If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies give you fine-grained control over permissions and are an effective way to improve the security of resource access. This topic describes the scenarios in which ApsaraMQ for RabbitMQ (云消息队列 RabbitMQ 版) uses custom policies and provides policy examples.
What is a custom policy
In the RAM-based access control system, a custom policy is a policy that you create, update, and delete yourself, as opposed to a system policy. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role; only then does that RAM identity obtain the access permissions specified in the policy.
A policy that you have created can be deleted, but before you delete it make sure that it is not referenced. If the policy is referenced, remove the authorization from the policy's reference records first.
Custom policies support version control. You can manage the versions of the custom policies you create according to the version management mechanism defined by RAM.
Related procedure
Create a custom policy
ApsaraMQ for RabbitMQ supports the following custom policies.
Permissions for client API operations
| Client API | Action | Resource | Description |
| --- | --- | --- | --- |
| exchange.declare(passive=false) | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Declares an exchange and verifies whether the exchange exists. |
| exchange.declare(passive=true) | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Declares an exchange and verifies whether the exchange exists. |
| exchange.bind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Binds the source exchange to the destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| exchange.unbind | amqp:GetExchange (source exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (source exchange) | Unbinds the source exchange from the destination exchange. |
| | amqp:CreateExchange (destination exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* (destination exchange) | |
| queue.declare(passive=false) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue and verifies whether the queue exists. |
| queue.declare(passive=true) | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Declares a queue and verifies whether the queue exists. |
| queue.declare (with a dead-letter exchange) | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Declares a queue that is bound to a dead-letter exchange. |
| | amqp:GetQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | |
| | amqp:CreateExchange (dead-letter exchange) | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName (dead-letter exchange) | |
| queue.bind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Binds a queue to an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| queue.unbind | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Unbinds a queue from an exchange. |
| | amqp:GetExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | |
| BasicRecover | amqp:BasicRecover | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Redelivers messages that consumers have not acknowledged (Ack). |
| BasicCancel | amqp:BasicCancel | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Cancels a subscription. |
| BasicPublish | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName/messages/* | Publishes a message. |
| BasicConsume | amqp:BasicConsume | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Starts a consumer. |
| BasicAck | amqp:BasicAck | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Acknowledges one or more messages. |
| BasicNack | amqp:BasicNack | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects one or more messages. |
| BasicReject | amqp:BasicReject | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Rejects a single message. |
| BasicGet | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages directly from a queue. |
Permissions for console OpenAPI operations and features
| Console OpenAPI / feature | Action | Resource | Description |
| --- | --- | --- | --- |
| ListInstances | amqp:ListInstance | acs:amqp:$region:$accountid:/instances/* | Lists instances. |
| CreateInstance | amqp:CreateInstance | acs:amqp:$region:$accountid:/instances/* | Creates an instance. Policies for the CreateInstance API support condition keys. For details, see Condition. |
| DeleteInstance | amqp:DeleteInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Deletes an instance. |
| GetInstance | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | Views an instance. |
| ListVhost | amqp:ListVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Lists vhosts. |
| CreateVhost | amqp:CreateVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/* | Creates a vhost. |
| DeleteVhost | amqp:DeleteVhost | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName | Deletes a vhost. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| ListExchange | amqp:ListExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Lists exchanges. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateExchange | amqp:CreateExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/* | Creates an exchange. |
| DeleteExchange | amqp:DeleteExchange | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/exchanges/$exchangeName | Deletes an exchange. |
| ListQueue | amqp:ListQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Lists queues. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| CreateQueue | amqp:CreateQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/* | Creates a queue. |
| DeleteQueue | amqp:DeleteQueue | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName | Deletes a queue. |
| QueuePurge | amqp:QueuePurge | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Purges a queue. |
| ListStaticAccounts | amqp:ListStaticAccounts | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Views static usernames and passwords. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| FetchStaticAccount | amqp:FetchStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Creates a static username and password. This operation also requires the permission for the GetInstance API. |
| | amqp:GetInstance | acs:amqp:$region:$accountid:/instances/$instanceId | |
| DeleteStaticAccount | amqp:DeleteStaticAccount | acs:amqp:$region:$accountid:/instances/$instanceId/staticAccount/* | Deletes a static username and password. |
| Query messages by queue | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages in a queue. |
| Query messages by message ID | amqp:BasicGet | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Reads messages in a queue. |
| Resend message | | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Resends a message. |
| Send message | amqp:BasicPublish | acs:amqp:$region:$accountid:/instances/$instanceId/vhosts/$vhostName/queues/$queueName/messages/* | Sends a message. |
Custom policy examples
When you create a custom policy, replace the placeholders in the Resource element of the following examples with the values from your own environment:
$region: the ID of the region where the resource resides. For how to obtain it, see Endpoints.
$accountid: the Alibaba Cloud account ID of the authorized entity.
$instanceId: the ID of the ApsaraMQ for RabbitMQ instance.
$vhostName: the name of the vhost.
$queueName: the name of the queue.
$exchangeName: the name of the exchange.
Example 1: Grant permissions to send and receive messages in a specific vhost
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:ListVhost", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet",
        "amqp:GetExchange"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 2: Grant permissions to publish messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 3: Grant permissions to subscribe to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
        "amqp:BasicCancel", "amqp:BasicConsume", "amqp:BasicAck",
        "amqp:BasicNack", "amqp:BasicReject", "amqp:QueuePurge",
        "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 4: Grant permissions to both publish and subscribe to messages
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["amqp:GetInstance", "amqp:GetVhost"],
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "amqp:ListExchange", "amqp:CreateExchange", "amqp:DeleteExchange",
        "amqp:ListQueue", "amqp:DeleteQueue", "amqp:CreateQueue",
        "amqp:BasicRecover", "amqp:BasicCancel", "amqp:BasicPublish",
        "amqp:BasicConsume", "amqp:BasicAck", "amqp:BasicNack",
        "amqp:BasicReject", "amqp:QueuePurge", "amqp:BasicGet"
      ],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/vhosts/$vhostName/*",
      "Effect": "Allow"
    }
  ]
}
```
Example 5: Grant permissions to manage static usernames and passwords
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*"
    },
    {
      "Effect": "Allow",
      "Action": "amqp:GetInstance",
      "Resource": "acs:amqp:*:*:/instances/$instanceId"
    }
  ],
  "Version": "1"
}
```
Example 6: Grant a RAM user the permission to create instances
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*"
    }
  ]
}
```
Example 7: Grant a RAM user the permission to create only Platinum Edition instances, without enabling Internet access
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:CreateInstance",
      "Resource": "acs:amqp:*:$accountid:/instances/*",
      "Condition": {
        "StringEquals": {
          "amqp:InstanceType": ["vip"],
          "amqp:SupportEIP": ["false"]
        }
      }
    }
  ]
}
```
Example 8: Grant a RAM user all permissions on a single instance
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "amqp:ListInstance",
      "Resource": "acs:amqp:*:*:/instances/*",
      "Effect": "Allow"
    },
    {
      "Action": "amqp:*",
      "Resource": [
        "acs:amqp:*:*:/instances/$instanceId",
        "acs:amqp:*:*:/instances/$instanceId/vhosts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": ["amqp:ListStaticAccounts", "amqp:FetchStaticAccount", "amqp:DeleteStaticAccount"],
      "Resource": "acs:amqp:*:*:/instances/$instanceId/staticAccount/*",
      "Effect": "Allow"
    }
  ]
}
```
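As an added example (not code from the Alibaba Cloud documentation or its authorization service), the following Python evaluates the publish-only policy of Example 2 against action/resource pairs taken from the tables above, so you can check what a policy actually grants, and which companion grants such as GetInstance are missing, before attaching it to a RAM identity. The instance ID `amqp-cn-example`, the vhost `orders`, and the region and account values are constructed placeholders; the matching rules it applies (`*` wildcards, an explicit Deny overriding Allow, implicit deny otherwise) are a simplified version of RAM semantics and may differ from the real authorizer in edge cases.

```python
import fnmatch
import json

# Constructed sample: the publish-only policy of Example 2, with the placeholders
# replaced by a hypothetical instance ID and vhost name.
PUBLISH_ONLY = json.loads("""{
  "Version": "1",
  "Statement": [
    { "Effect": "Allow", "Action": ["amqp:GetInstance"],
      "Resource": ["acs:amqp:*:*:/instances/amqp-cn-example",
                   "acs:amqp:*:*:/instances/amqp-cn-example/vhosts/orders"] },
    { "Effect": "Allow",
      "Action": ["amqp:CreateExchange", "amqp:CreateQueue", "amqp:BasicRecover",
                 "amqp:BasicPublish", "amqp:BasicAck", "amqp:BasicNack"],
      "Resource": "acs:amqp:*:*:/instances/amqp-cn-example/vhosts/orders/*" }
  ]
}""")

# Concrete resources as an authorizer would see them (region and account are made up).
INSTANCE = "acs:amqp:cn-hangzhou:123456789012:/instances/amqp-cn-example"
ORDERS = INSTANCE + "/vhosts/orders"


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # '*' stands for any run of characters, including '/' and ':'.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Allow only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = allowed or hit
    return allowed  # no matching statement means implicit deny


def missing_grants(policy, requirements):
    """Some operations need several grants at once (the tables above list GetInstance
    next to DeleteVhost, for example). Return the (action, resource) pairs not granted."""
    return [(a, r) for a, r in requirements if not is_allowed(policy, a, r)]
```

With the publish-only policy, `is_allowed` returns True for BasicPublish on an exchange in the `orders` vhost and False for BasicConsume on a queue there or for BasicPublish in any other vhost; `missing_grants` reports DeleteVhost as the only grant lacking for deleting that vhost, since GetInstance on the instance is already allowed.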