消息队列RabbitMQ版的资源以及SDK收发消息的权限管理通过访问控制RAM(Resource Access Management)实现。RAM可以让您避免与其他用户共享阿里云云账号密钥,即AccessKey(包含AccessKey ID和AccessKey Secret),按需为其他用户分配最小权限。

RAM权限策略

在RAM中,权限策略是用语法结构描述的一组权限的集合,可以精确地描述被授权的资源集、操作集以及授权条件。权限策略是描述权限集的一种简单语言规范,RAM支持的语言规范请参见权限策略语法和结构

在RAM中,权限策略是一种资源实体。消息队列RabbitMQ版支持以下两种类型的权限策略:

  • 系统权限策略:统一由阿里云创建,您只能使用不能修改,策略的版本更新由阿里云维护,适用于粗粒度地控制RAM用户权限。
  • 自定义权限策略:您可以自主创建、更新和删除,策略的版本更新由您自己维护,适用于细粒度地控制RAM用户权限。

系统权限策略

消息队列RabbitMQ版支持以下系统权限策略。

授权策略名称 说明
AliyunAMQPFullAccess 消息队列RabbitMQ版的管理权限,被授予该权限的RAM用户具有等同于阿里云账号的权限,即资源以及SDK收发消息的所有权限。
AliyunAMQPReadOnlyAccess 消息队列RabbitMQ版的只读权限,被授予该权限的RAM用户只具有阿里云账号所有资源的只读权限。

系统权限策略示例

以系统权限策略AliyunAMQPFullAccess为例,被授予该权限的RAM用户具有等同于阿里云账号的权限,即资源以及SDK收发消息的所有权限。策略内容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

自定义授权策略

消息队列RabbitMQ版支持以下自定义权限策略。

注意 对Exchange或Queue等资源进行操作的前提是要有这些资源所在Vhost的读权限(amqp:GetVhost)。
API Action 说明 资源
ListInstances amqp:ListInstance 获取实例列表 acs:amqp:$region:$accountid:/instances/*
CreateInstance amqp:CreateInstance 创建实例 acs:amqp:$region:$accountid:/instances/*
DeleteInstance amqp:DeleteInstance 删除实例 acs:amqp:$region:$accountid:/instances/$instanceId
GetInstance amqp:GetInstance 查看实例 acs:amqp:$region:$accountid:/instances/$instanceId
ListVhost amqp:ListVhost 获取Vhost列表 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
CreateVhost amqp:CreateVhost 创建Vhost acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*
DeleteVhost amqp:DeleteVhost 删除Vhost acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
GetVhost amqp:GetVhost 查看Vhost acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName
ListExchange amqp:ListExchange 获取Exchange列表 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
CreateExchange amqp:CreateExchange 创建Exchange acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
DeleteExchange amqp:DeleteExchange 删除Exchange acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
GetExchange amqp:GetExchange 查看Exchange acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.declare(passive=false) amqp:CreateExchange 声明Exchange,并验证Exchange是否存在。
  • 如果指定的Exchange不存在,则创建Exchange,返回声明成功。
  • 如果指定的Exchange已存在,则会校验该Exchange的信息是否正确。如果信息匹配,则会返回声明成功;如果信息不匹配,则会报错。
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*
exchange.declare(passive=true) amqp:GetExchange 声明Exchange,并验证Exchange是否存在。
  • 如果指定的Exhange不存在,则会报错。
  • 如果指定的Exhange已存在,则会返回声明成功。
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName
exchange.bind amqp:GetExchange(源Exchange) 将源Exchange绑定到目标Exchange acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange)
amqp:CreateExchange(目标Exchange) acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目标Exchange)
exchange.unbind amqp:GetExchange(源Exchange) 解除源Exchange到目标Exchange的绑定 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange)
amqp:CreateExchange(目标Exchange) acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目标Exchange)
ListQueue amqp:ListQueue 获取Queue列表 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
CreateQueue amqp:CreateQueue 创建Queue acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
DeleteQueue amqp:DeleteQueue 删除Queue acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
GetQueue amqp:GetQueue 查看Queue acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare(passive=false) amqp:CreateQueue 声明Queue,并验证Queue是否存在。
  • 如果指定的Queue不存在,则会创建Queue。
  • 如果指定的Queue已存在,则会校验该Queue的信息是否正确。如果信息匹配,则会返回声明成功;如果信息不匹配,则会报错。
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
queue.declare(passive=true) amqp:CreateQueue 声明Queue,并验证Queue是否存在。
  • 如果指定的Queue不存在,则会报错。
  • 如果指定的Queue已存在,则会返回声明成功。
acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
queue.declare(有死信Exchange) amqp:CreateQueue 声明绑定死信Exchange的Queue acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
amqp:GetQueue acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/queues/$queueName
amqp:CreateExchange(死信Exchange) acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName(死信Exchange)
queue.bind amqp:CreateQueue 绑定Queue到Exchange acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
amqp:GetExchange acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
queue.unbind amqp:CreateQueue 解除Queue和Exchange间的绑定 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
amqp:GetExchange acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName
BasicRecover amqp:BasicRecover 重新投递没被Consumer确认消费(Ack)的消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
BasicCancel amqp:BasicCancel 取消订阅 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/messages/*
BasicPublish amqp:BasicPublish 发布一条消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*
BasicConsume amqp:BasicConsume 启动一个Consumer acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicAck amqp:BasicAck 确认消费一条或多条消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicNack amqp:BasicNack 拒绝一条或多条消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicReject amqp:BasicReject 拒绝一条消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
QueuePurge amqp:QueuePurge 清空一个Queue里的所有消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
BasicGet amqp:BasicGet 直接访问Queue的消息 acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*
ListStaticAccounts amqp:ListStaticAccounts 查看静态用户名密码 acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
FetchStaticAccount amqp:FetchStaticAccount 创建用户名密码 acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*
DeleteStaticAccount amqp:DeleteStaticAccount 删除用户名密码 acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

自定义权限策略示例

  • 示例一:自定义发布消息授权策略
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:CreateQueue",
                    "amqp:GetQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例二:自定义订阅消息授权策略
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例三:自定义发布和订阅消息授权策略
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***",
                    "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/vhosts/testVhost/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例四:自定义用户名密码权限
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/amqp-cn-09k1o***"
            }
        ],
        "Version": "1"
    }