ApsaraMQ for RabbitMQ: custom permission policy reference
If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies allow fine-grained control over permissions and are an effective way to improve the security of resource access. This topic describes the scenarios in which ApsaraMQ for RabbitMQ uses custom policies and provides policy examples.
What is a custom permission policy
In RAM-based access control, a custom policy is a policy that you create, update, and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role before that RAM identity obtains the access permissions specified in the policy.
A created policy can be deleted, but only if it is no longer referenced. If the policy is still referenced, first remove the grants listed in the policy's reference records.
Custom policies support version control. You can manage the versions of the custom policies you create according to the version management mechanism defined by RAM.
Related documentation: Custom authorization policies
ApsaraMQ for RabbitMQ supports the following custom policies.
Client API permissions
| Client API | Action | Resource | Description |
|---|---|---|---|
| exchange.declare(passive=false) | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Declares an exchange and verifies whether the exchange exists. |
| exchange.declare(passive=true) | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Declares an exchange and verifies whether the exchange exists. |
| exchange.bind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Binds a source exchange to a destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| exchange.unbind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Removes the binding from a source exchange to a destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| queue.declare(passive=false) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue and verifies whether the queue exists. |
| queue.declare(passive=true) | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Declares a queue and verifies whether the queue exists. |
| queue.declare (with a dead-letter exchange) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue that is bound to a dead-letter exchange. |
| | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | |
| | amqp:CreateExchange (dead-letter exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange) | |
| queue.bind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Binds a queue to an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| queue.unbind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Removes the binding between a queue and an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| BasicRecover | amqp:BasicRecover | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Redelivers messages that the consumer has not acknowledged (Ack). |
| BasicCancel | amqp:BasicCancel | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Cancels a subscription. |
| BasicPublish | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* | Publishes a message. |
| BasicConsume | amqp:BasicConsume | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Starts a consumer. |
| BasicAck | amqp:BasicAck | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Acknowledges one or more messages. |
| BasicNack | amqp:BasicNack | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects one or more messages. |
| BasicReject | amqp:BasicReject | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects one message. |
| BasicGet | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages directly from a queue. |
Console OpenAPI and feature permissions
| Console OpenAPI / feature | Action | Resource | Description |
|---|---|---|---|
| ListInstances | amqp:ListInstance | acs:amqp:$region:$accountid:/instances/* | Lists instances. |
| CreateInstance | amqp:CreateInstance | acs:amqp:$region:$accountid:/instances/* | Creates an instance. The policy for the CreateInstance API supports the condition keys listed below. For details, see Condition. |
| DeleteInstance | amqp:DeleteInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Deletes an instance. |
| GetInstance | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Queries an instance. |
| ListVhost | amqp:ListVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Lists vhosts. |
| CreateVhost | amqp:CreateVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Creates a vhost. |
| DeleteVhost | amqp:DeleteVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName | Deletes a vhost. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| ListExchange | amqp:ListExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Lists exchanges. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateExchange | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Creates an exchange. |
| DeleteExchange | amqp:DeleteExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Deletes an exchange. |
| ListQueue | amqp:ListQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Lists queues. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateQueue | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Creates a queue. |
| DeleteQueue | amqp:DeleteQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Deletes a queue. |
| QueuePurge | amqp:QueuePurge | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Purges a queue. |
| ListStaticAccounts | amqp:ListStaticAccounts | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Views static username/password pairs. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| FetchStaticAccount | amqp:FetchStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Creates a static username/password pair. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| DeleteStaticAccount | amqp:DeleteStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Deletes a static username/password pair. |
| Query messages by queue | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages in a queue. |
| Query messages by message ID | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages in a queue. |
| Resend message | | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Resends a message. |
| Send message | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Sends a message. |
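Several rows in the table above only work when the same identity also holds amqp:GetInstance on the instance resource, which is easy to forget and surfaces as an access-denied error at runtime. The following Python lint, an added example that is not part of the original page, scans a policy document in the format used on this page and reports those unmet co-requirements; the instance ID amqp-cn-demo001 and vhost name orders in the constructed policies are placeholders.

```python
import fnmatch
import re

# From the console API table: these actions also require amqp:GetInstance on
# acs:amqp:$region:$accountid:/instances/$instanceId.
NEEDS_GET_INSTANCE = {"amqp:DeleteVhost", "amqp:ListExchange", "amqp:ListQueue",
                      "amqp:ListStaticAccounts", "amqp:FetchStaticAccount"}
# Captures the instance-level prefix of an ApsaraMQ for RabbitMQ resource string.
INSTANCE_RE = re.compile(r"^(acs:amqp:[^:]*:[^:]*:/instances/[^/]+)")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _granted(policy, action, resource):
    """True if some Allow statement matches both action and resource ('*' and '?' wildcards)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False


def missing_get_instance(policy):
    """Return sorted (action, instance_resource) pairs whose GetInstance co-requirement is unmet.

    Limitations: wildcard actions such as amqp:* are not expanded, and region/account
    segments are compared as written, so use them consistently (the page's examples use *:*).
    """
    problems = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            if action not in NEEDS_GET_INSTANCE:
                continue
            for res in _as_list(st["Resource"]):
                match = INSTANCE_RE.match(res)
                if match and not _granted(policy, "amqp:GetInstance", match.group(1)):
                    problems.add((action, match.group(1)))
    return sorted(problems)


# Constructed policy: grants ListQueue and DeleteVhost on one vhost but omits GetInstance.
BROKEN_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["amqp:ListQueue", "amqp:DeleteVhost", "amqp:CreateQueue"],
     "Resource": "acs:amqp:*:*:/instances/amqp-cn-demo001/vhosts/orders/*"}]}

# The same policy with the co-required instance-level grant added.
FIXED_POLICY = {"Version": "1", "Statement": BROKEN_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "amqp:GetInstance",
     "Resource": "acs:amqp:*:*:/instances/amqp-cn-demo001"}]}
```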
Custom permission policy examples
When you create a custom policy, replace the Resource parameters in the following examples with the values from your own environment.
$region: the region ID of the resource. For how to obtain it, see Endpoints.
$accountid: the Alibaba Cloud account ID of the authorized party.
$instanceId: the ID of the ApsaraMQ for RabbitMQ instance.
$vhostName: the vhost name.
$queueName: the queue name.
$exchangeName: the exchange name.
Example 1: custom permission to send and receive messages on a specific vhost
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:ListVhost", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet", "amqp:GetExchange"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 2: custom policy for publishing messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 3: custom policy for subscribing to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck",
        "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 4: custom policy for publishing and subscribing to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 5: custom permission to manage static username/password pairs
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
    },
    {
      "Effect": "Allow",
      "Action": "amqp:GetInstance",
      "Resource": "acs:amqp:*:*:/instances/$instanceId"
    }
  ],
  "Version": "1"
}
```
Example 6: grant a specific RAM user permission to create instances
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*"
    }
  ]
}
```
Example 7: grant a specific RAM user permission to create only Platinum Edition instances with Internet access disabled
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*",
      "Condition": {
        "StringEquals": {
          "amqp:InstanceType": ["vip"],
          "amqp:SupportEIP": ["false"]
        }
      }
    }
  ]
}
```
Example 8: grant a specific RAM user all permissions on a single instance
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "amqp:ListInstance",
      "Resource": "acs:amqp:*:*:/instances/*",
      "Effect": "Allow"
    },
    {
      "Action": "amqp:*",
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
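To check what a policy in this format actually permits before attaching it, the following Python, an added example that is not part of the original page, evaluates a request (action, resource, condition context) against a policy that combines Example 2's publish-only grant on one vhost with Example 7's CreateInstance condition; the instance ID amqp-cn-demo001, vhost orders and account 123456789012 are placeholders. It also applies RAM's general rule that a matching Deny overrides any Allow, which the page's examples do not exercise.

```python
import fnmatch

# Constructed policy: Example 2 (publish-only on vhost "orders") plus Example 7's
# conditional CreateInstance. Instance ID, vhost and account are placeholders.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["amqp:GetInstance"],
     "Resource": ["acs:amqp:*:*:/instances/amqp-cn-demo001",
                  "acs:amqp:*:*:/instances/amqp-cn-demo001/vhosts/orders"]},
    {"Effect": "Allow",
     "Action": ["amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
                "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"],
     "Resource": "acs:amqp:*:*:/instances/amqp-cn-demo001/vhosts/orders/*"},
    {"Effect": "Allow", "Action": "amqp:CreateInstance",
     "Resource": "acs:amqp:*:123456789012:/instances/*",
     "Condition": {"StringEquals": {"amqp:InstanceType": ["vip"],
                                    "amqp:SupportEIP": ["false"]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM-style matching: '*' spans any characters (including '/'), '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled, because that is the operator the page's examples use.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Decide a request: a matching Deny wins; otherwise a matching Allow whose Condition holds."""
    context = context or {}
    decision = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```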