云消息隊列 RabbitMQ 版自定義權限策略參考
如果系統權限策略不能滿足您的要求,您可以創建自定義權限策略實現最小授權。使用自定義權限策略有助于實現權限的精細化管控,是提升資源訪問安全的有效手段。本文介紹云消息隊列 RabbitMQ 版使用自定義權限策略的場景和策略示例。
什么是自定義權限策略
在基于RAM的訪問控制體系中,自定義權限策略是指在系統權限策略之外,您可以自主創建、更新和刪除的權限策略。自定義權限策略的版本更新需由您來維護。
創建自定義權限策略后,需為RAM用戶、用戶組或RAM角色綁定權限策略,這些RAM身份才能獲得權限策略中指定的訪問權限。
已創建的權限策略支持刪除,但刪除前需確保該策略未被引用。如果該權限策略已被引用,您需要在該權限策略的引用記錄中移除授權。
自定義權限策略支持版本控制,您可以按照RAM規定的版本管理機制來管理您創建的自定義權限策略版本。
操作文檔
自定義授權策略
云消息隊列 RabbitMQ 版支持以下自定義權限策略。
客戶端接口權限說明
客戶端API | Action | 資源 | 說明 |
exchange.declare(passive=false) | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | 聲明Exchange,并驗證Exchange是否存在。
|
exchange.declare(passive=true) | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | 聲明Exchange,并驗證Exchange是否存在。
|
exchange.bind | amqp:GetExchange(源Exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange) | 將源Exchange綁定到目標Exchange |
amqp:CreateExchange(目標Exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目標Exchange) | ||
exchange.unbind | amqp:GetExchange(源Exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName(源Exchange) | 解除源Exchange到目標Exchange的綁定 |
amqp:CreateExchange(目標Exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/*(目標Exchange) | ||
queue.declare(passive=false) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 聲明Queue,并驗證Queue是否存在。
|
queue.declare(passive=true) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | 聲明Queue,并驗證Queue是否存在。
|
queue.declare(有死信Exchange) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 聲明綁定死信Exchange的Queue |
amqp:GetQueue | acs:amqp:$region:$accountid:/vhosts/$vhostName/queues/$queueName | ||
amqp:CreateExchange(死信Exchange) | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName(死信Exchange) | ||
queue.bind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 綁定Queue到Exchange |
amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName | ||
queue.unbind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 解除Queue和Exchange間的綁定 |
amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceName/vhosts/$vhostName/exchanges/$exchangeName | ||
BasicRecover | amqp:BasicRecover | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 重新投遞沒被Consumer確認消費(Ack)的消息 |
BasicCancel | amqp:BasicCancel | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 取消訂閱 |
BasicPublish | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* | 發布消息 |
BasicConsume | amqp:BasicConsume | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 啟動一個Consumer |
BasicAck | amqp:BasicAck | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 確認一條或多條消息 |
BasicNack | amqp:BasicNack | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 拒絕一條或多條消息 |
BasicReject | amqp:BasicReject | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 拒絕一條消息 |
BasicGet | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 直接訪問Queue的消息 |
控制臺OpenAPI及功能權限說明
控制臺OpenAPI/功能 | Action | 資源 | 說明 |
ListInstances | amqp:ListInstance | acs:amqp:$region:$accountid:/instances/* | 獲取實例列表 |
CreateInstance | amqp:CreateInstance | acs:amqp:$region:$accountid:/instances/* | 創建實例 CreateInstance接口的權限策略支持設置以下條件關鍵字。詳細信息,請參見條件(Condition)。
|
DeleteInstance | amqp:DeleteInstance | acs:amqp:$region:$accountid:/instances/$instanceId | 刪除實例 |
GetInstance | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | 查看實例 |
ListVhost | amqp:ListVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | 獲取Vhost列表 |
CreateVhost | amqp:CreateVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | 創建Vhost |
DeleteVhost | amqp:DeleteVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName | 刪除Vhost,執行此操作需同時授予GetInstance API的權限 |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
ListExchange | amqp:ListExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | 獲取Exchange列表,執行此操作需同時授予GetInstance API的權限 |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
CreateExchange | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | 創建Exchange |
DeleteExchange | amqp:DeleteExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | 刪除Exchange |
ListQueue | amqp:ListQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 獲取Queue列表,執行此操作需同時授予GetInstance API的權限 |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
CreateQueue | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | 創建Queue |
DeleteQueue | amqp:DeleteQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | 刪除Queue |
QueuePurge | amqp:QueuePurge | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 清空隊列 |
ListStaticAccounts | amqp:ListStaticAccounts | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | 查看用戶名密碼,執行此操作需同時授予GetInstance API的權限 |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
FetchStaticAccount | amqp:FetchStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | 創建用戶名密碼,執行此操作需同時授予GetInstance API的權限 |
amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | ||
DeleteStaticAccount | amqp:DeleteStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | 刪除用戶名密碼 |
按Queue查詢消息 | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 訪問Queue的消息 |
按消息ID查詢消息 | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 訪問Queue的消息 |
重發消息 |
| acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 重新發送消息 |
發送消息 | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | 發送消息 |
自定義權限策略示例
創建自定義權限策略時,您需要將以下示例中Resource的參數修改為您實際環境中的參數值。
$region:資源所屬的地域ID。獲取方式,請參見服務接入點。
$accountid:被授權對象的阿里云賬號ID。
$instanceId:云消息隊列 RabbitMQ 版的實例ID。
$vhostName:Vhost名稱。
$queueName:Queue名稱。
$exchangeName:Exchange名稱。
示例一:自定義某個Vhost消息收發權限
{ "Version":"1", "Statement":[ { "Action":[ "amqp:GetInstance", "amqp:ListVhost", "amqp:GetVhost" ], "Resource":[ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName", "acs:amqp:*:*:/instances/$instanceId/vhosts/*" ], "Effect":"Allow" }, { "Action":[ "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet", "amqp:GetExchange" ], "Resource":"acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect":"Allow" }, { "Action":[ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource":"acs:amqp:*:*:/instances/$instanceId/staticAccount/*", "Effect":"Allow" } ] }示例二:自定義發布消息授權策略
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }示例三:自定義訂閱消息授權策略
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }示例四:自定義發布和訂閱消息授權策略
{ "Version": "1", "Statement": [ { "Action": [ "amqp:GetInstance", "amqp:GetVhost" ], "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName" ], "Effect": "Allow" }, { "Action": [ "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange", "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue", "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish", "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*", "Effect": "Allow" } ] }示例五:自定義用戶名密碼權限
{ "Statement": [ { "Effect": "Allow", "Action": [ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*" }, { "Effect": "Allow", "Action": "amqp:GetInstance", "Resource": "acs:amqp:*:*:/instances/$instanceId" } ], "Version": "1" }示例六:自定義授予某個RAM用戶創建實例的權限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "amqp:CreateInstance", "Resource": "acs:amqp:*:$accountid:/instances/*", } ] }示例七:自定義授予某個RAM用戶,僅能創建鉑金版實例且不支持開啟公網的權限
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "amqp:CreateInstance", "Resource": "acs:amqp:*:$accountid:/instances/*", "Condition": { "StringEquals": { "amqp:InstanceType": [ "vip" ], "amqp:SupportEIP": [ "false" ] } } } ] }示例八:自定義某個RAM用戶對單個實例的所有操作權限
{ "Version": "1", "Statement": [ { "Action": "amqp:ListInstance", "Resource": "acs:amqp:*:*:/instances/*", "Effect": "Allow" }, { "Action": "amqp:*", "Resource": [ "acs:amqp:*:*:/instances/$instanceId", "acs:amqp:*:*:/instances/$instanceId/vhosts/*" ], "Effect": "Allow" }, { "Action": [ "amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount" ], "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*", "Effect": "Allow" } ] }