This topic describes common authorization policy examples for ApsaraMQ for MQTT.

Notes

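Before reading this topic, we recommend that you first review the permission policies related to ApsaraMQ for MQTT that are supported in Resource Access Management (RAM).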

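To copy the sample code directly, delete the comments before use, that is, the double slashes (//) and the explanatory text after them. Replace every value in the samples with your actual resource information:
  • Replace post-cn-09k1noy**** with your instance ID.
  • Replace Topic_**** with your topic.
  • Replace GID_**** with your group ID.
  • Replace Rule**** with your rule ID.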

Example 1: Grant an MQTT client permissions to send and receive messages

Note: Permissions for MQTT clients to send and receive messages cannot be granted across cloud accounts.
{
    "Version":"1",
    "Statement":[
        {    // Before granting message send and receive permissions, grant permissions on the corresponding instance first
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant message publish and subscribe permissions on the topic
            "Effect":"Allow",
            "Action":[
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        },
        {    // Grant permissions on the group
            "Effect":"Allow",
            "Action":[
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****"
            ]
        }
    ]
}

Example 2: Grant permission to send messages to a topic from the console

{
    "Version":"1",
    "Statement":[
        {    // Before granting permission to send messages to the topic from the console, grant permissions on the corresponding instance first
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant permission to send messages to the topic from the console
            "Effect":"Allow",
            "Action":[
                "mq:SendMqttMessageByConsole"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Example 3: Grant permission for the OpenAPI operation that applies for a token

{
    "Version":"1",
    "Statement":[
        {    // Before granting permission for the OpenAPI operation that applies for a token, grant permissions on the corresponding instance first
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant permission for the OpenAPI operation that applies for a token
            "Effect":"Allow",
            "Action":[
                "mq:ApplyToken"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

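Example 4: Grant permissions for all OpenAPI operations on data outbound rules

When you grant permissions on rules, make sure that the instance, topic, and group ID resources involved belong to the same primary account.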

{
    "Version":"1",
    "Statement":[
        {    // Before granting permissions for all OpenAPI operations on data outbound rules, grant permissions on the corresponding instance first
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant permissions for all OpenAPI operations on data outbound rules
            "Effect":"Allow",
            "Action":[
                "mq:CreateMqttOutboundRule",
                "mq:DeleteMqttOutboundRule",
                "mq:ListMqttOutboundRule",
                "mq:UpdateMqttOutboundRule"
            ],
            "Resource":[
                "acs:mq:*:*:rule/post-cn-09k1noy****/Rule****"
            ]
        }
    ]
}
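
The preparation steps from the notes (delete the // comments, replace the masked values) and the instance prerequisite stated in each sample's first comment can be checked before a policy is attached. The following is an added example, not Alibaba Cloud code: the function names, the instance ID post-cn-example0001 and the topic Topic_demo used with it are constructed, and the lint rule is this example's reading of the samples' comments.

```python
import json
import re

# Constructed sample in the page's format: // comments and masked placeholder values.
SAMPLE = '''{
    "Version":"1",
    "Statement":[
        {    // grant access to the instance first
            "Effect":"Allow",
            "Action":["mq:MqttInstanceAccess"],
            "Resource":["acs:mq:*:*:instance/post-cn-09k1noy****"]
        },
        {    // publish and subscribe on the topic
            "Effect":"Allow",
            "Action":["mq:PUB","mq:SUB"],
            "Resource":["acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"]
        }
    ]
}'''

def strip_comments(text):
    """Remove // comments while leaving any '//' inside a JSON string untouched."""
    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def render(template, values):
    """Strip comments, substitute placeholder values, and parse the result as JSON."""
    text = strip_comments(template)
    for placeholder, real in values.items():
        text = text.replace(placeholder, real)
    return json.loads(text)

def lint(policy):
    """Report leftover masked values and resources whose instance has no access grant."""
    findings, granted, used = [], set(), set()
    for st in policy["Statement"]:  # assumes Action/Resource are arrays, as in the samples
        for res in st["Resource"]:
            if "****" in res:
                findings.append("placeholder left in " + res)
            # Last ARN field looks like "topic/<instance>/<name>" or "instance/<instance>".
            kind, _, rest = res.rsplit(":", 1)[-1].partition("/")
            instance = rest.split("/")[0]
            if kind != "instance":
                used.add(instance)
            elif st["Effect"] == "Allow" and "mq:MqttInstanceAccess" in st["Action"]:
                granted.add(instance)
    findings += ["no mq:MqttInstanceAccess for instance " + i for i in sorted(used - granted)]
    return findings
```

Calling lint(render(SAMPLE, {...})) with both placeholders mapped returns an empty list; any finding means the policy still needs editing before use.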