本文介绍控制台自定义权限策略及客户端自定义权限策略的常见使用场景及示例。
控制台自定义权限策略示例
基础示例
示例一:授予RAM用户访问控制台首页时不报错,正常进行访问的权限
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "mns:ListQueue",
"Resource": "*"
}
]
}示例二:授予RAM用户仅能通过HTTPS方式访问服务的权限
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "mns:*",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": [
"false"
]
}
}
}
]
}队列管理
示例三:授予RAM用户访问控制台并对所有Queue可读的权限
授予RAM用户通过管控SDK读取主账号下所有Queue的属性信息的权限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListQueue" ], "Resource": "*" } ] }授予RAM用户访问控制台队列列表菜单栏的权限
说明管控页面请求涉及多个接口请求,其中包括
mns:ListTagResourcesAction。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTagResources", "mns:ListQueue" ], "Resource": "*" } ] }
示例四:授予RAM用户有且仅能管理某个Queue的权限
授予RAM用户通过管控SDK仅对指定Queue读写的权限。本示例以队列名称
MySampleQueue为例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateQueue", "mns:DeleteQueue", "mns:GetQueueAttributes", "mns:SetQueueAttributes" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue" } ] }授予RAM用户在控制台访问指定Queue详情的权限
说明指定的队列详情地址为:
https://${MNS管控地址}/region/${regionId}/queue/${queueName}/detail。管控页面请求涉及多个接口请求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateQueue", "mns:DeleteQueue", "mns:GetQueueAttributes", "mns:SetQueueAttributes" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }
主题管理
示例五:授予RAM用户访问控制台并对所有Topic可读的权限
授予RAM用户通过管控SDK读取主账号下所有Topic的属性信息的权限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTopic" ], "Resource": "*" } ] }授予RAM用户访问控制台主题列表菜单栏的权限
说明管控页面请求涉及多个接口请求,其中包括
mns:ListTagResourcesAction。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTagResources", "mns:ListTopic" ], "Resource": "*" } ] }
示例六:授予RAM用户有且仅能管理某个Topic的权限
授予RAM用户通过管控SDK仅对指定Topic读写的权限。本示例以主题名称
MySampleTopic为例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateTopic", "mns:DeleteTopic", "mns:GetTopicAttributes", "mns:SetTopicAttributes" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic" } ] }授予RAM用户在控制台访问指定Topic详情的权限
说明指定的队列详情地址为:
https://${MNS管控地址}/region/${regionId}/topic/${topicName}/detail。管控页面请求涉及多个接口请求,其中包括
mns:ListSubscriptionByTopicAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateTopic", "mns:DeleteTopic", "mns:GetTopicAttributes", "mns:SetTopicAttributes" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic" }, { "Effect": "Allow", "Action": [ "mns:ListQueue", "mns:ListSubscriptionByTopic" ], "Resource": "*" } ] }
客户端自定义权限策略示例
队列消息收发
示例一:授予RAM用户仅能对指定Queue进行消息收发的权限
授予RAM用户通过客户端SDK对指定Queue进行消息收发的权限,本示例以队列名称
MySampleQueue为例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage", "mns:PeekMessage", "mns:ChangeMessageVisibility" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages" } ] }授予RAM用户在控制台进行队列消息收发体验的权限
说明地址为:
https://${MNS管控地址}/region/${regionId}/queue/${queueName}/publish。管控页面请求涉及多个接口请求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage", "mns:PeekMessage", "mns:ChangeMessageVisibility" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }
主题消息收发
示例二:授予RAM用户仅能对指定Topic进行消息发送的权限
授予RAM用户通过客户端SDK对指定Topic进行消息发送的权限,本示例以主题名称
MySampleTopic为例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:PublishMessage" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages" } ] }授予RAM用户在控制台进行主题消息收发体验的权限
说明地址为:
https://${MNS管控地址}/region/${regionId}/topic/${topicName}/publish。管控页面请求涉及多个接口请求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:PublishMessage" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }