本文介紹控制臺自定義權限策略及客戶端自定義權限策略的常見使用場景及示例。
控制臺自定義權限策略示例
基礎示例
示例一:授予RAM用戶訪問控制臺首頁時不報錯,正常進行訪問的權限
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "mns:ListQueue",
"Resource": "*"
}
]
}示例二:授予RAM用戶僅能通過HTTPS方式訪問服務的權限
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "mns:*",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": [
"false"
]
}
}
}
]
}隊列管理
示例三:授予RAM用戶訪問控制臺并對所有Queue可讀的權限
授予RAM用戶通過管控SDK讀取主賬號下所有Queue的屬性信息的權限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListQueue" ], "Resource": "*" } ] }授予RAM用戶訪問控制臺隊列列表菜單欄的權限
說明管控頁面請求涉及多個接口請求,其中包括
mns:ListTagResourcesAction。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTagResources", "mns:ListQueue" ], "Resource": "*" } ] }
示例四:授予RAM用戶有且僅能管理某個Queue的權限
授予RAM用戶通過管控SDK僅對指定Queue讀寫的權限。本示例以隊列名稱
MySampleQueue為例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateQueue", "mns:DeleteQueue", "mns:GetQueueAttributes", "mns:SetQueueAttributes" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue" } ] }授予RAM用戶在控制臺訪問指定Queue詳情的權限
說明指定的隊列詳情地址為:
https://${MNS管控地址}/region/${regionId}/queue/${queueName}/detail。管控頁面請求涉及多個接口請求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateQueue", "mns:DeleteQueue", "mns:GetQueueAttributes", "mns:SetQueueAttributes" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }
主題管理
示例五:授予RAM用戶訪問控制臺并對所有Topic可讀的權限
授予RAM用戶通過管控SDK讀取主賬號下所有Topic的屬性信息的權限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTopic" ], "Resource": "*" } ] }授予RAM用戶訪問控制臺主題列表菜單欄的權限
說明管控頁面請求涉及多個接口請求,其中包括
mns:ListTagResourcesAction。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:ListTagResources", "mns:ListTopic" ], "Resource": "*" } ] }
示例六:授予RAM用戶有且僅能管理某個Topic的權限
授予RAM用戶通過管控SDK僅對指定Topic讀寫的權限。本示例以主題名稱
MySampleTopic為例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateTopic", "mns:DeleteTopic", "mns:GetTopicAttributes", "mns:SetTopicAttributes" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic" } ] }授予RAM用戶在控制臺訪問指定Topic詳情的權限
說明指定的隊列詳情地址為:
https://${MNS管控地址}/region/${regionId}/topic/${topicName}/detail。管控頁面請求涉及多個接口請求,其中包括
mns:ListSubscriptionByTopicAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:CreateTopic", "mns:DeleteTopic", "mns:GetTopicAttributes", "mns:SetTopicAttributes" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic" }, { "Effect": "Allow", "Action": [ "mns:ListQueue", "mns:ListSubscriptionByTopic" ], "Resource": "*" } ] }
客戶端自定義權限策略示例
隊列消息收發
示例一:授予RAM用戶僅能對指定Queue進行消息收發的權限
授予RAM用戶通過客戶端SDK對指定Queue進行消息收發的權限,本示例以隊列名稱
MySampleQueue為例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage", "mns:PeekMessage", "mns:ChangeMessageVisibility" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages" } ] }授予RAM用戶在控制臺進行隊列消息收發體驗的權限
說明地址為:
https://${MNS管控地址}/region/${regionId}/queue/${queueName}/publish。管控頁面請求涉及多個接口請求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage", "mns:PeekMessage", "mns:ChangeMessageVisibility" ], "Resource": "acs:mns:*:*:/queues/MySampleQueue/messages" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }
主題消息收發
示例二:授予RAM用戶僅能對指定Topic進行消息發送的權限
授予RAM用戶通過客戶端SDK對指定Topic進行消息發送的權限,本示例以主題名稱
MySampleTopic為例。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:PublishMessage" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages" } ] }授予RAM用戶在控制臺進行隊列消息收發體驗的權限
說明地址為:
https://${MNS管控地址}/region/${regionId}/topic/${topicName}/publish。管控頁面請求涉及多個接口請求,其中包括
mns:ListQueueAction。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "mns:PublishMessage" ], "Resource": "acs:mns:*:*:/topics/MySampleTopic/messages" }, { "Effect": "Allow", "Action": "mns:ListQueue", "Resource": "*" } ] }