Granting Resource-Level Permissions to Sub-Accounts

Last updated: 2023-10-13 10:37:11

    Overview

    This document describes how to use the root account to grant sub-accounts permissions at the resource level. After authorization succeeds, the sub-accounts can operate on the specific resources they were granted, and no others.

    Prerequisites

    You must have a Tencent Cloud root account and have activated the Cloud Access Management (CAM) service.
    Your root account must have at least one sub-account, and you have completed the authorization as instructed in Access Authorization for Sub-Accounts.
    You must have at least one TDMQ for RocketMQ cluster instance.

    Directions

    By using the policy feature in the CAM console, you can grant a sub-account access to the TDMQ for RocketMQ resources owned by the root account. Taking cluster resources as an example, the following steps describe how to grant a sub-account access to TDMQ for RocketMQ resources; the same steps apply to the other resource types listed in the appendix.

    Step 1. Obtain the TDMQ for RocketMQ cluster ID

    1. Log in to the TDMQ for RocketMQ console with the root account, select an existing cluster instance, and click it to enter the details page.
    2. In Basic Info, the ID field is the ID of the current TDMQ for RocketMQ cluster. Note it down; it is used as the last segment of the cluster's six-segment resource description in Step 2.

    Step 2. Create a new authorization policy

    1. Log in to the CAM console and click Policies on the left sidebar.
    2. Click Create Custom Policy > Create by Policy Generator.
    3. In the visual policy generator, select Allow for Effect, enter "TDMQ" in Service to filter, and select **Tencent Distributed Message Queue (tdmq)**.
    
    4. In Action, select All actions, or select only the action types the sub-account actually needs.
    Note
    Currently, some APIs do not support resource-level authentication; the console marks these on the policy page. For the list of APIs that support resource-level authorization, see the appendix.
    
    5. In the Resource field, select Specific resources and find the cluster resource type. Then either select Any resource of this type on the right to authorize all cluster resources, or click Add a six-segment resource description to authorize specific clusters only.
    6. If you clicked Add a six-segment resource description, enter the cluster ID in the Resource field of the pop-up dialog box. For how to obtain the cluster ID, see Step 1.
    
    7. Click Next and enter a policy name as needed.
    8. Click Select Users or Select User Groups to select the users or user groups that need to be granted resource permissions.
    
    9. Click Complete. The sub-account now has access to the resources granted by the policy.
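    The policy the generator produces in Step 2 is a JSON document whose resource entries use the six-segment format listed in the appendix. The following added example (not Tencent Cloud's code; region, UIN and cluster ID are constructed placeholders) builds such a cluster-scoped, read-only policy and includes a simplified offline checker so you can confirm before applying it that the sub-account cannot reach a second cluster or delete the first one. The checker models only the allow/deny/default-deny order, not CAM's full evaluation logic.

```python
import fnmatch

# Constructed placeholders, not values from the page.
REGION = "ap-guangzhou"
UIN = "100000000001"              # root-account UIN that owns the resources
CLUSTER_ID = "rocketmq-abc123"    # cluster ID read from Basic Info in Step 1


def six_segment(resource_type: str, *path: str) -> str:
    """Build a qcs six-segment resource description in the shape the appendix lists."""
    return f"qcs::tdmq:{REGION}:uin/{UIN}:{resource_type}/" + "/".join(path)


def read_only_cluster_policy() -> dict:
    """CAM custom policy (version 2.0) scoped to one cluster: read-only cluster
    actions on the cluster itself, topic listing only for that cluster's topics."""
    return {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": ["tdmq:DescribeRocketMQCluster", "tdmq:DescribeRocketMQClusters"],
                "resource": [six_segment("cluster", CLUSTER_ID)],
            },
            {
                "effect": "allow",
                "action": ["tdmq:DescribeRocketMQTopics"],
                # topic resources carry namespace and topic segments; the trailing
                # wildcard keeps them scoped to this cluster only
                "resource": [six_segment("topic", CLUSTER_ID, "*")],
            },
        ],
    }


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified model of CAM evaluation for reviewing a policy offline:
    an explicit deny wins, then any matching allow, otherwise default deny.
    '*' in action or resource strings is a wildcard (fnmatch, case-sensitive)."""
    decision = False
    for stmt in policy["statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in stmt["action"])
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in stmt["resource"])
        if not (act_ok and res_ok):
            continue
        if stmt["effect"] == "deny":
            return False
        decision = True
    return decision
```

Paste the dictionary (as JSON) into the policy editor when choosing Create Custom Policy by JSON instead of the generator; the six-segment strings must match exactly, so double-check the region and cluster ID before applying.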

    Other authorization methods

    

    Appendix

    List of APIs supporting resource-level authorization

    TDMQ supports resource-level authorization: you can grant a specified sub-account permission to call an API on a specified resource. The APIs that support resource-level authorization are:

    | API Name | Description | Resource Type | Six-Segment Resource Example |
    |---|---|---|---|
    | ResetRocketMQConsumerOffSet | Resets RocketMQ consumption offset | consumer | `qcs::tdmq:${region}:uin/${uin}:consumer/${clusterId}/${namespaceId}/${topic}/${groupId}` |
    | DescribeRocketMQClusters | Gets the list of RocketMQ clusters | cluster | `qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}` |
    | DeleteRocketMQCluster | Deletes a RocketMQ cluster | cluster | `qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}` |
    | DescribeRocketMQCluster | Gets the information of a RocketMQ cluster | cluster | `qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}` |
    | CreateRocketMQNamespace | Creates a RocketMQ namespace | cluster | `qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}` |
    | ModifyRocketMQNamespace | Updates a RocketMQ namespace | namespace | `qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace}` |
    | DeleteRocketMQNamespace | Deletes a RocketMQ namespace | namespace | `qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace}` |
    | CreateRocketMQGroup | Creates a RocketMQ consumer group | namespace | `qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace}` |
    | ModifyRocketMQGroup | Updates a RocketMQ consumer group | group | `qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId}` |
    | DescribeRocketMQGroups | Gets the list of RocketMQ consumer groups | group | `qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId}` |
    | DeleteRocketMQGroup | Deletes a RocketMQ consumer group | group | `qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId}` |
    | CreateRocketMQTopic | Creates a RocketMQ topic | namespace | `qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace}` |
    | ModifyRocketMQTopic | Updates RocketMQ topic information | topic | `qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName}` |
    | DeleteRocketMQTopic | Deletes a RocketMQ topic | topic | `qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName}` |
    | DescribeRocketMQTopics | Gets the list of RocketMQ topics | topic | `qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName}` |
    | DescribeRocketMQTopicsByGroup | Gets the list of topics subscribed to by a specified consumer group | topic | `qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName}` |
    | DescribeRocketMQConsumerConnections | Gets the current client connection status under a specified consumer group | group | `qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId}` |
    | DescribeRocketMQConsumerConnectionDetail | Gets the details of online consumers | group | `qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId}` |
    | ModifyRocketMQCluster | Modifies RocketMQ cluster information | cluster | `qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}` |

    List of APIs not supporting resource-level authorization

    | API Name | Description | Six-Segment Resource |
    |---|---|---|
    | CreateRocketMQCluster | Creates a RocketMQ cluster | `*` |