This topic provides examples of common authorization policies in Message Queue for MQTT.

Usage notes

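Before reading this topic, we recommend that you first review the permission policies for Message Queue for MQTT that are supported in Resource Access Management (RAM).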

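To copy the sample code directly, remove the comments before use, that is, the double slashes (//) and the explanatory text that follows them. Replace all values in the examples with your actual resource information:
  • Replace post-cn-09k1noy**** with your instance ID.
  • Replace Topic_**** with your Topic.
  • Replace GID_**** with your Group ID.
  • Replace Rule**** with your rule ID.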

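Example 1: Grant an MQTT client permissions to send and receive messages

Note: Permissions for MQTT clients to send and receive messages do not support cross-account authorization.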
{
    "Version":"1",
    "Statement":[
        {    // Before granting message send and receive permissions, first grant permissions on the corresponding instance
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant message publish and subscribe permissions on the Topic
            "Effect":"Allow",
            "Action":[
                "mq:PUB",
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        },
        {    // Grant permissions on the Group
            "Effect":"Allow",
            "Action":[
                "mq:SUB"
            ],
            "Resource":[
                "acs:mq:*:*:groupId/post-cn-09k1noy****/GID_****"
            ]
        }
    ]
}

Example 2: Grant permission to send messages to a specific Topic from the console

{
    "Version":"1",
    "Statement":[
        {    // Before granting permission to send messages to the Topic from the console, first grant permissions on the corresponding instance
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant permission to send messages to the Topic from the console
            "Effect":"Allow",
            "Action":[
                "mq:SendMqttMessageByConsole"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

Example 3: Grant the OpenAPI permission to apply for a token

{
    "Version":"1",
    "Statement":[
        {    // Before granting the OpenAPI permission to apply for a token, first grant permissions on the corresponding instance
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant the OpenAPI permission to apply for a token
            "Effect":"Allow",
            "Action":[
                "mq:ApplyToken"
            ],
            "Resource":[
                "acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"
            ]
        }
    ]
}

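Example 4: Grant all OpenAPI permissions for data outbound rules

When you grant rule permissions, make sure that the instances, Topics, and Group IDs involved belong to the same Alibaba Cloud account.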

{
    "Version":"1",
    "Statement":[
        {    // Before granting all OpenAPI permissions for data outbound rules, first grant permissions on the corresponding instance
            "Effect":"Allow",
            "Action":[
                "mq:MqttInstanceAccess"
            ],
            "Resource":[
                "acs:mq:*:*:instance/post-cn-09k1noy****"
            ]
        },
        {    // Grant all OpenAPI permissions for data outbound rules
            "Effect":"Allow",
            "Action":[
                "mq:CreateMqttOutboundRule",
                "mq:DeleteMqttOutboundRule",
                "mq:ListMqttOutboundRule",
                "mq:UpdateMqttOutboundRule"
            ],
            "Resource":[
                "acs:mq:*:*:rule/post-cn-09k1noy****/Rule****"
            ]
        }
    ]
}
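
The usage notes ask you to remove the // comments before use, and every example grants mq:MqttInstanceAccess on the instance before any Topic, Group, or rule permission. The following pre-submission check is an added example, not code from this documentation or from Alibaba Cloud: it strips the comments and reports instances whose prerequisite grant is missing. The names strip_comments and missing_instance_access are hypothetical, and the sample policy is constructed from the page's placeholders.

```python
import json
import re

# Constructed sample in the page's format, placeholders and // comments kept.
SAMPLE_POLICY = """
{"Version":"1", "Statement":[
        {    // instance access first
            "Effect":"Allow",
            "Action":["mq:MqttInstanceAccess"],
            "Resource":["acs:mq:*:*:instance/post-cn-09k1noy****"]
        },
        {    // publish and subscribe on one Topic
            "Effect":"Allow",
            "Action":["mq:PUB","mq:SUB"],
            "Resource":["acs:mq:*:*:topic/post-cn-09k1noy****/Topic_****"]
        }
]}
"""

# A JSON string is matched first, so "//" inside a value is never treated as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')
# Resource layout as shown on the page: acs:mq:<region>:<account>:<type>/<instance>[/<name>]
_RESOURCE = re.compile(r'^acs:mq:[^:]*:[^:]*:([A-Za-z]+)/([^/]+)')

def strip_comments(text):
    # Keep string tokens unchanged, drop comment tokens up to the end of the line.
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_instance_access(policy_text):
    """Instance IDs used by topic/groupId/rule resources that lack mq:MqttInstanceAccess."""
    policy = json.loads(strip_comments(policy_text))
    granted, needed = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            match = _RESOURCE.match(resource)
            if not match:
                continue  # assumption: resources in another layout are not judged here
            kind, instance = match.groups()
            if kind != "instance":
                needed.add(instance)
            elif "mq:MqttInstanceAccess" in _as_list(stmt.get("Action", [])):
                granted.add(instance)
    return sorted(needed - granted)
```

An empty list means every instance referenced by a Topic, Group, or rule resource also has the instance-level grant.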