
RAM permission policies


Permissions for the resources of ApsaraMQ for RabbitMQ, and for sending and receiving messages through the SDK, are managed with Resource Access Management (RAM). RAM lets you grant other users only the minimum permissions they need, instead of sharing the AccessKey pair of your Alibaba Cloud account (the AccessKey ID and AccessKey secret) with them.

RAM permission policies

In RAM, a permission policy is a set of permissions described in a defined syntax; it states precisely which resources are authorized, which operations are authorized, and under which conditions the authorization applies. A policy is written in a simple language specification for describing a set of permissions; for the specification that RAM supports, see Policy syntax and structure.

In RAM, a policy is a resource entity. ApsaraMQ for RabbitMQ supports the following two types of policies:

  • System policies: created and maintained by Alibaba Cloud. You can use them but cannot modify them, and Alibaba Cloud handles their version updates. They are suited to coarse-grained control of RAM user permissions.

  • Custom policies: you create, update and delete them yourself and maintain their versions. They are suited to fine-grained control of RAM user permissions.

System policies

ApsaraMQ for RabbitMQ supports the following system policies.

AliyunAMQPFullAccess
  Description: management permissions for ApsaraMQ for RabbitMQ. A RAM user granted this policy has the same permissions as the Alibaba Cloud account, that is, all permissions on resources and on sending and receiving messages through the SDK.

AliyunAMQPReadOnlyAccess
  Description: read-only permissions for ApsaraMQ for RabbitMQ. A RAM user granted this policy has only read permission on all resources of the Alibaba Cloud account.

System policy example

Take the system policy AliyunAMQPFullAccess as an example. A RAM user granted this policy has the same permissions as the Alibaba Cloud account, that is, all permissions on resources and on sending and receiving messages through the SDK. The policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "amqp:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policies

ApsaraMQ for RabbitMQ supports the following custom policies.

Important

Operating on resources such as Exchanges or Queues requires read permission (amqp:GetVhost) on the Vhost that contains those resources.

Each entry below lists the API, the Action it requires, a description, and the Resource the permission applies to.

ListInstances
  Action: amqp:ListInstance
  Description: queries the list of instances.
  Resource: acs:amqp:$region:$accountid:/instances/*

CreateInstance
  Action: amqp:CreateInstance
  Description: creates an instance.
  The policy for the CreateInstance API supports the following condition keys. For details, see Condition.
    • amqp:InstanceType: the type of instance that may be created. Valid values:
      • professional: Professional Edition instance
      • enterprise: Enterprise Edition instance
      • vip: Platinum Edition instance
    • amqp:SupportEIP: whether Internet access is supported. Valid values:
      • true: Internet access is supported
      • false: Internet access is not supported
  Resource: acs:amqp:$region:$accountid:/instances/*

DeleteInstance
  Action: amqp:DeleteInstance
  Description: deletes an instance.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId

GetInstance
  Action: amqp:GetInstance
  Description: queries an instance.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId

ListVhost
  Action: amqp:ListVhost
  Description: queries the list of Vhosts.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

CreateVhost
  Action: amqp:CreateVhost
  Description: creates a Vhost.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

DeleteVhost
  Action: amqp:DeleteVhost
  Description: deletes a Vhost.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

GetVhost
  Action: amqp:GetVhost
  Description: queries a Vhost.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

ListExchange
  Action: amqp:ListExchange
  Description: queries the list of Exchanges.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

CreateExchange
  Action: amqp:CreateExchange
  Description: creates an Exchange.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

DeleteExchange
  Action: amqp:DeleteExchange
  Description: deletes an Exchange.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

GetExchange
  Action: amqp:GetExchange
  Description: queries an Exchange.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.declare(passive=false)
  Action: amqp:CreateExchange
  Description: declares an Exchange and verifies whether it exists.
    • If the specified Exchange does not exist, it is created and the declaration succeeds.
    • If the specified Exchange already exists, its attributes are checked against the declaration. If they match, the declaration succeeds; if they do not, an error is returned.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

exchange.declare(passive=true)
  Action: amqp:GetExchange
  Description: declares an Exchange and verifies whether it exists.
    • If the specified Exchange does not exist, an error is returned.
    • If the specified Exchange already exists, the declaration succeeds.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

exchange.bind
  Description: binds a source Exchange to a destination Exchange.
  Action: amqp:GetExchange (source Exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source Exchange)
  Action: amqp:CreateExchange (destination Exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination Exchange)

exchange.unbind
  Description: unbinds a source Exchange from a destination Exchange.
  Action: amqp:GetExchange (source Exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source Exchange)
  Action: amqp:CreateExchange (destination Exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination Exchange)

ListQueue
  Action: amqp:ListQueue
  Description: queries the list of Queues.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

CreateQueue
  Action: amqp:CreateQueue
  Description: creates a Queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

DeleteQueue
  Action: amqp:DeleteQueue
  Description: deletes a Queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

GetQueue
  Action: amqp:GetQueue
  Description: queries a Queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

queue.declare(passive=false)
  Action: amqp:CreateQueue
  Description: declares a Queue and verifies whether it exists.
    • If the specified Queue does not exist, it is created.
    • If the specified Queue already exists, its attributes are checked against the declaration. If they match, the declaration succeeds; if they do not, an error is returned.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

queue.declare(passive=true)
  Action: amqp:CreateQueue
  Description: declares a Queue and verifies whether it exists.
    • If the specified Queue does not exist, an error is returned.
    • If the specified Queue already exists, the declaration succeeds.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

queue.declare (with a dead-letter Exchange)
  Description: declares a Queue that is bound to a dead-letter Exchange.
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName
  Action: amqp:CreateExchange (dead-letter Exchange)
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (dead-letter Exchange)

queue.bind
  Description: binds a Queue to an Exchange.
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

queue.unbind
  Description: unbinds a Queue from an Exchange.
  Action: amqp:CreateQueue
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*
  Action: amqp:GetExchange
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

BasicRecover
  Action: amqp:BasicRecover
  Description: redelivers messages that the consumer has not acknowledged (Ack).
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

BasicCancel
  Action: amqp:BasicCancel
  Description: cancels a subscription.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicPublish
  Action: amqp:BasicPublish
  Description: publishes a message.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*

BasicConsume
  Action: amqp:BasicConsume
  Description: starts a consumer.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicAck
  Action: amqp:BasicAck
  Description: acknowledges one or more messages.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicNack
  Action: amqp:BasicNack
  Description: rejects one or more messages.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicReject
  Action: amqp:BasicReject
  Description: rejects a single message.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

QueuePurge
  Action: amqp:QueuePurge
  Description: purges all messages in a Queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

BasicGet
  Action: amqp:BasicGet
  Description: retrieves messages directly from a Queue.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

ListStaticAccounts
  Action: amqp:ListStaticAccounts
  Description: queries static usernames and passwords.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

FetchStaticAccount
  Action: amqp:FetchStaticAccount
  Description: creates a username and password.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

DeleteStaticAccount
  Action: amqp:DeleteStaticAccount
  Description: deletes a username and password.
  Resource: acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

Custom policy examples

Important

When you create a custom policy, replace the parameters in the Resource values of the following examples with the values from your own environment.

  • $region: the ID of the region where the resource is located. To obtain it, see Endpoints.

  • $accountid: the ID of the Alibaba Cloud account that owns the authorized resources.

  • $instanceId: the ID of the ApsaraMQ for RabbitMQ instance.

  • $vhostName: the name of the Vhost.

  • $queueName: the name of the Queue.

  • $exchangeName: the name of the Exchange.

  • Example 1: custom policy for sending and receiving messages in a specific Vhost

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "amqp:GetInstance",
                    "amqp:GetVhost",
                    "amqp:ListVhost"
                ],
                "Resource":[
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect":"Allow"
            }
        ]
    }

  • Example 2: custom policy for publishing messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:CreateQueue",
                    "amqp:GetQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }

  • Example 3: custom policy for subscribing to messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:GetExchange",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }

  • Example 4: custom policy for publishing and subscribing to messages

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:GetExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:GetQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }

  • Example 5: custom policy for managing usernames and passwords

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/$instanceId"
            }
        ],
        "Version": "1"
    }

  • Example 6: custom policy granting a RAM user permission to create instances

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*"
            }
        ]
    }

  • Example 7: custom policy granting a RAM user permission to create only Platinum Edition instances, without Internet access enabled

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
                "Condition": {
                    "StringEquals": {
                        "amqp:InstanceType": [
                            "vip"
                        ],
                        "amqp:SupportEIP": [
                            "false"
                        ]
                    }
                }
            }
        ]
    }
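
The following Python script is an added example, not Alibaba Cloud's code and not the RAM service's real evaluator. It checks a request against policy documents in the format shown above: it applies the "*" wildcards in Action and Resource, evaluates the StringEquals condition keys from Example 7 (amqp:InstanceType, amqp:SupportEIP), and enforces the prerequisite stated in the Important note that an Exchange or Queue operation also needs amqp:GetVhost on the Vhost that contains the resource. The account ID, instance ID, Vhost name and region are constructed sample values.

```python
import fnmatch

# Constructed sample IDs; substitute your own account, instance and Vhost.
ACCOUNT, INSTANCE, VHOST = "123456789012", "amqp-cn-example", "orders"
VHOST_ARN = f"acs:amqp:cn-hangzhou:{ACCOUNT}:/instances/{INSTANCE}/vhosts/{VHOST}"

# Example 2 from this page (publish policy) with the placeholders filled in.
PUBLISH_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["amqp:GetInstance", "amqp:GetVhost"],
         "Resource": [f"acs:amqp:*:*:/instances/{INSTANCE}",
                      f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/{VHOST}"],
         "Effect": "Allow"},
        {"Action": ["amqp:CreateExchange", "amqp:GetExchange", "amqp:CreateQueue",
                    "amqp:GetQueue", "amqp:BasicRecover", "amqp:BasicPublish",
                    "amqp:BasicAck", "amqp:BasicNack"],
         "Resource": f"acs:amqp:*:*:/instances/{INSTANCE}/vhosts/{VHOST}/*",
         "Effect": "Allow"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]
def _statement_matches(stmt, action, resource, ctx):
    """Action/Resource use '*' wildcards; Condition keys use StringEquals as on this page."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for key, values in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(values):  # a missing context key never matches
            return False
    return True
def decide(policy, action, resource, ctx=None):
    """RAM evaluation order: an explicit Deny wins, then a matching Allow, else denied."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx or {})]
    return "Deny" not in effects and "Allow" in effects
def vhost_of(resource):
    """'.../vhosts/V/queues/Q' -> '.../vhosts/V'; None if the ARN has no Vhost part."""
    head, sep, tail = resource.partition("/vhosts/")
    return head + sep + tail.split("/")[0] if sep else None
def authorized(policy, action, resource, ctx=None):
    """Enforce this page's prerequisite: Exchange/Queue operations also need amqp:GetVhost on the Vhost."""
    vhost = vhost_of(resource)
    if vhost and vhost != resource and not decide(policy, "amqp:GetVhost", vhost, ctx):
        return False
    return decide(policy, action, resource, ctx)
```

Dropping the first statement of PUBLISH_POLICY makes decide() still allow amqp:BasicPublish but authorized() refuse it, which is exactly the failure the Important note warns about.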
