ApsaraMQ for RocketMQ:Access control overview

Last Updated:Aug 19, 2024

ApsaraMQ for RocketMQ allows you to use Resource Access Management (RAM) and access control lists (ACLs) to control access to ApsaraMQ for RocketMQ resources.

Limits

If the user authentication feature is not enabled for an ApsaraMQ for RocketMQ instance, submit a ticket to apply to enable the feature. The entry point to access control is displayed only after your application is approved.

Type: RAM

  Description:

  • RAM provides account-level permission control. You can use RAM to grant the minimum permissions to users. This helps prevent issues caused by sharing the AccessKey pair of an Alibaba Cloud account.

  • You can use RAM to grant a RAM user or a user group the permissions to perform operations in the ApsaraMQ for RocketMQ console or by using a specific API operation. For example, you can grant a RAM user the permissions to create topics or delete groups.

  Authorization object:

  • API operations

  • The ApsaraMQ for RocketMQ console

  Authorization required or not:

  • Alibaba Cloud account: By default, all permissions are granted. No authorization is required.

  • RAM user: You can access specific resources only after the relevant permissions are granted.

Type: ACL (IP address whitelist)

  Description: IP address whitelists are used to control permissions. You can configure an IP address whitelist for an ApsaraMQ for RocketMQ instance to specify the IP addresses that can access the instance.

  Note: The IP address whitelist that you configured for an ApsaraMQ for RocketMQ instance always takes effect, regardless of whether you access the instance over the Internet or in a VPC.

  Authorization object: IP addresses of clients

  Authorization required or not:

  • By default, all client IP addresses can access an ApsaraMQ for RocketMQ instance.

  • If you configure an IP address whitelist for an ApsaraMQ for RocketMQ instance, only IP addresses in the IP address whitelist can access the instance.

Type: ACL (user authentication)

  Description: User authentication is used to control permissions. You can use user authentication to specify whether a client can access an ApsaraMQ for RocketMQ instance and whether the client can publish messages to or subscribe to messages from specific topics or groups.

  Authorization object: Groups and topics

  Authorization required or not:

  • By default, the system uses the intelligent authentication method. In this method, the system authenticates a client based on the username and password that are assigned to the instance. After the client passes the authentication, the client can publish messages to or subscribe to messages from all topics and groups on the instance.

  • If you use the ACL-based authentication method, you must manually create an ACL user and grant the user the permissions to publish messages to or subscribe to messages from a specific topic or group. In this method, the client can use the username and password of the ACL user to access the specified topics or groups on the ApsaraMQ for RocketMQ instance.
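As an added example that is not part of the original documentation, the following Python model shows how the controls described above compose for one request: the RAM check on the management plane, and on the data plane the IP address whitelist followed by either the intelligent or the ACL-based authentication method. The evaluation order, CIDR entries in the whitelist, the PUB/SUB action names, and every username, password, address and operation name are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- Management plane (RAM): console and API operations --------------------
def ram_allowed(identity_type, granted_operations, operation):
    """Alibaba Cloud account: everything by default. RAM user: only what was granted."""
    if identity_type == "alibaba_cloud_account":
        return True
    return operation in granted_operations

# --- Data plane (ACL): IP address whitelist + user authentication ----------
@dataclass
class Instance:
    instance_credentials: dict                        # username -> password assigned to the instance
    ip_whitelist: list = field(default_factory=list)  # empty list = all client IP addresses may connect
    acl_mode: bool = False                            # False = intelligent auth, True = ACL-based auth
    acl_users: dict = field(default_factory=dict)     # ACL username -> password
    acl_grants: set = field(default_factory=set)      # (username, "PUB" | "SUB", topic or group)

def ip_allowed(inst, client_ip):
    """The whitelist applies to Internet and VPC clients alike (CIDR entries are an assumption)."""
    if not inst.ip_whitelist:
        return True
    addr = ip_address(client_ip)
    return any(addr in ip_network(entry, strict=False) for entry in inst.ip_whitelist)

def _password_ok(store, username, password):
    stored = store.get(username)
    return stored is not None and hmac.compare_digest(stored, password)

def client_authorized(inst, client_ip, username, password, action, resource):
    """Decide whether a client may PUB to / SUB from a topic or group on this instance."""
    if not ip_allowed(inst, client_ip):
        return False
    if not inst.acl_mode:
        # Intelligent authentication: the instance credentials unlock every topic and group.
        return _password_ok(inst.instance_credentials, username, password)
    # ACL-based authentication (assumed to check ACL users only): per-user, per-resource
    # grants, and anything that was not granted is denied.
    if not _password_ok(inst.acl_users, username, password):
        return False
    return (username, action, resource) in inst.acl_grants

# Constructed sample: whitelist configured, ACL mode, one least-privilege ACL user.
SAMPLE = Instance(
    instance_credentials={"instance-user": "instance-secret"},
    ip_whitelist=["10.0.0.0/24", "203.0.113.7"],
    acl_mode=True,
    acl_users={"order-producer": "producer-secret"},
    acl_grants={("order-producer", "PUB", "orders")},
)
```

Note that in intelligent mode a leaked instance credential grants every topic and group, which is why the ACL-based method is the least-privilege choice.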