM, see Policy syntax and structure.
In RAM, a policy is a type of resource entity. ApsaraMQ for RabbitMQ supports the following two types of policies:
- System policy: created by Alibaba Cloud. You can use system policies but cannot modify them, and Alibaba Cloud maintains their version updates. System policies are suitable for coarse-grained control of RAM user permissions.
- Custom policy: you create, update, and delete custom policies yourself and maintain their version updates. Custom policies are suitable for fine-grained control of RAM user permissions.
System policies
ApsaraMQ for RabbitMQ supports the following system policies.
Policy name | Description |
---|---|
AliyunAMQPFullAccess | Management permission for ApsaraMQ for RabbitMQ. A RAM user granted this policy has the same permissions as the Alibaba Cloud account, that is, all permissions on resources and on sending and receiving messages through the SDK. |
AliyunAMQPReadOnlyAccess | Read-only permission for ApsaraMQ for RabbitMQ. A RAM user granted this policy has only read permission on all resources of the Alibaba Cloud account. |
System policy example
Take the system policy AliyunAMQPFullAccess as an example. A RAM user granted this policy has the same permissions as the Alibaba Cloud account, that is, all permissions on resources and on sending and receiving messages through the SDK. The policy content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "amqp:*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Custom policies
ApsaraMQ for RabbitMQ supports the following custom policy actions.
Note: Operating on resources such as exchanges or queues requires read permission (amqp:GetVhost) on the vhost that contains those resources.
API | Action | Description | Resource |
---|---|---|---|
ListInstances | amqp:ListInstance | Lists instances | acs:amqp:$region:$accountid:/instances/* |
CreateInstance | amqp:CreateInstance | Creates an instance | acs:amqp:$region:$accountid:/instances/* |
DeleteInstance | amqp:DeleteInstance | Deletes an instance | acs:amqp:$region:$accountid:/instances/$instanceId |
GetInstance | amqp:GetInstance | Queries an instance | acs:amqp:$region:$accountid:/instances/$instanceId |
ListVhost | amqp:ListVhost | Lists vhosts | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* |
CreateVhost | amqp:CreateVhost | Creates a vhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* |
DeleteVhost | amqp:DeleteVhost | Deletes a vhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName |
GetVhost | amqp:GetVhost | Queries a vhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName |
ListExchange | amqp:ListExchange | Lists exchanges | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
CreateExchange | amqp:CreateExchange | Creates an exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
DeleteExchange | amqp:DeleteExchange | Deletes an exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
GetExchange | amqp:GetExchange | Queries an exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
exchange.declare(passive=false) | amqp:CreateExchange | Declares an exchange and verifies whether the exchange exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* |
exchange.declare(passive=true) | amqp:GetExchange | Declares an exchange and verifies whether the exchange exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName |
exchange.bind | amqp:GetExchange (source exchange) | Binds a source exchange to a destination exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) |
 | amqp:CreateExchange (destination exchange) | | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) |
exchange.unbind | amqp:GetExchange (source exchange) | Unbinds a source exchange from a destination exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) |
 | amqp:CreateExchange (destination exchange) | | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) |
ListQueue | amqp:ListQueue | Lists queues | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
CreateQueue | amqp:CreateQueue | Creates a queue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
DeleteQueue | amqp:DeleteQueue | Deletes a queue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName |
GetQueue | amqp:GetQueue | Queries a queue | acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName |
queue.declare(passive=false) | amqp:CreateQueue | Declares a queue and verifies whether the queue exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
queue.declare(passive=true) | amqp:CreateQueue | Declares a queue and verifies whether the queue exists. | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName |
queue.declare (with a dead-letter exchange) | amqp:CreateQueue | Declares a queue bound to a dead-letter exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
 | amqp:GetQueue | | acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName |
 | amqp:CreateExchange (dead-letter exchange) | | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange) |
queue.bind | amqp:CreateQueue | Binds a queue to an exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
 | amqp:GetExchange | | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName |
queue.unbind | amqp:CreateQueue | Unbinds a queue from an exchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
 | amqp:GetExchange | | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName |
BasicRecover | amqp:BasicRecover | Redelivers messages that the consumer has not acknowledged (Ack) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* |
BasicCancel | amqp:BasicCancel | Cancels a subscription | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicPublish | amqp:BasicPublish | Publishes a message | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* |
BasicConsume | amqp:BasicConsume | Starts a consumer | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicAck | amqp:BasicAck | Acknowledges one or more messages | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicNack | amqp:BasicNack | Rejects one or more messages | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicReject | amqp:BasicReject | Rejects a message | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
QueuePurge | amqp:QueuePurge | Purges all messages in a queue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
BasicGet | amqp:BasicGet | Directly accesses the messages in a queue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* |
ListStaticAccounts | amqp:ListStaticAccounts | Queries static usernames and passwords | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
FetchStaticAccount | amqp:FetchStaticAccount | Creates a username and password | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
DeleteStaticAccount | amqp:DeleteStaticAccount | Deletes a username and password | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* |
Custom policy examples
- Example 1: custom policy for sending and receiving messages in a specific vhost
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:GetInstance",
        "amqp:GetVhost",
        "amqp:ListVhost"
      ],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:GetExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:GetQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume",
        "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListStaticAccounts",
        "amqp:FetchStaticAccount",
        "amqp:DeleteStaticAccount"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
- Example 2: custom policy for publishing messages
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:GetInstance",
        "amqp:GetVhost"
      ],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue", "amqp:GetQueue",
        "amqp:BasicRecover", "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
- Example 3: custom policy for subscribing to messages
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:GetInstance",
        "amqp:GetVhost"
      ],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:GetExchange", "amqp:GetQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck",
        "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
- Example 4: custom policy for publishing and subscribing to messages
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:GetInstance",
        "amqp:GetVhost"
      ],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:GetExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:GetQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume",
        "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
- Example 5: custom policy for managing usernames and passwords
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "amqp:ListStaticAccounts",
        "amqp:FetchStaticAccount",
        "amqp:DeleteStaticAccount"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
    },
    {
      "Effect": "Allow",
      "Action": "amqp:GetInstance",
      "Resource": "acs:amqp:*:*:/instances/$instanceId"
    }
  ],
  "Version": "1"
}
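The following Python script is an added example, not part of the product documentation: it evaluates Example 2 above against the action and resource pairs the table lists for publishing and for consuming, so a custom policy can be checked for least privilege (including the amqp:GetVhost prerequisite from the note) before it is attached to a RAM user. It assumes a simplified RAM evaluation model (`*` is a wildcard in Action and Resource, an explicit Deny overrides Allow, default deny) and uses constructed instance, vhost, region and account values.

```python
import fnmatch

# Example 2 from this page (publish-only policy for one vhost), with the
# placeholders $instanceId and $vhostName replaced by constructed sample values.
PUBLISH_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["amqp:GetInstance", "amqp:GetVhost"],
     "Resource": ["acs:amqp:*:*:/instances/amqp-cn-sample",
                  "acs:amqp:*:*:/instances/amqp-cn-sample/vhosts/orders"]},
    {"Effect": "Allow",
     "Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue",
                "amqp:GetQueue", "amqp:BasicRecover", "amqp:BasicPublish",
                "amqp:BasicAck", "amqp:BasicNack"],
     "Resource": "acs:amqp:*:*:/instances/amqp-cn-sample/vhosts/orders/*"},
]}

# Constructed region/account prefix in the resource form used by the table above.
BASE = "acs:amqp:cn-hangzhou:123456789012:/instances/amqp-cn-sample"

def _matches(value, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified RAM evaluation (assumed here): '*' is a wildcard in Action
    and Resource, an explicit Deny beats any Allow, and the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_permissions(policy, steps):
    """Return the (action, resource) pairs in steps that the policy does not
    grant; steps must include the vhost read (amqp:GetVhost) the note requires."""
    return [(a, r) for a, r in steps if not is_allowed(policy, a, r)]

# From the table: publishing to exchange "ex-orders" in vhost "orders" needs the
# instance and vhost reads plus BasicPublish on the exchange's messages.
PUBLISH_STEPS = [
    ("amqp:GetInstance", BASE),
    ("amqp:GetVhost", BASE + "/vhosts/orders"),
    ("amqp:BasicPublish", BASE + "/vhosts/orders/exchanges/ex-orders/messages/*"),
]
# Consuming from queue "q-orders" needs BasicConsume on that queue's messages.
CONSUME_STEPS = PUBLISH_STEPS[:2] + [
    ("amqp:BasicConsume", BASE + "/vhosts/orders/queues/q-orders/messages/*"),
]
```

Running missing_permissions(PUBLISH_POLICY, CONSUME_STEPS) reports the BasicConsume pair, confirming that the publish-only policy cannot be used to read messages.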