云消息队列 RabbitMQ 版自定义权限策略参考

更新时间:

如果系统权限策略不能满足您的要求,您可以创建自定义权限策略实现最小授权。使用自定义权限策略有助于实现权限的精细化管控,是提升资源访问安全的有效手段。本文介绍云消息队列 RabbitMQ 版使用自定义权限策略的场景和策略示例。

什么是自定义权限策略

在基于RAM的访问控制体系中,自定义权限策略是指在系统权限策略之外,您可以自主创建、更新和删除的权限策略。自定义权限策略的版本更新需由您来维护。

  • 创建自定义权限策略后,需为RAM用户、用户组或RAM角色绑定权限策略,这些RAM身份才能获得权限策略中指定的访问权限。

  • 已创建的权限策略支持删除,但删除前需确保该策略未被引用。如果该权限策略已被引用,您需要在该权限策略的引用记录中移除授权。

  • 自定义权限策略支持版本控制,您可以按照RAM规定的版本管理机制来管理您创建的自定义权限策略版本。

操作文档

自定义授权策略

云消息队列 RabbitMQ 版支持以下自定义权限策略。

客户端接口权限说明

客户端API

Action

资源

说明

exchange.declare(passive=false)

amqp:CreateExchange

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

声明Exchange,并验证Exchange是否存在。

  • 如果指定的Exchange不存在,则创建Exchange,返回声明成功。

  • 如果指定的Exchange已存在,则会校验该Exchange的信息是否正确。如果信息匹配,则会返回声明成功;如果信息不匹配,则会报错。

exchange.declare(passive=true)

amqp:GetExchange

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

声明Exchange,并验证Exchange是否存在。

  • 如果指定的Exchange不存在,则会报错。

  • 如果指定的Exchange已存在,则会返回声明成功。

exchange.bind

amqp:GetExchange(源Exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange)

将源Exchange绑定到目标Exchange

amqp:CreateExchange(目标Exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目标Exchange)

exchange.unbind

amqp:GetExchange(源Exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange)

解除源Exchange到目标Exchange的绑定

amqp:CreateExchange(目标Exchange)

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目标Exchange)

queue.declare(passive=false)

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

声明Queue,并验证Queue是否存在。

  • 如果指定的Queue不存在,则会创建Queue。

  • 如果指定的Queue已存在,则会校验该Queue的信息是否正确。如果信息匹配,则会返回声明成功;如果信息不匹配,则会报错。

queue.declare(passive=true)

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

声明Queue,并验证Queue是否存在。

  • 如果指定的Queue不存在,则会报错。

  • 如果指定的Queue已存在,则会返回声明成功。

queue.declare(有死信Exchange)

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

声明绑定死信Exchange的Queue

amqp:GetQueue

acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName

amqp:CreateExchange(死信Exchange)

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName(死信Exchange)

queue.bind

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

绑定Queue到Exchange

amqp:GetExchange

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName

queue.unbind

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

解除Queue和Exchange间的绑定

amqp:GetExchange

acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName

BasicRecover

amqp:BasicRecover

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

重新投递没被Consumer确认消费(Ack)的消息

BasicCancel

amqp:BasicCancel

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

取消订阅

BasicPublish

amqp:BasicPublish

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/*

发布消息

BasicConsume

amqp:BasicConsume

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

启动一个Consumer

BasicAck

amqp:BasicAck

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

确认一条或多条消息

BasicNack

amqp:BasicNack

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

拒绝一条或多条消息

BasicReject

amqp:BasicReject

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

拒绝一条消息

BasicGet

amqp:BasicGet

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

直接访问Queue的消息

控制台OpenAPI及功能权限说明

控制台OpenAPI/功能

Action

资源

说明

ListInstances

amqp:ListInstance

acs:amqp:$region:$accountid:/instances/*

获取实例列表

CreateInstance

amqp:CreateInstance

acs:amqp:$region:$accountid:/instances/*

创建实例

CreateInstance接口的权限策略支持设置以下条件关键字。详细信息,请参见条件(Condition)

  • amqp:InstanceType:表示可创建的实例类型。取值如下:

    • professional:专业版实例

    • enterprise:企业版

    • vip:铂金版实例

  • amqp:SupportEIP:表示是否支持公网。取值如下:

    • true:支持公网

    • false:不支持公网

DeleteInstance

amqp:DeleteInstance

acs:amqp:$region:$accountid:/instances/$instanceId

删除实例

GetInstance

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

查看实例

ListVhost

amqp:ListVhost

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

获取Vhost列表

CreateVhost

amqp:CreateVhost

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/*

创建Vhost

DeleteVhost

amqp:DeleteVhost

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName

删除Vhost,执行此操作需同时授予GetInstance API的权限

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

ListExchange

amqp:ListExchange

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

获取Exchange列表,执行此操作需同时授予GetInstance API的权限

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

CreateExchange

amqp:CreateExchange

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*

创建Exchange

DeleteExchange

amqp:DeleteExchange

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName

删除Exchange

ListQueue

amqp:ListQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

获取Queue列表,执行此操作需同时授予GetInstance API的权限

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

CreateQueue

amqp:CreateQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/*

创建Queue

DeleteQueue

amqp:DeleteQueue

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName

删除Queue

QueuePurge

amqp:QueuePurge

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

清空队列

ListStaticAccounts

amqp:ListStaticAccounts

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

查看用户名密码,执行此操作需同时授予GetInstance API的权限

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

FetchStaticAccount

amqp:FetchStaticAccount

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

创建用户名密码,执行此操作需同时授予GetInstance API的权限

amqp:GetInstance

acs:amqp:$region:$accountid:/instances/$instanceId

DeleteStaticAccount

amqp:DeleteStaticAccount

acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/*

删除用户名密码

按Queue查询消息

amqp:BasicGet

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

访问Queue的消息

按消息ID查询消息

amqp:BasicGet

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

访问Queue的消息

重发消息

  • amqp:BasicGet

  • amqp:BasicPublish

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

重新发送消息

发送消息

amqp:BasicPublish

acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/*

发送消息

自定义权限策略示例

重要

创建自定义权限策略时,您需要将以下示例中Resource的参数修改为您实际环境中的参数值。

  • $region:资源所属的地域ID。获取方式,请参见服务接入点

  • $accountid:被授权对象的阿里云账号ID。

  • $instanceId:云消息队列 RabbitMQ 版的实例ID。

  • $vhostName:Vhost名称。

  • $queueName:Queue名称。

  • $exchangeName:Exchange名称。

  • 示例一:自定义某个Vhost消息收发权限

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "amqp:GetInstance",
                    "amqp:ListVhost",
                    "amqp:GetVhost"
                ],
                "Resource":[
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet",
                    "amqp:GetExchange"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect":"Allow"
            }
        ]
    }
  • 示例二:自定义发布消息授权策略

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicPublish",
                    "amqp:BasicAck",
                    "amqp:BasicNack"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例三:自定义订阅消息授权策略

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:CreateExchange",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例四:自定义发布和订阅消息授权策略

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "amqp:GetInstance",
                    "amqp:GetVhost"
                ],
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListExchange",
                    "amqp:CreateExchange",
                    "amqp:DeleteExchange",
                    "amqp:ListQueue",
                    "amqp:DeleteQueue",
                    "amqp:CreateQueue",
                    "amqp:BasicRecover",
                    "amqp:BasicCancel",
                    "amqp:BasicPublish",
                    "amqp:BasicConsume",
                    "amqp:BasicAck",
                    "amqp:BasicNack",
                    "amqp:BasicReject",
                    "amqp:QueuePurge",
                    "amqp:BasicGet"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
                "Effect": "Allow"
            }
        ]
    }
  • 示例五:自定义用户名密码权限

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
            },
            {
                "Effect": "Allow",
                "Action": "amqp:GetInstance",
                "Resource": "acs:amqp:*:*:/instances/$instanceId"
            }
        ],
        "Version": "1"
    }
  • 示例六:自定义授予某个RAM用户创建实例的权限

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
            }
        ]
    }
  • 示例七:自定义授予某个RAM用户,仅能创建铂金版实例且不支持开启公网的权限

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "amqp:CreateInstance",
                "Resource": "acs:amqp:*:$accountid:/instances/*",
                "Condition": {
                    "StringEquals": {
                        "amqp:InstanceType": [
                            "vip"
                        ],
                        "amqp:SupportEIP": [
                            "false"
                        ]
                    }
                }
            }
        ]
    }
  • 示例八:自定义某个RAM用户对单个实例的所有操作权限

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "amqp:ListInstance",
                "Resource": "acs:amqp:*:*:/instances/*",
                "Effect": "Allow"
            },
            {
                "Action": "amqp:*",
                "Resource": [
                    "acs:amqp:*:*:/instances/$instanceId",
                    "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "amqp:ListStaticAccounts",
                    "amqp:FetchStaticAccount",
                    "amqp:DeleteStaticAccount"
                ],
                "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
                "Effect": "Allow"
            }
        ]
    }